Wednesday, September 23, 2020

Preventing 7 Malware Families of Ransomware | Antivirus Software

7 Families of Ransomware


1. SamSam

This crypto-ransomware encrypts user data with AES/RSA and then demands a ransom of 1 bitcoin or more to get the files back.

Original name: SamSam.

The executable is named samsam.exe.

Remote attackers use the JexBoss hacking tool to automatically detect vulnerable systems running outdated JBoss versions and then launch an attack to remotely install SamSam ransomware on victims' computers. The SamSam payload is delivered to Windows systems by exploiting vulnerabilities in unpatched JBoss servers. The attackers then install a web shell, identify other systems connected to the network, and deploy the SamSam ransomware to encrypt files on those network devices.

Source - https://id-ransomware.blogspot.com/2016/03/samsam.html

SamSam attacks started appearing in late 2015 and have increased seriously in the past few years. For example, large organizations such as the Colorado Department of Transportation, the city of Atlanta, and numerous medical institutions around the world have been hit by attacks using this ransomware. SamSam is a great example of how the organizational prowess of attackers is just as important as their programming skills. SamSam does not indiscriminately look for a specific vulnerability, as some other ransomware variants do, but rather works like Ransomware-as-a-Service, carefully checking pre-selected targets for weaknesses and exploiting vulnerabilities in the FTP and RDP services on IIS servers.

Initially, security researchers assumed SamSam was of Eastern European origin, as the vast majority of its attacks were directed against institutions in the United States. In late 2018, the United States Department of Justice indicted two Iranians who it claimed were behind the attacks. The indictment says the attacks resulted in more than $30 million in losses, but it is unclear exactly how much of this amount the affected authorities paid to the extortionists. At one point, the city government of Atlanta provided local media with screenshots of ransom messages that contained information on how to contact the attackers. This led to the loss of the communication channel with the scammers, which may have prevented Atlanta from paying the ransom.

2. Ryuk

Ryuk is another ransomware variant that became widespread in 2018 and 2019. Its victims were organizations for which downtime is extremely critical, for example daily newspaper publishers and a North Carolina water utility, which at the time was struggling with the aftermath of Hurricane Florence. The Los Angeles Times has written a detailed account of what happened when its own systems were infected. One of Ryuk's most insidious features is that it can disable Windows System Restore on infected computers, making it even more difficult to recover encrypted data without paying a ransom. The ransom demands were especially high, which corresponded to the level of the selected victims. The wave of attacks during the holiday season showed

Analysts believe Ryuk's source code is largely taken from Hermes, which was developed by the North Korean Lazarus Group. However, this does not mean that the Ryuk attacks themselves were carried out from North Korea. McAfee believes Ryuk was built on code purchased from a Russian-speaking vendor, in part because the ransomware does not run on computers configured for Russian, Belarusian, or Ukrainian. But how exactly these Russian-speaking hackers obtained the code from North Korea is unclear.

3. PureLocker

PureLocker is a new ransomware variant that was the subject of an article jointly released by IBM and Intezer in November 2019. Running on Windows or Linux computers, PureLocker is a good example of a new wave of targeted malware. Rather than infiltrating computers through widespread phishing attacks, PureLocker appears to be tied to the more_eggs backdoor, which has been used by several well-known cybercriminal gangs on more than one occasion. In other words, PureLocker is installed on computers that have already been compromised and are under some degree of attacker control. And instead of immediately starting to encrypt all the data it can access, it first runs a series of checks and identifies the most critical information. PureLocker does not reveal itself when run in sandboxes or malware analysis tools.

While IBM and Intezer did not disclose how widespread PureLocker infections are, they did show that most of them occurred on corporate production servers, which are obviously very important targets. Intezer security researcher Michael Kajiloti believes that PureLocker is ransomware as a service available only to criminal gangs that can pay in advance, since attacks using this software require the involvement and constant oversight of highly skilled specialists.

4. Zeppelin

Zeppelin is a descendant of a family of viruses known as Vega or VegasLocker (another ransomware as a service) that has caused havoc among audit firms in Russia and Eastern Europe. Zeppelin has a number of new technical tricks, particularly in its configuration. But the main feature distinguishing this ransomware from the Vega family is its ability to carry out targeted attacks. While Vega was distributed chaotically and mainly operated in a Russian-speaking environment, Zeppelin was designed not to run on computers in Russia, Ukraine, Belarus, or Kazakhstan. Zeppelin is distributed in several ways, including as an EXE, DLL, or PowerShell loader, but at least some of its attacks have been carried out through compromised managed security providers.

Zeppelin became widespread in November 2019, and its carefully curated list of victims is further proof of its difference from Vega. The victims were healthcare organizations in North America and Europe. The ransom demands were tailored to the sector and to the specific infected organization. Security experts believe the move away from Vega's behavior is the result of a new and more ambitious actor, probably in Russia, using the codebase. Although the number of infections is not that high, experts believe what we have seen so far confirms the possibility of more attacks using this virus.

5. REvil / Sodinokibi

Sodinokibi, also known as REvil, first appeared in April 2019. Like Zeppelin, Sodinokibi is a descendant of another virus family, GandCrab. It, too, contained rules preventing execution in Russia and several neighboring countries, as well as in Syria, pointing to a Russian origin. It had several distribution methods, including exploiting vulnerabilities in Oracle WebLogic servers or Pulse Connect Secure VPN.

The spread of Sodinokibi again pointed to an ambitious team of creators, possibly also positioning the virus as ransomware as a service. Its spread caused problems in 22 small towns in Texas, but it gained notoriety when it shut down the Travelex currency exchange in the UK on the eve of 2019, forcing operators to use calculators and notebooks instead of computers. The extortionists demanded a crazy $6 million ransom, although Travelex refuses to confirm or deny this.

6. Robinhood

In early May, the administration of the American city of Baltimore was confronted with ransomware that infected a number of municipal computers. Some of the city services were completely paralyzed. Soon a message appeared on the city's website stating that the authorities could only be contacted by phone. The culprit was a ransomware program called Robinhood. The impact of the virus was estimated at $18 million.

In particular, Baltimore reported the following problems:

  • the ability to submit an appeal to the mayor's office was lost, since officials lost access to e-mail;
  • real estate sale transactions were suspended (about 1.5 thousand);
  • online payment of fines for parking and traffic violations became impossible, which led to missed payment deadlines;
  • the databases of the utility and real estate tax payment system were affected. As a result, it became impossible to issue and pay bills, as well as to obtain a certificate of no outstanding debts for persons selling houses and apartments.

Source - https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-ransomware-email-20190529-story.html

7. LockerGoga

On March 18, 2019, one of the world's largest aluminum producers, the Norwegian company Norsk Hydro, was attacked by ransomware. All factories were successfully isolated and processes were transferred to manual control where possible (the aluminum profile extrusion plants could only reach 50% efficiency). The investigation into the attack required the involvement of local authorities and law enforcement agencies (National Security Authority / NorCERT, Norwegian Police Security Service, National Criminal Investigation Service), as well as a number of commercial companies. The reconstruction of the infrastructure has not yet been completed, and some production facilities (for example, extrusion of aluminum profiles) are still operating at half their capacity.

According to the Norwegian Computer Emergency Response Team (NorCERT), the ransomware involved is called LockerGoga.

Summary

All existing ransomware works in a similar way. It penetrates the targeted system, whether by breaking in through an unprotected RDP configuration, through e-mail spam with malicious attachments, spoofed downloads, exploits, web injections, fake updates, or repackaged and infected installers. It then encrypts files with certain extensions that are likely to contain useful information, and finally demands a ransom paid to the cybercriminals' crypto wallets in exchange for returning the files. Vulnerabilities in software and network protocols were often exploited in attacks against large targets, as attackers were willing to spend more resources to achieve larger gains.

In general, we can say that at present there is a high probability of targeted attacks on large organizations that are capable of paying large ransoms to cybercriminals. That said, hackers do not always develop their hacking tools and malware on their own. Attackers choose areas of activity in which disruption of business processes leads to maximum losses (for example, transport, critical infrastructure, energy).

How to Prevent this Malware

To prevent ransomware attacks, there are the following guidelines:

  • Timely updating of the software in use;
  • Conducting briefings with personnel so they understand what may be ransomware;
  • Maintaining a backup policy and protecting the backups themselves;
  • Using antivirus software from major vendors, and preventing ordinary users from changing antivirus policies.
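As an added example that is not part of the original post, the following PowerShell script audits a Windows host against the four guidelines above, plus the RDP exposure and System Restore points raised earlier in the article. It assumes Windows 10 / Server 2016 or later with Microsoft Defender and an elevated session; the 30-day and 3-day thresholds are assumptions, not values from the post.

```powershell
# Added example (not from the original post). Reports findings; it changes nothing.
function Test-RansomwareBaseline {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $ok, $detail) {
        $status = if ($ok) { 'OK' } else { 'REVIEW' }
        $findings.Add([pscustomobject]@{ Check = $check; Status = $status; Detail = $detail })
    }

    # 1. Timely updates: flag hosts whose newest hotfix is older than 30 days (assumed threshold).
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (Get-Date) - $latest.InstalledOn } else { $null }
    Add-Finding 'Patch age' ($age -and $age.Days -le 30) "Newest hotfix: $($latest.HotFixID) ($($latest.InstalledOn))"

    # 2. RDP exposure: the summary names unprotected RDP as a common entry vector.
    #    Either RDP is disabled, or Network Level Authentication must be required.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpOff = (Get-ItemProperty $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    $nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
    Add-Finding 'RDP' ($rdpOff -or $nla) "RDP disabled: $rdpOff; NLA required: $nla"

    # 3. Backups: Ryuk disables System Restore, so check that volume shadow copies exist.
    #    This is only a local recovery signal; the guideline still requires protected offline backups.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    Add-Finding 'Shadow copies' ($shadows.Count -gt 0) "$($shadows.Count) volume shadow copies present"

    # 4. Antivirus: real-time protection on, tamper protection on (ordinary users cannot
    #    change the policy), and signatures no older than 3 days (assumed threshold).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
        Add-Finding 'Defender tamper protection' $mp.IsTamperProtected "IsTamperProtected=$($mp.IsTamperProtected)"
        Add-Finding 'Defender signatures' ($mp.AntivirusSignatureAge -le 3) "Signature age: $($mp.AntivirusSignatureAge) days"
    } else {
        Add-Finding 'Defender' $false 'Get-MpComputerStatus unavailable (Defender absent or session not elevated)'
    }
    return $findings
}

Test-RansomwareBaseline | Format-Table -AutoSize
```

Any row marked REVIEW points at one of the four guidelines that the host does not currently satisfy.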

From all of the above, we can conclude that the threat of ransomware is more relevant today than ever. Attackers take advantage of the fact that information owners are concerned with both its integrity and availability and confidentiality. Now they are telling the victim not only “you will not get your data back until you provide the ransom”, but also “we plan to post your confidential information on the Internet or sell it on the darknet to those who offer a higher price”. This takes ransomware to the next level in the business model they use and is also the most important innovation in their standard behavior. This restructuring of the business model ushers in a new era of hyper-targeted and custom-designed ransomware that will reach new and dangerous depths.
