This post is intended to provide a snapshot into recent ransomware activity, highlighting notable variants and recent trends within a relatively small time-window so that organizations can adopt appropriate information security countermeasures to the current Ransomware landscape.
Ransomware is a form of malware that alters files on an endpoint, database, or server, using encryption to change the format of files within a computer system. The encryption renders the files inoperable and effectively useless to the owner. This type of malware uses fraud and is time-based. The files can only be decrypted by a key that the attackers hold, within a time period set by the threat actors. The encryption key to permanently decrypt the files is exchanged for money in the form of cryptocurrency.
Ransomware is effectively simple in its approach and remains a popular attack. Its success is largely due to three main factors.
- Ransomware has high visibility. The sensational exploitation by the media elevates its exposure. Large paid ransoms are publicized and encourage others.
- Ransomware has low time investment. The malware allows threat actors to stage the payload within an identified infection vector and then wait for a victim to email them and serve notice of infection. It does not need to be maintained or monitored.
- Ransomware is effective. It employs strong encryption algorithms which are nearly impossible to break. Once ransomware infects a system, it automatically encrypts the files and in some cases, self-propagates to other systems.
Observed Ransomware since the start of 2019 includes:
- Malware: B0r0nt0K
- Malware: BlackRouter
- Malware: Cr1ptT0r
- Malware: Cryptomix Ransomware
- Malware: hAnt
- Malware: Phobos
- Malware: STOP aka DJVU
- Malware: FilesLocker
- Malware: GandCrab
- Malware: GarrantyDecrypt
- Malware: GinX
- Malware: Hermes
- Malware: JobCryptor
- Malware: LockerGoga
- Malware: MongoLock
- Malware: PayPal phishing ransomware
- Malware: Ryuk
- Malware: Troldesh aka Shade
Decryption Keys are publicly available for certain ransomware variants
The decryption keys become available either through a misconfiguration by the malware authors (key stored in the registry of the victim machine) or the keys are cracked by dedicated individuals with specialized software. Currently, decryption keys are available for the following variants:
- Malware Variant: Gandcrab 9VOO5U (before version 5.2)
- Malware Variant: Dharma 0lpi4i
- Malware Variant: Dharma 798678 (early versions)
- Malware Variant: JobCrypter d54510
- Malware Variant: JobCrypter Z3HN4X
Pirated software and software shared through torrent sites ( Popular Torrent Uploader 'CracksNow' Caught Spreading Ransomware New Rumba STOP Ransomware Being Installed by Software Cracks ) is another common delivery vector. In this type of campaign, the ransomware 'piggybacks' into an endpoint hidden in the modified software installer- package and delivered when the Software is downloaded and opened.
Notable Variants in 2019:
Ryuk has been a particularly damaging variant in 2019. It was first seen in the summer of 2018. Separate analysis by McAfee, FireEye and CrowdStrike trace the variant back to a Russian Cybercriminal group, possibly Wizard Spider or Grim Spider.
- Ryuk ransomware has been seen targeting a media company, a data aggregation company, and government entities. It has been successful in that many of its victims have paid the ransom for restoration and in turn has garnered a high profile from the media.
- Targeted Victim: Data Resolution
- Targeted Victim: Tribune Publishing Georgia County Pays Off Ransomware Infection
- The success has helped the ransomware spread further. It has been used to deliver other malware including Trickbot ( Ryuk Ransomware Partners with TrickBot to Gain Access to Infected Networks ). It has also been used by many threat actors.
- Other variants such as Malware: Clop ransomware has been developed with inspiration from Ryuk. Ryuk, in turn, may have been inspired from Hermes ransomware source code when it was publicly released.
MongoLock Ransomware is a particularly malicious variant because it acts more like a wiper, deleting files upon infection instead of encrypting. It is targeting databases with weak security settings. It still presents a ransom note in a further effort to deceive and monetize.
Ransomware as a Service (RaaS) has been trending in 2019.
Cybercriminals will ‘rent out’ the software on the dark web through unique licensing schemes and take a cut of the ransom. RaaS hasn’t seen a huge following yet, but it may increase in the future and it is spreading within the darkweb. One limiting factor for this is the decreased valuation of cryptocurrency (crypto). Cryptojacking, where crypto is farmed using illegitimately obtained resources, was a very popular and lucrative attack that spiked in activity after the Bitcoin explosion. Ransomware may be taking a larger share of the criminal activity market as a reaction to this. RaaS allows threat actors to distance themselves from blame and still make money. It allows RaaS allows Ransomware authors and developers to effectively outsource Ransomware campaigns rather than doing it themselves and incentivizes the development of unique families for profit.
Notable RaaS families in 2019 include:
EclecticIQ has seen an uptick in highly targeted ransomware. This is ransomware that targets very specific systems. A good example of this is the "hANT" variant. hANT is a highly targeted ransomware that infects CryptoMiners in China. China has very cheap electricity and this has driven a surge in cryptomining and cryptojacking activities within the country in 2018. Following on the heels of this development, ransomware authors of hANT have exploited this niche. The malware scans a system for 2 specific types of mining rigs and will only launch on matching endpoints. Other notable OS targeting includes:
- GinX: Able to infect MacOS in addition to Windows.
- B0r0nt0k and Cr1ptT0r: Specifically target Linux.
Ransomware Trends to Watch
Threat actors launching Ransomware partnered with other malware within the same campaign.
Bots and Trojans (et al) have been seen weaponized to deliver Ransomware. This increases ransomware penetration as this expands the ransomware attack surface, allowing it to be delivered beyond phishing attacks. As a subcategory of this, Ransomware as a module which can be dropped, among a selection of other modules, from a prior stage infection is increasing. Think of this as a selectable, second-stage malware infection with ransomware as one possible action and objective.
Big game hunting Ransomware will increase because they target victim infrastructure that is difficult and/or costly to replace. These attacks see high success rates and media attention, creating a positive feedback loop. High-value targets like government and healthcare entities will continue to be targeted. Current versions involved in these attacks include Ryuk and Lockergoga.
- As an interesting note: EclecticIQ Fusion Center Analysts have not observed reports of ransomware targeting banks and other high-level financial institutions. This is likely due to good segmentation of public facing networks, rigorous backup practices, and opting to implement more robust perimeter security technology. These organizations may provide good defense models for others.
Continued targeting of Windows to cast a wide net.
Windows will continue to be a target by ransomware developers. Cybercriminals often look for options that present high reward with minimal investment and Windows remains a popular OS in the consumer and business market.
Ransomware is declining from 2016-2017 and 2018-2019 as measured by total number of Ransomware infections. This is likely due to industry-wide security practices becoming more stringent with better standards also adopted. Cryptocurrencies have largely decreased in valuation since 2017 and crypto plays and important part in anonymizing this form of cybercrime.
This snapshot provides a window into current ransomware threats. The related structured threat intelligence will help organizations tailor their defenses to the current landscape and become more efficient at protecting against this type of threat.