Published March 10, 2020
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
According to Verizon’s 2019 Data Breach Report, there were 500 reported cases of ransomware incidents in 2019. Most were delivered via email. Office documents were the most common attachments at 45%, although .zip and .rar archives were being used to bypass corporate security systems. Here are some of the most active types of ransomware of 2019.
1. STOP (DJVU)
Ransomware developers have teamed up with questionable websites to distribute STOP. These sites promote free programs that install adware bundles of unwanted software along with the STOP ransomware. STOP encrypts like any other ransomware, appends an extension, and drops a ransom note. The problem is the number of variants that have been released. More than 160 variants have been identified so far. The number of variants makes it impossible for researchers to provide a solution, so users are left paying the ransom of $490 that doubles after 72 hours unless they have taken precautions.
First, remove STOP carefully, as it can alter the Windows Registry, create new keys, or install additional malicious files. Once removed, you can attempt to recover the files by restoring backups. You can try to decrypt files if you do not have backups, but as indicated previously, the number of variants makes it difficult to ensure the files can be saved.
2. Dharma
Although Dharma can be distributed through malicious spam or compromised downloads, the most used method exploits weaknesses in remote desktop protocol (RDP) credentials. Hackers may use brute force, but most buy already leaked credentials or conduct credential stuffing attacks. Some hackers attempt to acquire credentials through social engineering tactics.
Once inside, hackers can escalate privileges or create a back door for later use. The ransom note follows standard ransomware protocols; however, the ransom is usually less than $25,000 (US). Dharma targets specific industries, especially healthcare and government organizations.
Remove the ransomware first, then see if decryptor tools are available for the Dharma variant. Decryptors do not exist for the latest versions of Dharma, although they do exist for earlier variants.
3. Phobos
Phobos appeared in December of 2019 and is based on the Dharma family of ransomware. Phobos may differ from Dharma in areas such as file extensions, but the methods, ransom notes, and communication tactics are almost identical. To protect against Phobos, use the same methods as recommended to guard against Dharma. As with the latest variants of Dharma, no decryptor tool exists for Phobos attacks.
4. GlobeImposter
GlobeImposter uses Word or Excel attachments with macros that run in the background once the user opens the document. You can attempt to remove GlobeImposter, but no decrypting tools exist for version 2.0.
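Because the GlobeImposter lure is a macro-bearing Office attachment, the check a mail gateway or analyst wants is "can this file carry VBA at all?", decided from the file contents rather than the extension. The following PowerShell is an added example written for this page; it is not code from the Kiuwan post. It assumes PowerShell 5.1 or later with the .NET `System.IO.Compression` assembly available, and it builds its own constructed sample file (a .docx-shaped zip that contains a `vbaProject.bin` part, the shape a renamed macro-enabled document has) so it runs offline against nothing real.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeAttachmentMacro {
    # Reports whether an Office attachment can carry VBA macros, judged from
    # the container contents, not just the file extension.
    param([Parameter(Mandatory)][string]$Path)

    $ext    = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $result = [pscustomobject]@{ Path = $Path; MacroCapable = $false; Reason = '' }

    # Legacy binary formats keep VBA in OLE streams; flag them without parsing the compound file.
    if ($ext -in '.doc', '.dot', '.xls', '.xlt') {
        $result.MacroCapable = $true
        $result.Reason       = 'legacy binary Office format (macro-capable)'
        return $result
    }

    # OOXML files are zip containers; a VBA project is stored as word/vbaProject.bin, xl/vbaProject.bin, etc.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $vba = $zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' } | Select-Object -First 1
            if ($vba) {
                $result.MacroCapable = $true
                $result.Reason       = "contains $($vba.FullName)"
                # A VBA part inside a .docx/.xlsx/.pptx means a macro file was renamed to look harmless.
                if ($ext -in '.docx', '.xlsx', '.pptx') { $result.Reason += " despite non-macro extension $ext" }
            } else {
                $result.Reason = 'no VBA project part found'
            }
        } finally {
            $zip.Dispose()
        }
    } catch {
        $result.Reason = "not a readable OOXML container: $($_.Exception.Message)"
    }
    return $result
}

# Constructed sample (not a real malicious document): a minimal .docx-shaped zip that
# carries a vbaProject.bin part, which is what a renamed macro-enabled file looks like.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed_invoice.docx'
if (Test-Path $sample) { Remove-Item $sample -Force }
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    foreach ($part in '[Content_Types].xml', 'word/document.xml', 'word/vbaProject.bin') {
        $archive.CreateEntry($part) | Out-Null
    }
} finally {
    $archive.Dispose()
}

Test-OfficeAttachmentMacro -Path $sample | Format-List
```

The function only answers whether the file is macro-capable; it does not try to judge what the macro does. In a gateway pipeline that is usually the right granularity: quarantine or strip anything that can carry VBA from external senders, and let the exceptions be explicit allow-listing rather than content heuristics.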
5. GandCrab
In June of 2019, the people behind GandCrab said the ransomware as a service (RaaS) project would be closing. Claiming earnings of more than $150 million (US), the group said they were taking a well-deserved retirement. The authors indicated that the decryption keys would be deleted, meaning that victims without backups could not retrieve their data.
A decryption tool for version 5.2 of GandCrab was released through law enforcement. Despite its closure, GandCrab was one of the most common forms of ransomware in 2019.
6. REvil
Appearing the month before GandCrab’s closure, REvil seems to be GandCrab’s replacement. It shares code with GandCrab and follows the same RaaS pattern of delivery. REvil can exfiltrate data before encryption, giving hackers another avenue for collecting a ransom. Criminal actors threaten to publish or release data if the ransom is not paid.
Because REvil operates as a RaaS, attackers can fine-tune the payload using configurable options such as:
- Exploit vulnerabilities to elevate privileges
- Terminate blacklisted processes and wipe blacklisted folders
- Exfiltrate basic information
REvil is distributed through malicious spam emails and RDP attacks. As of now, no decrypting tool is available for REvil.
7. Troldesh
Hackers send malicious emails during non-working hours with attachments disguised as .zip or .rar archive files. The necessary security codes, such as passwords, are included or sent as a separate email. When opened, Troldesh operates like most ransomware by encrypting files and demanding a ransom. Newer versions of Troldesh appear to mine cryptocurrency and create false traffic on websites for ad-fraud.
Troldesh is sold or rented and is updated continuously to add new functionality. Decryptor tools may be available for some variants of the malware.
8. Ryuk
According to the Center for Cyber Security, Ryuk was THE threat in the Fall of 2019. Ryuk, a derivative of Hermes, targets enterprise environments. Since its appearance in August, it has netted close to $4 million (US). Ryuk is often the last piece of malware dropped in an infection cycle that starts with TrickBot.
Once Ryuk is active, it deletes the initial malware and begins to compromise processes such as remote access. With access to shadow services, it deletes all shadow copies, including those used by third-party applications. The presence of multiple malware infections only complicates recovery, making it difficult to restore systems to a pre-infected state. Ryuk will also delete multiple files with backup-related extensions as well as any backups on the infected machine or network. Without an external backup that is stored offline, it is nearly impossible to recover from a Ryuk attack.
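The shadow-copy deletion described above is one of the few loud steps in a Ryuk infection, and it happens before the encryption finishes, so it is worth alerting on. The PowerShell below is an added example written for this page, not code from the Kiuwan post or from any vendor: it runs a small set of detection patterns over process-creation records. The `$SampleEvents` array is constructed here so the block runs offline; the field names (`TimeCreated`, `Computer`, `User`, `ParentImage`, `CommandLine`) are an assumed normalised shape that you would fill from Security event 4688 (with command-line auditing enabled) or Sysmon event 1.

```powershell
# Detection patterns for the backup-destruction step: built-in Windows tools being told
# to remove or shrink Volume Shadow Copies, or to remove backup catalogs.
$ShadowCopyPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',   # shrinking storage evicts existing copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)'
)

function Find-ShadowCopyTampering {
    # Emits one finding per event whose command line matches a pattern.
    # -match is case-insensitive in PowerShell, so mixed-case invocations are caught.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $rule = $ShadowCopyPatterns | Where-Object { $e.CommandLine -match $_ } | Select-Object -First 1
        if ($rule) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.Computer
                User        = $e.User
                ParentImage = $e.ParentImage
                CommandLine = $e.CommandLine
                Rule        = $rule
            }
        }
    }
}

# Constructed sample records (not real telemetry). The benign svchost and backup-agent
# lines are there to show the patterns do not fire on ordinary activity.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2019-10-02T02:13:44'; Computer = 'FS01'; User = 'NT AUTHORITY\SYSTEM'
                       ParentImage = 'C:\Windows\System32\services.exe'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' },
    [pscustomobject]@{ TimeCreated = '2019-10-02T02:13:50'; Computer = 'FS01'; User = 'CORP\svc_backup'
                       ParentImage = 'C:\Program Files\BackupAgent\agent.exe'; CommandLine = 'vssadmin.exe list shadows' },
    [pscustomobject]@{ TimeCreated = '2019-10-02T02:14:01'; Computer = 'FS01'; User = 'CORP\jdoe'
                       ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\update.exe'; CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' },
    [pscustomobject]@{ TimeCreated = '2019-10-02T02:14:02'; Computer = 'FS01'; User = 'CORP\jdoe'
                       ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\update.exe'; CommandLine = 'wbadmin DELETE CATALOG -quiet' }
)

Find-ShadowCopyTampering -Events $SampleEvents | Format-Table -AutoSize

# Live use: map the event properties into the same shape, e.g. from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 }
# and pipe the result into Find-ShadowCopyTampering.
```

Two of the four constructed records fire (the `Delete Shadows` and `DELETE CATALOG` lines); `vssadmin list shadows` from the backup agent does not. The parent image is carried through deliberately: a legitimate backup product will occasionally run these commands from its own service binary, so the useful alert condition is "shadow copies deleted by a process that is not the backup agent", not the command alone.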
Ransomware Attack Prevention
The first step in responding to any ransomware attack is to contain it. Once contained, encrypted files may be analyzed for potential recovery.
To prevent ransomware attacks, consider the following:
- Lock down RDP with strong passwords
- Enable network-level authentication
- Limit the number of people given remote access
- Maintain an offline backup of data
- Train employees on cybersecurity tactics
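The first three items on that list (RDP, network-level authentication, limiting remote access) can be audited on a single Windows host from PowerShell. The script below is an added example written for this page, not code from the Kiuwan post; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1+, an elevated session, and that RDP listens on the default `RDP-Tcp` listener. The `-AllowedSources` default of `10.0.0.0/8` is a constructed placeholder to replace with your own management or VPN ranges. Without `-Enforce` the function only reports; with it, it turns on NLA and restricts the inbound RDP firewall rules to the given sources.

```powershell
#Requires -RunAsAdministrator

function Get-RdpHardeningReport {
    param(
        [switch]$Enforce,
        [string[]]$AllowedSources = @('10.0.0.0/8')   # constructed placeholder: replace with your admin/VPN ranges
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # Is RDP enabled at all, and is Network Level Authentication required before a session is created?
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nlaOn      = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication -eq 1
    $secLayer   = (Get-ItemProperty -Path $tcpKey -Name SecurityLayer).SecurityLayer   # 2 = TLS required

    # Who may connect: the fewer members of Remote Desktop Users, the smaller the credential-stuffing surface.
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name)

    # Is the inbound RDP firewall rule open to any source address?
    $fwRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    $openToAny = @($fwRules | Where-Object { $_.Enabled -eq 'True' } |
                   Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' }).Count -gt 0

    # Password and lockout policy as reported by the OS; "Lockout threshold: Never" means brute force is never throttled.
    $policy = (net accounts) -match 'Lockout threshold|Minimum password length'

    if ($Enforce) {
        if (-not $nlaOn) {
            Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'" |
                Invoke-CimMethod -MethodName SetUserAuthenticationRequired `
                                 -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
            $nlaOn = $true
        }
        if ($openToAny -and $fwRules) {
            $fwRules | Set-NetFirewallRule -RemoteAddress $AllowedSources
            $openToAny = $false
        }
    }

    [pscustomobject]@{
        RdpEnabled              = $rdpEnabled
        NetworkLevelAuth        = $nlaOn
        TlsSecurityLayer        = ($secLayer -eq 2)
        RemoteDesktopUsersCount = $rdpUsers.Count
        RemoteDesktopUsers      = ($rdpUsers -join ', ')
        RdpFirewallOpenToAny    = $openToAny
        PasswordAndLockoutPolicy = (($policy | ForEach-Object { $_.Trim() }) -join '; ')
    }
}

# Read-only report; add -Enforce (and a real -AllowedSources list) to apply the two fixes.
Get-RdpHardeningReport | Format-List
```

The report is meant to be run fleet-wide through your remoting or management tooling and diffed over time: a host whose `RdpFirewallOpenToAny` flips to true, or whose `RemoteDesktopUsersCount` grows, is exactly the drift that the Dharma and REvil RDP campaigns described above depend on. Exposing RDP only behind a VPN or gateway, and keeping the offline backup from the fourth item, are the two controls the script cannot check for you.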
Cyber attack vectors are constantly evolving. Contact us for SAST and SCA solutions to build more secure applications.