Ransomware was probably the type of cybercrime that made the most headlines in 2021, and 2022 seems to be following that trend. Yet it is still evolving: new ransomware is more adaptive, more resilient and more industrialized.
According to a new Kaspersky report, cybercriminals continue to use ransomware to threaten nationwide retailers and enterprises, as old malware variants come back and new ones develop.
A careful technological and geopolitical analysis of late 2021 and 2022 brings Kaspersky to list a few new trends in ransomware.
Ransomware tries to be as adaptive as possible
Big Game Hunting
The Big Game Hunting (BGH) model has led ransomware threat actors to penetrate more and more complex environments. As a consequence, those threat actors need to deal with a wide variety of hardware and operating systems, and therefore need to be able to run their malicious code on different combinations of architectures and operating systems.
To achieve that goal, some ransomware developers have chosen to write their code in cross-platform programming languages like Rust or Golang. On an interesting side note, Kaspersky mentions that such cross-platform code is also more difficult for defenders to analyze than code written in plain C, for example.
Conti threat actor affiliates make use of different ransomware versions. A few Conti affiliates have access to a Linux variant of the malware that targets ESXi systems.
BlackCat ransomware is written in Rust, which makes it easier to compile on different platforms. According to Kaspersky, it did not take long after the appearance of the Windows version of BlackCat for a Linux version to pop up. The Linux version is very similar to the Windows version, with slight changes to adapt it to Linux: command execution through cmd.exe on Windows has been replaced by its Linux equivalent. The Linux version is also capable of shutting down the machine and deleting ESXi virtual machines (VMs).
DeadBolt is another example. This ransomware is written as an interesting combination of Bash, HTML and Golang, giving it cross-platform functionality, although it only targets QNAP and ASUSTOR NAS appliances.
Ransomware ecosystem becomes more “industrialized”
Ransomware threat actors, just like any software company, are constantly evolving in an attempt to make it all quicker and easier for themselves and their customers/affiliates.
Lockbit has been a very successful ransomware-as-a-service (RaaS) that has shown constant evolution through the years (Figure A). Starting in 2019, it quickly evolved to welcome affiliates in 2020, and developed a leak portal, a double extortion scheme and data exfiltration before data encryption. Aside from the constant development of functionalities and ease of use, the infrastructure also improved over time to be more resilient and to counter attacks and DDoS attempts against it.
The StealBIT exfiltration tool is also a striking example of this industrialization stage. While cybercriminals initially only used publicly available tools to exfiltrate data, they developed their own tool in order to be detected less often and also to greatly improve the data transfer rate. The tool is also able to exfiltrate only selected files, based on file extensions. Finally, it contains an affiliate tracking number which is sent when the data is exfiltrated.
Ransomware threat actors take geopolitics into consideration
For starters, geopolitical aspects are now taken into consideration when infecting targets. Headlines about COVID-19 or the war in Ukraine have been used in spam and phishing emails to entice users to open attached files or click on malicious links.
While the use of COVID-19 in infecting emails wasn't personal, the war between Ukraine and Russia is different, as cybercriminals take sides, with consequences. As an example, the Conti leaks resulted from Conti being attacked and exposed by a pro-Ukraine attacker because of Conti's position in the conflict. On February 25, 2022, Conti published a statement on its website saying it would retaliate with its full capabilities against any enemy's critical infrastructure if Russia became the target of cyberattacks.
On the other side, communities like Anonymous, the IT Army of Ukraine and the Belarusian Cyber Partisans took positions supporting Ukraine.
Freeud, a brand new ransomware variant supporting Ukraine, contains a message in the ransom note saying that Russian troops should leave Ukraine. The ransomware also has wiping capabilities, used when it has been configured with a list of files to wipe.
Other ransomware deployed since the beginning of this conflict has been used to cover up destructive activities: GoRansom and HermeticWiper, or DoubleZero Wiper, to name a few.
Recommendations to protect against ransomware
Some best practices to improve your security are:
- Always keep all software and operating systems updated, on all devices used by the company. This greatly helps against exploitation of common vulnerabilities that could target any system or device.
- Outgoing traffic should be monitored heavily in order to detect large file exfiltration or suspicious network data transfers.
- Deploy security solutions capable of detecting lateral movement. Such movement inside the corporate network is mandatory for the attackers and should be detected at an early stage, to avoid data exfiltration or destruction.
- Security solutions with a focus on ransomware should be deployed, in addition to XDR (eXtended Detection and Response) solutions.
- Provide specific threat intelligence information to your SOC team.
- Deploy email protection/anti-phishing solutions, as ransomware threat actors might use spear phishing to target the company.
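As an added example of what the "monitor outgoing traffic" and "detect lateral movement" recommendations above can look like in practice (this is illustration code written for this article, not tooling from Kaspersky, Trend Micro or any ransomware operator), the following script runs two simple detections over constructed flow and authentication log lines: internal hosts whose cumulative egress to non-RFC 1918 addresses crosses a byte threshold, and accounts that successfully authenticate to many distinct hosts within a short sliding window. The log field layouts, thresholds and window sizes are assumptions chosen for the example; a real deployment would tune them against the organization's own baseline.

```python
"""Toy egress-volume and lateral-movement detections over constructed logs.

Both log formats below are assumptions made for this example (timestamp,
then space-separated fields); they do not match any specific product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp  src_ip  dst_ip  bytes_sent
FLOW_LOG = """\
2022-05-10T09:00:01 10.0.1.15 10.0.1.5 2048
2022-05-10T09:00:05 10.0.1.15 203.0.113.40 734003200
2022-05-10T09:00:07 10.0.1.22 198.51.100.9 512000
2022-05-10T09:01:10 10.0.1.15 203.0.113.40 629145600
2022-05-10T09:02:30 10.0.1.30 10.0.1.5 4096
"""

# Constructed authentication records: timestamp  user  target_host  outcome
AUTH_LOG = """\
2022-05-10T09:00:00 svc-backup FS01 success
2022-05-10T09:00:20 svc-backup WKS-102 success
2022-05-10T09:00:41 svc-backup WKS-103 success
2022-05-10T09:01:02 svc-backup DC01 success
2022-05-10T09:01:30 svc-backup HR-SRV success
2022-05-10T09:03:00 alice WKS-044 success
2022-05-10T09:40:00 alice FS01 success
"""

# RFC 1918 ranges are treated as "inside the corporate network" (assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(log: str) -> dict:
    """Sum bytes sent by each internal host to addresses outside the internal ranges."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _ts, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def flag_exfiltration(log: str, threshold_bytes: int = 500 * 1024 * 1024) -> list:
    """Internal hosts whose cumulative external egress exceeds the threshold (default 500 MiB)."""
    totals = outbound_bytes_per_host(log)
    return sorted(host for host, sent in totals.items() if sent > threshold_bytes)


def flag_lateral_movement(log: str, window: timedelta = timedelta(minutes=5),
                          max_hosts: int = 3) -> list:
    """Accounts that log in successfully to more than max_hosts distinct hosts
    inside any sliding window of the given length."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, user, host, outcome = line.split()
        if outcome == "success":
            events[user].append((datetime.fromisoformat(ts), host))
    flagged = []
    for user, evs in events.items():
        evs.sort()
        for i, (t0, _host) in enumerate(evs):
            # Distinct targets reached within `window` of this event.
            hosts = {h for t, h in evs[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("possible exfiltration from:", flag_exfiltration(FLOW_LOG))
    print("possible lateral movement by:", flag_lateral_movement(AUTH_LOG))
```

On the constructed data, 10.0.1.15 is flagged because its two transfers to 203.0.113.40 add up to roughly 1.3 GiB, while svc-backup is flagged for reaching five hosts in ninety seconds; alice's two logins forty minutes apart stay below the window threshold. The point of splitting aggregation (`outbound_bytes_per_host`) from the decision (`flag_exfiltration`) is that the raw totals can feed a baseline per host, so the threshold does not have to be a fixed number.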
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.