Improving Ransomware in 2017
Once adversaries have found a method for breaching network defenses, stealing data, or otherwise generating revenue, they’ll continue to refine these tactics to avoid detection and improve effectiveness. Ransomware, one of the more high-profile tools leveraged by adversaries, has undergone this same evolution, as we explain in the Cisco 2017 Midyear Cybersecurity Report. Delivery, obfuscation, and evasion are the core elements currently driving malware innovation—and many of these innovations, in turn, drive the use of ransomware by actors in the shadow economy.
Here’s a quick look at some of the key trends in ransomware we’ve observed during the first half of 2017:
Ransomware-as-a-Service (RaaS) platforms, such as Satan, are becoming commonplace, significantly decreasing the “barrier to entry” for threat actors who want to get into the ransomware business without doing the hard work of programming, or amassing network resources. The operators of the RaaS platforms take a portion of adversaries’ profits, similar to the way in which many legitimate software platforms work. Some of the operators even provide additional “customer service,” such as deploying the ransomware and tracking the progress of ransomware distribution campaigns over time, making it even easier for threat actors to launch and manage their ransomware campaigns.
Open-source ransomware codebases are also being leveraged by adversaries to help them launch new ransomware campaigns quickly. As covered in the MCR, several open-source ransomware codebases such as Hidden Tear and EDA2 have been released publicly “for educational purposes” Threat actors can simply tweak the code to suit their specific objectives and then deploy the malware to launch ransomware attacks. We know that this is a strategy used by some adversaries: many of the supposedly new ransomware families that Cisco has recently observed appear to be directly based on these open-source codebases.
Anonymized, decentralized infrastructure
In a bid to stay below the radar as their attacks find new victims, creators of ransomware and other malware campaigns are also leveraging new techniques for evading detection by defenders. One such technique is the use of anonymized and decentralized infrastructure and network protocols that can obfuscate command-and-control infrastructure. Cisco researchers have noted an increase in the use of services that leverage Tor, such as Tor2Web, which makes it easier for bad actors to use Tor without changing their malware code to natively support it. This also makes the command-and-control infrastructure more difficult to track and makes it more resilient to server takedowns.
A re-embrace of email as an attack vector
Another ransomware-related trend observed by Cisco and covered in the MCR: An uptick in spam volume globally, which parallels a decline in exploit kit activity. Emails with password protected Office documents, or PDFs containing embedded documents may require recipients to interact with the files, such as clicking “OK,” or inputting a password before any malicious activity is encountered which can help the messages bypass sandboxing technologies.
Some adversaries are also experimenting with extorting victims using the threat of distributed denial of service (DDoS) attacks. In these attacks, dubbed ransom denial of service (RDoS), the perpetrator threatens to disrupt the victim’s website or other services using a DDoS attack unless a ransom is paid. According to research by our partner Radware, nearly half of all companies suffered at least one cyber ransom incident in 2016—either a specific ransomware attack, or an RDoS attack (17 percent).
Radware research also shows that a cybercriminal group called the Armada Collective have been responsible for most RDoS attacks to date, with ransoms demanded ranging from 10 to 200 bitcoins (about US$3,600 to US$70,000).
Given the cleverness of adversaries, defenders can’t assume that when they’ve blocked one type of threat, bad actors won’t figure out a way around their defenses. As the Midyear Cybersecurity Report makes clear, staying a step ahead of this innovation is key to outwitting attackers.
By Edmund Brumaghin
(Source: Cisco Blog)