The ransomware threat has been present for years, evolving to try and outpace new security solutions and profit from compromised victims. This evolution continues into 2019: New data shows that the volume of threats seem to have dropped, and the scope of targets has changed. Malware creators have adopted new evasion tactics, refined their objectives, and are experimenting with new distribution methods.
With these new techniques come real costs for victims — ransom payment, repair and restoration, and mitigation costs. In such a volatile threat landscape, what should stay constant are the safeguards against all forms of ransomware. Being aware of new developments, finding the right security, and staying prepared are essential as ransomware continues to be a serious danger to users and enterprises across the world.
What has changed?
Ransomware has typically been spread through spam emails, with other popular distribution methods being malicious URLs hosting ransomware and exploit kits. The main goal was quantity — malware distributors wanted to find the easiest and fastest way to infect as many as possible. But in recent years, cybercriminals have taken a different approach. In 2017, the most infamous and widely spread ransomware, WannaCry and Petya, used the exploit EternalBlue to spread.
In 2019, the use of spam and exploits continues; but attacks have taken a more targeted approach. Unlike with WannaCry, the current ransomware families are targeting and spreading through local networks rather than over the internet. It appears that cybercriminals are aiming for higher-value targets, focusing their efforts on finding a victim and moving laterally through its network. Attackers might deploy RDP brute-force attacks, or leverage an already compromised system to try and look for a valuable target such as the domain controller, and then spread from there.
According to some news outlets, these recent ransomware attacks have had higher payouts per victim, and this is probably because the nature of newer attacks is to infect as many endpoints of a victim as possible. This causes a much bigger disruption for targeted enterprises, motivating them to pay the ransom.
Here are some recent ransomware, and their notable elements:
It was seen introduced into the system via remote code execution of CMD or the system administration tool PsExec, indicating that the attacker was performing lateral movement in the system and perhaps looking for a high-value target in the network.
It was seen being spread via a compromised active directory in the network and may have been the result of a previous infection. The attacker may have intentionally targeted the active directory to spread the ransomware, a tactic not typically seen in ransomware attacks.
The Clop ransomware claimed to target entire networks instead of individual devices.
Reports show that this ransomware spreads via a compromised domain controller within the victim’s network. It drops a core ransomware, a batch file (launcher), and a renamed PsExec (for remote execution) on other computers on the network. It then tries to execute on the infected machines.
Security researchers observed that hackers were able to compromise an enterprise host and gain access to the domain controller. Through this access, they used the enterprise’s systems management software to spread GandCrab across the network.
The GandCrab operators claimed to have earned around US$2 billion from ransomware payments; and with their “success” the team behind the ransomware also announced that they are retiring.
The malware TrickBot was used for lateral movement via the EternalBlue vulnerability and harvested credentials, and the attackers were able to deploy the Ryuk ransomware to as many machines as possible. Another incident shows how attackers gained administrative access and used Powershell to move laterally to infect targets.
Aside from the notable tactics above, these strains of ransomware have also been implementing different techniques to try and evade security solutions. Clop, MegaCortex, and some versions of LockerGoga are digitally signed using valid certificates — giving them a veil of legitimacy and allowing them to enter and operate on some systems. This also indicates that there was a previous compromise or some organizations lost access to their signing keys.
Another technique, used by LockerGoga and MegaCortex, is making use of instance-based encryption. The malware spawns a child process to do the encryption for a limited number of files then terminates and repeats the process. This technique could be a defense mechanism against certain security solutions that might terminate the child process and a way to leave the core ransomware running and able to spawn another child process for the encryption routine.
Figure 1. MegaCortex infection chain
Ransomware in numbers from 2016-2019
Ransomware data collected from 2016 to 2019 shows how ransomware has changed. Broadly, the number of new families has been on the decline but the number of threats seems to be picking up pace again. However, the details of the ransomware families, as well as new techniques that they have been using, present a clearer picture of ransomware in 2019.
Overall ransomware threats
2019 (Jan to Apr)
Table 2. Ransomware threat detections from 2016 to early 2019
Total ransomware threat detections in the first four months of 2019 is almost equal to the total for 2018. A possible reason for the acceleration is that current ransomware is more effective in infecting endpoints as compared to 2018. As discussed above, current ransomware incidents show that cybercriminals are deploying targeted ransomware: They try and attack large enterprises and gain access to the local network. Once in, they try to spread their payload to all connected endpoints. In the past, the ransomware might not have been as successful. In 2018, with increased awareness of the threat and users implementing better security solutions, ransomware might not have gotten past the download stage. Malicious documents from email attachments were likely detected and then blocked.
2019 (Jan to Apr)
Table 3. Comparison of new ransomware families detected from 2016 to early 2019
At the time of writing, there were 40 new ransomware families found in the first four months of 2019. As the year progresses, we might be seeing these families adopt techniques leveraged by widespread ransomware like GandCrab, Clop, LockerGoga, and MegaCortex.
The new tactics being used by ransomware in 2019 are more sophisticated and may need more advanced security solutions. Ransomware like Ryuk, MegaCortex, and GandCrab, which abuse regularly used tools and applications within enterprise networks, can be detected and blocked by deploying a behavior monitoring mechanism on endpoints. This helps prevent and limit data leakage and malware infection by monitoring and blocking malicious behaviors and routines associated with malware, as well as unusual modifications to the OS or software/applications. A good behavior monitoring system looks not only into an application’s behaviors but also anomalies in the process chain, like how Explorer launches Command Prompt to invoke a malicious PowerShell script.
These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).