
Kaspersky report identifies new ransomware trends for 2022


Ransomware was probably the most prominent type of cybercrime in 2021, and 2022 seems to follow that trend. It is still evolving, however, and the new ransomware seems more adaptive, more flexible, and more industrialized.

Digital globe on black background with ransomware weaving across continents
Image: Adobe stock

According to a new Kaspersky report, cybercriminals continue to use ransomware to threaten retailers and businesses across the country, as old malware variants return while new ones evolve.

Kaspersky's careful technological and geopolitical analysis of late 2021 and 2022 identified a few new trends in ransomware.

Ransomware tries to be as adaptive as possible

Big game hunting

The big game hunting (BGH) model has led ransomware threat actors to infiltrate more and more complex environments. Those threat actors have to deal with very different hardware and operating systems, and therefore need to be able to run their malicious code on many combinations of architectures and operating systems.

To that end, some ransomware developers have chosen to write their code in cross-platform programming languages like Rust or Golang. As an interesting footnote, Kaspersky notes that such cross-platform code is also harder for defenders to analyze than code written in plain C, for example.

Conti

Affiliates of the Conti threat actor use different versions of the ransomware. Some Conti affiliates have access to a Linux variant of the malware that targets ESXi systems.

BlackCat

BlackCat ransomware is written in Rust, which makes it easier to compile for different platforms. According to Kaspersky, not long after the Windows version of BlackCat appeared, a Linux version followed. The Linux version is very similar to the Windows version, with minor changes to adapt it to Linux: command execution via cmd.exe on Windows has been replaced by the Linux equivalent. In addition, the Linux version has the ability to shut down and delete ESXi virtual machines (VMs).

DeadBolt

DeadBolt is another example. This ransomware is written as an interesting combination of Bash, HTML and Golang, which gives it cross-platform capabilities, although it targets only QNAP and ASUSTOR NAS devices.


The ransomware ecosystem becomes more “industrialized”

Ransomware threat actors, just like any software company, are constantly evolving in an effort to make it all quicker and easier for themselves and their customers/affiliates.

Lockbit is a very successful ransomware-as-a-service (RaaS) that has shown steady growth over the years (Figure A). Starting in 2019, it quickly grew to welcome affiliates in 2020 and developed a leak portal, a double extortion scheme, and data exfiltration before data encryption. In addition to the constant evolution in functionality and ease of use, the infrastructure is also improved over time to be more resilient to attacks, including DDoS attacks directed against it.

Figure A

Timeline showing the development of Lockbit ransomware: Lockbit's development from 2019 to 2021. Image: Kaspersky

The StealBIT exfiltration tool is also a prominent example of this stage of industrialization. While cybercriminals initially used only publicly available tools to exfiltrate data, they have since developed their own tools, which are less detectable and also significantly improve data transfer rates. The tool can also exfiltrate only selected files, chosen by file extension. Finally, it contains an affiliate identifier that is sent along with the exfiltrated data.

Ransomware threat actors consider geopolitics

First, geopolitical events are now being used to lure targets into infection. Headlines about COVID-19 or the war in Ukraine have been used in spam and phishing emails to entice users to open attachments or click on malicious links.

While the use of COVID-19 in infection emails is not a matter of taking sides, the war between Ukraine and Russia is different, as cybercriminals choose sides, with consequences. For example, the Conti leaks resulted from a pro-Ukrainian attacker who attacked and exposed Conti because of its position in the conflict. On February 25, 2022, Conti published a statement on its website saying that it would retaliate with full force against any enemy's critical infrastructure should Russia become the target of cyberattacks.

On the other side, communities like Anonymous, Ukraine’s IT Army, and Belarus’ Cyber-Republican have taken pro-Ukrainian positions.

Freeud, a brand-new ransomware variant supporting Ukraine, carries a ransom note saying that Russian troops should leave Ukraine. The ransomware is also capable of wiping; in that case it is configured with a list of files to delete.

Other ransomware deployed since the start of this conflict has served as cover for destructive activity: GoRansom, HermeticWiper and the DoubleZero wiper, to name a few.


Recommendations for protection from ransomware

Some of the best practices for improving your security are:

  • Keep all software and operating systems up to date on all devices the company uses. This helps against exploitation of common vulnerabilities that can target any system or device.
  • Outgoing traffic needs to be closely monitored, to detect large outbound file transfers or other suspicious network data exfiltration.
  • Implement security solutions capable of detecting lateral movement. Movement within the corporate network is essential for attackers and needs to be detected at an early stage, to avoid data exfiltration or destruction.
  • Ransomware-focused security solutions should be deployed alongside XDR (eXtended Detection and Response) solutions.
  • Provide specific threat intelligence to your SOC team.
  • Implement email protection and anti-phishing solutions, as ransomware threat actors use phishing to target companies.
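The outbound-traffic recommendation above, together with the earlier note that exfiltration tools such as StealBIT push data out in bulk, is the one that translates most directly into detection logic. The following Python script is an added example (it is not code from the Kaspersky report or from this article): it scans constructed flow-log lines and flags any internal host that sends more than an assumed 500 MiB to a single external address within a 10-minute window. The log format, the internal network list, the window and the threshold are all assumptions a real deployment would replace with its own.

```python
"""Flag internal hosts that push unusually large volumes to one external peer.

Added example with constructed data; the log format, internal network list,
window and byte threshold are assumptions, not values from the report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records: timestamp, source, destination, bytes sent.
# 10.0.0.25 sends ~1.5 GiB to one external host in under two minutes;
# 10.0.0.30 moves a lot of data but only to an internal peer (backup server).
SAMPLE_FLOWS = """\
2022-05-10T09:00:05Z src=10.0.0.12 dst=203.0.113.7 bytes_out=4812
2022-05-10T09:00:40Z src=10.0.0.12 dst=203.0.113.7 bytes_out=9230
2022-05-10T09:01:10Z src=10.0.0.25 dst=198.51.100.9 bytes_out=734003200
2022-05-10T09:02:30Z src=10.0.0.25 dst=198.51.100.9 bytes_out=912345678
2022-05-10T09:03:00Z src=10.0.0.30 dst=10.0.0.2 bytes_out=5000000000
2022-05-10T09:05:00Z src=10.0.0.12 dst=203.0.113.7 bytes_out=12000
"""

# Assumed internal address space (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

WINDOW = timedelta(minutes=10)               # assumed sliding window
THRESHOLD_BYTES = 500 * 1024 * 1024          # assumed: 500 MiB per (src, dst) in WINDOW


def parse_flow(line):
    """Parse one 'key=value' flow line into a dict with typed fields."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "src": rec["src"],
        "dst": rec["dst"],
        "bytes_out": int(rec["bytes_out"]),
    }


def is_external(addr):
    """True when the address is outside the assumed internal networks."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_bulk_exfil(log_text, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return one alert per (src, dst) pair whose bytes within `window` reach `threshold`.

    Only flows to external destinations are counted, so internal bulk copies
    (backups, replication) do not trigger alerts.
    """
    flows = sorted((parse_flow(l) for l in log_text.splitlines() if l.strip()),
                   key=lambda r: r["ts"])
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes) inside the window
    alerts = {}
    for f in flows:
        if not is_external(f["dst"]):
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append((f["ts"], f["bytes_out"]))
        while q and f["ts"] - q[0][0] > window:   # expire old records
            q.popleft()
        total = sum(b for _, b in q)
        if total >= threshold:
            # Keep the alert updated with the latest window total and time span.
            alerts[key] = {"src": f["src"], "dst": f["dst"], "bytes": total,
                           "first": q[0][0].isoformat(), "last": f["ts"].isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_bulk_exfil(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['bytes']} bytes "
              f"between {a['first']} and {a['last']}")
```

In practice the threshold would be derived from a per-host baseline rather than a fixed constant, and the destination check would also consult threat intelligence on the external address, but the sliding-window aggregation per source/destination pair is the core of the check.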

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.


