[BreachExchange] Recent ransomware attacks define the malware's new age

Destry Winant destry at riskbasedsecurity.com
Fri Feb 21 10:08:22 EST 2020


https://www.csoonline.com/article/3212260/recent-ransomware-attacks-define-the-malwares-new-age.html#tk.rss_news

History of ransomware

Ransomware, a type of malware that holds data for ransom, has been
around for years. In 1989, a biologist spread PC Cyborg, the first
ransomware, by sending floppy disks via surface mail to other AIDS
researchers, for instance. In the mid '00s Archiveus was the first
ransomware to use RSA encryption, though it was defeated long ago and
you can find its password on its Wikipedia page. In the early 2010s, a
series of "police" ransomware packages appeared, so called because
they purported to be warnings from law enforcement about the victims'
illicit activities and demanded payment of "fines"; they began to
exploit the new generation of anonymous payment services to better
harvest payments without getting caught.

In the 2010s, a new ransomware trend emerged: the use of
cryptocurrencies as the ransom payment method of choice by
cybercriminals. The appeal to the extortionists is obvious:
cryptocurrency payments need no bank in the loop, cannot be reversed,
and are pseudonymous, although bitcoin's public ledger makes them
traceable rather than truly anonymous. Most ransomware gangs demanded
payment in bitcoin, the most high-profile cryptocurrency, although some
began shifting their demands to other currencies as bitcoin's
popularity made its value more volatile.

Attacks shot up in the middle of the 2010s to crisis levels. But by
2018, the ransomware boom seemed to be on its way out, in favor of
another illicit way to snag bitcoin that didn't require victims to
figure out what a bitcoin wallet was: cryptojacking. Cryptojackers
follow the script that spammers and DDoS attackers have been using for
years: surreptitiously gaining control of computers without their
owners knowing. In the case of cryptojacking, the compromised machines
become cryptocurrency mining rigs (mostly mining Monero, which unlike
bitcoin is designed to be mined on ordinary CPUs), quietly generating
coins in the background and eating up idle computing cycles while the
victim is none the wiser. Ransomware attacks declined over the course
of 2018, while cryptojacking attacks shot up by 450 percent.

Ransomware attacks today

Over the past two years, however, ransomware has come back with a
vengeance. Mounir Hahad, head of the Juniper Threat Labs at Juniper
Networks, sees two big drivers behind this trend. The first has to do
with the vagaries of cryptocurrency pricing. Many cryptojackers were
using their victims' computers to mine the open source Monero
currency; with Monero prices dropping, "at some point the threat
actors will realize that mining cryptocurrency was not going to be as
rewarding as ransomware," says Hahad. And because the attackers had
already compromised their victims' machines with Trojan downloaders,
it was simple to launch a ransomware attack when the time was right.
"I was honestly hoping that that prospect would be two to three years
out," says Hahad, "but it took about a year to 18 months for them to
make that U-turn and go back to their original attack."


The other trend was that more attacks focused on striking production
servers that hold mission-critical data. "If you get a random laptop,
an organization may not care as much," says Hahad. "But if you get to
the servers that fuel their day-to-day business, that has so much more
grabbing power."

These kinds of attacks require more sophistication — not necessarily
in terms of the ransomware code itself, but in the skills needed by
the attackers to infiltrate better protected systems to install the
malware. "A spray and pray type of tactic isn't going to give them a
lot of return on investment," says Hahad. "More targeted attacks with
good lateral movement capability are going to get them there, and most
of the time that lateral movement is not automatic. It's really about
gaining initial intrusion points and then somebody manually going in
there and sniffing around the network, moving files around, escalating
privileges, getting credentials for some admin potentially to access
another machine remotely."

With that in mind, let's take a look at the worst offenders in this
new age of ransomware.

1. SamSam

Attacks using software known as SamSam started appearing in late 2015,
but really ramped up in the next few years, gaining some high-profile
scalps, including the Colorado Department of Transportation, the City
of Atlanta, and numerous health care facilities. SamSam is the perfect
example of how attackers' organizational prowess is as important as
their coding skills. SamSam doesn't indiscriminately look for some
specific vulnerability, as some other ransomware variants do; instead
its operators carefully probe pre-selected targets for weaknesses, with
the holes they have exploited running the gamut from vulnerabilities in
IIS to FTP to RDP. Once inside the system, the attackers dutifully work
to escalate privileges to ensure that when they do start encrypting
files, the attack is particularly damaging.


Although the initial belief among security researchers was that SamSam
had an Eastern European origin, the overwhelming majority of SamSam
attacks targeted institutions within the United States. In late 2018,
the United States Department of Justice indicted two Iranians that
they claim were behind the attacks; the indictment said that those
attacks had resulted in over $30 million in losses. It's unclear how
much of that figure represents actual ransom paid; at one point the
Atlanta city officials provided local media with screenshots of ransom
messages that included information on how to communicate with the
attackers, which led them to shut that communications portal down,
possibly preventing Atlanta from paying ransom even if they wanted to.

2. Ryuk

Ryuk is another targeted ransomware variant that hit big in 2018 and
2019, with its victims being chosen specifically as organizations with
little tolerance for downtime; they include daily newspapers and a
North Carolina water utility struggling with the aftermath of
Hurricane Florence. The Los Angeles Times wrote a fairly detailed
account of what happened when their own systems were infected. One
particularly devious feature in Ryuk is that it deletes Volume Shadow
Copies and disables the Windows System Restore option on infected
computers, making it all the more difficult to retrieve encrypted data
without paying a ransom.
Ransom demands were particularly high, corresponding to the high-value
victims that the attackers targeted; a holiday season wave of attacks
showed that the attackers weren't afraid to ruin Christmas to achieve
their goals.
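The System Restore trick is also a detection opportunity: the commands that delete shadow copies and disable recovery run before encryption, usually from cmd.exe or PowerShell, and they are rare in normal operation. As an added example (not from the CSO article and not code from any of the ransomware families it describes), the Python below runs that detection logic over a few constructed Sysmon-style process-creation events. The event format, host names, user names and file paths are made up for the example, and the command patterns are the commonly documented ways to destroy Windows recovery data rather than a signature of Ryuk specifically.

```python
import json
import re
from typing import Dict, List

# Command lines that destroy or disable Windows recovery data. Ransomware
# such as Ryuk is reported to run the first of these before encrypting so
# that victims cannot roll back. The grouping and names are this example's own.
RECOVERY_TAMPERING: Dict[str, List[str]] = {
    "shadow_copy_delete": [
        r"vssadmin(\.exe)?\s+delete\s+shadows",
        r"wmic(\.exe)?\s+shadowcopy\s+delete",
        r"win32_shadowcopy.*\bdelete\b",          # PowerShell/WMI variant
    ],
    "backup_catalog_delete": [
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
    ],
    "boot_recovery_disable": [
        r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no",
        r"bcdedit(\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures",
    ],
    # Shrinking shadow storage silently evicts old copies; administrators do
    # this legitimately too, so treat it as low confidence on its own.
    "shadow_storage_resize": [
        r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
    ],
}

COMPILED = {
    name: [re.compile(p, re.IGNORECASE) for p in patterns]
    for name, patterns in RECOVERY_TAMPERING.items()
}


def classify(command_line: str) -> List[str]:
    """Return the name of every technique whose pattern matches the command line."""
    return [
        name for name, patterns in COMPILED.items()
        if any(p.search(command_line) for p in patterns)
    ]


def scan_events(events: List[dict]) -> List[dict]:
    """Flag process-creation events (Sysmon Event ID 1 style dicts) whose
    CommandLine matches, carrying parent image and user for triage."""
    findings = []
    for ev in events:
        hits = classify(ev.get("CommandLine", ""))
        if hits:
            findings.append({
                "UtcTime": ev.get("UtcTime"),
                "Computer": ev.get("Computer"),
                "User": ev.get("User"),
                "Image": ev.get("Image"),
                "ParentImage": ev.get("ParentImage"),
                "CommandLine": ev.get("CommandLine"),
                "techniques": hits,
            })
    return findings


def scan_jsonl(text: str) -> List[dict]:
    """Parse newline-delimited JSON events and scan them."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return scan_events(events)


# Constructed sample events (not real telemetry): one benign shadow-copy
# listing, three tampering commands, one benign WMI query.
SAMPLE_EVENTS = r"""
{"UtcTime": "2020-02-20 03:14:07.001", "Computer": "FS01", "User": "CORP\\backupsvc", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin.exe list shadows"}
{"UtcTime": "2020-02-20 03:16:42.118", "Computer": "FS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "CommandLine": "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet & wbadmin DELETE CATALOG -quiet\""}
{"UtcTime": "2020-02-20 03:16:43.402", "Computer": "FS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"UtcTime": "2020-02-20 03:17:01.009", "Computer": "WS22", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -NoP -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""}
{"UtcTime": "2020-02-20 03:20:15.550", "Computer": "WS22", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic shadowcopy list brief"}
"""

if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_EVENTS):
        print(f"{f['UtcTime']} {f['Computer']} {f['User']} "
              f"{', '.join(f['techniques'])}: {f['CommandLine']}")
```

Running the block prints the three tampering events and skips the two benign queries. In practice the parent image is what separates an administrator's scheduled cleanup from an intrusion: a shadow-copy deletion spawned by an executable in a user's Temp directory, as in the second sample event, deserves an immediate response rather than a ticket.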

Analysts believe that the Ryuk source code is largely derived from
Hermes, which is a product of North Korea's Lazarus Group. However,
that doesn't mean that the Ryuk attacks themselves were run from North
Korea; McAfee believes that Ryuk was built on code purchased from a
Russian-speaking supplier, in part because the ransomware will not
execute on computers whose language is set to Russian, Belarusian, or
Ukrainian. How this Russian source acquired the code from North Korea
is unclear.

3. PureLocker

PureLocker is a new ransomware variant that was the subject of a paper
jointly put out by IBM and Intezer in November 2019. Operating on
either Windows or Linux machines, PureLocker is a good example of the
new wave of targeted malware. Rather than taking root on machines via
broad-range phishing attacks, PureLocker appears to be linked to
more_eggs, a backdoor used by several well-known cyber-criminal
gangs. In other words, PureLocker is installed on
machines that have already been compromised and are fairly well
understood by their attackers, and then proceeds to make a number of
checks on the machine where it finds itself before executing, rather
than opportunistically encrypting data wherever it can.


While IBM and Intezer didn't disclose how widespread PureLocker
infections were, they did reveal that most took place on enterprise
production servers, which are obviously high-value targets. Because of
the high-skill human control this kind of attack entails, Intezer
security researcher Michael Kajiloti believes that PureLocker is a
ransomware as a service offering that's only available to criminal
gangs who can pay well up front.

4. Zeppelin

Zeppelin is an evolutionary descendant of the family known as Vega
or VegaLocker, a ransomware-as-a-service offering that wreaked havoc
across accounting firms in Russia and Eastern Europe. Zeppelin has
some new technical tricks up its sleeve, especially when it comes to
configurability, but what makes it stand out from the Vega family is
its targeted nature. Where Vega spread somewhat indiscriminately and
mostly operated in the Russian-speaking world, Zeppelin is
specifically designed to not execute on computers running in Russia,
Ukraine, Belarus, or Kazakhstan. Zeppelin can be deployed in a number
of ways, including as an EXE, a DLL, or a PowerShell loader, but it
appears that at least some of its attacks came via compromised managed
security service providers, which ought to send a chill down anyone's
spine.

Zeppelin began to appear on the scene in November 2019, and as more
proof of its difference from Vega, its targets seemed carefully
chosen. Victims were mostly in the health care and technology
industries in North America and Europe, and some of the ransom notes
were written to specifically address the infected target organization.
Security experts believe the shift from Vega's behavior is the result
of the codebase being used by a new and more ambitious threat actor,
probably in Russia; while the number of infections isn't that high,
some believe what we've seen so far has been a proof of concept for a
larger set of strikes.

5. REvil/Sodinokibi

Sodinokibi, also known as REvil, first emerged in April of 2019. Like
Zeppelin, Sodinokibi appeared to be the descendant of another malware
family, this one called GandCrab; it also had code that prevented it
from executing in Russia and several adjacent countries, as well as
Syria, indicating that its origin is in that region. It had several
methods of propagation, including exploiting holes in Oracle WebLogic
servers (the CVE-2019-2725 deserialization flaw) and the Pulse Connect
Secure VPN (CVE-2019-11510).

Sodinokibi's spread again indicated an ambitious command and control
team behind it, probably as a ransomware as a service offering. It was
responsible for crippling 22 Texas local governments in a single
coordinated attack in August 2019, but it truly hit notorious status on
New Year's Eve 2019 when it took down the UK currency exchange service
Travelex, forcing airport kiosks to resort to pen and paper and leaving
customers in limbo. The attackers demanded a stunning $6 million ransom,
which the company refuses to confirm or deny it paid.

When I asked Juniper's Hahad for his pick for the worst ransomware of
2019, Sodinokibi was his choice, because of an extra twist that
Sodinokibi's controllers put into their attacks. "The one thing that
really makes this a little bit special is that this particular group
has taken on a new approach of not only telling people, 'You're not
going to get your data back if you do not pay the ransom,' but also,
'We are going to publish that confidential data on the web or sell it
in an underground forum to whomever is the highest bidder.' That takes
the ransomware approach to the next level in their business model."
This is a huge departure from the usual ransomware model — after all,
one of its big advantages is that you can lock down your victim's data
without going through the difficult process of exfiltrating it — but
they've already followed through on the threat at least once. The new
era of hyper-targeted, custom-tailored ransomware appears to be
reaching new and dangerous depths.


More information about the BreachExchange mailing list