[BreachExchange] 7 Ransomware Trends: Gangs Join Forces, Auction Stolen Data

Destry Winant destry at riskbasedsecurity.com
Tue Jun 9 09:47:06 EDT 2020


Ransomware gangs continue to innovate. Indeed, barely a day seems to
go by without news of yet another high-profile victim of
crypto-locking malware coming to light.


In just the past week, for starters, reports have emerged of a
collaboration between the Maze and Lockbit gangs, as well as the REvil
- aka Sodinokibi - operators not leaking stolen data for free when
victims don't pay, but instead auctioning it off to the highest
bidder. And despite the ongoing COVID-19 pandemic, many gangs have
continued to pummel the healthcare sector and its suppliers.

Here are seven of the latest ransomware trends.

1. Maze Offers 'Data Leaking as a Service'

The Maze ransomware gang was the first to begin not just
crypto-locking systems, but also stealing and leaking data, to try to
force victims to pay. Since Maze began using this tactic in October
2019, about a dozen other gangs or ransomware-as-a-service operations
have followed suit, including Nefilim, Sekhmet and REvil (see:
Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

The leak sites appear to be a response to fewer victims paying ransoms
to attackers. "The reason that they're creating leak sites is because
the message got across, right?" says Raj Samani, chief scientist at
McAfee. "People, I believe, were paying less and less."

Continuing to be a trendsetter, Maze has now gone a step further, and
begun collaborating with the Lockbit gang, by posting data stolen by
Lockbit to Maze's dedicated leaks site, according to IBM X-Force
researchers. The group didn't previously have a data-leaking site.

The move could be part of a bid by Maze to offer
data-leaking-as-a-service to other ransomware gangs, via Maze's
relatively high-profile data-leaking site.

"We do not have any specific information on what Maze is receiving for
providing this service to other groups, but we strongly suspect that
they are getting a percentage of any payment that the victims make in
response to the data being posted on the Maze site," says Ole
Villadsen, a cyberthreat hunt analyst for IBM X-Force IRIS.

But Maze has continued to expand its leaking syndicate, and by Monday
had begun hosting leaks from the RagnarLocker gang, which previously
dumped data using the Mega file-sharing site, reports the Ransom Leaks
account on Twitter, which tracks ransomware gangs. "RagnarLocker's
leak site was hosting leaks on http://mega.nz which leaves them
vulnerable to takedowns," it reports. "Hosting on Maze's
infrastructure means they don't have to worry about it and they can
retire their WordPress site."

2. Fresh Shakedown Play: Auctioning Stolen Data

Another innovation that's come to light in recent days is not leaking
data, but instead auctioning it for sale to the highest bidder.

Last week, the operators behind the ransomware-as-a-service operation
REvil began auctioning data that the gang claims was stolen from
Canadian agricultural company Agromart Group, which includes Sollio
Agriculture, and promised there would soon be more victims to

"While ransomware groups have likely sold and traded data in the past,
this is the first time that it has actually been sold in an organized
auction - but it will probably not be the last time," Emsisoft threat
analyst Brett Callow tells Information Security Media Group.

"Selling the data in this way not only provides the criminals with an
additional option for monetization, it also puts additional pressure
on future victims," he says. "The prospect of their data being
auctioned and sold to competitors or other criminal enterprises is
likely to concern companies more than the prospect of it simply being
posted on an obscure Tor site."

On the other hand, a shakedown is a shakedown, right? "While there is
no substantive difference, I suspect companies may feel more pressured
by the prospect of their data being auctioned," Callow adds.

That proposition is set to be further tested, as REvil in recent days
has begun data auctions for two more alleged victims: Fraser Wheeler &
Courtney LLP, based in Lake Charles, Louisiana; and Vierra Magen
Marcus LLP, in Daly City, California. Neither law firm immediately
responded to a request for comment.

3. Targeted Ransomware Attacks Continue

Ransomware attacks typically fall into one of two buckets, says
incident response expert David Stubley, who heads Edinburgh,
Scotland-based security testing firm and consultancy 7 Elements. Some
attackers practice "smash and grab," gaining access to a network,
infecting a bunch of endpoints and then moving on, he says. But other
attackers are more advanced, and spend their time conducting
reconnaissance, gathering credentials, studying potential avenues for
hitting business partners and more.

Attackers wielding any strain of malware may also bring more advanced
moves to bear, including "living off the land" tactics - using
legitimate network administration tools to help escape detection (see:
10 Ransomware Strains Being Used in Advanced Attacks).

But some types of ransomware appear to get used only for targeted
attacks. For example, researchers at BlackBerry and KPMG's UK Cyber
Response Services have just released a joint report into Tycoon, a
strain of ransomware that uses a Trojanized Java runtime environment
to hit both Windows and Linux systems. Security researchers say the
ransomware has been seen in attacks targeting organizations in the
education and software development sectors, since last December.

"To deploy this ransomware, the threat actor needs to establish a
foothold into the organization, do reconnaissance, identify targets
and gain access," Eric Milam, vice president of threat intelligence at
BlackBerry, tells ISMG (see: Report: Tycoon Ransomware Targets
Windows, Linux Systems).

