Crypto-Locking Malware Used by Even More Types of Extortionists
Mathew J. Schwartz (euroinfosec)
August 24, 2020
Ransomware-wielding gangs continue to amass new victims and record profits. This is driving new players of all sizes and experience levels – newcomers, criminals already active in the ransomware ecosystem, and advanced attackers – to try their hand at crypto-locking malware and data-exfiltration shakedowns.
For criminals, the appeal of ransomware is easy to see: Using crypto-locking malware to extort businesses continues to pay off, with ransom payments now averaging nearly $180,000, according to ransomware incident response firm Coveware, based on the cases it handled from April through June. That average is up 60% from the first quarter of the year (see: Ransomware Payday: Average Payments Soar to $178,000).
Despite the ongoing economic chaos caused by the COVID-19 pandemic, ransomware is clearly on the rise. In large part, of course, this is because some victims pay their attackers in return for the promise of a decryption key, for the removal of their name – and possibly exfiltrated data – from a “name and shame” site, for a promise by the attackers to delete stolen data, or possibly all of the above.
On Thursday, the University of Utah announced that it had been hit in July by an unspecified strain of ransomware that encrypted “employee and student information.”
Other examples: Blackbaud, which develops marketing, fundraising and customer relationship management software, claimed last month it “recently stopped” a ransomware attack by paying its attackers. Garmin, which makes fitness trackers and navigation devices, has also reportedly paid an undisclosed amount of ransom to attackers who successfully encrypted its systems with WastedLocker.
Ever-Growing List of Victims
Of course, not every ransomware attack results in the victim paying. But many attackers appear to be playing a numbers game. By naming and shaming victims who haven’t paid, especially if they are household names, gangs also earn free marketing for their operations, potentially creating a buzz that could lead future victims to pay quickly to make the problem go away.
The list of ransomware victims keeps growing. Recent victims include Brown-Forman, the Louisville, Kentucky-based maker of alcoholic beverages including Jack Daniel’s, which was recently hit by Sodinokibi, aka REvil; the gang claimed to have stolen 1TB of data, including sensitive employee records. Brown-Forman vowed not to pay a ransom.
The Sodinokibi ransomware-as-a-service operation has also listed the law firm GSMLaw as a victim, along with new victims in the insurance, consulting, and oil and gas sectors, on its dedicated data leak site, Happy Blog. Sodinokibi is one of several operations that steal data before crypto-locking systems and then threaten to leak or auction the stolen data unless victims pay (see: Avaddon Ransomware Joins the Data Leaking Club).
Meanwhile, Carnival, the world’s largest cruise line, suffered its second ransomware outbreak of the year on August 15, warning in a U.S. stock exchange filing that both customer and employee data were likely stolen.
Other ransomware victims of late include Boyce Technologies, which builds traffic communication systems – and recently ventilators – and was hit by the DoppelPaymer gang, and Canon USA, which was hit by the Maze gang.
Attracted by the potential profits, new players keep entering the stage. Kaspersky warned last month that North Korea’s Lazarus Group hacking team has now apparently expanded into ransomware, which it drops after using malware to gain a foothold on a network and steal Active Directory credentials.
Another new ransomware operation, called DarkSide, appeared earlier this month, but it claimed that its members were not newbies. “We are a new product on the market, but that does not mean that we have no experience and we came from nowhere,” the group claimed in a post on a hacker forum shared by security researchers at MalwareHunterTeam. “We’ve made millions in profit by partnering with other well-known crypto lockers.”
In the “press release” announcing their arrival, the gang says they are only targeting organizations “that can pay the requested amount”. It adds, “We don’t want to kill your business.”
Bleeping Computer reports that the operation appears to have demanded ransom payments of between $200,000 and $2 million.
Security experts say there are some similarities between DarkSide and REvil, although nothing amounting to a smoking gun that would prove DarkSide is a splinter operation. For example, DarkSide’s ransom note is very similar to REvil’s, but such text is easy to cut and paste. Bleeping Computer also reports that DarkSide uses an encoded PowerShell script that is identical to REvil’s, but that too could have been copied.
DarkSide ransomware also contains code to scan for CIS countries …
What a surprise, right?
What’s interesting is that it uses both GetSystemDefaultUILanguage and GetUserDefaultLangID, which is very rare in RWs. Done first by GandCrab and then by REvil, I think …
– MalwareHunterTeam (@malwrhunterteam) August 11, 2020
Additionally, both types of ransomware check infected PCs to make sure they are not located in any of the member states of the post-Soviet Commonwealth of Independent States. The CIS includes Russia as well as Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan and Ukraine (see: Russia’s Cybercrime Rule: Never Hack Russians).
‘Iranian Script Kiddies’ Wield Dharma
However, some ransomware attackers appear to be newbies to the hacking scene in every way.
For example, in a relatively recent phenomenon, a group of Persian-speaking hackers operating out of Iran appears to be using Dharma ransomware for financially motivated attacks on targets in China, India, Japan and Russia, says cybersecurity firm Group-IB.
Dharma, aka CrySis, first appeared in 2016 as a ransomware-as-a-service operation and continues to “target entry-level cybercriminals, offering a numbers-based approach to breaking into victim networks and launching ransomware attacks,” Sean Gallagher, a senior threat researcher at Sophos, says in a recent research report (see: This Is How the Dharma Ransomware-as-a-Service Model Works).
Several variants of Dharma have been in circulation since its debut. In March, the source code of such a variant was offered for sale online in a Russian cybercrime forum for $ 2,000, according to Sophos.
While Dharma was previously tied to relatively low ransom demands, Coveware has started seeing some six-digit ransom demands from Dharma-wielding attackers in recent months.
“The fact that the Dharma source code has become widely available has led to an increase in the number of operators using it,” says Oleg Skulkin, senior digital forensics and incident response analyst at Group-IB. “But it is surprising that Dharma fell into the hands of Iranian script kiddies who used it for financial gain, since Iran is traditionally a country of state-sponsored attackers who practice espionage and sabotage.”
Of course, this is not the first time Iranians have been linked to ransomware. In 2018, the U.S. Department of Justice charged two Iranians with using SamSam ransomware to attack more than 200 organizations and institutions – including Atlanta and other municipalities – collecting $6 million in ransoms and causing victims more than $30 million in damage.
“The SamSam ransomware attacks were indeed a rare example of financially motivated crime in the Iranian cybercriminal scene,” Skulkin tells Information Security Media Group. “However, it cannot be ruled out that their capabilities were used in pro-government espionage campaigns, given the enormous scope of their attacks.”
In contrast, he says, the Iranians wielding Dharma appear to be “new hackers” using relatively simple tactics, techniques and procedures, such as the free internet port scanner Masscan to find potentially vulnerable hosts, and then the tool NLBrute to brute-force valid credentials in order to establish a remote connection to the host (see: The Not-So-Secret Attack Vector Used by Ransomware Gangs: RDP Exploits). In some cases, he says, the attackers attempted to use an exploit for CVE-2017-0213, a privilege-escalation bug in the Windows COM Marshaler that Microsoft disclosed and patched in 2017.
After gaining access, these attackers used various tools to move laterally before finally dropping Dharma and a ransom note – usually demanding 1 to 5 bitcoins ($11,800 to $59,000) – in exchange for the promise of a decryption tool, says Group-IB.
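The intrusion chain described above starts with brute-forced RDP logins. As an added example (not from the article or Group-IB), the Python below flags sources that produce a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) followed by a success (4624) from the same address, run over constructed sample event lines; the field layout and thresholds are assumptions for the demonstration.

```python
"""Flag RDP brute-force-then-success patterns in Windows Security events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the article), one per line:
# timestamp, EventID, LogonType, source IP, account name.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2020-08-10T02:14:01 4625 10 198.51.100.7 administrator
2020-08-10T02:14:03 4625 10 198.51.100.7 admin
2020-08-10T02:14:05 4625 10 198.51.100.7 backup
2020-08-10T02:14:07 4625 10 198.51.100.7 scanner
2020-08-10T02:14:09 4625 10 198.51.100.7 test
2020-08-10T02:14:11 4625 10 198.51.100.7 support
2020-08-10T02:14:13 4624 10 198.51.100.7 admin
2020-08-10T08:30:00 4625 10 203.0.113.9 jsmith
2020-08-10T08:30:20 4625 10 203.0.113.9 jsmith
2020-08-10T08:30:41 4624 10 203.0.113.9 jsmith
2020-08-10T09:00:00 4625 3 192.0.2.5 svc_backup
"""


def parse_events(text):
    """Parse the simplified event lines into (time, id, logon_type, ip, user)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), src_ip, user))
    return events


def find_rdp_bruteforce(events, min_failures=5, window_minutes=10):
    """Return {src_ip: (failure_count, account)} for each source whose RDP
    success was preceded by at least min_failures RDP failures within the
    window. A couple of typos before a success (203.0.113.9) is not flagged."""
    failures = defaultdict(list)
    hits = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        if event_id == 4625:
            failures[src_ip].append(ts)
        elif event_id == 4624 and src_ip not in hits:
            recent = [t for t in failures[src_ip]
                      if (ts - t).total_seconds() <= window_minutes * 60]
            if len(recent) >= min_failures:
                hits[src_ip] = (len(recent), user)
    return hits


if __name__ == "__main__":
    for ip, (count, user) in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible RDP brute force from {ip}: {count} failures, then success as {user}")
```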
Skulkin says this group of hackers did not appear to have exfiltrated any data, which, along with their “use of myopic techniques that don’t go beyond getting the money here and now,” shows that “the threat actors appear to be very immature.”
But as described above, this cannot be said for all new operators and services in the ransomware space.