Business Continuity Management / Disaster Recovery , Endpoint Security , Fraud Management & Cybercrime

Ransomware Keeps Ringing in Profits for Cybercrime Rings

SamSam, Dharma, GandCrab and Global Imposter Make for Ongoing Bitcoin Paydays
Ransomware Keeps Ringing in Profits for Cybercrime Rings
Ransom note on a PC infected by GandCrab (Source: Malwarebytes)

Criminals continue to earn an illicit payday - at victims' expense - thanks to crypto-locking ransomware, security experts and cyber insurance firms warn.

See Also: Preparing for New Cybersecurity Reporting Requirements

One insurer says it's seen the number of cyber insurance claims for ransomware increase in recent months.

From July to September, security researchers counted at least 39 new types or variants of ransomware. (Source: Malwarebytes)

"In September, our insureds were hit particularly hard, with notifications to Beazley of ransomware attacks more than doubling relative to August," Beazley Breach Response Services, which is part of London-based insurance business Beazley, says in a blog posted on Thursday. "It is unclear if this spike will continue, as up until September the overall number of ransomware incidents in 2018 have been holding steady with 2017 numbers."

Barriers to entry for would-be ransomware users remain low, enabling attackers with scant technological ability or knowledge to make use of ransomware as a cybercrime revenue stream (see: Why Cybercrime Remains Impossible to Eradicate).

Ransomware called Kraken Cryptor, for example, gets distributed as part of an affiliate arrangement that allows "partners" to sign up for $50, receive customized versions of the ransomware with their preset ransom amount that they distribute. In return, they agree to automatically remit 20 percent of every ransom paid to Kraken's development team. Information security firms say such ransomware tends to be distributed via spam or phishing attacks (see: Crypto-Locking Kraken Ransomware Looms Larger).

Advanced Attackers: SamSam

Consumer/business ransomware detections from January 2018 to September 2018. Note: Vertical axes have different units of measurements. (Source: Malwarebytes)

But experts also continue to track a number of more advanced - and targeted - campaigns in a shift away from consumers and toward business targets (see: SamSam Ransomware Offers Volume Decryption Discount).

Security firm Symantec says that as of last week, it counted 67 attacks that infected global organizations with SamSam ransomware. Strains of the ransomware have been linked to the March attack against the city of Atlanta. The city declined to pay the ransom and said incident response and security overhaul costs could hit $17 million.

SamSam was also tied to a February attack against the Colorado Department of Transportation, leading to state officials opting to take more than 2,000 systems offline. The state said it did not pay the ransom, and it budgeted up to $2 million for cleanup costs.

Hardest Hit: Healthcare

SamSam attacks target all sectors, but Symantec says that healthcare was the hardest hit, accounting for one-quarter of all successful attacks. It also notes that 56 of the 67 attacks it saw targeted U.S. firms, with a small number of attacks against targets in Portugal, France, Australia, Ireland and Israel.

Beazley says that based on claims made by cyber insurance policyholders, healthcare remains the sector hardest hit by ransomware, accounting for about one-third of all claims. "In the first nine months of 2018, 71 percent of ransomware incidents handled by BBR Services impacted small and medium-sized businesses," Beazley says.

In general, attackers wielding Ryuk and BitPaymer ransomware demand the biggest ransoms, Beazley says.

Ransom Demands: Bitcoin, Please

Ransomware response firm Coveware, based in Westport, Connecticut, says that 98 percent of the ransomware attacks to which it responded in the third quarter involved ransom demands payable in bitcoin. A small number demanded payment in dash or other cryptocurrencies with additional privacy features.

Coveware says the average ransom paid by firms that it worked with was about $6,000, although that was sometimes lower than the initial amount that a ransomware gang demanded. The firm declined to say how many firms it had worked on behalf of to resolve ransomware issues. "Because we are a young private company in a competitive industry, we do not publish case volume," CEO Bill Siegel tells Information Security Media Group. "I can tell you that the number is large enough to be more than statistically significant."

In the third quarter of this year, Coveware says the average ransom paid to attackers was $5,974. (Source: Coveware)

Coveware says that from July through September, the most common ransomware attacks that it tracked were Dharma/CrySiS, GandCrab and Global Imposter.

Cryptomining: Still a Threat

Warnings about the ongoing threat posed by ransomware come despite many attackers shifting to malware designed to mine for virtual currency by surreptitiously using an infected PC or server's CPU cycles.

In September, Europol - the EU's law enforcement intelligence agency - warned that while "cryptomining malware is expected to become a regular, low-risk revenue stream for cybercriminals," ransomware continues to remain "the key malware threat" being seen by both law enforcement agencies and information security firms (see: Cybercrime: 15 Top Threats and Trends).

"Broadly speaking, we've seen ransomware as one of the dominant forms of attack throughout the last year, though it's starting to slow down a little and lose something in terms of innovative attacks," Christopher Boyd, lead malware intelligence analyst at security firm Malwarebytes, told ISMG in September.

