Ransomware: A Mid-Year Summary

By Alan Rainer

Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting.

Ransomware Is Down Holistically, But Targeted Infections Are Up

Threat actors find that targeted ransomware attacks against high-value victims can be accomplished with greater efficiency, enabled by other malware families such as Emotet/Geodo. These secondary malware families provide an effective attack vector that increases the success of phishing attempts and targeted ransomware campaigns. Emotet—an email-borne Trojan which actors use to install other nefarious tools—has gone offline with no activity since June 2019. If the Trojan were to resurface, we assess that threat actors could rather easily carry out more email ransomware attacks on a broader scope. Without the efficiency provided by Emotet or even a Ransomware-as-a-Service such as GandCrab (which has supposedly shut down permanently), targeted infections continue to be the more lucrative option for ransomware operators.

Recent headlines have drawn attention to exceptionally costly targeted ransomware attacks against local US governments, healthcare services, and the transportation sector. Also spurring great debate: cyber insurance companies are recommending payment of ransom and are directly contributing to those payments as part of their insurance coverage. Taking this into account— along with the hefty price tags associated with the recovery costs of cities who have not elected to pay the ransom, such as Atlanta and Baltimore—Cofense Intelligence™ assesses this could lead to an uptick in ransom payments and further embolden an increase in targeted ransomware campaigns.

Only last week, the cyber insurer of La Porte County in Indiana contributed $100,000 toward an equivalent of $130,000-valued Bitcoin demand. The firm advised La Porte County to pay the threat actors, who infected local networks using the Ryuk ransomware. Similar stories have emerged across the United States. What remains to be seen is how effective recovery is following payment. Often, decryption is not as immediate or successful as ransomware operators would have their victims believe.

Will Cyber Insurance Create New Targets?

It makes sense that organizations seek indemnity to protect their financial portfolios. But while everyday scams or fraud occur in a traditional insurance setting, cyber criminals may look to specifically target insured organizations for a guaranteed return in the future. Cyber insurance companies known to pay out ransom could present a surefire target for actors.

Regardless of targeting potential, all organizations should engage in appropriate planning and preparation with defense technology and user awareness. Threat intelligence will help to ensure that your organization’s defense is as proactive as possible. Educating and enabling your users to identify and report phishing messages ensures preparedness at every line of defense. As an industry leader in phishing defense solutions, CofenseTM provides security professionals with tools and skills to combat email-borne threats, so that you can defend against even those threats that bypass your perimeter technologies and reach user inboxes. Only by stepping up our collective defense will we reduce the efficacy and proliferation of ransomware campaigns for good.

More Ways Cofense Can Help

Cofense IntelligenceTM processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Sigma Ransomware Resurfaces Following a Three-Month Disappearance

Cofense Intelligence™ uncovered a resurgent Sigma ransomware campaign on March 13, 2018 following a noted three-month hiatus of the malware. Although many aspects of this campaign—including its anti-analysis techniques—are consistent with previously analyzed Sigma samples, its return is in and of itself atypical.

New Name, Same People, Stronger Balance Sheet

Rohyt Belani, CEO & Co-founder, Cofense

So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products. 

PhishMe is now Cofense.

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name phishme.com into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.

BadRabbit is not Petya. But…

Petya. NotPetya. Now BadRabbit. Ransomware keeps evolving and wreaking havoc worldwide.

There’s no evidence that phishing emails have delivered Bad Rabbit, the new ransomware strain which hit Russian, Eastern European and some U.S. networks this week. But nonetheless at PhishMe, BadRabbit has caught our eye.

Petya-like Ransomware Triggers Global Crisis with Echoes of WannaCry Attack

For the second time in as many months, networks around the world have been attacked using a worming ransomware that gains new infections by exploiting a recently-patched Windows SMB vulnerability among other proven techniques. What has been described a ransomware bearing significant similarities to the Petya encryption ransomware ravaged numerous companies and networks around the world with disproportionate impact in Ukraine and Eastern Europe but also inflicted harm to significant numbers of victims in Western Europe and North America.

WannaCry Highlights an Evolving Threat Landscape

The WannaCry ransomware incident has galvanized global media coverage and dominated discussion among information security professionals since Friday, May 12. The speed with which this malware was able to spread within enterprise networks and how rapidly so many large organizations were impacted is unsettling. Yet, as the dust begins to settle, it is clear that this episode has left a number of lessons in its wake–lessons to be harnessed by defenders and their adversaries.

While this attack is an expansive topic that will continue to evolve as more discoveries are made about the impact, origin, and spread of the WannaCry ransomware, it is also important to keep in mind that WannaCry is one of three major incidents to arise in the past month. Lessons provided by WannaCry are only deepened by the additional context of the fake Google Docs malicious cloud application incident of May 4, 2017 and the introduction of the Jaff encryption ransomware on May 11, 2017. First and most obvious, both Jaff and WannaCry show that the ransomware business model is far from obsolete. There is still a great deal of value to threat actors in holding data for ransom. Second, the novel attack vectors for WannaCry and the fake Google Docs cloud application show that innovation in leveraging new attack surfaces is happening among threat actors. The challenge for defenders is to internalize these revelations and develop an agile security posture that incorporates defense against existing risks and emergent attack vectors.

