Recent ransomware attacks define the malware's new age
- 24 February, 2020 11:27
Ransomware, a type of malware that holds data for ransom, has been around for years. In 1991, a biologist spread PC Cyborg, the first ransomware, by sending floppy disks via surface mail to other AIDS researchers, for instance. In the mid '00s Archiveus was the first ransomware to use encryption, though it's long ago been defeated and you can find its password on its Wikipedia page. In the early 2010s, a series of "police" ransomware packages appeared, so called because they purported to be warnings from law enforcement about the victims' illicit activities and demanded payment of "fines"; they began to exploit the new generation of anonymous payment services to better harvest payments without getting caught.
In the 2010s, a new ransomware trend emerged: the use of cryptocurrencies as the ransom payment method of choice by cybercriminals. The appeal to the extortionists is obvious, as cryptocurrencies are specifically designed to provide an untraceable, anonymous payment method. Most ransomware gangs demanded payment in bitcoin, the most high-profile cryptocurrency, although some began shifting their demands to other currencies as bitcoin's popularity made its value more volatile.
Attacks shot up in the middle of the 2010s to crisis levels. But by 2018, the ransomware boom seemed to be on its way out, in favor of another illicit way to snag bitcoin that didn't require victims to figure out what a bitcoin wallet was: cryptojacking. Cryptojackers follow the script that spammers and DDoS attackers have been using for years: surreptitiously gaining control of computers without their owners knowing. In the case of cryptojacking, the compromised machines become bitcoin mining rigs, quietly generating cryptocurrency in the background and eating up idle computing cycles while the victim is none the wiser. Ransomware attacks declined over the course of 2018, while cryptojacking attacks shot up by 450 percent.
Ransomware attacks today
Over the past two years, however, ransomware has come back with a vengeance. Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks, sees two big drivers behind this trend. The first has to do with the vagaries of cryptocurrency pricing. Many cryptojackers were using their victims' computers to mine the open source Monero currency; with Monero prices dropping, "at some point the threat actors will realize that mining cryptocurrency was not going to be as rewarding as ransomware," says Hahad. And because the attackers had already compromised their victim's machines with Trojan downloaders, it was simple to launch a ransomware attack when the time was right. "I was honestly hoping that that prospect would be two to three years out," says Hahad, "but it took about a year to 18 months for them to make that U-turn and go back to their original attack."
The other trend was that more attacks focused on striking production servers that hold mission-critical data. "If you get a random laptop, an organization may not care as much," says Hahad. "But if you get to the servers that fuel their day-to-day business, that has so much more grabbing power."
These kinds of attacks require more sophistication — not necessarily in terms of the ransomware code itself, but in the skills needed by the attackers to infiltrate better protected systems to install the malware. "A spray and pray type of tactic isn't going to give them a lot of return on investment," says Hahad. "More targeted attacks with good lateral movement capability are going to get them there, and most of the time that lateral movement is not automatic. It's really about gaining initial intrusion points and then somebody manually going in there and sniffing around the network, moving files around, escalating privileges, getting credentials for some admin potentially to access another machine remotely."
With that in mind, let's take a look at the worst offenders in this new age of ransomware.
5 ransomware families: Their attack targets and methods
Attacks using software known as SamSam started appearing in late 2015, but really ramped up in the next few years, gaining some high-profile scalps, including the Colorado Department of Transportation, the City of Atlanta, and numerous health care facilities. SamSam is the perfect example of how attackers' organizational prowess is as important as their coding skills. SamSam doesn't indiscriminately look for some specific vulnerability, as some other ransomware variants do, but rather operates as ransomware-as-a-service whose controllers carefully probe pre-selected targets for weaknesses, with the holes it has exploited running the gambit from vulnerabilities in IIS to FTP to RDP. Once inside the system, the attackers dutifully work to escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.
Although the initial belief among security researchers was that SamSam had an Eastern European origin, the overwhelming majority of SamSam attacks targeted institutions within the United States. In late 2018, the United States Department of Justice indicted two Iranians that they claim were behind the attacks; the indictment said that those attacks had resulted in over $30 million in losses. It's unclear how much of that figure represents actual ransom paid; at one point the Atlanta city officials provided local media with screenshots of ransom messages that included information on how to communicate with the attackers, which led them to shut that communications portal down, possibly preventing Atlanta from paying ransom even if they wanted to.