RDP: Often Brute-Forced

Some gangs and individuals continue to distribute ransomware shotgun style, pummeling thousands of targets with spam and phishing emails that carry attached malware downloaders.

But security experts say some operators, including the gang behind SamSam, are more advanced. "The SamSam group's modus operandi is to gain access to an organization's network and spend time performing reconnaissance by mapping out the network before encrypting as many computers as possible and presenting the organization with a single ransom demand," Symantec's Security Response Attack Investigation Team says in a blog post.

All SamSam ransom notes feature the word "sorry" somewhere in their ransom demand, Malwarebytes says.

Incident response firms say groups such as SamSam often access targeted networks by either brute-forcing their way into systems that have remote desktop protocol enabled or purchasing RDP credentials that have been stolen or hacked by others.

In the right hands, RDP is a legitimate tool. But when attackers gain access to it, RDP provides easy, remote and often persistent access to an organization's network.

"In July 2018, Samsam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company," the FBI's Internet Complaint Center, IC3, says in an RDP alert published in September. "The ransomware was able to encrypt thousands of machines before detection."

Attackers can purchase hacked RDP credentials via cybercrime marketplaces (see: How Much Is That RDP Credential in the Window?). And the FBI says attackers are increasingly opting to do so.

"Remote administration tools ... as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP access," IC3's September alert states. "Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the internet to compromise identities, steal login credentials and ransom other sensitive information."

Examples of RDP threats (Source: FBI's Internet Complaint Center)

Coveware says that while it does not perform the digital forensics part of a ransomware incident response, more than 90 percent of the attacks that it saw from July to September appeared to involve attackers gaining access to an organization's network via RDP.

Given the danger of RDP attacks and difficulty of spotting them, the FBI says organizations should consider disabling the protocol if it's not required. Otherwise, it says organizations should avoid using weak passwords and outdated versions of RDP, not allow unrestricted access to RDP ports - TCP 3389 is the default - as well as block unlimited access attempts.

More Legitimate Tools: Suborned

After gaining access to a network, an attack group may use legitimate administrator tools to disguise their reconnaissance and infection activities.

Symantec says that in a February SamSam attack it investigated, attackers gained access to an organization's network, used PsInfo - a legitimate Microsoft tool - to study the network and ran the freely available hacking tool Mimikatz to steal passwords from some systems. Two days later, attackers returned and installed two versions of SamSam - likely one was a backup, in case the other got detected - and one hour later, it was pushed out to about 250 other systems using another legitimate Microsoft tool called PsExec. About five hours later, all of the affected systems had been cryptolocked.

These tactics have been previously seen in attacks attributed to nation-states, Symantec says. For example, the NotPetya malware outbreak that began in June 2017 and was attributed to Russia, had the ability to spread via PsExec as well as to use Mimikatz to steal passwords (see: Maersk Previews NotPetya Impact: Up to $300 Million).

Backups: Keep Them Disconnected

Besides keeping their anti-virus systems updated, security experts say it's essential for all firms to also maintain up-to-date, disconnected backups. Doing so can help them to rapidly wipe and restore any systems that suffer a crypto-locking malware infection.

In some cases, infected organizations may get lucky if they get hit by a strain of crypto-locking malware for which a free decryptor is available (see: Fresh GandCrab Decryptor Frees Data for Free).

Organizations that need to recover quickly, or which have no one other options except seeing crypto-locked data get lost, sometimes do the math and opt to pay attackers a ransom for the promise of a decryption key (see: Connecticut City Pays Ransom After Crypto-Locking Attack).

But information security experts warn that paying attackers directly funds further ransomware attacks, may lead attackers to launch further attacks against the organization and is no guarantee that the victim will either receive a decryption key - or that it will work (see: Please Don't Pay Ransoms, FBI Urges).

Cybersecurity services firm Kivu in May warned that it had seen an increase in poorly coded ransomware that left at least some crypto-locked data unrecoverable. In particular, it reported seeing problems with such strains as Rapid, Triple M, Sigma, Thanatos, Mamba and BitPaymer.

In the case of Rapid, for example, the encryption process used by the ransomware left simpler file types recoverable, but irrevocably damaged more complex types of files. "The initial encryption process permanently corrupts SQL databases, email folders and virtual drives. These will remain partially or completely corrupted even after the attackers' decryption tools are run," Kivu reported. "At a minimum, even if you pay a ransom - typically 1 bitcoin - you're looking at extensive restoration of the corrupted files, which can take weeks."

Infection: May Mask Bigger Problems

Organizations hit by ransomware may also only be seeing the final stages of a more long-running attack. Before systems get crypto-locked, attackers may have already ransacked an organization's systems for monetizable information.

"We have seen cases where the RDP endpoint has been compromised by a different threat actor and access to the compromised site maintained for a period of weeks before being used for a ransomware attack," incident response expert David Stubley, CEO of cybersecurity testing and consultancy firm 7 Elements in Edinburgh, Scotland, has told ISMG. "Presumably they sold access once finished with whatever they wanted from the compromised server or environment."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.