Categories
Security

Paying the ransom. Damned if you do, damned if you don’t

There isn’t a person on Earth who would argue that 2020 has been a good year for fighting viruses. Turns out, it’s also been a tough one for ransomware.

While ransomware attacks have been arguably ramping up since 2016, it was 2020 that rained expensive ransom threats down on companies from a wide range of increasingly dangerous and emboldened cybercriminal gangs. Ryuk, Sodinokibi, Maze, and others doubled down on their dastardly deeds by not only encrypting and withholding sensitive data, but threatening to make it public.

In a stunning end-of-the-year development, ransomware actors showed belligerent persistence by cold calling organizations that refrained from paying the ransom or targeting them with an angry Facebook ad campaign. Meanwhile, cybercriminals have increasingly been hanging onto the files of those that do pay the ransom for auction or re-exploitation. It seems like businesses are either damned if they pay the ransom, or damned if they don’t. So what’s the right move?

Ransomware authors push the envelope, emboldened by success

Ransomware authors are having a field day — or rather, a field year. In 2019, the average ransom payment was $41,000. A year later, it was $234,000, about a 470 percent increase. Ransom demands have skyrocketed in 2020, as have their frequency and potency. Even if organizations are following security best practices by ignoring ransom notes and restoring from backups, they can no longer claim victory. In fact, businesses can run into trouble whether they refuse to pay the ransom or pay in full.

Victims of ransomware attacks who don’t compensate their captors are now rewarded with a not-so-friendly phone call from cybercriminals, marking an escalation in tactics that include threatening to notify journalists of the breach or leaking data onto public sites. Ransomware gangs such as Maze, Ryuk, Conti, and Egregor/Sekhmet have been engaging in these cold calls as far back as August, often dialing from a call center and using a script. The callers make vague threats about continuing to monitor victim endpoints and issue an ultimatum: Pay up now or the problems with your network “will never end.”

To add insult to injury, the threat actors behind Ragnar Locker ransomware have cooked up a similar scheme, this time pressuring victims into paying via fraudulent Facebook ads. According to Brian Krebs, one such ad was taken out against Italian beverage company Campari Group, which had already publicly acknowledged a malware attack. Cybercriminals used hacked accounts to pay for the ads, which Facebook did eventually detect as a scam, but not before displaying them to thousands of people.

On the flip side, ransomware gangs are increasingly failing to make good on their promise of deleting stolen data once the ransom has been paid. Back in 2019, Maze introduced the idea of double extortion — ransoming data plus threatening to release it publicly — and other ransomware operators followed suit, dumping sensitive files onto data leak sites. Over the summer, Sodinokibi took this a step further. When threatening victims to pay up didn’t work, they began auctioning off their stolen data online, charging hefty prices to the highest bidder (often a competitor).

These tactics reveal an uncomfortable truth: There’s no way to tell whether a cybercriminal group has actually deleted the files they promise to delete after you pay the ransom. According to Coveware’s Q3 2020 report on ransomware, groups such as Sodinokibi, Conti, Maze, Sekhmet/Egregor, Mespinoza, and Netwalker are using fake data as proof of deletion or even re-extorting the same victim.

So, what’s an IT/security professional to do? The FBI has flip-flopped on its official position about whether organizations should pay the ransom, first staying mum on the topic, then stating unequivocally that the ransom should never be paid. For a while, many in the security industry were inclined to agree. But that’s a tough pill to swallow for individuals. Would you pay a $200 ransom to return your PhD thesis, which represents months of work? What about for pictures of your baby’s first year?

As ransomware actors become more and more aggressive — not just stealing data and threatening to release it, but interrupting operations in hospitals, schools, and cities — some in the security industry have changed their tune. There are many who believe that in rare cases, organizations should try to negotiate for their most important files back. An entire industry of ransomware insurance providers has popped up to provide companies with cover, should their files be ransomed for exorbitant amounts.

The long and short of it is there’s no one-size-fits-all answer when it comes to ransomware. Once again, the best defense against this threat is to avoid infection in the first place. If your security software doesn’t protect against the ransomware authors mentioned above, you may want to consider investing in additional protection.

