Data leak ransomware

The Evolution of the Data Leak Extortion Ecosystem

 

Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, injecting host computers with a virus that encrypts files and hides directories, which are returned only when the victim pays a ransom. They are significantly more sophisticated and costly now.

The release of CryptoLocker in the year 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not adhere to bullying, which only makes it worse. It directly encrypts all the files on the system and demands a ransom in exchange for its decryption. And now with the likes of Sodinokibi and Maze the ransomware lineage is operating at a huge scale.

Over the years, malicious ransomware operators have expanded the scope of the virus to include screen locker capabilities along with the ability to overwrite boot data records. And thanks to the prevalence of ransomware families, today, ransomware is a global threat that has advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim’s personal records and files.  

To ensure the complete surrender of victims,  threat actors have switched to two-fold attack techniques. If the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.

In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.

Police Lockers

The mid 2010s were dominated by Trojans that took away users access to their screens or browsers. In the year 2012, a fresh scam that involved one such Trojan invaded browsers. It sent messages and fake alerts that masqueraded as the law enforcement agency, only to dupe unsuspecting victims. The message would claim that the victim’s device was found to be involved in illegal activities such as copyright violation or child pornography. The victims are then scared into paying an amount as ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.

During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to lock the host computer’s IP address, Windows version, location, and ISP name.

CryptoLocker

2013 witnessed yet another iteration of the malicious software that was capable of encrypting data. CryptoLocker was the first ransomware of this kind and it used 2048-bit RSA encryption. Also, the victims were asked to pay the ransom in Bitcoins for the first time or using prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.

Emergence of Ransomware-as-a-Service (RaaS)

In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. In attacks that follow, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services. It has been the reason for a surge of ransomware attacks across the world.

Locky Ransomware and KeRanger

The Locky ransomware that was released in 2016 spread malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim’s data. KeRanger operators usually demand for $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (anonymity network).

WannaCry and Notpetya

With time, ransomwares have been developed to be stealthier and devastating. In the year 2017, there were multiple ransomware outbreaks, namely WannaCry and Notpetya. These attacks were not detected initially.  And today, threat actors clearly distinguish between individuals and businesses, when they demand a ransom. They consider businesses and organizations to be juicier targets. The biggest pay-outs until then, that were a result of ransomware attacks, were reported in the year 2016.

A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.

Ransomware groups like Sodinokibi and Ryuk spot unsecured ports like RDP ports to access networks. Most recent attacks show that actors are so sophisticated that once they hack service providers, they even invade networks of partner organizations.

Maze

Recently, in November 2019 Maze ransomware resurfaced the cyber ecosystem, and hacked a plan to attack a security organization – Allied Universal.

The group behind the attack extorted 7GB data, contacted the organization’s management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and uploaded the remaining data in the wild.

 

Conclusion

Ransomware is growing continuously and exponentially, adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data, but the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup for the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK’s XVigil to prevent most file encrypting threats. 

Why monitoring the most popular P2P messenger should be a cybersecurity priority

 

Cloud-based encrypted communication platform – Telegram – became an overnight sensation, owing to a WhatsApp outage that occurred in 2018. The user base of Telegram hit a whopping 400 million, as of April 2020, since its inception in the year 2013. The non-intrusive nature of the app, contrary to the likes of Facebook Messenger and WhatsApp, is another reason for its popularity.

However, over the years, the app and its developer Pavel Durov have also been on the receiving end of some criticism. The anonymous secure connection of Telegram allows users to access selectively prohibited networks and websites. Among other proxy servers and VPN services, Telegram is also completely or partially banned across several countries that are unwilling to risk national security. Furthermore, the app is not as secure as it claims to be. Its security flaws have been a major cause for data leaks.

In Russia, a struggle that ensued between the Federal Security Service (FSB) and Telegram, after the St. Petersburg bombing, resulted in the application’s ban in 2018. Pavel Durov refused to share the encrypted messages of the suicide bomber who was apparently active on the messaging platform. A court maintained that the app remain banned until its developer agreed to hand over its data encryption keys to the authorities. Russian authorities failed to hold up the ban successfully and decided to lift the ban only recently.

In 2016, 15 million Iranian users’ records were leaked following a major data breach. Iranian hackers exploited the security flaws in Telegram to compromise accounts. In particular, they hacked the SMS verification codes that are generally sent to the users. This attack targeted Saudi royals, NATO officials, and even nuclear scientists.

In a more recent event, pro-democracy campaigners in Hong Kong coordinated their demonstrations against their government using Telegram. Although the app has been banned in the country since 2015, users found a way around it.

In Germany, the police launched a crackdown on criminals to prevent premeditated crimes. For this they only had to use proprietary software to hack into Telegram correspondences. The police successfully carried this out for two years.

 

Why should you monitor Telegram for threats?

The anonymity associated with the app is concern for regulators and governments. It increases the odds of misuse of the app’s features. Which is why Telegram activities on the app should be monitored for the following reasons:

Selective chat encryption

Although users tend to think that their correspondences are all encrypted and secure, the app requires you to change the settings to “activate” end-to-end encrypted chats. Most users are not aware of this.

Proprietary encryption

Telegram relies on the symmetric encryption method and uses proprietary protocol MTproto, making it difficult external cryptographers to audit its efficacy. 

Exposes Metadata

Researchers have uncovered flaws in the app whereby an attacker can snoop on significant data about the user, apart from their chats. For instance, the attacker can figure out when the user is online and offline. This could in turn help them determine who the user is talking to, which is a rather serious flaw.

