Ransomware Continues the Upward Swing
“Life in the SOC” is a blog series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Ransomware should be a primary concern for any organization. It requires increasing investment to secure data and protect business operations from attacks that continue to hit multiple sectors, including healthcare and local and state governments. The financial sector continues to be hard hit because of the large and growing use of web and mobile applications for banking transactions and payments.
Just when it appeared that ransomware was on a downward spiral, new trends show otherwise. We previously reported that ransomware attacks were on the decline; however, by mid-2019 that trend had reversed drastically. McAfee reports that new ransomware attacks grew 118% between 2018 and 2019. A six-month look at global trends shows that ransomware is on a roller coaster ride. Reported attacks spiked at the end of August and the beginning of September.
The factors responsible for the return to popularity include:
- High Visibility - Successful ransomware attacks can result in very large ransom demands. This makes headlines and helps the developers gain notoriety.
- Low Time Investment - After a successful ransomware attack, the attacker merely waits for the victim to respond and begin making payment.
- It’s Effective! - Mature ransomware is very capable, and some families/variants can move laterally within an organization, sometimes completely locking down the entire environment.
Ransomware has matured as a category of malware, with the top families employing advanced designs and complex algorithms. While the number of ransomware families has dwindled, various families have forked and the strongest have survived. 2019 is seeing approximately twenty larger ransomware families that have continued to dominate and improve. In September alone, the BlueVoyant Threat Fusion Cell recognized six new top ransomware variants.
Ransomware Attack Vectors
- Phishing: This is the most common delivery vector for ransomware. In phishing campaigns, ransomware is typically dropped onto the targeted machine using a malicious attachment.
- Pirated Software/Media: In this type of campaign, the ransomware 'piggybacks' onto an endpoint hidden in a modified software installer package and is delivered when the software is downloaded and opened.
- Distribution through Other Malware: Many ransomware families have been using exploit kits (EKs), bots, and trojans (Emotet) to gain access. Using other weaponization techniques, attackers can come from all directions, and the delivery malware helps the ransomware spread, allowing encryption of entire organizations. Using other malware for infection can also aid in stealing credentials and pinpointing high-value targets within the organization. Additionally, the stealer capabilities of other malware allow theft of sensitive information, which can be used both for additional attacks and for profit on underground markets.
Ransomware Business Model
Ransomware as a Service (RaaS) has become the preferred method of monetization for ransomware developers. Given the recent high demand for ransomware, creative cyber-criminal entrepreneurs followed this industry trend and created RaaS models. Ransomware developers hire affiliates to spread and distribute ransomware. They share a portion of the proceeds with the affiliates, while keeping the larger portion for themselves. This increases the chances of infection as the targets and attackers are spread over various teams using multiple attack vectors.
Ransomware is also incorporating additional functionality within the malware itself, for example stealing sensitive information for other monetization opportunities. Ransomware developers are also including disk wipers to increase the damage inflicted.
Some notable ransomware in September 2019 includes:
REVIL/SODIN: After raking in approximately $2 billion in ransom payments, and the release of a free decryption tool, the group behind GandCrab announced their retirement earlier in the year; however, strong evidence suggests that the code is still in use in REvil/Sodin/Sodinokibi. The attackers have been observed exploiting Oracle WebLogic servers, RDP attacks, and of course, phishing campaigns.
ROBBINHOOD: Operators behind the RobbinHood ransomware have changed the tone of ransom notes attempting to rob victims of all hope of decrypting files for free. The new messages are reported to be “boastful” and “arrogant” and point to previous incidents which resulted in victims paying much more than the ransom demand when trying to recover the encrypted data on their own. To make sure victims get their message, the cybercriminals direct them to search for two incidents earlier this year involving RobbinHood, which affected systems in Greenville, North Carolina, and the more famous one on 7 May impacting the servers of the City of Baltimore.
According to CBS Baltimore in June, the city "put more than $18 million into the attack." In more recent news, the administration voted at the end of August to spend $6 million on "cyber-attack remediation and hardening of the environment," reports the Baltimore Sun. It should be noted, though, that a bill this large was not only RobbinHood's doing. How the incident was managed and the poor security defenses before the attack are the main reasons for the high costs.
HDDCRYPTOR/MAMBA RANSOMWARE: Trend Micro spotted a new variant of HDDCryptor (AKA Mamba), which has been known to use DiskCryptor to encrypt disk and network files and overwrite the Master Boot Record (MBR). Iterations of the ransomware were previously seen in attacks against the San Francisco Municipal Transport Agency (SFMTA) in 2016 and a number of victims in Brazil and Saudi Arabia in 2017.
The new variant now contains a modified DiskCryptor component that can encrypt resources in network shares such as entire drives, folders, files, printers, and serial ports. Worryingly, some adversaries deploying ransomware are now scanning and attempting to recognize and identify backups and destroy those too. Experts advise organizations to avoid storing backups in the same physical location as, or connected to, production or development systems.
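Because HDDCryptor/Mamba overwrites the Master Boot Record, one cheap defensive control is to baseline the 512-byte MBR of each boot disk while it is known-good and periodically re-check it: a changed hash, a missing 55AA boot signature or an emptied partition table is a strong signal that the sector has been tampered with. The following Python is an added example written for this post, not BlueVoyant's or Trend Micro's code; the sample MBR bytes and the tampered sector are constructed inline so the check runs offline, and the `read_mbr` helper is a hypothetical wrapper for reading sector 0 of a real device.

```python
"""Baseline-and-verify check for a Master Boot Record (MBR).

Added example (not from the original post). A defender baselines sector 0 of
a boot disk while it is known-good and later detects any change, which is the
kind of modification HDDCryptor/Mamba makes. The MBR bytes below are
constructed for illustration only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device_path: str) -> bytes:
    """Hypothetical helper: read sector 0 of a block device (needs admin rights)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY_FMT, mbr, off
        )
        if ptype != 0:  # type 0 marks an unused entry
            entries.append(
                {"bootable": status == 0x80, "type": ptype,
                 "lba_start": lba_start, "sectors": sectors}
            )
    return entries


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the whole sector; store this while the disk is known-good."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append(f"unexpected sector length {len(mbr)}")
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if mbr_fingerprint(mbr) != baseline_hash:
        findings.append("MBR hash differs from baseline")
    if not parse_partition_table(mbr):
        findings.append("partition table empty")
    return findings


def make_sample_mbr() -> bytes:
    """Constructed known-good MBR: short boot stub, one bootable NTFS-type partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PARTITION_TABLE_OFFSET - 7)
    part1 = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    empty_entry = b"\x00" * 16
    return boot_code + part1 + empty_entry * 3 + BOOT_SIGNATURE


def make_tampered_mbr() -> bytes:
    """Constructed tampered sector: boot code replaced, partition table and signature wiped."""
    return b"\xcc" * PARTITION_TABLE_OFFSET + b"\x00" * 64 + b"\x00\x00"


if __name__ == "__main__":
    baseline = mbr_fingerprint(make_sample_mbr())
    print("known-good:", check_mbr(make_sample_mbr(), baseline) or "OK")
    print("tampered:  ", check_mbr(make_tampered_mbr(), baseline))
```

In practice the baseline hash is recorded out-of-band (for example in the same isolated store as the backups the post recommends), and the periodic check runs from an endpoint agent or scheduled task; a hash mismatch on a disk that has not had a legitimate bootloader update is worth an immediate investigation.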
BlueVoyant recommends the use of a trusted third-party backup. At the very least, the connection needs to be completely severed from the production network to ensure security. Experts caution against cloud-based backups such as AWS or Azure, etc.