Cybercriminals are continually trying to make their ransomware campaigns more effective. Here are three developments you should know about.
Most cybercriminals carry out ransomware attacks to make money. As a result, they are continually trying to make their ransomware campaigns more effective. This might involve making minor changes like fine-tuning a deployment method or major changes like developing a novel way to avoid detection.
Keeping abreast of the major developments in ransomware campaigns is important so that you can take measures to protect your business. Toward that end, here are three noteworthy developments you should know about.
In the past, the Java programming language was seldomly used to create malware because the Java Runtime Environment (JRE) is needed to run the code. Similarly, Java Image (JIMAGE) files have rarely been used in malware attacks. Even developers avoid working with these largely undocumented files, opting to use the popular Java Archive (JAR) files instead.
Because of this past, some cybercriminals decided to use Java to create a new strain of ransomware and compile it into a JIMAGE file. “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats,” explained the BlackBerry and KPMG researchers who discovered the new ransomware strain. “We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.”
The new strain of ransomware, dubbed Tycoon, targets Windows and Linux systems. Cyber extortionists are using it to encrypt the files on servers in small to mid-sized organizations mainly in the software and education industries.
To get Tycoon into an organization’s network, the cybercriminals typically exploit a vulnerable Remote Desktop Protocol (RDP) service on an Internet-facing machine. Once inside the network, they infiltrate the organization’s various servers (e.g., file and database servers) and disable any antivirus software running on those machines. The cybercriminals then manually deploy a ZIP archive file that contains the malicious JRE build. The JIMAGE file that contains the ransomware code is located in the JRE build’s lib\modules directory. After the attackers extract the ransomware code, they place it on the victim’s servers and run a script to launch the attack on all the machines at the same time.
The Ragnar Locker ransomware is known for the unique methods it uses to help avoid detection. For instance, while many ransomware programs disable security software, Ragnar Locker also disables managed service providers’ (MSPs’) utilities to prevent them from discovering and stopping the attack.
Sophos researchers recently discovered a Ragnar Locker variant that deploys a highly unusual but effective technique to avoid detection. It deploys a virtual machine on each targeted device and runs the ransomware executable from inside the virtual machine. The Sophos researchers had never seen this done before.
The researchers studied one of the attacks to learn more about it. They found that the cybercriminals use Windows Installer to download a package from a remote web server and install it on each targeted machine. The package includes an open-source hypervisor named VirtualBox and a virtual disk image (VDI) file. The VDI file contains an image of a stripped-down version of Windows XP and an image of the Ragnar Locker executable.
The installer package also includes a batch script designed to make the necessary preparations. For example, it stops certain processes on the targeted device and enumerates the device’s local drives, mapped network drives, and connected removable drives. The script uses the drive information to create the VirtualBox configuration file needed to start the virtual machine and allow it to access and encrypt files on the device.
After the preparations are finished, the VirtualBox hypervisor, its configuration file, and the VDI file are used to deploy a Windows XP virtual machine. Finally, the Ragnar Locker executable is extracted and decompiled. Because the ransomware runs from inside the virtual machine, it encrypts the files on the device’s drives without being detected.
Businesses are increasingly following IT security experts’ advice and backing up their data and systems in case they fall victim to a ransomware attack or another type of catastrophe. This has prompted some cybercriminals to up the ante by stealing companies’ files before encrypting them with ransomware. If the companies do not pay the ransom by the due date, the cybercriminals publish a small portion of the data on their data-leak sites and then threaten to post rest of it if the ransom is not paid. This can be an effective motivator to pay up, especially if the stolen files contain personal data (having it publicly posted could be considered a data breach) or proprietary business information (having it published might reveal a company’s trade secrets).
A ransomware gang that calls itself the “Maze crew” is gaining notoriety for this tactic. Sometimes it even tells the news media about its threats and informs the victims about doing so in order to exert extra pressure on them.
This is exactly what the Maze crew did to Allied Universal. This security and facility services company had around 700 megabytes (MB) of its data publicly posted in November 2019 after it refused to meet the Maze crew’s initial demands. This data constituted only a small portion of the 5 gigabytes (GB) of data stolen before it was encrypted with the Maze ransomware. The files included contracts, medical records, server directory listings, and encryption certificates.
After publishing the data, the cybergang sent an email to BleepingComputer. In it, they wrote “I am writing to you because we have breached Allied Universal security firm (aus.com), downloaded data and executed Maze ransomware in their network…. If they dont [sic] begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze.” The cybergang also threatened to conduct a spam campaign using Allied Universal’s domain name and email certificates.
The Maze crew used the same tactic with another ransomware victim, LG Electronics. In June 2020, the cybergang informed BleepingComputer that they would be posting some of the 40 GB of source code they stole from LG Electronics because the company had not yet contacted them. Soon thereafter, the cybergroup published some stolen Python code, a screenshot of a file listing from a Python code repository, and a split archive for a KDZ file on their data-leak site. (LG Electronics developed the KDZ archive file format. It uses these files to distribute firmware for its mobile devices.)
Cybercriminals Don’t Rest on Their Laurels — and Neither Should You
Cybercriminals don’t rest on their laurels. Instead, they are continually coming up with new ways to make their ransomware campaigns more effective. It is important to make sure that your company’s security measures can defend against ransomware campaigns that employ new tactics. We can assess your company’s security measures and make recommendations on how to strengthen your defenses so that your business does not become the next ransomware victim.