On Line Opinion - Australia's e-journal of social and political debate
Important stages of ransomware evolution

By David Balaban - posted Wednesday, 23 December 2020


From rudimentary screen lockers to sophisticated digital predators that haunt large computer networks, ransomware has matured into a terrifying cyber-crime phenomenon over the years. As if malicious data encryption were not destructive enough, these attacks now involve data theft and DDoS threats, and some gangs pile on pressure through fraudulent ad campaigns on social media that expose victims to serious reputational risk.

This article will give you the lowdown on the main milestones in the evolution of ransomware. It will also provide effective protection tips that will help you stay on the safe side.

Screen lockers make their debut


Early strains of mainstream ransomware did not encrypt data. Instead, they displayed scary alerts stating that the user had been violating copyright or distributing prohibited materials such as child pornography.

FBI-themed ransomware became the wake-up call. It emerged in 2012 and locked victims out of their Windows desktops or web browsers, showing a ransom screen that impersonated the famous law enforcement agency. The message demanded a fee of about $100 in Ukash or MoneyPak prepaid vouchers.

To create a false sense of legitimacy, the underlying Trojan, called Reveton, determined the victim's IP address, OS version, and geographic location and displayed this information on the lock screen. Fortunately, these culprits were easy to defeat: restoring the system to an earlier state or running a garden-variety antivirus tool in Safe Mode did the trick.

Encryption kicks in

A game-changing tweak in extortionists' modus operandi took place in 2013: they started using ciphers to scramble victims' data. CryptoLocker was the strain that made this tactic mainstream (earlier encrypting strains such as GPCode had existed, but never spread at this scale).

It did the rounds through infected attachments in malicious spam sent by the infamous GameOver Zeus botnet. The pest used a hybrid scheme: each file was encrypted with a symmetric key, and that key was in turn encrypted with a 2048-bit RSA public key fetched from the crooks' Command & Control (C2) server. The matching private key never left the server, so the data could not be recovered by analysing the infected machine alone. CryptoLocker was also an early adopter of Bitcoin as a payment method.
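The encryption model described above leaves observable traces on the victim side, and a defender can use them. The following is an added example written for this article, not code from the author or from any ransomware family: it scores file writes by Shannon entropy (ciphertext is near-random, documents and source code are not), alerts when one process produces a burst of such writes, and watches a planted canary file. The events, paths and thresholds are constructed for the demo and are assumptions, not data from a real incident.

```python
"""Detect ransomware-style mass encryption from file-write events.

Added example, not code from the article. Two observable signals follow from
the hybrid-encryption model: ciphertext is near-random (Shannon entropy close
to 8 bits per byte, while documents and source code sit well below), and a
single process emits a burst of such writes, usually to paths with a new
extension tacked on. A planted canary file gives a third signal.
All events and thresholds below are constructed for the demo.
"""
import hashlib
import math
from collections import defaultdict
from typing import Iterable, List, Tuple

ENTROPY_THRESHOLD = 7.0   # bits/byte; assumption, tuned for this demo
BURST_THRESHOLD = 3       # high-entropy writes from one process before alerting
CANARY_PATHS = {"/shares/finance/~canary_do_not_touch.xlsx"}  # assumption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniform random, English text is ~4.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def analyse(events: Iterable[Tuple[int, str, bytes]]) -> List[str]:
    """events: (pid, path, bytes_written). Returns human-readable alerts."""
    alerts = []
    high_entropy_writes = defaultdict(list)
    for pid, path, data in events:
        if path in CANARY_PATHS:
            alerts.append(f"pid {pid}: canary file modified: {path}")
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high_entropy_writes[pid].append(path)
    for pid, paths in high_entropy_writes.items():
        if len(paths) >= BURST_THRESHOLD:
            alerts.append(
                f"pid {pid}: {len(paths)} high-entropy writes in a burst, e.g. {paths[0]}"
            )
    return alerts


def _pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (constructed; not real malware)."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:size])


# Constructed sample: a normal user process, then a process rewriting the share.
SAMPLE_EVENTS = [
    (1001, "/shares/finance/q3_report.docx", b"Quarterly report: revenue up 4%, costs flat. " * 50),
    (1001, "/shares/finance/budget.csv", b"Dept,Q1,Q2\nOps,1200,1300\nSales,900,950\n" * 60),
    (4242, "/shares/finance/q3_report.docx.locked", _pseudo_ciphertext("a")),
    (4242, "/shares/finance/budget.csv.locked", _pseudo_ciphertext("b")),
    (4242, "/shares/finance/invoices.pdf.locked", _pseudo_ciphertext("c")),
    (4242, "/shares/finance/~canary_do_not_touch.xlsx", _pseudo_ciphertext("d")),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Compressed archives, images and already-encrypted files also score near 8 bits per byte, which is why the detector insists on a burst from one process rather than alerting on a single high-entropy write; in production the burst count, the window and the extension-change pattern would be tuned against the file server's normal traffic.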


In the summer of 2014, the CryptoLocker campaign came to a standstill due to a well-coordinated international police initiative dubbed Operation Tovar. However, it showed that the extortion model with encryption at its heart was viable and encouraged bad actors to launch numerous copycats and new Trojans that followed in the footsteps of the progenitor, including CTB-Locker and CryptoWall.

Ransomware-as-a-Service causes an extortion boom

In 2015, a few high-profile extortionist groups switched to a clever tactic known as Ransomware-as-a-Service (RaaS). It was an affiliate scheme of a kind, where the creators of these dodgy programs allowed other criminals to take up the distribution role and shared the earnings. The developers' cut could reach 40% of every ransom, and the rest would go to the malefactors who deposited the harmful code on a computer.

RaaS platforms had plenty of bells and whistles under the hood, including affiliate dashboards reflecting real-time contamination statistics, turnkey spreading mechanisms such as exploit kits, and features allowing the "partners" to generate custom payloads.

This new model caused the ransomware epidemic to skyrocket. Disastrous strains like Cerber and Locky surfaced in the wake of RaaS adoption. The boom peaked in 2017 with the WannaCry and NotPetya global outbreaks, which raided hundreds of thousands of computers using the leaked NSA SMB exploit EternalBlue and its companion DoublePulsar backdoor implant.

Data breaches added to the mix

As the price of Bitcoin – the primary ransom payment channel – took a nosedive in 2018, ransomware gangs tried to survive the crisis by zeroing in on enterprise networks rather than individuals. These are juicier targets that can afford to pay large ransoms. This shift has been the driving force of ransomware evolution ever since.

In 2019, extortionists added another nasty twist to their tactics: they started stealing companies' data as part of the attack. The operators of a ransomware specimen called Maze were the first to implement this technique.

The fact that attackers possess a victimized organization's files gives them an extra advantage in the ransom negotiations. If the target refuses to pay for data decryption, crooks threaten to publish the pilfered files on special leak sites or hacker forums.

This double-extortion approach is gaining traction in cybercriminal circles. At least 20 ransomware groups have taken this route, and the number is growing. A few ill-famed samples from this category are REvil (also referred to as Sodinokibi), DoppelPaymer, LockBit, and Nemty.

Ransomware cartels are the new black

Cybercrooks in charge of three independent ransomware operations (Maze, LockBit, and Ragnar Locker) joined their efforts and created a syndicate in June 2020. They use a single site called "Maze News" to leak files stolen from non-paying organizations.

This dodgy partnership is not restricted to sharing the same data leak service, though. The gangs also benefit from the collaboration by exchanging expertise accumulated over the years and accessing unique network infiltration instruments used by fellow-extortionists.

Phony ransomware incursions

Not every extortion attack is a real call to action. In April 2020, con artists claiming to be ransomware distributors sent blackmail notes to numerous WordPress site owners. Their narrative was as follows: the sites had been compromised, and copies of their databases had been dumped to servers under the attackers' control.

The self-proclaimed malefactors instructed webmasters to pay $2,000 within five days to prevent these materials from being leaked. It turned out, though, that these were empty threats, as the fraudsters did not actually have access to the sites. Even so, the impostors' Bitcoin wallets did receive a couple of payments while the hoax was in full swing.

DDoS as an extortion element

Perpetrators may threaten to knock an enterprise network offline with a distributed denial-of-service attack unless the victim pays a ransom. Known as Ransom DDoS (or RDoS), this assault vector saw a major spike in August 2020. Attackers purporting to be the Fancy Bear APT group or the Armada Collective DDoS extortion gang started sending such ransom notes to a plethora of companies from the retail, e-commerce, travel, and banking sectors.

The recipients were told to pay 10 bitcoins to avoid a disruption of their digital infrastructures through massive traffic floods. The good news is most victims did not encounter any DDoS issues after rejecting this demand. Some organizations did face small-scale attacks, though.

One way or another, RDoS is a serious menace and sometimes criminals carry through with their threats. In October 2020, the operators of a ransomware strain called SunCrypt brought down a victim's website via a powerful DDoS onslaught after the company refused to pay for data decryption. This move reportedly coerced the target to succumb to the original demands.

Facebook ads used to pressure victims

In early November 2020, criminals at the helm of the Ragnar Locker ransomware operation started abusing compromised Facebook accounts to put an extra psychological burden on their stubborn victims. In one such episode, the felons took over the account of Chris Hodson, a DJ from Chicago, and launched a fraudulent ad campaign in his name.

The ad contained information relating to a security breach of the Italian company Campari Group. Ragnar Locker operators claimed to have stolen roughly 2 TB worth of the target's data before encrypting these records. To regain access to its proprietary files, Campari Group was instructed to pay a whopping $15 million in cryptocurrency.

The ad campaign run through the hacked Facebook account had generated more than 7,000 views before the social network's systems flagged it as fraudulent. It emphasized that the extortionists held a huge amount of the victim's data and would start leaking it if no payment were made. By and large, this is an entirely new way of adding publicity to ransomware incidents in an attempt to extort money from businesses more efficiently.

Printers spewing out ransom notes

A hugely exotic extortion trick was spotted in mid-November 2020. The operators of the Egregor ransomware, who had orchestrated a successful attack against the Chile-based retail giant Cencosud, somehow managed to make the receipt printers in its stores generate text containing a ransom alert along with data decryption demands.

Ransomware authors know that most businesses try to keep such incidents secret. With that in mind, they often sucker-punch noncompliant victims by letting employees, customers, and partners know about the breach. Such information can impact a company's reputation and entail serious financial losses.

Once attackers gain a foothold in an enterprise environment, they can execute a script that causes all network printers to disseminate ransom notes non-stop. Because this is a potential source for unwanted public attention, the victim is more likely to start cooperating.

Ransomware protection best practices

To stay safe amid the dynamic ransomware evolution, organizations should learn to be moving targets and have a plan B if things get out of hand. The following checklist shines a light on ways to avoid the worst-case scenario and keep your data intact.

  • Back it up. If ransomware cripples your data, you can restore it from a recent backup. Keep at least one copy offline or immutable and test restores regularly, because operators routinely delete reachable backups and volume shadow copies before they encrypt. The caveat is that backups do not address double extortion: they get your data back but do not stop its publication.
  • Keep your remote desktop services safe. Brute-forced or stolen RDP credentials are one of the most common entry points for enterprise ransomware, so never expose RDP directly to the Internet. Put it behind a VPN or gateway, require multi-factor authentication (MFA) for remote access, lock accounts after a small number of failed attempts, and restrict connections to an allowlist of source IP addresses.
  • Harden your email security. Configure your mail gateway to block phishing, spam, and messages carrying executable attachments, and inspect attachments by content rather than trusting the declared file name.
  • Stay away from Office macros. Do not open Microsoft Word or Excel files attached to emails from unknown senders. These documents may contain Visual Basic for Applications (VBA) macros that launch malicious processes behind the scenes; where possible, block macros in files that came from the Internet through Group Policy rather than relying on each user's judgement.
  • Prioritize your files. Determine which data matters most and give it an additional protection layer. Encrypting such information at rest is a good call, with the caveat that it only helps against theft if the keys are not reachable from the compromised hosts; an attacker with domain-wide access can usually read whatever your own users can.
  • Make the most of a firewall. A well-configured firewall with egress filtering can block traffic to known-malicious destinations when ransomware contacts its C2 infrastructure or exfiltrates your data. Do not rely on this alone: many strains embed their public key and encrypt without ever calling home.
  • Learn to fend off DDoS raids. With the above-mentioned RDoS attacks on the rise, make sure you have appropriate defenses in place. A web application firewall (WAF) handles application-layer floods, while volumetric attacks need a cloud-based DDoS mitigation service from a reputable provider such as Cloudflare or Akamai.
  • Do not underestimate the power of software updates. Beyond new features, updates carry patches for recently discovered vulnerabilities, which raises the bar for attackers adept at exploiting holes in obsolete software to infiltrate networks. WannaCry spread through an SMB flaw that Microsoft had patched two months before the outbreak.
  • Use an effective security suite. Antivirus software is no silver bullet, but it detects and blocks known ransomware strains and, with behavioural monitoring, catches many unknown ones.
  • Educate your staff. Invest in a security awareness program. Every member of your team should know the telltale signs of a phishing attack, use strong passwords and MFA for work accounts, and maintain proper RDP hygiene.
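The email-hardening and macro items above both come down to one control: look at what an attachment actually is, not what it calls itself. The following is an added example written for this article, not the author's code or any product's: it parses a message, flags blocked extensions, recognises a Windows executable by its "MZ" header regardless of file name, and detects a macro-enabled Office document by opening the OOXML zip and looking for a vbaProject.bin member. The sample message, its addresses and the attachment contents are constructed for the demo.

```python
"""Reject mail carrying executables or macro-enabled Office documents.

Added example, not code from the article. Parses an RFC 822 message and
inspects every attachment by content rather than by declared file name:
PE executables start with the bytes 'MZ', and an OOXML document
(docx/docm/xlsm/...) is a zip whose member list reveals an embedded VBA
project as word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin.
The sample message below is constructed for the demo.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".jar"}
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def has_vba_project(blob: bytes) -> bool:
    """True if an OOXML (zip-based) document carries a VBA project."""
    if not blob.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name in VBA_MEMBERS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: Optional[str], blob: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the attachment looks benign."""
    name = (filename or "").lower()
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return f"blocked extension: {filename}"
    if blob[:2] == b"MZ":
        return f"PE executable disguised as {filename}"
    if has_vba_project(blob):
        return f"Office document with VBA macros: {filename}"
    # Checking a legacy OLE2 file for macros needs an OLE parser (not in the
    # standard library), so this demo treats the whole format as suspect.
    if blob[:8] == OLE2_MAGIC:
        return f"legacy OLE2 Office document, macro status unverifiable: {filename}"
    return None


def scan_message(raw: bytes) -> List[str]:
    """Return one rejection reason per offending attachment in the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), blob)
        if reason:
            reasons.append(reason)
    return reasons


def _fake_docm() -> bytes:
    """Minimal zip shaped like a macro-enabled Word file (constructed, not real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed phishing-style message with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_fake_docm(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    # A Windows executable renamed to look like a PDF.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample_message()):
        print("REJECT:", reason)
```

Because the macro check reads the zip rather than the extension, a vbaProject.bin hidden inside a file renamed to .docx is caught just the same; a gateway that only keys on ".docm" would wave it through.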
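The remote-desktop item above asks for failed-attempt limits and a source allowlist; the same two rules make a simple detection. The following is an added example for this article, not the author's code or a vendor's: it reads Windows Security log events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), alerts on a burst of failures from one source inside a time window, on a success that follows such a burst, and on any RDP attempt from outside the allowlist. The events, addresses, thresholds and the 10.0.0.0/8 allowlist are constructed for the demo.

```python
"""Spot RDP brute force in Windows Security log exports.

Added example, not code from the article. Consumes 4625 (failed logon) and
4624 (successful logon) events with LogonType 10 (RemoteInteractive = RDP),
and raises when one source exceeds a failure threshold inside a time window,
when a success follows such a burst, or when the source is outside the
allowlist. Events and thresholds below are constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

FAILURE_THRESHOLD = 5                       # assumption, tuned for the demo
WINDOW = timedelta(seconds=60)
ALLOWED_SOURCES = [ip_network("10.0.0.0/8")]  # assumption: corporate VPN range


def is_allowed(ip: str) -> bool:
    """True if the source address falls inside the RDP allowlist."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def detect(events: List[Dict]) -> List[str]:
    """Return alerts for RDP brute-force behaviour, in chronological order."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside WINDOW
    bursting = set()                       # ips that already tripped the threshold
    flagged_external = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != 10:
            continue                       # not RDP; out of scope here
        ip, t = ev["ip"], ev["time"]
        if not is_allowed(ip) and ip not in flagged_external:
            flagged_external.add(ip)
            alerts.append(f"{ip}: RDP logon attempt from outside the allowlist")
        if ev["event_id"] == 4625:
            q = recent_failures[ip]
            q.append(t)
            while q and t - q[0] > WINDOW:  # sliding window
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and ip not in bursting:
                bursting.add(ip)
                alerts.append(f"{ip}: {len(q)} failed RDP logons within {WINDOW.seconds}s")
        elif ev["event_id"] == 4624 and ip in bursting:
            alerts.append(f"{ip}: successful RDP logon as {ev['user']} after brute-force burst")
    return alerts


_T0 = datetime(2020, 12, 1, 2, 15, 0)


def _ev(offset_s: int, event_id: int, ip: str, user: str) -> Dict:
    """Constructed event in the shape a log exporter would hand over."""
    return {"time": _T0 + timedelta(seconds=offset_s), "event_id": event_id,
            "logon_type": 10, "ip": ip, "user": user}


# Constructed sample: an external host sprays six accounts in 30 s and then
# gets in; an internal user mistypes a password twice.
SAMPLE_EVENTS = (
    [_ev(i * 6, 4625, "203.0.113.7", u)
     for i, u in enumerate(["administrator", "admin", "backup", "svc_sql", "jsmith", "jsmith"])]
    + [_ev(45, 4624, "203.0.113.7", "jsmith")]
    + [_ev(10, 4625, "10.8.0.21", "mwong"), _ev(70, 4625, "10.8.0.21", "mwong")]
)

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The third alert is the one that matters most in practice: a success after a burst means the lockout and MFA controls from the checklist were missing or bypassed, and the host should be treated as compromised rather than merely scanned.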
About the Author

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project.


This work is licensed under a Creative Commons License.
