Yonatan Striem-Amit, CTO, Co-founder, Cybereason, looks at the state of ransomware.
Back in 1989, ransomware made its initial debut by way of 20,000 floppy disks. Dubbed the AIDS Trojan, or the PC Cyborg, the malware was distributed by an evolutionary scientist, Dr. Joseph Popp, to thousands of AIDS researchers. Using simple symmetric cryptography, the malicious code restricted access to files and displayed a directive for a sum of $189 to be sent to a PO Box in Panama. Ransomware has since become much more sophisticated with ransom demands reaching tens of millions of dollars, covertly transferred via cryptocurrency. Among the most dangerous ransomware variants to emerge is Ryuk.
Having evolved from the modified source code of Hermes ransomware, Ryuk emerged in 2018, reaping ransom payments to the tune of US$150mn by early 2021. Typically, the threat actors behind this variant have employed a targeted approach, identifying institutions with critical assets such as government agencies and healthcare establishments. For instance, in September 2020, they brought Universal Health Services, a chain of over 400 US and UK healthcare facilities, to its knees.
The key behind their regrettable success, however, goes beyond their choice of victim. Rather, it is their innovation that has facilitated longevity. Indeed, they have continuously made advancements over the years with their tactics, techniques and procedures (TTPs). Since 2019, for example, TrickBot, Emotet and Ryuk have come almost hand-in-hand, posing as a triple threat.
An advanced banking Trojan, Emotet, had frequently been leveraged as a dropper of other trojans. In other words, it enables other malware to be delivered to a victim’s device and/or systems. In most cases involving Ryuk, Emotet would deliver the TrickBot trojan. TrickBot conducts reconnaissance to determine the value of the network before moving laterally through the network. In short, it attempts to infect as many systems as possible so that when the Ryuk ransomware payload is deployed, the disruption is widespread and the ransom demand can be increased. Equally important to note, is that as it extends its grip across the network, the trojan exfiltrates highly sensitive data and credentials along the way. Therefore, opening two avenues for extortion: not only do organizations lose access to their files through encryption, but the compromised data may be leaked online or sold off to the highest bidder if the ransom is not paid.
In time, however, security solutions and law enforcement caught on to this tactic and have been able to fine-tune their approach to spot the red flags early. Indeed, an international collaborative effort saw Emotet successfully dismantled in January 2020, prompting the threat actors to switch gears again. Within a few months, the BazarLoader Backdoor was introduced to Ryuk’s malicious operations. Unlike TrickBot, Bazar has mastered the art of evasion–utilizing anti-analysis techniques to circumvent detection by loading an encrypted backdoor directly within memory.
In all these cases, phishing emails have been the most common infection vector. While this continues to be the case, Ryuk’s administrators have recently supported similar attacks via phone calls. Otherwise known as “BazarCall,” the campaign attempts to trick victims into believing that a free trial subscription will expire soon and that they will be charged a monthly subscription fee unless they call to cancel. During the call, an operator directs the individual to a malicious web page where they are instructed to download a file that enables macros, facilitating the transfer of malware and eventually providing cybercriminals with hands-on keyboard control of the affected device.
According to Advanced Intelligence, 2021 has also seen a shift towards Remote Desktop Protocol (RDP) compromise, whereby Ryuk operators leverage brute-force or large-scale trial-and-error attempts to guess the credentials of exposed RDP hosts. This is coupled with the use of tools such as Bloodhound and AdFind, which offer an in-depth look into the organization’s Active Directory. That is an overview of the company’s environment, including what users and devices are engaged and their access privileges.
Worse still, the current state of Ryuk appears to have intensified as it adopted worm-like capabilities. Following an analysis by the French national cybersecurity agency, it was discovered that Ryuk has evolved to become increasingly more self-reliant. Instead of depending on other malware to spread across a network, Ryuk has begun to propagate itself.
The business of ransomware has grown exponentially in the last year, impacting thousands of businesses worldwide. Indeed, a recent survey found that 66% of organizations have reported a significant loss of revenue following a ransomware attack and 53% have indicated brand and reputation damage. In addition, an alarming 26% have been forced to shut down their business operations altogether. Considering recent developments and its history of reinvention, Ryuk ransomware shows no signs of slowing down as a prominent threat actor in the market.
- Stopping ransomware attacks before they can take place
- Ransomware surges in, and the data floods out
- Prevention is better than cure: the ransomware evolution
- Kaspersky’s top six tips to avoid ransomware attacks
However, if we have learned anything from the deluge of cyberattacks in 2021 that have made headlines–from Colonial Pipeline and JBS Foods–the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience. Deploying XDR on all endpoints is a great place to start as it will immediately notify attackers that defenders see you, and we consider your unlawful attacks to be hostile acts.
Defenders will also work tirelessly to uncover your identities, your attack methods, and the names of any organizations that fund or otherwise support your activity. Let this be your notice that your next ransomware attack will likely be your last.