[BreachExchange] Targeted, custom ransomware menace rears its ugly head

Destry Winant destry at riskbasedsecurity.com
Thu Jul 20 03:47:52 EDT 2017


https://www.theregister.co.uk/2017/07/19/custom_ransomware/

Attackers are manually deploying ransomware directly into target
networks to maximise the damage and potential payout.

Unlike "spray-and-pray" attacks such as WannaCrypt, which hit victims
at random, targeted attacks that manually execute the ransomware
enable criminals to ensure they have locked mission-critical files
that companies will be most likely to pay exorbitant fees to retrieve.
Manual deployments can also evade most traditional signature-based
security measures, making it much harder to identify and stop before
it's too late.

Matt Hillman, a principal security researcher at MWR InfoSecurity,
said the custom ransomware associated with these attacks is typically
getting distributed through phishing emails rather than software
exploits. The attacks are targeted against banking and infrastructure
firms worldwide.

"This ransomware is targeted at big organisations because the amount
they are prepared to pay is greater," Hillman explained. "Hackers are
timing their attack to add pressure," for example by launching
assaults just before sales quarters close or a major announcement or
industry event.

The attacks are more geared at making money than causing disruption,
unlike the recent NotPetya outbreak.

Sean Sullivan, a security advisor at F-Secure, said that its labs
haven't seen any "bespoke" ransomware as such but it has seen some
file-encrypting malware variants "aimed very selectively". F-Secure
uncovered chat sessions in which a ransomware support agent claimed
they were hired by a corporation for targeted operations (see page 15
of this PDF). "There was some analysis/metadata that we later used to
find another variant which seemed to support that claim," Sullivan
told El Reg, adding that the follow-up attack targeted IP lawyers and
was seemingly aimed at disrupting their business operations.

Raj Samani, chief scientist at McAfee, added that targeted ransomware
might be used for obscuring attacks actually aimed at data
exfiltration. This would give "better plausible deniability"
than traditional wiper-style attacks, he added. Wiper attacks in the
past have included the Shamoon assaults on oil company Saudi Aramco
and other targets.

Researchers approached by El Reg cited one already recognised example
of manually deployed ransomware. Crooks behind the SamSam ransomware
typically charge very high ransoms because of the amount of effort
invested in their operations.

Defending against SamSam is more akin to defending against a targeted
attack than against typical opportunistic ransomware, an article by
security tools firm AlienVault explains. SamSam attackers have broken
into corporate networks using JBoss exploits or similar before deploying
web shells and running batch scripts to push the ransomware out to
machines across the network.

"The attacks seem to peak in waves as campaigns distributing SamSam
are executed," AlienVault's Chris Doman reports. "A notable recent
example was a large hospital in [upstate] New York that was hit with
SamSam in April. The hospital declined to pay the attackers the
$44,000 ransom demanded. It took a month for the hospital's IT systems
to be fully restored."

Last month SamSam variants appeared that demanded 12 Bitcoins
($32,800) to receive data on all infected machines or 1.7 Bitcoins
($4,600) for a single machine. "The ransom the victims must pay to
recover their files is hardcoded in the malware," AlienVault added.

Extortionate demands for regular spray-and-pray ransomware vary widely
but at the lower end come out at $300 per infection, so targeted
ransomware demands can be at least 10 times higher by that estimate.

Targeted ransomware will only increase, according to Bart Blaze, a
threat intelligence expert at PwC.

MWR's Hillman advised organisations to review their security policies
in order to better defend against custom malware, adopting an approach
he described as "containment by design". This would involve giving
users and software the least possible privileges (the security perils
of running too much as admin were, of course, illustrated by the
recent NotPetya outbreak); using security packages capable of blocking
malicious behaviour rather than relying on signatures alone; and
network segmentation, so that one compromised host or web shell cannot
reach every file share. Businesses should also develop a recovery plan
and then test it, to make sure they have an effective disaster recovery
strategy in place before they need it, he added.
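The behaviour-blocking half of that advice, and the SamSam pattern above of batch scripts pushing an encryptor to many machines, come down to the same observable: one process rewriting many files with ciphertext-like content in a short window. The following is an added example written for this post, not code from the article, MWR, AlienVault or any vendor product. It implements a toy version of that heuristic in Python: a per-process sliding window over file-write events, with Shannon entropy as the "does this look encrypted" test. The event format, the thresholds (10 seconds, 20 distinct files, entropy above 7.0 bits/byte) and the sample event feed are assumptions made for illustration.

```python
"""Added example: a toy behaviour-based ransomware detector.

Watches file-write events per process and alerts when one process
rewrites many distinct files with high-entropy content inside a short
window, which is how bulk encryption looks from the file system no
matter what the sample's signature is. Event format, thresholds and
the sample feed are assumptions for this illustration.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds; the feed is assumed to be time-ordered
    pid: int
    path: str
    content: bytes  # bytes written (a real sensor would sample the first KB)


class RansomwareBehaviourMonitor:
    """Per-process sliding window over high-entropy writes to distinct files."""

    def __init__(self, window_s: float = 10.0, min_files: int = 20,
                 entropy_threshold: float = 7.0) -> None:
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        # pid -> (timestamp, path) of writes whose content looked encrypted
        self._suspicious: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.alerted: Set[int] = set()

    def observe(self, ev: WriteEvent) -> Optional[str]:
        """Feed one event; return an alert string the first time a pid crosses the threshold."""
        if shannon_entropy(ev.content) < self.entropy_threshold:
            return None  # plaintext-looking write: ignore
        q = self._suspicious[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window_s:  # expire old writes
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= self.min_files and ev.pid not in self.alerted:
            self.alerted.add(ev.pid)
            return (f"ALERT pid={ev.pid}: {len(distinct)} distinct files rewritten "
                    f"with high-entropy content within {self.window_s:.0f}s, "
                    f"e.g. {sorted(distinct)[0]}")
        return None


def build_sample_events() -> List[WriteEvent]:
    """Constructed feed: an editor saving plaintext, then a process bulk-encrypting."""
    events: List[WriteEvent] = []
    # pid 4242 behaves like a document editor: a few low-entropy saves
    for i in range(5):
        events.append(WriteEvent(100.0 + i, 4242, f"/srv/docs/notes{i}.txt",
                                 b"quarterly figures draft, see attached\n" * 10))
    # pid 6666 behaves like an encryptor: 25 files overwritten with random bytes
    # (os.urandom stands in for ciphertext; both are near 8 bits/byte)
    for i in range(25):
        events.append(WriteEvent(105.0 + i * 0.2, 6666,
                                 f"/srv/docs/report{i}.docx.locked", os.urandom(1024)))
    return events


def run_monitor(events: List[WriteEvent]) -> List[str]:
    """Return every alert raised over an event feed, in order."""
    mon = RansomwareBehaviourMonitor()
    alerts: List[str] = []
    for ev in events:
        alert = mon.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_monitor(build_sample_events()):
        print(line)
```

Run against the constructed feed it raises a single alert for pid 6666 and nothing for the editor process. A production sensor would act on the alert (suspend the process, cut its SMB sessions) rather than just print it, and would need exemptions for legitimate bulk writers of high-entropy data such as compression and backup jobs, which is exactly where the segmentation and least-privilege parts of "containment by design" limit the blast radius when the heuristic is wrong.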

