9 Ransomware ‘Boosters’ and Strategies to Fight Them

The ransomware business is still going strong, thanks to a thriving cybercrime-as-a-service ecosystem.

Some of these services are largely based on criminals exploiting known vulnerabilities that organizations haven’t patched, or forcing access to Remote Desktop Protocol (RDP) connections and then selling that access to others. In this situation, improving patch management and RDP security practices are proven defenses.

However, unless strong measures are taken, other ransomware “boosters” are likely to continue to flourish. Disrupting cybercriminal forums where ransomware operators recruit experts and sell services often requires law enforcement intervention.

Next, we will introduce 9 kinds of ransomware “boosters” and the countermeasures you can take:

1. New forums fuel ransomware

At times, the cybercriminal community seems to follow the principle of “self-policing” — at least in theory. For example, in May, some of the largest Russian-language cybercrime forums — including XSS and Exploit — have officially banned any ransomware-involving attacks, following the political fallout from DarkSide’s attacks on the Colonial Pipeline in the United States and Conti’s attacks on the Irish health service. communication.

However, some security experts say that workarounds are always found in many forums, such as advertisements for “penetration testers” and “access proxies,” as long as the ads don’t specifically mention crypto-locking malware.

While some of the larger forums have banned discussions of ransomware, some smaller players don’t seem to reject them, including a few new ones.

On July 12, the Babuk ransomware operator’s data breach site (renamed Payload.bin from Babuk in June) was once again turned into a cybercrime forum called RAMP, according to Israeli threat intelligence firm Kela. Victoria Kevilevich, a threat intelligence analyst at Kela, said in a new research note.

According to the official introduction, RAMP stands for “Ransom Anon Mark Place (ransomware anonymous market)”, but in fact it is also a tribute to the defunct “Russian Anonymous Marketplace” (Russian Anonymous Marketplace, referred to as RAMP, closed in 2017).

The new forum says it is designed to support ransomware-as-a-service (RaaS) operations, the dominant business model involving ransomware today. In the RaaS model, operators or administrators are responsible for developing crypto-locking malware, which affiliates acquire through a portal to infect victims and take a commission for each ransom paid.

A new administrator, originally named “TetyaSluha” – now “Orange”, announced that it is now a place to protect ransomware affiliates from unscrupulous RaaS programs, Kela said. The administrator claims that he wants to create a new community after other forums banned ransomware communications, noting that the forum already has sections dedicated to initial access brokers, ransomware vendors, and affiliate programs.

Kela added that RAMP was taken offline at the end of July after a spam attack, but a message on the website said it would be back on August 13. When it resumes operations again, it will no doubt continue to be a target for threat intelligence companies wanting to eavesdrop on discussions, and possibly also for law enforcement agencies seeking to identify members of the cybercriminal underground and try to arrest them.

2. The ransomware community has other communication strategies/channels

Bob McArdle, director of cybercrime research at security firm Trend Micro, said larger ransomware-operating groups may also have built extensive connection lists and well-established relationship topologies, so they are less reliant on forums.

Likewise, threat intelligence firm Flashpoint said ransomware operations have historically been recruited through multiple channels. It said some groups, like Black Shadow, rely primarily on Telegram accounts; others, like LockBit 2.0, conduct ransomware-as-a-service recruiting on their forums.

Meanwhile, the AvosLocker ransomware operator recently used a service that distributes spam via Jabber and Telegraph to advertise its ransomware partner program, according to the security firm.

picture

3. Experts provide on-demand services

Security experts say ransomware operators aren’t just looking to recruit new affiliates. Some of the larger and more sophisticated operations — such as REvil, DarkSide, and Ryuk — also recruit different specialists to increase attack success and help extortion businesses thrive.

Ransomware incident response company Coveware said that for a complete ransomware attack campaign, there may be more than a dozen unique actors involved, each with different expertise and contributing to different stages of the attack. When ransomware groups focus on a specific intrusion method, they are likely to seek out upstream experts who are selling network access to future victims who fit the characteristics of the RaaS group. These upstream experts have sold this access more than once, so Ability to influence the network by gaining a competitive advantage over competitors.

However, not all experts are involved in direct intrusion into groups. Some simply provide ancillary services, such as negotiating with victims. Others can put other types of payment pressure on victims, for example, by distributing denial-of-service attacks that don’t seem to require top technical skills.

Threat intelligence firm Intel 471 said it once tracked a cybercriminal who first appeared in January on a prominent cybercrime forum that became notorious again after the Colonial Pipeline attack was shut down. An associate of the DarkSide operation. According to the criminal, he was mainly responsible for launching DDoS attacks on DarkSide victims. At any given time, 10 to 20 targets are DDoS attacked, and the attacks can last anywhere from 1 to 21 days, with victims earning between $500 and $7,000 each time they pay the ransom.

4. The initial access to the broker paves the way for you

Among the various specialists used by ransomware attackers is a role called the “initial access broker,” which is a fancy way of describing a hacker gaining access to an organization’s network and then selling that access to others. For attackers using ransomware, buying access means they can spend more time infecting victims without having to break into their systems first.

