Ransomware Landscape Has Adapted and Evolved

Author: Kyle Fedorek

Ransomware attacks have increased manifold over the years and so have the ransom demands. This year-over-year evolution of ransomware threats is primarily attributed to emerging tactics, techniques, and procedures adopted by attackers. Attackers are constantly adapting and getting more creative. They use all their resources to outwith detection and endpoint security put in place. Some even offer 50,000$ plus on underground forums such as exploit.in for certau\in anti-detection methods like reflective dll loading. This shows the lengths the operators will go to and also the money involved. Many high profile attacks have even demanded ransoms in the millions.

Most common intrusion point

According to a report from Group-IB, Remote Desktop Protocol (RDP) was the common point of intrusion for ransomware in 2019. Vulnerable Windows RDP ports were abused in 70-80% of all ransomware attacks in 2019 to gain an initial foothold.
Big-league players like Ryuk, LockerGoga, REvil, MegaCortex, Maze, and NetWalker used open RDP port to sneak into a company’s networks and servers. This can range from exploiting an old windows server bug or simply bruteforcing the RDP credentials of a weak box. Network Admins should create strict lockout policies if you do have to leave the RDP port open to the public. Also complex passwords help as well. They should use password lists like RockYou.txt which is a standard bruteforce dictionary that is used in these types of attacks as a guideline for passwords that should not be used.

Other attack methods

  • The report also highlighted that exploit kits, external remote services, spear-phishing attachments, and valid accounts are other attack techniques used by ransomware operators to gain access to victims’ computers.
  • More advanced ransomware actors rely on supply-chain compromise, exploiting unpatched vulnerabilities in public-facing applications, and compromising managed service providers (MSPs) to obtain access to valuable targets.

Further tactics adopted by attackers

Once attackers gain an initial foothold on targeted computers, they deploy their tools and move to the next stages for establishing persistence, escalating privileges, evading detection, acquiring credentials, mapping the network, stealing files, and then encrypting them.

Evasion techniques evolve

  • Evading detection while continuing to spread the ransomware remains the primary focus of threat actors.
  • Some of the widely used detection evasion techniques include disabling security tools on a victim’s computer, disguising ransomware as legitimate software, and bypassing User Account Control (UAC).
  • However, there are a few ransomware families that have evolved their anti-analysis techniques to spread stealthy across computers. For example, Netwalker operators leverage a reflective DLL Loading technique to improve ransomware’s anti-analysis capabilities. RagnarLocker operators use an Oracle VirtualBox Windows XP virtual machine to hide the ransomware.

Extortion method evolves

Recently, several ransomware actors opted to leak files of victims who failed to fulfill their ransom demands. The trend was started by Maze in November 2019 and later was followed by 12 other ransomware gangs including those behind REvil, Nefilim, DoppelPaymer, CLOP, Pysa, and RagnarLocker. This has become a newer and trending type of extortion some bigger ransomware groups are using as a means to get their victims to pay up. Before the ransom and locking of files they try to ex-filtrate any important or confidential data. This way they have the upper hand and threaten victims with leaking of this said data. REvil has done this recently with a popular celeb lawfirm breach.

Ako ransomware operators went beyond the ‘Name and Shame’ tactic to increase their profits by asking two ransoms: one for decrypting the files and another for not publishing the stolen files.

Final thoughts

Along with the evolution in intrusion and attack methods, there has also been a steep rise in the discovery of new ransomware. With threat actors scaling up their malicious operations with each passing year, it is feared that large companies will face several challenges in protecting their sensitive information and critical assets from ransomware attacks. It seems many new ransomware strains are coming out everyday. As a coder this isnt a very hard thing to accomplish I feel and the whole RaAS has proved to be very lucrative. Ransomware upticks have increased almost 50% in 2020 this year alone. It continues to be the biggest threat.