Data leak ransomware

The Evolution of the Data Leak Extortion Ecosystem

 

Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, injecting host computers with a virus that encrypts files and hides directories, which are returned only when the victim pays a ransom. They are significantly more sophisticated and costly now.

The release of CryptoLocker in the year 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not adhere to bullying, which only makes it worse. It directly encrypts all the files on the system and demands a ransom in exchange for its decryption. And now with the likes of Sodinokibi and Maze the ransomware lineage is operating at a huge scale.

Over the years, malicious ransomware operators have expanded the scope of the virus to include screen locker capabilities along with the ability to overwrite boot data records. And thanks to the prevalence of ransomware families, today, ransomware is a global threat that has advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim’s personal records and files.  

To ensure the complete surrender of victims,  threat actors have switched to two-fold attack techniques. If the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.

In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.

Police Lockers

The mid 2010s were dominated by Trojans that took away users access to their screens or browsers. In the year 2012, a fresh scam that involved one such Trojan invaded browsers. It sent messages and fake alerts that masqueraded as the law enforcement agency, only to dupe unsuspecting victims. The message would claim that the victim’s device was found to be involved in illegal activities such as copyright violation or child pornography. The victims are then scared into paying an amount as ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.

During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to lock the host computer’s IP address, Windows version, location, and ISP name.

CryptoLocker

2013 witnessed yet another iteration of the malicious software that was capable of encrypting data. CryptoLocker was the first ransomware of this kind and it used 2048-bit RSA encryption. Also, the victims were asked to pay the ransom in Bitcoins for the first time or using prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.

Emergence of Ransomware-as-a-Service (RaaS)

In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. In attacks that follow, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services. It has been the reason for a surge of ransomware attacks across the world.

Locky Ransomware and KeRanger

The Locky ransomware that was released in 2016 spread malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim’s data. KeRanger operators usually demand for $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (anonymity network).

WannaCry and Notpetya

With time, ransomwares have been developed to be stealthier and devastating. In the year 2017, there were multiple ransomware outbreaks, namely WannaCry and Notpetya. These attacks were not detected initially.  And today, threat actors clearly distinguish between individuals and businesses, when they demand a ransom. They consider businesses and organizations to be juicier targets. The biggest pay-outs until then, that were a result of ransomware attacks, were reported in the year 2016.

A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.

Ransomware groups like Sodinokibi and Ryuk spot unsecured ports like RDP ports to access networks. Most recent attacks show that actors are so sophisticated that once they hack service providers, they even invade networks of partner organizations.

Maze

Recently, in November 2019 Maze ransomware resurfaced the cyber ecosystem, and hacked a plan to attack a security organization – Allied Universal.

The group behind the attack extorted 7GB data, contacted the organization’s management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and uploaded the remaining data in the wild.

 

Conclusion

Ransomware is growing continuously and exponentially, adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data, but the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup for the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK’s XVigil to prevent most file encrypting threats. 

Why you should be worried about a cyber pandemic that could take over the cyberspace

 

Companies of all sizes and sectors fall prey to data breaches and ransomware attacks. Security incident(s) that result in data leakage can stain the reputation of the concerned organization, let alone the legal battle that follows. Enterprises spend millions of money on security products to attain a comprehensive security posture, yet attackers are able to  compromise networks and exfiltrate data. Threat actors as well as state sponsored actors craft sophisticated attack vectors that are undetectable and develop zero-day exploits for applications used by victim organizations. 

Quite often, the RaaS [Ransomware as a Service] model for ransomware developers are advertised on underground hacker forums. Today, anyone can make use of the RaaS platform and become a ransomware operator. Companies pay the ransom amount, when it becomes the only viable option. This emboldens threat actors to carry out more campaigns against organizations.

State sponsored APTs are more dangerous since they are backed by nation states. Their funding never runs dry, which in turn enables them to develop complex infrastructure. Target objective is another factor that makes APTs stand out, since geopolitical factors are their primary motivation and not financial factors.

Ransomware rate

Threat Landscape

Recent trends in the cyber threat intelligence landscape involves ransomware and banking trojans. Multistage complex malware downloaders can also be found in the wild. They facilitate further dissemination of ransomware and other spyware/ trojans. Certain ransomware groups also engage in looting cryptocurrency by compromising crypto exchanges.