The services of such brokers appear to be proliferating. Looking back at the 10 most popular Russian and English-language crime forums in the first three months of the year, security firm Positive Technologies counted nearly 600 access offers, compared with just 255 in the previous quarter.

That figure also doesn’t include all such sold access rights, as some ransomware operations partner with initial access brokers, or offer them “rebates” for first-reflection rights. Other brokers will list some of the “access rights” they offer for sale, but will tell potential buyers to contact them directly for information on other targets.

However, the increase in publicly available offers suggests that more organizations are at risk of falling victim to criminals who gain remote access to their networks and sell that access to the highest bidder.

5. Phishing and Remote Desktop Protocol (RDP) provide access

Coveware warns that for attackers using ransomware, phishing and brute-forcing RDP access credentials remain the two most common tactics used to gain initial access to a system.

Therefore, having a robust phishing solution and targeting RDP remains a smart move to strengthen your defenses.

6. Unpatched vulnerabilities also provide access

Third on the list of attackers using ransomware to gain access is to exploit security holes. From April to June, Coveware said it found that attackers particularly liked to exploit two vulnerabilities as entry points to gain remote access to an organization’s network. The vulnerabilities are a Fortinet FortiOS path traversal vulnerability (CVE-2018-13379) affecting SSL VPN appliances, and a vulnerability in the SonicWall SRA 4600 appliance (CVE-2019-7481).

FireEye’s Mandiant Incident Response Team said in a report that it observed a group of groups using FiveHands ransomware starting in February targeting vulnerabilities in SonicWall SMA 100 Series VPN appliances, before the vendor released a patch.

Intel 471 added that FiveHands members later took advantage of the VMware Sphere Client vulnerability (which the vendor patched in May) and the Windows Print Spooler Service known as “PrintNightmare” (which was fully patched by Microsoft in July) ).

The perpetual “patch or die” problem means that once a vendor releases a security fix, attackers race to reverse engineer it to find a vulnerability they might exploit, making it easy to focus on new victims who haven’t installed the update yet .

Intel 471 said cybercriminals are as concerned about CVEs as anyone else, and they are well aware of the delays organizations have in fixing vulnerabilities that give criminals the access they need to carry out their attacks.

7. Open source options spawn more attacks

Malware source code is often leaked or dumped in the wild, enabling criminals to reuse and adapt it. Examples abound: in 2011, for example, the source code of the infamous Zeus banking Trojan was leaked online for unknown reasons and was quickly abused by numerous criminals.

Just weeks after the Mirai botnet targeting the Internet of Things emerged in August 2016, its creators leaked the source code online, most likely to try to derail investigators. Unfortunately, many other criminals have quickly adapted and repurposed the malware.

In terms of ransomware, in 2015, security researcher Utku Sen built EDA2 and Hidden Tear as open-source ransomware and released the source code on GitHub. While researchers say the code was developed for educational purposes, it was quickly abused by criminals, and even spawned a malware variant with the theme of “Pokemon Go,” a game that incorporates AR technology.

However, this kind of thing is also a cautionary tale for security researchers: Never release proof-of-concept (PoC) ransomware in the wild.

8. Leaks meet the need for crypto-locking malware

Recently, someone leaked a Windows executable called “Babukbuilder,” which turned out to be the key piece of software used by Babuk.

This builder is used to generate a unique copy of the malware, in Babuk ransomware mode, to generate crypto-locking malware and decryption tools for each different victim organization.

The executable was first discovered by Kevin Beaumont, head of security operations at London-based fashion retail giant Arcadia Group, who reported that it generates malware and affects “Windows, VMware ESXi, Network Attached Storage x86 and ARM, as well as widely used VMware hyperviso and NAS devices”.

Security experts, including Beaumont, have confirmed the software’s effectiveness.

Apparently, some less advanced criminals also leaked their tools. Intel 471 reported that in late June, an operator using the information-stealing malware Vidar sent bots a ‘download and execute’ task designed to install a builder-generated variant of the Babuk ransomware.

9. Reusing Malware Shortens Development Cycles

It is clear that some malware developers are borrowing, sharing or stealing code. For example, Intel 471 reports that “there are multiple similarities in code between the Conti ransomware and BazarLoader,” a malware designed to provide remote access to compromised endpoints.

Such ransomware-wielding attackers have previously used such malware, including BazarLoader, to gain initial access to a device, then download and run other tools and malware, such as Ryuk and Vaet.

But Intel 471 said the people who developed Conti appear to have borrowed some code from BazarLoader. One particular similarity, it said, is that the code allows Conti to evade analysis in an isolated instance such as a sandbox or virtual machine. The code for this function is almost identical to the code used by BazarLoader, both functions follow the exact logic and execute in the same way when searching for hooks.

Unfortunately, once such code is abused, there is no easy way to eliminate it. In some cases, however, security companies can deduce ways to spot it running in the wild based on how it works to help organizations defend against it.

The Links:   NL8060BC26-17 NT156WHM-N32 NEC-LCD