2020 has been a roller coaster ride so far, and with the news coverage dominated by the events that have impacted us, ransomware has been sneaking into our world at a remarkable rate. Some sources say that ransomware spiked 25% in Q1 2020 over the previous quarter.
Here Are The Top Ransomware Threats in 2020:
- SNAKE (EKANS)
- Qakbot trojan
- Mailto (aka Netwalker Ransomware)
- Ragnar Locker
According to an FBI advisory to the private sector, “Unknown cyber actors have targeted multiple US and international businesses with Maze ransomware since early 2019. Maze encrypts files on an infected computer’s file system and associated network file shares. Once the victim has been compromised, but prior to the encryption event, the actors exfiltrate data.”
“After the encryption event, the actors demand a victim specific ransom amount paid in Bitcoin (BTC) in order to obtain the decryption key. An international Maze campaign targeted the healthcare sector, while its deployment in the US has been more varied.”
“The FBI first observed Maze ransomware activity against US victims in November 2019. From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-alike cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors. Maze was initially distributed via the Spelevo Exploit Kit which targets known vulnerabilities in Internet Explorer and Adobe Flash such as CVE-2018-8174, CVE-2018-15982, and CVE-2018-4878.”
You may have heard of REvil Ransomware because of a recent breach of the media and entertainment law firm Grubman Shire Meiselas & Sacks. The firm recently confirmed reports that it has fallen victim to a ransomware attack.
Several A-list celebrities that are clients of the law firm have potentially had data leaked on the dark web. Madonna’s tour contract was allegedly leaked.
A screenshot of a legal document from Madonna’s recent Madame X tour surfaced on the dark web, apparently bearing signatures from an employee and tour company Live Nation.
Another screenshot depicts dozens of computer files bearing the names of celebrities including Bruce Springsteen, Bette Midler, and Barbra Streisand.
Stars such as Robert De Niro, Madonna, Drake, Nicki Minaj, Mariah Carey, Elton John, U2 and Rod Stewart are among those whose personal information may have been compromised.
The attackers have doubled the ransom request to $42 million and threatened to release damaging information on President Trump.
SNAKE (EKANS) Ransomware
Ekans Ransomware is a malware variant that infects industrial control systems to disrupt factory operations until a ransom is paid. Security analysts say that Ekans is a spin-off of Snake Ransomware and has so far infected factories related to the automobile and electronics sector, most notably Honda.
Reports indicate that hackers targeted Honda servers with a file-encrypting malware variant dubbed Ekans, forcing the company to send production workers home as the automated devices on the factory floor became non-operational.
Although Honda never admitted that its servers were disrupted by a cyberattack, it did acknowledge that its IT infrastructure was down for unspecified reasons.
“On Sunday, June 7th, 2020, Honda experienced a disruption in a computer network which affected the operations across Europe and Japan. And we are currently investigating and assessing the situation” said a spokesperson in a statement released on June 8th, 2020.
A new ransomware strain called Tycoon is seeking to wheel and deal its way into the Windows and Linux worlds, using a little-known Java image format as part of its kill chain.
The ransomware is housed in a trojanized version of the Java Runtime Environment (JRE), according to researchers at BlackBerry Cylance, and has been around since December. Its victims so far have largely consisted of small- and medium-sized organizations in the education and software industries, researchers said, which it targets with customized lures.
“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims,” the researchers noted, in a posting on Thursday. “This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived as more successful in specific environments.”
A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.
TrickBot started as a banking Trojan and has since evolved to perform a wide variety of malicious behavior.
This behavior includes spreading laterally through a network, stealing credentials saved in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY credentials, and more. TrickBot also partners with ransomware operators, such as Ryuk, giving them access to a compromised network so that they can deploy ransomware.
Qakbot is a banking trojan that has been active for over a decade and relies on the use of keyloggers, authentication cookie grabbers, brute force attacks and windows account credential theft, among other techniques.
One of the authors of the research regarding the Qakbot trojan explained the following reasons why cybercriminals are relying on trojans such as Qakbot to launch ransomware attacks:
“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system, find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data), and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”
Microsoft has warned organizations globally about a new type of data-stealing Java-based ransomware dubbed “PonyFinal”. The tech giant described the malware as human-operated ransomware, which is distributed in an automated way by attackers.
“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware is not unheard of, they are not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered,” Microsoft said in a post.
Mailto (aka Netwalker Ransomware)
NetWalker appeared on the scene in mid-2019. Similar to other well-supported ransomware families, the operators target high-value global entities. The group’s targets range across multiple industries and span the education, medical, and government sectors.
As we have seen with Maze, Ragnar, REvil and others, NetWalker harvests data from its targets and is used by the operators as leverage via threats to post or release the data in the event that the target does not comply with their demands. To date, stolen data belonging to twelve different NetWalker victims has been publicly posted. The attackers behind NetWalker campaigns are known to use common utilities, post-exploit toolkits, and Living-off-the-Land (LOTL) tactics to explore a compromised environment and siphon off as much data as possible. These tools can include mimikatz (and variations thereof), various PSTools, AnyDesk, TeamViewer, NLBrute and more.
Over the last few months, we have seen NetWalker transition to a RaaS (Ransomware as a Service) delivery model, which will potentially open up the platform to an increased number of enterprising criminals. More recently, we have observed NetWalker spam campaigns using COVID-19-related lures to entice victims into initiating infection.
Ragnar Locker Ransomware
A ransomware called Ragnar Locker is specifically targeting software commonly used by managed service providers to prevent their attack from being detected and stopped.
Attackers first began using the Ragnar Locker ransomware towards the end of December 2019 as part of attacks against compromised networks.
According to the attackers, one of the tasks they perform before deploying the ransomware is to steal a victim’s files and upload them to their own servers. They then tell the victim that the files will be released publicly if the ransom is not paid.
“Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view !,” the attackers state in the Ragnar Locker ransom note.
When ready, the attackers build a highly targeted ransomware executable that contains a specific extension to use for encrypted files, an embedded RSA-2048 key, and a custom ransom note that includes the victim’s company name and ransom amount.
Ragnar Locker is specifically targeting remote monitoring and management (RMM) software commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya products.
Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Although it’s clearly based on the same code and shares most of its features with its predecessors, the campaign that it’s been part of differs significantly from campaigns involving the previous versions of this malware.
The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin – with compilation timestamps no earlier than November 6, 2019 – were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S. In stark contrast to the Vega campaign, all Zeppelin binaries (as well as some newer Buran samples) are designed to quit if running on machines based in Russia and some other ex-USSR countries.
Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader. The samples are hosted on water-holed websites and, in the case of PowerShell, on Pastebin. There are reasons to believe at least some of the attacks were conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used a ransomware called Sodinokibi.
The strain dubbed TFlower splashed onto the scene in late July 2019. It infects organizations through unprotected or poorly secured RDP ports. As soon as the furtive infiltration takes place, the ransomware runs a number of commands to disable the Volume Shadow Copy Service (VSS) and thereby thwart easy data recovery. When traversing the plagued computers for valuable data to encrypt, it ignores critical system files and objects stored in the Sample Music folder.
This pest does not modify the names of hostage files. However, when analyzed in a hex editor, every encrypted item turns out to carry a “tflower” marker at the very beginning of its raw byte content. The ransomware also sprinkles a bevy of rescue notes named “!_Notice_!.txt” across all affected folders. Although TFlower ransomware doesn’t appear to be a particularly sophisticated sample, it encrypts files flawlessly and thus poses a serious risk to companies.
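As an added example (not code from the original article or from any researcher it quotes), the following Python sweep looks for the two TFlower artifacts described above: files whose content begins with the literal “tflower” marker, and ransom notes named “!_Notice_!.txt”. The directory tree it builds is constructed purely for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# TFlower indicators from the description above: encrypted files keep their
# original names but begin with the literal marker "tflower", and ransom
# notes named "!_Notice_!.txt" are dropped into every affected folder.
MARKER = b"tflower"
NOTE_NAME = "!_Notice_!.txt"


def scan_for_tflower(root):
    """Walk `root` and return the paths of marked files and ransom notes.

    Result shape: {"marked": [...], "notes": [...]} with sorted string paths.
    Only the first len(MARKER) bytes of each file are read, so the sweep is
    cheap even on large shares.
    """
    marked, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(str(path))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(MARKER))
            except OSError:
                continue  # unreadable or vanished file: skip, don't abort the sweep
            if head == MARKER:
                marked.append(str(path))
    return {"marked": sorted(marked), "notes": sorted(notes)}


def build_sample_tree():
    """Create a constructed (not real) tree: one marked file, one note, two clean files."""
    root = Path(tempfile.mkdtemp(prefix="tflower_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(MARKER + b"\x00\x11constructed")
    (root / "docs" / NOTE_NAME).write_text("constructed ransom note text")
    (root / "clean.txt").write_bytes(b"plain text, untouched")
    (root / "empty.bin").write_bytes(b"")  # shorter than the marker: must not match
    return root


if __name__ == "__main__":
    for kind, paths in scan_for_tflower(build_sample_tree()).items():
        print(kind, paths)
```

Point `scan_for_tflower` at a real share to get a quick inventory of affected folders before restoring from backup.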
MegaCortex made its debut in May 2019. It mainly targets businesses located in the US, Canada, the Netherlands, and France. According to security experts’ findings, MegaCortex affects enterprise networks previously compromised by notorious info-stealing Trojans called Qakbot and Emotet. This fact suggests that the distribution of this ransomware might rely on backdoors created by other malware in a business ecosystem.
The convoluted infection methodology MegaCortex employs leverages both automated and manual components and appears to involve a high amount of automation to infect a greater number of victims. In attacks we’ve investigated, the attackers used a common red-team attack tool script to invoke a meterpreter reverse shell in the victim’s environment. From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initially dropped malware) on specified machines.
The attack was triggered, in at least one victim’s environment, from a domain controller inside an enterprise network whose administrative credentials the attacker seems to have obtained, in what appears to be a hands-on break in.
The malware’s name is a misspelled homage to the faceless, bureaucratic corporation where the character Neo worked in the first Matrix movie. The ransom note reads like it was written in the voice and cadence of Laurence Fishburne’s character, Morpheus.
According to KrebsOnSecurity, Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations.
An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months.
For example, until recently ProLock was better known as “PwndLocker,” which is the name of the ransomware that infected servers at LaSalle County, Ill. in March. But the miscreants behind PwndLocker rebranded their malware after security experts at Emsisoft released a tool that let PwndLocker victims decrypt their files without paying the ransom.
Diebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the amount requested. But Lawrence Abrams of BleepingComputer said the ransom demanded for ProLock victims typically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim network.
The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim’s stolen files if they do not pay a ransom demand.
A new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim’s files before encrypting any devices. They then threaten to publish or sell this data if the victim does not pay the ransom.
This new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied Universal for not paying a ransom.
The most recent victim of the DoppelPaymer Ransomware Gang is the City of Florence, AL.
Thanos is the first ransomware family to feature the weaponized RIPlace tactic, enabling it to bypass ransomware protections.
Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, which they say is increasing in popularity in multiple underground forums.
Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic. RIPlace is a Windows file system technique unveiled in a proof of concept (PoC) last year by researchers at Nyotron, which can be used to maliciously alter files and which allows attackers to bypass various anti-ransomware methods.
Beyond its utilization of RIPlace, Thanos does not incorporate any novel functionality, and it is simple in its overall structure and functionality. But this ease of use may be why Thanos has surged in popularity amongst cybercriminals, the researchers told Threatpost.