 

Ransomware

Ryuk

Ryuk has been spotted in various attacks targeting enterprise organizations worldwide, demanding ransom payments ranging from 15 to 50 Bitcoins (BTC); which translates to between US$97,000 and $320,000 at the time of valuation. 

 

Fig1. Popular attack vectors
Fig1. Popular attack vectors

 

Ransomware targets Windows

REvil/ Sodinokibi

REvil/ Sodinokibi ransomware was first detected in 2019, targeting the health and IT sectors. Later, it began auctioning off sensitive data over the dark web, stolen from companies using its malicious code. As part of their tactics, this ransomware group threatens to release their victims’ data, unless their ransom demands are met.

 

Dharma/ CrySiS

Dharma ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016 and the threat actors behind the ransomware continue to release new variants which are not decryptable.

 

STOP/ djvu

Djvu is a high-risk virus that belongs to the STOP malware family. Firstly discovered by Michael Gillespie, this virus is categorized as ransomware and is designed to lock (encrypt) files using a cryptography algorithm. 

 

Ransomware strains reported

Fig2. Ransomware strains Q1 2020 (incl. STOP)
Fig2. Ransomware strains Q1 2020 (incl. STOP)

Cooperation between ransomware families has also been noticed to increase lately, enforcing more efficiency in operating Ransomware as a Service [RaaS] offerings.

Fig3. Ransomware strains Q1 2020 (excl. STOP)
Fig3. Ransomware strains Q1 2020 (excl. STOP)

STOP, Dharma, Phobos, and REvil have had major roles to play in the RaaS sector. They are very active, even today, carrying out their campaigns, especially Dharma and REvil.

Phishing and ransomware

Malware attacks vs. Malware-free attacks

Malware attacks are simple use cases where a malicious file is written to disk. This can be easily detected and blocked by Endpoint Detection and Response (EDR). Malware-free attacks are more in-memory code execution and credential spraying attacks that require more sophisticated detection mechanisms. We have seen an increase in malware-free attacks as part of campaigns since 2019. They successfully evade security measures and defenses set up by the enterprises.

 

Cost of a Ransomware Attack

The total cost of a ransomware attack includes the ransom amount (if paid), costs for network remediation, lost revenue, and the cost of a potential damage to the reputation of the brand. Recent trends in attacks indicate that more businesses are targeted and threatened to release data, for a ransom. 

It seems that ransomware groups have evaluated the long-term impacts of their attack on the brand image, trust, and reputation of organizations that refuse to pay up. Ryuk ransomware is largely responsible for the massive surge in ransomware demands. Ransomware operators demand an average of $288,000 for the release of systems.

Ransomware affectes business

Fig4. Largest amount of ransom reported in 2019
Fig4. Largest amount of ransom reported in 2019

 

Fig5. Largest avg. ransom pay-offs 2020
Fig5. Largest avg. ransom pay-offs in 2020

 

Ransomware statistics for 2020

Taking into account the current trend and statistics, ransomware + downtime costs for the top five countries for 2020 are estimated to be:

  • Italy: $1.1 billion – $4.3 billion
  • Germany: $1 billion – $4 billion
  • Spain: $830 million – $3.3 billion
  • UK: $469 million – $1.9 billion
  • France: $121 million – $485 million

 

Hidden Costs of ransomware

  • Downtime of Information systems
  • Loss of Reputation
  • Penalties/Fines[Compliance]
  • Legal Action from user

Avg. ransom payment

 

Cyber security during COVID-19

“WHO reports fivefold increase in cyber attacks, urges vigilance”

Threat actors have exploited COVID-19 extensively to carry out phishing attacks, masquerading as WHO and similar agencies, to deliver malware-laced emails. COVID-19-related phishing attacks went up by 667%, scams increased by 400% over the month of March 2020, making Coronavirus the largest-ever security threat. To make things worse, social distancing guidelines observed across countries forced organizations to work from remote locations, putting the security of such organizations at risk. Remote work exposed user endpoints to external threats and had the following impacts:

  • Increased security risk from remote working/ learning
  • Potential delay in cyber-attack detection and response
  • Business Continuity Plans (BCP) to feature global pandemics

 

Effective Threat Intelligence

For an average company earning $10K/ hour, operating 8 hours a day, and 5 days a week, the downtime cost is estimated at $1,760,000 each month. Estimated average downtime is 1-2 hours. Cost of 1.6 hours average downtime/ week for a Fortune 500 company is approximately $46M per year. 