4. Healthcare Keeps Getting Hit

Despite the pandemic, and some ransomware gangs pledging not to hit
healthcare organizations, security experts say they've seen no
cessation in attacks targeting the sector. In fact, the healthcare
sector may be getting hit more than ever before (see: No COVID-19
Respite: Ransomware Keeps Pummeling Healthcare).

Two more ransomware attacks against healthcare organizations that have
recently come to light involved incidents at Woodlawn Dental Center in
Cambridge, Ohio; and Mat-Su Surgical Associates in Palmer, Alaska.
Both incidents potentially involved attackers stealing sensitive data
and were reported to the Department of Health and Human Services'
Office for Civil Rights.

5. More Free Decryptors

The "Billy the Puppet" image used for the original Jigsaw ransomware
variant's ransom demand.

Thankfully, the current ransomware story isn't all doom and gloom.

The No More Ransom project, which provides free decryptors for a
number of strains of ransomware, recently added free decryptors for
JavaLocker and Vcryptor ransomware.

Also in recent days, Emsisoft released a free decryptor for RedRum
ransomware, which it says "encrypts victim's files using AES256 GCM
and RSA-1024, adding the extension ".id-.[].redrum" to files."

Emsisoft has also released an updated decryptor for Jigsaw, giving it
the ability to decrypt the .ElvisPresley variant. (Jigsaw can include a
range of filenames, including .fun but also .gdpr and .payransom,
among many others.) The firm also updated its Mapol ransomware
decryptor, adding coverage for more varieties.

Security experts recommend ransomware victims use both No More Ransom
as well as ID Ransomware, maintained by Emsisoft employee Michael
Gillespie (@demonslay335), to identify the strain of ransomware with
which they've been hit, to see if free decryptors or workarounds might
be available to restore encrypted data.

Raj Samani (@Raj_Samani), on Twitter:

"More reasons to Not Pay #ransomware demands. The #NoMoreRansom site
has more decryption tools - with #JavaLocker & #Vcryptor now covered.
Also #Jigsaw & #Mapol decryptors updated H/T @emsisoft @ElevenPaths
https://www.nomoreransom.org/en/decryption-tools.html
#malware #cybersecurity #DontPay"

No More Ransom offers this via the site's "Crypto Sheriff" page, while
ID Ransomware offers it from the homepage. Both services allow victims
to upload an encrypted file for identification, while ID Ransomware
also gives victims the ability to upload a ransom note for
identification purposes.

6. Unfixed Flaws Get Exploited by Others

Unfortunately, security experts haven't cracked every strain of
ransomware in use, meaning there aren't free decryptors for many
strains of crypto-locking malware. But that may only be part of the
problem for an organization that discovers its systems have been
forcibly encrypted, with a gang demanding a ransom in return for the
promise of a decryption key or decryptor tool.

Indeed, experts have long warned that many successful ransomware
attacks must be seen as being part of a bigger incident response
challenge (see: Surviving a Breach: 8 Incident Response Essentials).

Namely, many breaches do not begin or end with ransomware. Before
infecting systems with crypto-locking malware, attackers may have
gained remote access to the network via brute-forced remote desktop
protocol credentials or a phishing attack. Then they may have spent
weeks or months leapfrogging to other systems, conducting
reconnaissance, potentially stealing administrator-level access
credentials for Active Directory as well as stealing sensitive data to
potentially leak it later if victims do not immediately pay.

Even after a company experiences a ransomware outbreak, the current
attackers may not be finished, and new attackers may come calling to
try and find weaknesses the company hasn't yet fixed.

"Toll Group was attacked a second time because it failed to secure its
network after the first attack," Emsisoft's Callow says, referring to
the Australian shipping giant, which got hit by a Netwalker - aka
Mailto - attack in March, only to get hit about six weeks later by the
Nefilim gang. Likewise, mailing equipment manufacturer Pitney Bowes
was recently hit by a ransomware attack - it's blamed Maze - after
being previously hit by ransomware in October 2019, reportedly by

7. Gangs May Still Be Camped Out

Sometimes, attackers remain camped out in victims' networks after
hitting them with ransomware. For victims, one challenge can be that
attackers can eavesdrop on their post-breach response plans. Recently,
for example, "REvil and Maze seemingly continued to have post-incident
access to Agromark and ST Engineering's networks," Callow says.

In the latter attack, Singapore-based defense contractor ST
Engineering has confirmed that its North American subsidiary VT San
Antonio Aerospace was hit by the Maze ransomware gang. ST Engineering
hasn't said when the attack began. Documents subsequently leaked by
attackers, however, include an incident response report - suggesting
that attackers continued to enjoy remote access to systems - saying
the firm's systems were crypto-locked by attackers on March 7. But the
veracity of the leaked data - which may have been altered by Maze -
could not be confirmed.

REvil's leak site includes an auction for data allegedly stolen from
Sollio Agriculture's Agromark Group before its systems were
crypto-locked. (Source: Emsisoft)

Similarly, in the case of Sollio Agriculture's Agromark Group, REvil
has leaked a June 2 email that appears to be an internal company
communication detailing how the company is responding to the
ransomware infection, including by crafting an internal communications
message, speaking with attorneys and "talking with a consultant to
better understand the profile of the pirats' [sic] Twitter account and
take some defensive measures."

The internal email adds in red text: "Do not forward this email."

Sollio Agriculture didn't immediately respond to a request for comment
about the veracity of the leaked data, when it detected the attack or
when it was remediated.