Breeding ground for illegal activities

In a 2016 report by Memri, Telegram was referred to as “the app of choice for many ISIS, pro-ISIS and other jihadi and terrorist elements.” Terrorist organizations weaponize Telegram to disseminate hatred and misinformation. The anonymity that the messaging app offers indirectly, endorses criminal activities, harmful to civilians and governments alike.

Corrupted files

Latest research from Symantec indicates that media files shared on WhatsApp and Telegram can be manipulated using a malware. This security flaw, known as media file jacking, exists in Android devices. It allows attackers to intercept the process by which applications save media files on the device’s storage.

Command and control

The ‘Masad Clipper and Stealer’ malware, capable of allowing hackers to access user’s personal information and their crypto wallets, was sold via Telegram channels. The Telegram channel was also a makeshift command and control for the same malware.

 

CloudSEK’s proprietary cyber threat monitoring platform XVigil gathers information from Internet Relay Chat (IRC) and chat rooms (for instance, Telegram Channels). The platform then detects conversations that are intended to obtain information about your organisation, and weaponize it against you. XVigil crawls across various parts of the internet to find mentions of your digital assets, so that you can take proactive measures to prevent any external threats to your brand and infrastructure.

Threat actors’ next big target: VIPs, Executives, and Board members

A recently uncovered spear phishing campaign, orchestrated by the PerSwaysion group, targeting 150+ executives across the globe, is a prime example of the growing trend of concerted cyber attacks on CXOs and VIPs. This process of targeted attacks on VIPs is commonly known as Whaling. Whaling tactics are similar to general spear-phishing. But they differ in the fact that it specifically targets high-level and important individuals within an organization. 

Threat actors are slowly moving from large-scale, low-value attacks, which target a general population, to small-scale, high-value attacks, which target the key personnel of an organization. Furthermore, the Verizon 2019 Data Breach Report found that senior executives are 12 times more likely to be targets of social incidents, and 9 times more likely to be targets of social breaches. This is because high-profile personnel have exclusive clearances, privileges, and access to:

  • Confidential and sensitive information including financials, trade secrets etc. 
  • Authorize or order other employees in the organization to carry out certain tasks.
  • Valuable assets including networks, devices, and facilities. 

How do threat actors target C-level executives?

Research and reconnaissance

  • To orchestrate a typical attack, threat actors perform extensive reconnaissance and research, to understand an organization’s structure and functions.
  • Using this information, they narrow down the list of potential targets and their associates.
  • They then collect personal information about the shortlisted VIPs. Most companies publish their executives’ details on social media, news media, and their own websites. Thus, a simple Google search will give the threat actor access to this information. Moreover, the executives themselves have personal accounts on platforms such as Facebook and LinkedIn. And often, the privacy settings on these accounts are lax. 
  • They further search for exposed account credentials from previous data leaks. Given that most of us, executives being no exception, use the same password for multiple accounts, the exposed credentials can be used to gain access to the executive’s official email account.

Data theft attacks

  • Once hackers have obtained access to C-suite executives accounts, through brute-force attacks or other means, they steal valuable information. This may include client lists, customer data, financial data, internal processes, business strategy and plan, and more. 

Impersonation attacks

  • Threat actors could hijack executives’ social media accounts and post harmful messages. And, this could tarnish the reputation of the executive and their organization.  
  • Using the email access, threat actors decipher the communication frequencies and styles within the organization. For example: If there is a trail of audit related emails, threat actors can send requests for audit related details in continuation to the ongoing communication. 
  • If threats actors cannot get access to an executives’ credentials, they create fake email IDs. These email IDs closely resemble one of the executives’ email IDs or that of the HR department or Accounting department. From the fake ID they send an urgent, actionable, and believable email to a C-level executive. 

Extended attacks

  • Threat actors bank on executives having limited time, or relying on assistants, to read and respond to emails. They also ensure the emails are believable. For this, they add references to the executive’s interests and hobbies, which are gleaned from their social media profiles. The emails usually request the email recipient, who is also an executive or VIP, for sensitive information, wire transfers, or to download an attachment. 
  • If the recipient falls for the trap, they will end up revealing sensitive information or authorizing someone else to do so. They could also authorize transfers to the fake account details shared by the threat actor. A malicious attachment could drop a malware or ransomware payload in their systems. The recent PerSwaysion campaign used a fake Microsoft Outlook login page, from where they were able to collect 150+ executives’ login credentials. The credentials can be used to orchestrate other attacks or could be sold on the Dark Web, to the highest bidder.  

How to protect C-level executives from these attacks?

Given the heightened risk to VIPs, here are a few measures to combat and mitigate threats:

Continuous monitoring

Deploy a real-time monitoring tool that will scour the internet – surface web, deep web, and dark web – for potential threats.  A comprehensive SaaS platform such as CloudSEK’s XVigil tracks VIP’s personal email IDs for their presence in past security breaches. Organizations are alerted to such threats immediately, along with other significant details pertaining to the risk.

Review social media presence

Ensure the executives’ social media accounts have the highest level of privacy. Report duplicate accounts and delete dormant accounts on a regular basis. 

Multi-layered protection

Enable Multi Factor Authentication (MFA) for all their accounts, including email, company assets and network. 

Regular cybersecurity refreshers

Since threat actors are constantly changing and upgrading their whaling tactics and ruses, periodic training will help executives spot and avoid such traps. 

 

An attack on a VIP doesn’t just affect them personally, it also affects their organizations revenue and brand image. Threat actors could gain access to the company’s central database, and steal employee and customer details, and leak them or even sell them. It takes years of painstaking effort to build a company’s brand image, and any damage to this intangible asset can have very serious and far-reaching consequences. Hence it is important to enable processes, and tools such as XVigil, to continuously monitor and protect VIPs and their organizations.