Ransomware is likely the type of cybercrime that made headlines in 2021 and 2022 looks set to follow that trend. Yet it is still evolving, and new ransomware appears to be more adaptive, resilient and industrialized.
According to Kaspersky in a new reportcybercriminals continue to use ransomware to threaten retailers and businesses nationwide, as old malware variants come back as new ones evolve.
A careful technological and geopolitical analysis of the end of 2021 and 2022 brings Kaspersky together a number of new trends in ransomware.
Ransomware tries to be as adaptive as possible
Hunting big game
The Hunting big game (BGH) model has made it so that ransomware threat actors have penetrated increasingly complex environments. As a result, these threat actors must deal with a variety of very different hardware and operating systems, and therefore must be able to run their malicious code on different combinations of architectures and operating systems.
To achieve that goal, some ransomware developers chose to write their code in cross-platform programming languages such as Rust or Golang. An interesting caveat is that Kaspersky mentions that such cross-platform code is also more difficult for defenders to analyze than code written in, say, plain C programming language.
continuous
continuous affiliated threat actors use different ransomware versions. A few Conti affiliates have access to a variant of the malware that: to beat ESXi systems with a Linux variant.
Black cat
Black cat ransomware is written in Rust, which makes it easier to compile on different platforms. According to Kaspersky, it didn’t take long after the Windows version of BlackCat came out to see a Linux version appear. The Linux version is very similar to the Windows version, with minor changes to adapt to Linux: the execution of the command with cmd.exe on Windows has been replaced by the Linux equivalent. Also, the Linux version can shut down the machine and delete ESXi virtual machines (VMs).
deadbolt
deadbolt comes as another example. This ransomware is written as an interesting combination of Bash, HTML and Golang, which makes it able to use cross-platform functionalities, although it only targets QNAP and ASUSTOR NAS devices.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Ransomware ecosystem is becoming more “industrialized”
Ransomware threats, like any other software company, are constantly evolving in an effort to make things faster and easier for themselves and their customers/affiliates.
lock bit is a highly successful ransomware-as-a-service (RaaS) that has shown constant evolution over the years (Figure A). As of 2019, it quickly evolved to welcome affiliates in 2020 and developed a leak portal, double extortion scheme, and data exfiltration before data encryption. Apart from the constant development in functionalities and ease of use, the infrastructure has also been improved over time to be more resilient and against attacks and DDoS attempts.
Image A
The StealBIT exfiltration tool is also a striking example of this industrialization phase. Although cyber criminals initially only used publicly available tools to exfiltrate data, they developed their own tool to be less detected, but also to significantly improve data transfer speed. The tool can also exfiltrate only selected files based on the file extensions. Finally, it contains a tracking number of a partner that is sent when the data is exfiltrated.
Ransomware Threat Actors Consider Geopolitics
For starters, geopolitical aspects are now taken into account when infecting targets. Headlines using COVID-19 or the war in Ukraine have been used in spam and phishing emails to trick users into opening attached files or clicking on compromised links.
While the use of COVID-19 in infecting emails was not personal, the war between Ukraine and Russia is different as cybercriminals take sides, with consequences. As an example, the conti leaking As a result, Conti was attacked and exposed by a pro-Ukraine attacker who targeted Conti for their position in the conflict. On February 25, 2022, Conti published a statement on its website saying that Conti would retaliate with full capacity against the critical infrastructure of any enemy if Russia became the target of cyber attacks.
On the other hand, communities such as the Anonymous, Ukraine’s IT military and Belarusian cyber partisans took positions in support of Ukraine.
Freeud, a brand new ransomware variant that supports Ukraine, includes a message in the ransom note stating that Russian troops should leave Ukraine. The ransomware also has erasing capabilities, in case it is configured with a list of files to be erased.
Other ransomware deployed since the start of this conflict has covered up destructive activity: GoRansom and HermeticWiperor DoubleZero Wiper to name a few.
SEE: Mobile Device Security Policy (Tech Republic Premium)
Ransomware Protection Recommendations
Some practical tips to improve your security are:
- Always keep all software and operating systems up to date, across all devices used by the company. This greatly helps against common exploits of vulnerabilities that can target any system or device.
- Outbound traffic needs to be monitored intensively to detect exfiltration of large files or suspicious network data transfers.
- Implement security solutions that can detect lateral movements. Those movements within the corporate network are mandatory for the attackers and must be detected at an early stage to prevent data exfiltration or destruction.
- In addition to XDR (eXtended Detection and Response) solutions, security solutions with a focus on ransomware must be deployed.
- Provide specific threat intelligence information to your SOC team.
- Deploy email protection/anti-phishing solutions as ransomware threats can use spear-phishing to attack the business.
Revelation: I work for Trend Micro, but the opinions expressed in this article are mine.
