Tag Archive for: Ransomware

GRIT Ransomware Report: November 2022


Report written by Drew Schmitt and Nic Finn

In November, GRIT observed 22 active groups accounting for 166 victims. Continuing their trend from previous months, Lockbit’s claimed victims fell by a massive margin, dropping 41% from their October haul. November represents Lockbit’s slowest month this year, falling even lower than they did during their June to July lull when switching from Lockbit2 to Lockbit3. Lockbit wasn’t alone in their slowdown, as eight other groups also saw at least a 40% decrease in reported victims. 

GRIT began tracking four additional groups this month, including Royal and MedusaLocker, who immediately jumped into the top five groups based on total reported victims. These four groups accounted for 43 reported victims in November. An additional six groups with no activity in October showed a minor resurgence, accounting for 26 victims in November. 

In addition to having fewer reported victims, November also saw fewer countries and industries targeted. Specifically, 33 industries were impacted this month compared to 36 in October. Similarly, 38 countries were impacted in November compared to 40 countries in October. These slight decreases suggest that there were no significant changes to targeting this month. While there were some shifts in the order of the most targeted industries, the most noteworthy changes included the Legal industry shifting into the top 10, knocking Government organizations off the list, and the Construction industry dropping from third place to tenth. In terms of countries targeted, GRIT noted that India and the UAE were among the top ten victimized nations, pushing Spain and Australia out of the top ten.

GRIT’s data in this report includes updated insights into threat actor activity from October, obtained from recently published leak sites that listed historically compromised victims. The addition of this dataset had a slight impact on victim trends and statistics from previous months; however, it did not significantly change the trends or findings of previous reports.

Based on sources monitored by GRIT, there was a 12.6% decrease in the total number of victims from October to November….

Source…

Ransomware Business Models: Future Pivots and Trends


RDP port 3389 remains a popular service abused by ransomware actors to gain initial access to systems located on, and connected to, on-premises infrastructure. However, as more organizations shift to cloud services for file storage and Active Directory systems, ransomware groups will look for more opportunities to develop and/or exploit vulnerabilities not yet leveraged at scale.

Evolutions

Gradual evolutions are expected in the current modern ransomware models as we know them, with the models being tweaked to adapt to the triggers that prompt them. From a business perspective, these are “naturally occurring” movements away from their current state. In this section, we list two gradual evolutions that ransomware actors will likely undergo to adapt to upcoming triggers in the short term. For the full list of evolutions and their respective discussions, you can download our paper here.

Evolution 1: Change of targeted endpoints – The internet of things (IoT)/Linux

The Mirai botnet, which emerged in 2016, was a decisive point that demonstrated the possibility of expanding a threat’s reach to Linux devices and the cloud. While it is not ransomware, the availability of the botnet’s source code allowed parties with the interest and skillset to simply download and recompile the code to infect Linux-based routers and create their own botnet. This addresses two points for this specific evolution:

  • They have the code ready to target Linux-based devices and can simply recode for other similar devices.
  • They are ready to use this capability as soon as there are visible targets with internet-facing security gaps.

From these two points, ransomware groups can find new Linux-based targets or tweak the threat they currently have at hand to target new platforms such as cloud infrastructures, prompting possible developments:

  • Ransomware groups focus their sights on regular Linux servers
  • Ransomware groups start targeting backup servers
  • Ransomware groups start targeting other IoT Linux-based devices

With the increased use of Linux-based servers, the cloud, and — as another entry point — the internet of things (IoT), ransomware groups have realized an opportunity in attacks against…

Source…

The Future of Ransomware – Noticias de seguridad


Figure 1. Timeline of ransomware changes

In our research, ransomware’s history provides varying insights into the longevity and changes of cybercriminal business models. The timeline offers a perspective on specific points: changes in threat actors’ extortion objectives, mass-market deployments that prioritize quantity of returns, law enforcement’s potential responses and actions, the development of currency and money-laundering facilitation platforms alongside the expansion of attacks, and cybercriminals’ accumulation of skillsets and technical learning curves in relation to other cybercrimes, among others. In terms of popularity, this summarized history of ransomware ran in parallel with traditional theft- and resale-based cybercrime business models and surpassed them through the years.

The differences between the goals of earlier ransomware deployments, wherein users were simply threatened and files were encrypted, and today’s targeted attacks with multiple extortion avenues are staggering in terms of downtime, ransom, and recovery costs. At present, we consider the most dangerous ransomware attacks to involve targeted intrusions with ransomware payloads. From this standpoint, we see ransomware actors and their business models as having been anything but static. These attacks also shed light on the fact that defense solutions should not focus on the final payload’s delivery and execution, but should reach as far left in the infection chain as possible.

Today’s modern ransomware routines have building blocks that threat actors change at different points of their attack deployments, depending on the research done on the targets and the targets’ environment. The building blocks are:

  • Initial access

    Entry into the network can be established in multiple ways: previous infections from mass emails with backdoor payloads, social engineering, vulnerabilities in internet-facing computer servers, and purchase of data from the underground, among other means.

  • Lateral movement

    Attackers go deeper in the network for access to systems with standard or customized hacking tools.

  • Privilege escalation

    Attackers go deeper in the network for access to systems with…

Source…

Ransomware campaign targets popular open-source packages with cleverly hidden payload


An ongoing ransomware campaign hides its payload in an uncommon way by targeting popular open-source packages that typically receive nearly 15 million installations per week, according to new findings by Checkmarx and Phylum.

In a blog post, Checkmarx researchers said the campaign uses a form of typosquatting to target the popular “requests” package on PyPI and the “discord.js” package on NPM, and includes embedded ransomware. When executed, the ransomware encrypts files on the victim’s computer and demands payment of $100 in cryptocurrency to unlock them.

Unlike most open-source attacks, where malicious packages execute upon installation, Alik Koldobsky, security researcher at Checkmarx, told SC Media that the payload is hidden in multiple strategic locations and only executes when the victims use the actual functions of the packages, which makes the campaign hard to detect by many security scanners.
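Because the payload only fires when the package’s own functions are used, install-time scanners miss it, so catching the lookalike name before it enters a manifest matters. As an added example (not code from Checkmarx, Phylum or the article), the check below flags dependency names within a small edit distance of popular packages such as the two named above; the allow-lists and manifests are constructed samples.

```python
"""Constructed example: flag lookalike dependency names before installation."""

# Constructed allow-list of legitimate names an organisation expects to depend on.
KNOWN_PACKAGES = {
    "pypi": {"requests", "urllib3", "numpy"},
    "npm": {"discord.js", "express", "lodash"},
}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: Levenshtein plus adjacent
    transpositions, so a swapped pair like 'reqeusts' vs 'requests' scores 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_candidates(ecosystem: str, name: str, max_distance: int = 2) -> list[str]:
    """Return the legitimate packages `name` resembles; [] if exact or unrelated."""
    known = KNOWN_PACKAGES[ecosystem]
    if name in known:
        return []
    return sorted(p for p in known if edit_distance(name.lower(), p) <= max_distance)


def audit_manifest(ecosystem: str, deps: list[str]) -> dict[str, list[str]]:
    """Map each suspicious dependency to the package(s) it impersonates."""
    hits = {}
    for dep in deps:
        near = typosquat_candidates(ecosystem, dep)
        if near:
            hits[dep] = near
    return hits


if __name__ == "__main__":
    # Constructed manifest excerpts; the misspelt names are illustrative only.
    print(audit_manifest("pypi", ["requests", "reqeusts", "requesst", "numpy"]))
    print(audit_manifest("npm", ["discord.js", "discordjs", "discord-js", "lodash"]))
```

Very short package names produce false positives at distance 2, so in practice scale `max_distance` with name length and review hits rather than block automatically.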

The malware payload supports multiple operating systems, allowing the campaign to target a wider audience. In addition, attackers named the ransomware messages and infrastructure after the U.S. Central Intelligence Agency.

A detailed attribution has yet to be done, but researchers discovered clues through further investigation that imply the attacker is Russian — the Telegram user account associated with the attack has a Russian phone number, and the attacker interacts with researchers directly in Russian.

Screenshot of a conversation with the attacker in Russian (credit: Checkmarx)

Even after Checkmarx reported the attacks, the offender’s account is still able to publish potentially malicious packages on NPM and PyPI, where software supply chain attacks are rampant. Researchers say they will continue to monitor for any new activity.

Koldobsky warned that there would be more attacks from the same actors as well as copycats, simply because the method is easy and impactful.

Besides the campaign’s uncommon way of hiding its payload, it is rare yet not unknown for ransomware attackers to use open source as a delivery system, said Mike Parkin, senior technical engineer at Vulcan Cyber. In August, Sonatype discovered multiple malicious Python packages that embedded…

Source…