Categories
Security

How cyber insurance is changing the security industry

As ransomware and other advanced threats continue their assault on businesses, organizations have increasingly turned to cyber insurance providers to help them out of a jam. However, this marketplace isn’t just growing—it’s changing. What was once considered necessary protection in case of file encryption and ransom demands is now an integral part of many businesses’ security infrastructures.

In response to changes in the work environment due to the pandemic, ransomware attacks and extortion techniques have evolved. So, too, has the industry that sprung up to assist organizations that had already been hit. More and more, companies are realizing that yes, they need to shore up preventative security, but they also must have a working plan for the very real potential of getting breached.

According to an October 2020 study by ReportLinker, the global cyber insurance market is expected to grow from $4.8 billion in 2019 to $16.9 billion by the end of 2025, a Compound Annual Growth Rate (CAGR) of 23 percent. After an onslaught of ransomware attacks last year on schools, cities, and government agencies, many organizations doubled down on cyber insurance to cover costs that might arise from another attack, such as investigative teams, remediation and recovery efforts, business interruption losses, digital data recovery, and more.

While the cyber insurance industry drew early criticism from security insiders for potentially juicing ransomware threat actors’ bank accounts, the sentiment has since shifted. In 2017, the NotPetya attack, one of the largest cyberattacks in history, caused $10 billion in damage worldwide. Only 3 percent of those costs were covered by cyber insurance. In the years since WannaCry, NotPetya, and other expensive attacks on businesses, organizations have moved to adopt more robust insurance policies, including coverage for nation-state attacks and hands-on assistance in bolstering existing security policies.

As ransomware attacks have increased in frequency and complexity, ransoming techniques have also evolved, switching the focus away from “simply” encrypting files and requiring a ransom to return them. Where many companies adapted to ransomware threats by instituting regular, automatic backups, cybercriminals returned the volley by threatening to release sensitive data to the public or disrupting operations for ransom.

Cyber insurance, paired with layered security software and employee awareness, can thus provide the additional protection necessary to prevent attacks when possible, and recover from an attack quickly when it’s not. Expect cyber insurance to continue evolving in this direction, filling in technical gaps and not just providing hefty ransom payments. In fact, that’s why we’ve recently partnered with Coalition, a leading cyber insurance provider, to help business customers further reduce their risk of cyberattacks.

To learn more about why cyber insurance should include coverage for state-sponsored attacks, read this article from the Harvard Business Review: https://hbr.org/2020/10/does-your-cyber-insurance-cover-a-state-sponsored-attack

For more information on the Malwarebytes and Coalition partnership: https://go.malwarebytes.com/Coalition-Malwarebytes-Partnership.html

Categories
Security

RegretLocker ransomware encrypts virtual machines

Ransomware, ransomware, ransomware. At this point, the other malware families might be feeling some Jan Brady-level jealousy toward their flashier, more advanced brother. Ransomware is getting all the attention right now — for good reason.

Ransomware attacks have been ramping up in volume and in sophistication over the last year. Corporate targets have had to steel themselves against stealthy spear phishing campaigns, exposed RDP ports, zero-day exploits, and more. Now they have to worry about their virtual machines.

Using a combination of advanced attack techniques, a new ransomware family discovered in October called RegretLocker is able to encrypt virtual hard drives and close any files open by users for encryption. Why does this matter? RegretLocker is able to execute much more quickly than previous ransomware families and evade detection.

RegretLocker takes ransomware to the next level

RegretLocker ransomware appears fairly simple on the surface. It is accompanied by a short and sweet ransom note (as opposed to a long-winded soliloquy that has become common among ransomware threat actors). It uses email instead of Tor to accept ransom payments. When encrypting files, it applies a harmless-sounding .mouse extension.

But that’s where the simplicity ends. Instead of encrypting large files en masse, which can take a long time, RegretLocker mounts a virtual disk file so that each file may be encrypted individually, speeding up the process. In addition, RegretLocker uses the Windows Restart Manager API to terminate processes on Windows that can keep a file open during encryption, preventing users from salvaging open files.

RegretLocker follows in the footsteps of another ransomware family known as Ragnar Locker, which was first discovered in October 2019. Ragnar Locker deploys virtual machines to victim systems and launches the ransomware from inside. This gives the ransomware access to files on the local disk without being detected by security software deployed on the host system. In September 2020, Maze ransomware authors added Ragnar Locker’s virtual machine tactic to their bag of tricks.

