“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Ransomware should be a primary concern for any organization. It requires increasing investment to secure data and protect business operations from attacks that continue to hit multiple sectors, including healthcare and local and state government. The financial sector continues to be hard hit due to the large and growing use of web and mobile applications for banking transactions and payments.
Just when it appeared that ransomware was on a downward spiral, new trends show otherwise. We previously reported that ransomware attacks were on the decline; however, by mid-2019 that trend had reversed drastically. McAfee reports that new ransomware attacks grew 118% between 2018 and 2019. A six-month look at global trends shows that ransomware is on a roller coaster ride, with reported attacks spiking at the end of August and the beginning of September.
The factors responsible for the return to popularity include:
Ransomware has matured as a category of malware, with the top families employing advanced designs and complex algorithms. While the number of ransomware families has dwindled, various families have forked and the strongest have survived. In 2019, approximately twenty larger ransomware families have continued to dominate and improve. In September alone, the BlueVoyant Threat Fusion Cell recognized six new top ransomware variants.
Ransomware Attack Vectors
Ransomware Business Model
Ransomware as a Service (RaaS) has become the preferred method of monetization for ransomware developers. Given the recent high demand for ransomware, creative cyber-criminal entrepreneurs followed this industry trend and created RaaS models. Ransomware developers hire affiliates to spread and distribute the ransomware, sharing a portion of the proceeds with the affiliates while keeping the larger portion for themselves. This increases the chances of infection, as targeting is spread across multiple affiliate teams using multiple attack vectors.
Ransomware developers are also incorporating additional functionality within the ransomware itself, for example stealing sensitive information to create other monetization opportunities, and including disk wipers to increase the damage inflicted.
Some notable ransomware in September 2019 includes:
REVIL/SODIN: After raking in approximately $2 billion in ransom payments, and after the release of a free decryption tool, the group behind GandCrab announced their retirement earlier in the year; however, strong evidence suggests that the code is still in use in REvil/Sodin/Sodinokibi. The attackers have been observed exploiting Oracle WebLogic servers, conducting RDP attacks and, of course, running phishing campaigns.
ROBBINHOOD: Operators behind the RobbinHood ransomware have changed the tone of their ransom notes, attempting to rob victims of any hope of decrypting files for free. The new messages are reported to be “boastful” and “arrogant” and point to previous incidents in which victims paid much more than the ransom demand when trying to recover the encrypted data on their own. To make sure victims get the message, the cybercriminals direct them to search for two incidents earlier this year involving RobbinHood: one that affected systems in Greenville, North Carolina, and the more famous one on 7 May that impacted the servers of the City of Baltimore.
According to CBS Baltimore in June, the city "put more than $18 million into the attack." In more recent news, the administration voted at the end of August to spend $6 million on "cyber-attack remediation and hardening of the environment," the Baltimore Sun reports. It should be noted, though, that a bill this large was not only RobbinHood's doing: how the incident was managed and the poor security defenses in place before the attack are the main reasons for the high costs.
HDDCRYPTOR/MAMBA RANSOMWARE: Trend Micro spotted a new variant of HDDCryptor (AKA Mamba), which is known to use DiskCryptor to encrypt local disks and network files and to overwrite the Master Boot Record (MBR). Iterations of the ransomware were previously seen in attacks against the San Francisco Municipal Transport Agency (SFMTA) in 2016 and against a number of victims in Brazil and Saudi Arabia in 2017.
The new variant now contains a modified DiskCryptor component that can encrypt resources in network shares such as entire drives, folders, files, printers, and serial ports. Worryingly, some adversaries deploying ransomware are now scanning and attempting to recognize and identify backups and destroy those too. Experts advise organizations to avoid storing backups in the same physical location as, or connected to, production or development systems.
BlueVoyant recommends the use of a trusted third-party backup. At the very least, the backup connection needs to be completely severed from the production network to ensure security. Experts also caution against cloud-based backups such as those hosted on AWS or Azure.