Recent ransomware attacks define the malware's new age

By 2018 the ransomware boom seemed to have peaked. But over the past 24 months, shifts in attacker tactics have produced a resurgence of ransomware attacks.

Analysts believe that the Ryuk source code is largely derived from Hermes, which is a product of North Korea's Lazarus Group. However, that doesn't mean that the Ryuk attacks themselves were run from North Korea; McAfee believes that Ryuk was built on code purchased from a Russian-speaking supplier, in part because the ransomware will not execute on computers whose language is set to Russian, Belarusian, or Ukrainian. How this Russian source acquired the code from North Korea is unclear.

3. PureLocker

PureLocker is a new ransomware variant that was the subject of a paper jointly put out by IBM and Intezer in November 2019. Operating on either Windows or Linux machines, PureLocker is a good example of the new wave of targeted malware. Rather than taking root on machines via broad-range phishing attacks, PureLocker appears to be associated with more_eggs, a backdoor malware associated with several well-known cyber-criminal gangs. In other words, PureLocker is installed on machines that have already been compromised and are fairly well understood by their attackers, and then proceeds to make a number of checks on the machine where it finds itself before executing, rather than opportunistically encrypting data wherever it can.

While IBM and Intezer did not disclose how widespread PureLocker infections were, they did reveal that most took place on enterprise production servers, which are obviously high-value targets. Because of the high-skill human control this kind of attack entails, Intezer security researcher Michael Kajiloti believes that PureLocker is a ransomware-as-a-service offering available only to criminal gangs who can pay well up front.

4. Zeppelin

Zeppelin is an evolutionary descendant of the family known as Vega or VegaLocker, a ransomware-as-a-service offering that wreaked havoc across accounting firms in Russia and Eastern Europe. Zeppelin has some new technical tricks up its sleeve, especially when it comes to configurability, but what makes it stand out from the Vega family is its targeted nature. Where Vega spread somewhat indiscriminately and mostly operated in the Russian-speaking world, Zeppelin is specifically designed not to execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Zeppelin can be deployed in a number of ways, including as an EXE, a DLL, or a PowerShell loader, but at least some of its attacks appear to have come via compromised managed security service providers, which ought to send a chill down anyone's spine.

Zeppelin began to appear on the scene in November 2019, and as further proof of its difference from Vega, its targets seemed carefully chosen. Victims were mostly in the health care and technology industries in North America and Europe, and some of the ransom notes were written to specifically address the infected target organization. Security experts believe the shift from Vega's behavior is the result of the codebase being used by a new and more ambitious threat actor, probably in Russia; while the number of infections is not that high, some believe what has been seen so far is a proof of concept for a larger set of strikes.

5. REvil/Sodinokibi

Sodinokibi, also known as REvil, first emerged in April 2019. Like Zeppelin, Sodinokibi appeared to be the descendant of another malware family, this one called GandCrab; it also carried code that prevented it from executing in Russia and several adjacent countries, as well as Syria, indicating that its operators are based in that region. It had several methods of propagation, including exploiting holes in Oracle WebLogic servers (the deserialization flaw tracked as CVE-2019-2725) and the Pulse Connect Secure VPN (the pre-authentication file read tracked as CVE-2019-11510).
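The language check mentioned for Ryuk, Zeppelin and Sodinokibi above operates on Windows language identifiers. The following is an added illustration, not code from any of those families or from the researchers cited: it decodes the primary-language bits of a Windows LANGID, compares them against an exclusion list, and on Windows gathers the values such a gate could consult (UI language, user locale, installed keyboard layouts). The LANG_* constants are Microsoft's; the exclusion list, the source names, the sample host and the assumption that any single match aborts execution are assumptions for this example, since the real lists and the exact APIs queried vary by family.

```python
import sys

# Low 10 bits of a Windows LANGID (and of an LCID) hold the primary language.
# Values are Microsoft's LANG_* constants.
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_KAZAKH = 0x3F
PRIMARY_LANG_MASK = 0x3FF

# Assumed exclusion list for illustration; the real lists differ by family.
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAKH}


def primary_language(langid: int) -> int:
    """Strip the sublanguage bits: ru-RU (0x0419) and ru-MD (0x0819) both yield 0x19."""
    return langid & PRIMARY_LANG_MASK


def matching_sources(langids: dict) -> list:
    """Return the names of the sources whose LANGID(s) fall in the exclusion list.

    `langids` maps a source name (e.g. "ui_language", "keyboard_layouts")
    to a single int or a list of ints.
    """
    hits = []
    for source, value in langids.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        if any(primary_language(v) in EXCLUDED_PRIMARY_LANGS for v in values):
            hits.append(source)
    return hits


def would_abort(langids: dict) -> bool:
    """Assumed gate behaviour: exit if any consulted source matches."""
    return bool(matching_sources(langids))


def windows_langids() -> dict:
    """Collect the values such a check can consult via Win32 (Windows only)."""
    import ctypes
    k32, u32 = ctypes.windll.kernel32, ctypes.windll.user32
    count = u32.GetKeyboardLayoutList(0, None)
    layouts = (ctypes.c_void_p * count)()
    u32.GetKeyboardLayoutList(count, layouts)
    return {
        "ui_language": k32.GetUserDefaultUILanguage(),
        "user_locale": k32.GetUserDefaultLangID(),
        # The low word of an HKL is the input language identifier.
        "keyboard_layouts": [(h or 0) & 0xFFFF for h in layouts],
    }


# Constructed sample: an en-US host on which a Ukrainian keyboard layout was added.
SAMPLE_HOST = {
    "ui_language": 0x0409,
    "user_locale": 0x0409,
    "keyboard_layouts": [0x0409, 0x0422],
}

if __name__ == "__main__":
    ids = windows_langids() if sys.platform == "win32" else SAMPLE_HOST
    print("matching sources:", matching_sources(ids), "abort:", would_abort(ids))
```

Because the primary-language mask ignores the sublanguage, a Moldovan-Russian locale is excluded just as a Russian-Russian one is. The keyboard-layout source is why adding an excluded layout is sometimes suggested as a cheap "vaccine"; treat that as a curiosity rather than a control, since it only helps against samples that consult layouts at all and the check costs the operators nothing to drop.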

Sodinokibi's spread again indicated an ambitious command-and-control team behind it, probably operating as a ransomware-as-a-service offering. It was responsible for shutting down 22 Texas local governments in August 2019, but it truly reached notoriety on New Year's Eve 2019 when it took down the UK currency exchange service Travelex, forcing airport kiosks to resort to pen and paper and leaving customers in limbo. The attackers demanded a stunning $6 million ransom, which the company has refused to confirm or deny paying.

When I asked Juniper's Hahad for his pick for the worst ransomware of 2019, Sodinokibi was his choice, because of an extra twist that Sodinokibi's controllers put into their attacks. "The one thing that really makes this a little bit special is that this particular group has taken on a new approach of not only telling people, 'You're not going to get your data back if you do not pay the ransom,' but also, 'We are going to publish that confidential data on the web or sell it in an underground forum to whomever is the highest bidder.' That takes the ransomware approach to the next level in their business model." This is a significant departure from the usual ransomware model, one of whose advantages for the attacker is that a victim's data can be locked up without the slow and more easily detected work of exfiltrating it; even so, the group has already followed through on the threat at least once. The new era of hyper-targeted, custom-tailored ransomware appears to be reaching new and dangerous depths.