The use of virtual machines by these ransomware families is not for the faint of heart — it’s complex, messy, and requires prior knowledge about the hardware and capabilities of its target networks, including whether or not the services had already been disabled. However, for threat actors looking to select and encrypt specific files quickly, or for those who’ve compromised a system but are looking to crack particularly difficult files, these methods represent the next evolution in a long chain of dangerous developments in ransomware.

What’s more, there are not many ways to protect against these types of ransomware attacks outside of preventing them from happening in the first place. (Though Malwarebytes’ Anti-Ransomware technology blocks RegretLocker from launching.)

What we can take away from these latest developments in ransomware is that cybercriminals have been busy doing what they do best: developing new tricks and workarounds that had previously prevented their malware from being as dangerous as it could be. The best defense, as it has always been, is awareness and proactive protection.

To learn more about RegretLocker ransomware, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/regretlocker-new-ransomware-can-encrypt-windows-virtual-hard-disks/

And here is Bleeping Computer’s take on RegretLocker: https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/

For information on Ragnar Locker’s attack on gaming company Capcom: https://threatpost.com/gaming-giant-capcom-ragnar-locker-ransomware/160996/

Categories
Security

Maze ransomware group calls it quits… maybe

2020 has claimed victim nearly 200,000 small businesses across the United States — a gut punch of a statistic. But there’s one group closing up shop that I won’t shed any tears over: Maze ransomware.

Last week, the notorious Maze ransomware group known for corporate targeting and data extortion schemes announced they are shutting down operations. So why aren’t security folks like me rejoicing? First, we’ve seen ransomware families disappear before, only to come back with a smarter business plan for distribution or key updates that increase their potency. Second, never trust the word of a cybercriminal.

Back in May 2019, Malwarebytes researchers discovered a new strain of ransomware known as Maze, distributed via the Fallout exploit kit. Soon after, we found that Maze was spreading indiscriminately through other exploit kits, such as Spelevo, as well as through spam campaigns using documents laced with malicious macros.

As time went on, Maze operators began to adopt a more targeted approach, likely looking for a higher return on investment. They began going after organizations with spear phishing campaigns or by exploiting vulnerabilities in exposed infrastructure. Nothing new there. However, Maze was a pioneer in some regards, as it was one of the first to threaten its victims with leaking sensitive data if the ransom was not paid. Its authors also adopted clever tricks to evade detection by leveraging virtual machines to encrypt files.

Rumors began months ago that the threat actors behind Maze ransomware might be abandoning ship, as several of its affiliates switched to an up-and-coming ransomware family known as Egregor, which likely shares some of its code with Maze. In fact, it’s possible that former Maze developers are the ones behind the Egregor project, which would explain the recruitment of their affiliates.

On November 1, coincidentally my birthday, the group behind Maze released a statement claiming that they were done for good. The error-laden message (more of a rant) went on to claim that the future will be lived entirely online, therefore Maze’s efforts were meant to help prepare companies by forcing them to increase their security — typical rhetoric among delusional criminals who try to reframe their acts as benevolent.

There’s no doubt the Maze developers and distributors made enough money to call it a day. Their so-called press release is perhaps a distraction meant to hide conflicts or internal disagreements. It could also be a smokescreen for a potential shift to Egregor. When a cybercriminal says, “We never had partners or official successors,” you can count on the opposite to be true.

Whether Maze is actually gone, we can’t yet say for sure. We thought Ryuk had vanished earlier in 2020, only to have it return. At the same time, the affiliate shift to Egregor is reminiscent of the shift away from GandCrab to Sodinokibi ransomware in 2019.

Unfortunately, history has shown us that when a crime group decides to close their doors, it’s rarely because they have seen the error in their ways. Because of this, it’s best to continue to guard against, at the very least, the types of attack vectors used by Maze ransomware. I suggest:

  • Updating software and hardware to shore up vulnerabilities (protecting against exploit kits)
  • Boosting protection against brute force attacks and exposed RDP ports
  • Increasing employee awareness on sophisticated spear phishing tactics
  • Segmenting sensitive data into more restrictive servers

For more information on the Maze ransomware group’s retirement, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/

For an in-depth threat spotlight on Maze ransomware’s capabilities: https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist

For TechCrunch’s take on Maze’s retirement: https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down