Figure 1 – WannaCry combined classic ransomware elements with powerful propagation potential

The explosive growth of ransomware in 2016 marked a dramatic shift in how many threat actors monetize phishing attacks. While certain ransomware tools were delivered using other mechanisms, tools like Locky and Cerber set the tone for the ransomware business model. These ransomware tools were delivered by massive numbers of phishing email to reach the largest number of victims. This business model has been once again put into action by the Jaff encryption ransomware following its debut just one week ago on May 11, 2017. However, the worm functionality demonstrated by WannaCry puts a unique spin on that model by reducing the infrastructure and resource expenditure necessary for the threat actor to maximize their ability to infect new hosts. The goal for both Jaff and WannaCry threat actors is still to reach as many victims as possible to maximize the number of potential ransom payments, lending credence to the notion that ransomware is far from obsolete as an avenue for online crime.

Figure 2 – Jaff relies on commonplace and familiar phishing narratives to infect victims

Figure 3 – Although a new ransomware, Jaff brings few new features to the table

While the propagation mechanisms of the fake “Google Docs” application that made headlines on May 4, 2017 and the WannaCry ransomware worm differ dramatically, both show that virulence is an important aspect of their overall strategy. Furthermore, each of these incidents shows a significant level of innovation by harnessing relatively new attack vectors. The fake “Google Docs” incident took advantage of users’ reliance on cloud services to propagate while WannaCry leveraged a vulnerability only recently disclosed and made public. However effective these attacks were in their own right, the long-term impact will be the future attacks inspired by these innovations. Whether the payload is a ransomware or some other category of malware, threat actors are watching and learning from these attacks. Furthermore, neither innovation is exclusive of the use phishing email as a means for making a “first contact” with a victim as was the case with the fake “Google Docs” application. By combining these promising innovations with a tried-and-trusted attack vector, threat actors will continue to gain access to enterprise data and hold it for ransom.

Figure 4 – Phishing email was used as a vector for attacking cloud infrastructure using a fake Google Docs web application

The high profile events of the past month have provided some indication that threat actors are quickening the pace of innovation and looking to combine these innovations with existing attack models. Both phishing and the ransomware tools delivered via phishing emails have proven very successful for threat actors and continued use of both can be expected. However, as threat actors learn from events like those from the past month it can be expected that they will attempt to implement their own versions using creative re-combinations of these techniques to launch attacks of their own.

To anticipate and mitigate these new attack vectors, those tasked with defending enterprises must adapt their security posture to changing paradigms. It is important to ensure there are agile defense and response processes that incorporate protections for multiple attack surfaces and at various stages of the attack life cycle. This effort begins with the basics of regular patching and network hygiene. It also requires the anticipatory education and empowerment of email users to engage with messages critically and act on suspicions, reporting potentially-malicious emails to the enterprise’s defenders. These internal reports can then be compared to external observations and intelligence reporting to identify the most immediate risks to an organization. The threat landscape is evolving, but in the face of robust, holistic, and human-centered defense strategies, attackers can be overcome.

Learn why more than half of the Fortune 100 trusts PhishMe® for end-to-end phishing mitigation. Request a free demo today, no obligations, no software to install.

In the Shadow of WannaCry, Jaff Ransomware Arrives Using Familiar Phishing Techniques

Adding another entry to the ever-growing list of encryption ransomware, the Jaff Ransomware made its debut onto the threat landscape with large sets of phishing emails on May 11, 2017 – one day before the sensational impact of the WannaCry ransomware attack. However, the risks posed by the Jaff ransomware should not be overlooked. This, too, is a robust ransomware that leverages some of the most prolifically-used delivery mechanisms in phishing email and embodies characteristics associated with other very successful malware.

Locky Stages Comeback Borrowing Dridex Delivery Techniques

The ransomware that defined much of the phishing threat landscape in 2016 raged back into prominence on April 21, 2017 with multiple sets of phishing email messages. Harkening back to narratives used throughout 2016, these messages leveraged simple, easily-recognizable, but perennially-effective phishing lures to convince recipients to open the attached file.

How Dridex Threat Actors Craft Phishing Attacks, No Exploits Necessary

Threat actors using the Dridex botnet malware received a great deal of attention recently for their purported utilization of content exploiting a previously un-patched vulnerability in Microsoft Word. This exploit, which took advantage of unexpected behavior in the handling of certain document types, was reportedly used to deliver the Dridex botnet malware via documents attached to phishing emails. However, the bulk of Dridex campaigns leverage far more common delivery techniques that abuse the functionality that already exists in Microsoft Office and Adobe Reader rather than deploying some complex exploit content. This serves as a reminder that threat actors don’t always rely on exploit content because exploits of un-patched vulnerabilities are no longer required to break into an enterprise; simple phishing messages can accomplish this same goal.