A Distributed Denial of Service [DDoS] attack that temporarily disrupts the activities of a website, can last for a few days or even longer. According to the IDG DDoS report, 36% of companies that have experienced more than five DDoS attacks, suffer an average downtime of 7-12 hours.

An experienced Cyber Threat Intelligence (CTI) team gathers information from different sources and converts it into intelligence to safeguard client corporations. If an effective CTI is not part of a company’s mature security model they can fall prey to any attack at any time.

A CTI team can actively monitor and create actionable intelligence on the following areas of your business:

  • Supply chain 
  • Dark web monitoring for data leaks 
  • Zero-days
  • New emerging attack vectors

Threat intelligence must be actionable. Threat Intelligence provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) to the security team, especially to the Security Operation Center (SOC) team, for proactive/ reactive measures to counter cyber threats.

 

Indicators of Compromise

These are some of the common Indicators of Compromise:

  • IP addresses, URLs and Domain names used by malware
  • Email addresses, email subject, links and attachments used by malware  
  • Registry keys, filenames and file hashes and DLLs of malware 
Examples
  • hxxp://45.142.213.230/bssd [sectopRAT Trojan]
  • hxxp://45.142.213.230/blad [SectopRAT Trojan]
  • [email protected] [djvu ransomware]
  • [email protected]     [djvu ransomware]
  • ef95c48e750c1a3b1af8f5446fa04f54 [maze]
  • f04d404d84be66e64a584d425844b926 [maze]

 

Tactics, Techniques, Procedures/ TTPs

TTPs define the behaviour of a threat actor or group and explain how the actor carries out an attack against the network and makes a lateral movement within the intranet. 

MITRE ATT&CK is the most widely used, open-source threat intelligence framework to understand adversary tactics and techniques. There are 11 tactics and 291 techniques listed in this framework.

 

Example of Tactic and Technique

 

Tactic 
Techniques
Initial Access T1193: Spear Phishing Attachment
Execution T1059: Command-Line Interface

T1086: PowerShell

T1085: Rundll32

T1064: Scripting

T1204: User Execution

T1028: Windows Remote Management

 

The efficacy of a CTI team to predict the possibility of an occurrence and ensure effective implementation of mitigation measures is essential to the survival of any organisation in their current realm of operations.

 

Conclusion

To further their nefarious intentions, threat actors arm themselves with sophisticated tools and advanced capabilities. It is quite difficult for the law enforcement as well as cyber security practitioners to keep pace with these actors. An effective CTI system can help organizations contain the attack within the network, reduce associated costs, and minimize data loss. Investing in a strong CTI system will allow security operation centers to predict and mitigate attacks proactively. However, a CTI system is only as strong as its weakest link: humans. Human errors can cause even the most impenetrable, robust security system to fail. A good security system monitors information systems and applications and conducts regular vulnerability assessments and pentesting. But, a comprehensive security system prioritizes employee/ user training and updation on cyber hygiene and best practices.

KMIKE Ransomware - CloudSEK

The lifecycle of a ransomware written in Python (featuring KMike)

*Update: This article was updated on 12th August 2020 with further details on KMike.

 

In a quest to understand how ransomware works, I came across an article on “How not to Write a Ransomware.” This made me wonder “how do you write one then?” It led me on a trail through multiple blogs and code repositories, which only confused me more. So, I decided to write my own ransomware, to understand its operations and in the process help others who are after the same elusive secret.

