In 2022, ransomware is no less active than before: cybercriminals continue to threaten nationwide retailers and enterprises, old malware variants return while new ones develop, according to a new Kaspersky report.
Ransomware tries to be as adaptive as possible
Big Game Hunting
Under the Big Game Hunting (BGH) model, ransomware threat actors penetrate increasingly complex environments. As a consequence, they must deal with a wide variety of hardware and operating systems, and therefore need to be able to run their malicious code on many combinations of architectures and operating systems.
To achieve that goal, some ransomware developers have chosen to write their code in cross-platform programming languages such as Rust or Golang. As an interesting side note, Kaspersky mentions that such cross-platform code is also more difficult for defenders to analyze than code written in plain C, for example.
Conti affiliates make use of different ransomware versions. A few Conti affiliates have access to a Linux variant of the malware that targets ESXi systems.
BlackCat ransomware is written in Rust, which makes it easier to compile it on different platforms. According to Kaspersky, it did not take long after the appearance of the Windows version of BlackCat to see a Linux version pop up. The Linux version is very similar to the Windows version, with slight changes to adapt to Linux: the command execution using cmd.exe on Windows has been replaced by the Linux equivalent. Also, the Linux version is capable of shutting down the machine and deleting ESXi virtual machines (VMs).
DeadBolt is another example. This ransomware is written as an interesting combination of Bash, HTML and Golang, giving it cross-platform functionality, although it only targets QNAP and ASUSTOR NAS appliances.
Ransomware ecosystem becomes more “industrialized”
Ransomware threat actors, just like any software company, are constantly evolving in an attempt to make it all quicker and easier for themselves and their customers/affiliates.
Lockbit has been a very successful ransomware-as-a-service (RaaS) that has shown constant evolution over the years. Starting in 2019, it quickly evolved to welcome affiliates in 2020, and developed a leak portal, a double extortion scheme and data exfiltration before data encryption. Aside from the constant development of functionality and ease of use, the infrastructure also improved over time to be more resilient against attacks and DDoS attempts directed at it.
The StealBIT exfiltration tool is another striking example of this industrialization stage. While cybercriminals initially used only publicly available tools to exfiltrate data, they developed their own tool in order to be detected less often and to greatly improve the data transfer rate. The tool is also able to exfiltrate only selected files, based on their file extensions. Finally, it contains an affiliate tracking number that is sent when the data is exfiltrated.
Recommendations to protect against ransomware
Some best practices to improve your security are:
- Always keep all software and operating systems updated, on all devices used by the company. This greatly helps against common vulnerability exploitation that could target any system or device.
- Outgoing traffic should be monitored heavily, in order to detect the exfiltration of large files or suspicious network data transfers.
- Deploy security solutions capable of detecting lateral movement. Such movement inside the corporate network is a necessary step for the attackers and should be detected at an early stage, to avoid data exfiltration or destruction.
- Security solutions with a focus on ransomware should be deployed, in addition to XDR (eXtended Detection and Response) solutions.
- Provide specific threat intelligence information to your SOC team.
- Deploy email protection/anti-phishing solutions, as ransomware threat actors might use spear phishing to target the company.
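As an added illustration of the outgoing-traffic monitoring recommendation above (example code written for this page, not from the Kaspersky report), the following Python aggregates constructed flow records per internal-to-external pair and flags upload-heavy pairs above a byte threshold. The flow log format, the RFC 5737 documentation addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not from the article):
# timestamp source destination bytes_out bytes_in
SAMPLE_FLOWS = [
    "2022-05-10T02:14:01 10.0.0.15 203.0.113.9 2147483648 40960",
    "2022-05-10T02:15:07 10.0.0.15 203.0.113.9 1073741824 20480",
    "2022-05-10T09:03:44 10.0.0.22 198.51.100.5 52428800 104857600",
    "2022-05-10T09:10:12 10.0.0.22 198.51.100.6 4096 65536",
    "2022-05-10T11:30:00 10.0.0.15 10.0.0.40 5368709120 1024",
]

# Assumed corporate address space (RFC 1918 ranges)
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse_flow(line):
    ts, src, dst, out_b, in_b = line.split()
    return {"ts": ts, "src": src, "dst": dst, "out": int(out_b), "in": int(in_b)}

def find_exfil_candidates(lines, min_bytes=1 * 1024**3, min_ratio=10.0):
    """Aggregate outbound bytes per (internal src, external dst) pair and flag pairs
    that both exceed min_bytes and send far more than they receive (upload-heavy)."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        f = parse_flow(line)
        # Only internal -> external traffic is a candidate for data exfiltration;
        # internal -> internal volume belongs to a lateral-movement detection instead.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        t = totals[(f["src"], f["dst"])]
        t["out"] += f["out"]
        t["in"] += f["in"]
    alerts = []
    for (src, dst), t in totals.items():
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= min_bytes and ratio >= min_ratio:
            alerts.append({"src": src, "dst": dst, "bytes_out": t["out"], "ratio": round(ratio, 1)})
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)

if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['bytes_out']} bytes out (out/in ratio {a['ratio']})")
```

On the constructed records only the 10.0.0.15 -> 203.0.113.9 pair is flagged; the large internal transfer is deliberately left to a separate lateral-movement check.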