Ryuk is another targeted ransomware variant that hit big in 2018 and 2019, with its victims being chosen specifically as organizations with little tolerance for downtime; they include daily newspapers and a North Carolina water utility struggling with the aftermath of Hurricane Florence. The Los Angeles Times wrote a fairly detailed account of what happened when their own systems were infected. One particularly devious feature in Ryuk is that it can disable the Windows System Restore option on infected computers, making it all the more difficult to retrieve encrypted data without paying a ransom. Ransom demands were particularly high, corresponding to the high-value victims that the attackers targeted; a holiday season wave of attacks showed that the attackers weren't afraid to ruin Christmas to achieve their goals.
Read more on the next page...
Analysts believe that the Ryuk source code is largely derived from Hermes, which is a product of North Korea's Lazarus Group. However, that doesn't mean that the Ryuk attacks themselves were run from North Korea; McAfee believes that Ryuk was built on code purchased from a Russian-speaking supplier, in part because the ransomware will not execute on computers whose language is set to Russian, Belarusian, or Ukrainian. How this Russian source acquired the code from North Korea is unclear.
PureLocker is a new ransomware variant that was the subject of a paper jointly put out by IBM and Intezer in November 2019. Operating on either Windows or Linux machines, PureLocker is a good example of the new wave of targeted malware. Rather than taking root on machines via broad-range phishing attacks, PureLocker appears to be associated with more_eggs, a backdoor malware associated with several well-known cyber-criminal gangs. In other words, PureLocker is installed on machines that have already been compromised and are fairly well understood by their attackers, and then proceeds to make a number of checks on the machine where it finds itself before executing, rather than opportunistically encrypting data wherever it can.
While IBM and Intezer didn't disclose how widespread PureLocker infections were, they did reveal that most took place on enterprise production servers, which are obviously high-value targets. Because of the high-skill human control this kind of attack entails, Intezer security researcher Michael Kajiloti believes that PureLocker is a ransomware as a service offering that's only available to criminal gangs who can pay well up front.
Zeppelin was is an evolutionary descendent of the family known as Vega or VegasLocker, a ransomware-as-a-service offering that wreaked havoc across accounting firms in Russia and Eastern Europe. Zeppelin has some new technical tricks up its sleeve, especially when it comes to configurability, but what makes it stand out from the Vega family is its targeted nature. Where Vega spread somewhat indiscriminately and mostly operated in the Russian-speaking world, Zeppelin is specifically designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Zeppelin can be deployed in a number of ways, including as an EXE, a DLL, or a PowerShell loader, but it appears that at least some of its attacks came via compromised managed security service providers, which ought to send a chill down anyone's spine.
Zeppelin began to appear on the scene in November 2019, and as more proof of its difference from Vega, its targets semeed carefully chosen. Victims were mostly in the health care and technology industries in North America and Europe, and some of the ransom notes were written to specifically address the infected target organization. Security experts believe the shift from Vega's behavior is the result of the codebase being used by a new and more ambitious threat actor, probably in Russia; while the number of infections isn't that high, some believe what we've seen so far has been a proof of concept for a larger set of strikes.
Sodinokibi, also known as REvil, first emerged in April of 2019. Like Zeppelin, Sodinokibi appeared to be the descendent of another malware family, this one called GandCrab; it also had code that prevented it from executing in Russia and several adjacent countries, as well as Syria, indicating that its origin is in that region. It had several methods of propagation, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN.
Sodinokibi's spread again indicated an ambitious command and control team behind it, probably as a ransomware as a service offering. It was responsible for shutting down more than 22 small Texas towns in September, but it truly hit notorious status on New Year’s Eve 2019 when it took down the UK currency exchange service Travelex, forcing airport kiosks to resort to pen and paper and leaving customers in limbo. The attackers demanded a stunning $6 million ransom, which the company refuses to confirm or deny it paid.
When I asked Juniper's Hahad for his pick for the worst ransomware of 2019, Sodinokibi was his choice, because of an extra twist that Sodinokibi's controllers put into their attacks. "The one thing that really makes this a little bit special is that this particular group has taken on a new approach of not only telling people, 'You're not going to get your data back if you do not pay the ransom,' but also, 'We are going to publish that confidential data on the web or sell it in an underground forum to whomever is the highest bidder.' That takes the ransomware approach to the next level in their business model." This is a huge departure from the usual ransomware model — after all, one of its big advantages is that you can lock down your victim's data without going through the difficult process of exfiltrating it — but they've already followed through on the threat at least once. The new era of hyper-targeted, custom-tailored ransomware appears to be reaching new and dangerous depths.