Your first thoughts would be what to name your project. The name should reflect the personality of your ransomware and metaphorically describe it. With a touch of creativity, my project was rightly named after Krombopulos Michael, a Rick and Morty antagonist, dubbed KMike. The basic objectives of the project was to develop a ransomware that is:

  • Functional
  • Demystifies the operations of a ransomware
  • Has the basic functionalities of a typical modern ransomware

The next step is to decide the language you will be using to develop the ransomware. I chose Python because it is easily readable and beginner-friendly in nature. Compared to low-level languages, execution in Python is slower and it supports larger file sizes. In fact, people with malicious intentions would consider a ransomware developed in Python to be unappealing.

 

Stages in the lifecycle of a ransomware 

This article will detail the different stages in a ransomware’s lifecycle and infection process and provide insights on how KMike operates in each stage. 

 

Delivery

A ransomware is usually embedded in documents and delivered via emails that execute as soon as it is downloaded/ opened. It may also masquerade as a legitimate software and trick you into downloading and executing it. Some ransomware might have the ability to propagate through the networks that a system is connected to.

KMike pretends to be a software that promises to help you add in-game currency in a game of your choice.

 

Evasion

A ransomware does not start executing as soon as it is opened so as to evade detection. Instead, it performs a series of checks to determine whether it is being executed in a sandbox or a normal environment. Evasion techniques help the ransomware to encrypt files of the victims successfully and also prevent its detection. This, in turn, helps to spread the infection to other systems.

The checks are limited only by the author’s imagination. Typical checks audit the system hardware configuration for sandbox specific values, and also inspects the filename of the executable to see if it has been renamed to something like “malware” or ”test”, something analysts generally use. Reportedly, some malware also checks the CPU’s temperature, screen resolution, user interaction to evade sandboxes.

Static code analysis can be evaded if you have a codebase which was not taken from any existing malware. Even though KMike does not implement any such measures, only 7 out of 72 engines were able to detect the file as malicious.

Ransomware: VirusTotal
7/72 engines detected KMike as malicious (Credits: VirusTotal)

 

Encryption

After determining that the ransomware is not in a sandbox, the next step is to encrypt files present in the system. There are two important choices to make: what files to encrypt and how to encrypt them.

We should encrypt files that have user data in them and not the ones that are needed for the OS to function properly. We can set it in such a way that only files with specific extensions are encrypted.

We generally encrypt files with a symmetric key algorithm. This encryption scheme is generally faster and less resource consuming than asymmetric encryption. In this scheme, we generate new keys for each file that is encrypted. However, faster execution comes with a caveat that it becomes easier for analysts and researchers to break. Therefore, in the case of KMike, we encrypt all the keys that we have generated with an asymmetric key algorithm, wherein the keys are generated during execution. 

Now, we have a pretty secure scheme, but the key that is used to encrypt everything is stored in the device itself for anyone to grab and decrypt the files. So, we encrypt the locally-generated private key with a public key. This public key is then embedded in the ransomware whose corresponding private key is stored in our server. With this scheme, we can encrypt all the files without making any network connections to our server. This also ensure that none of the keys are stored in plaintext form on disk.

To sum up:

  • Encrypt all user files with AES-256-CBC.
  • Random AES key and IV for each file.
  • Encrypt AES keys with locally-generated public key RSA-2048.
  • Encrypt locally-generated private key with RSA-2048 common public key

 

Communication

Once we have encrypted all the victim’s files, the next step is to display a ransom message and decrypt files after the payment has been made.

Ransom messages can be displayed in a variety of ways: changing the desktop background, creating a text file with the ransom message, etc. We need to make sure the server is easily accessible to the ransomware but hard for others to decipher. 

This is where Domain Generation Algorithms (DGA) come in. DGAs are algorithms which are deterministic and can generate pseudorandom values meaning it will generate the same random output for a given seed. We use this to generate hundreds, if not thousands of domains and start sending requests to all the domains. Once we know the seed value, which can be something like the present date or the value of a currency at a particular time, we can randomly register a small number of the domains and make sure it is accessible for the ransomware. 

We generate a unique bitcoin address for each infected machine to make it harder for adversaries to track.

Once the payment is done and verified, we can decrypt the locally generated asymmetric key from the machine in the server itself and return the decrypted key, so as to not expose the master private key at any point in time.

Thus, the lifecycle of the ransomware from infection to decryption concludes here. To see the code for KMike, please visit this repo.