The Formation and Development of Ransomware Operations

Guest Author: David Balaban.

Extortion went cyber with the emergence of ransomware in 2006. The Archiveus Trojan broke new ground by leveraging asymmetric cryptography to lock down files in a victim’s “My Documents” folder. Although its code contained an easily crackable one-size-fits-all decryption password, it became a wake-up call. Back then, few people could imagine how impactful this style of attack would become down the line.

Let us fast forward to 2020. Ransomware is keeping businesses, healthcare organizations, educational institutions, and governments on their toes. Coding and encryption slip-ups are a thing of the past. The ransoms reach millions of dollars per infiltrated computer network, and extortionists wreak vengeance on non-paying victims by publishing their sensitive data online.

Ransomware Transformations over Time

There is a huge gap between the above-mentioned Archiveus Trojan and today’s enterprise-targeting ransomware strains such as Sodinokibi, Maze, and Ryuk. Several game-changing milestones in the evolution of this disgusting phenomenon paved its way toward the sophistication we are witnessing today.

● Screen Lockers Splash onto the Scene

The first massive ransomware outbreak did not involve data encryption. 2012 saw a surge in FBI-themed Trojans that prevented users from accessing their Windows desktop or web browsers. The lock screen would accuse the victim of distributing copyrighted materials or child porn. To avoid legal proceedings, the person was coerced into paying a fine via prepaid cards such as MoneyPak or Ukash.

This trickery hinged on Reveton, a strain of malware that fetched its victim’s geolocation details as well as the IP address and operating system version. This information was reflected in the ransom alert to enhance the scare effect. The silver lining was that the lock screen could be easily bypassed in Windows Safe Mode, and the cleanup was as easy as restoring the system to its earlier condition.

● Malicious Encryption Changes Everything

In 2013, online extortionists took their schemes to the next level by releasing CryptoLocker. This was the first mainstream ransomware sample that encrypted its victims’ files using the RSA cryptosystem. To top it off, it generated a unique public-private key pair for each infected computer and stored this information on a Command & Control server rather than locally.
CryptoLocker was a spam-borne threat, arriving in toxic email attachments sent to numerous users via a monstrous botnet called Gameover ZeuS. Having crippled important data on a contaminated PC, it would instruct the victim to buy the decryption key using Bitcoin or a prepaid online payment service.

This peril vanished from the radar in June 2014 as a result of an international law enforcement operation. But it cleared the way for other file-encrypting infections like CryptoWall and CTB-Locker, whose makers kept refining these tactics through better operations security (OPSEC) and stronger ciphers.

● Ransomware-as-a-Service and Massive Outbreaks

Several extortion gangs adopted a clever mechanism called Ransomware-as-a-Service (RaaS) in 2015. It introduced an affiliate approach in which the developers outsourced the distribution job to interested parties and earned up to 40% of the ransoms paid by victims.

These turnkey platforms included affiliate dashboards displaying real-time infection stats and allowing crooks to build custom ransomware versions in a few clicks. Distributors were also given access to ready-made exploit kits that would piggyback on known software vulnerabilities to contaminate systems.

This move led to a boom in ransomware deployment as it lured both seasoned cybercrooks and numerous wannabe extortionists. In 2016, it gave rise to the Cerber RaaS that quickly gained traction among black hats and was raking in unprecedented profits for more than a year. The Locky, CryptXXX, and CrySiS lineages exploded with highly impactful propagation campaigns around the same time.

The golden age of ransomware culminated with the notorious WannaCry and NotPetya outbreaks in 2017. They weaponized the DoublePulsar and EternalBlue hacking tools, which were reportedly developed by the NSA and fell into the wrong hands. These attacks hit hundreds of thousands of machines around the world, and the total estimated losses reached billions of dollars.

● Extortion Fueled by Data Breaches

In 2018, the online extortion epidemic was dwindling due to a dramatic drop in Bitcoin value and cybercrime’s shift toward more lucrative crypto mining stratagems. The decline turned out to be the lull before the storm, though. Ransomware operators started targeting enterprise networks on a large scale rather than individual users.
Things got worse in late 2019 when malefactors began stealing organizations’ data before encrypting it. The Maze ransomware was the first one to take this post-exploitation route. If a victim rejects the original ransom demands, crooks threaten to leak their files via specially crafted sites or hacker forums.

The double extortion method became so effective that about 20 gangs have jumped on the hype train and are now pressuring the infected companies through extra ultimatums. The newsmaking strains on this list include Sodinokibi, Nemty, DoppelPaymer, Netwalker, and LockBit. The authors of a lesser-known sample called Ako ransomware took the foul play further by demanding two ransoms: one for decryption, and the other for erasing the stolen data.

● DDoS Added to the Mix

In mid-August 2020, thousands of businesses from different industries, including retail, finance, and e-commerce, received ransom notes from perpetrators claiming to represent Advanced Persistent Threat (APT) groups such as Armada Collective and Fancy Bear. The crooks threatened to knock the victims’ websites offline via DDoS attacks unless they paid 10 BTC (roughly $109,000 at the time of writing).

This scorched-earth strategy, known as Ransom DDoS (RDoS), has been around since 2018 but had stayed mostly marginal until now. Besides groups posing as APTs, criminals in charge of long-running ransomware operations are starting to complement their repertoire with such threats.
In October 2020, malicious actors behind a ransomware family called SunCrypt used DDoS to bring down a victim’s site after the initial payment negotiations failed. The infected organization reportedly coughed up the money in the aftermath of this assault.

Targets

At its dawn, the ransomware plague zeroed in on home users. Crooks relied on spray-and-pray techniques, pumping out numerous spam messages that contained booby-trapped attachments. The downside of this approach was that the infection rate was low. Furthermore, individuals could not afford to pay large ransoms.

These factors made ransomware gangs rethink their tactics and focus on attacking enterprise networks. This significant shift took root in late 2018 and remains the case today. Computer infrastructures of SMBs, international corporations, hospitals, universities, and charities ended up in attackers’ spotlight. The 2019 incursion against 22 Texas municipalities demonstrated that towns could be low-hanging fruit as well.

Attack Vectors

Payloads disguised as harmless email attachments have been the “classic” ransomware contagions since 2012. Combined with social engineering, this method can be incredibly effective. There are quite a few more infection mechanisms, though.

Exploit kits allow threat actors to use security loopholes in outdated software as a network entry point. Remote Desktop Protocol (RDP) hacks are an increasingly common mechanism for infiltrating large digital environments.

In many cases, criminals execute phishing attacks to gain a foothold in computer systems of managed service providers (MSPs). This access eventually becomes a launchpad for contaminating multiple organizations that do business with the MSP. That is precisely what happened in the above-mentioned Texas snafu.

Ransom Amounts

When mainstream ransomware debuted with screen lockers impersonating law enforcement, the size of the ransom did not go beyond $100 worth of prepaid cards. CryptoLocker victims had to pay $600 for decryption. When file-encrypting ransomware matured into a firmly established phenomenon, the ransoms reached $2,000 in Bitcoin or Monero cryptocurrency.

As criminals switched to polluting enterprise networks, the amounts started soaring. In January 2017, the Los Angeles Valley College paid $28,000 to restore its systems raided by ransomware. Six months later, South Korean web hosting company Nayana sent an eyebrow-raising $1 million to operators of the Erebus ransomware that had encrypted its Linux servers.

In June 2019, Riviera Beach City, Florida, paid $600,000 to recover from a ransomware incident that affected its email system and 911 services. In the first quarter of 2020, the average ransom payment across the board amounted to $111,605.

How to Stay Safe in 2020

Although ransomware authors are thinking outside the box to boost their attacks, the prevention and mitigation techniques aren’t too complicated. The following 10 tips will help you enhance your organization’s defenses against this ever-evolving menace.
● Step up your email security. Configure the email service to filter out spam, phishing emails, and messages that contain executables.
● Maintain backups. You can easily get back on track as long as you have up-to-date data backups in place. However, this practice will no longer save you from the increasingly widespread double extortion that involves data leaks.
● Secure your remote desktop services. With RDP compromise gaining momentum among ransomware distributors, be sure to safeguard these services using two-factor authentication, limit the number of unsuccessful access attempts, and restrict RDP sessions to a whitelisted range of IP addresses.
● Prioritize your data. Figure out what information poses the highest value and protect it accordingly. For instance, you can encrypt such data so that attackers cannot turn it against you by leaking it to the public.
● Enable a firewall. This way, you can prevent ransomware from interacting with its Command & Control servers, requesting encryption keys, and stealing your data.
● Beware of Microsoft Office macros. If you receive an email containing a Word or Excel file that prompts you to “Enable Content,” do not click that button; close the document immediately. This is an old trick aimed at executing malicious macros that will quietly download ransomware.
● Nurture your personnel’s security awareness. Educating your employees is half the battle. Make sure they can identify a phishing attempt, follow safe authentication practices, and refrain from opening suspicious email attachments.
● Use an antimalware tool. Although this seems like a prosaic recommendation, trusted security solutions can pinpoint and block known ransomware strains before they cause damage.
● Leverage a DDoS mitigation service. This will add an important layer of protection against the escalating RDoS threat highlighted above. Combine an endpoint and a cloud-based web application firewall (WAF) to stay in the clear.
● Keep your systems up to date. Not only do software updates bring new features, but they also patch known vulnerabilities that may be exploited to inject ransomware behind the scenes.
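
The RDP tip above calls for limiting failed logon attempts and restricting sessions to an allowlisted address range. The following Python script is an added example, not code from the article: it runs that check over constructed Windows logon records (EventID 4625 failures and 4624 successes with logon type 10, i.e. RDP); the allowlist range, failure threshold and time window are assumed values chosen for the example.

```python
# Added example (not from the original article): a small detector for two RDP
# controls, a failed-logon threshold and a source-address allowlist. It parses
# constructed Windows logon records (EventID 4625 = failure, 4624 = success,
# LogonType 10 = RemoteInteractive, i.e. RDP) and flags offending sources.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp|event|logon_type|user|src_ip" form.
SAMPLE_EVENTS = """\
2020-10-05T09:00:01|4625|10|administrator|203.0.113.7
2020-10-05T09:00:03|4625|10|admin|203.0.113.7
2020-10-05T09:00:04|4625|10|backup|203.0.113.7
2020-10-05T09:00:06|4625|10|svc_sql|203.0.113.7
2020-10-05T09:00:09|4625|10|administrator|203.0.113.7
2020-10-05T09:01:00|4624|10|jdoe|10.20.0.15
2020-10-05T09:02:10|4625|10|jdoe|10.20.0.15
2020-10-05T09:03:00|4624|10|jdoe|198.51.100.9
"""

# Assumed allowlist: only the corporate VPN range may open RDP sessions.
RDP_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]
FAIL_THRESHOLD = 5            # failures per source within WINDOW (assumed value)
WINDOW = timedelta(minutes=5)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src))
    return events

def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RDP_ALLOWLIST)

def analyze(text):
    """Return (brute_force_sources, unexpected_sources) for RDP (logon type 10) events."""
    rdp = [e for e in parse_events(text) if e[2] == 10]
    brute, failures = set(), {}      # failures: src_ip -> timestamps inside the sliding window
    for ts, eid, _, _, src in rdp:
        if eid != 4625:
            continue
        window = [t for t in failures.get(src, []) if ts - t <= WINDOW] + [ts]
        failures[src] = window
        if len(window) >= FAIL_THRESHOLD:
            brute.add(src)
    # A successful RDP logon from outside the allowlist is worth an alert even without prior failures.
    unexpected = {src for _, eid, _, _, src in rdp if eid == 4624 and not is_allowlisted(src)}
    return sorted(brute), sorted(unexpected)
```

In production the same logic would read the Security event log (or a SIEM export) instead of the inline sample, and the brute-force list would feed a firewall block or account lockout rather than just a report.
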
By and large, ransomware is a huge cyber threat to organizations, and it is getting worse. With its evolution still underway, the best time to implement proactive defenses and become a moving target is now.


David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the MacSecurity.net and Privacy-PC.com projects, which present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

https://www.linkedin.com/in/david-balaban/

The post The Formation and Development of Ransomware Operations appeared first on VIPRE.