Chapter 3. Ransomware Operators and Targets

While ransomware rightfully gets a lot of attention because of the damage it can cause to an individual or organization, ransomware families actually make up a small, but rapidly growing, percentage of attacks. Kaspersky Lab, in the first quarter of 2016, reported blocking 228 million attacks. Of those blocked attacks, 372,602 involved ransomware, which means that ransomware accounted for only 0.0016% of the attacks.1 Even if the current meteoric growth of ransomware continues, it will be a while before ransomware makes up a significant percentage of all security threats.

In other words, ransomware families are still in their infancy, but they are rapidly evolving, and even more sophisticated hacker groups are using ransomware in their attacks. Ransomware has come on the scene at an interesting time in security. While there are a number of advanced tools available to organizations that have been developed to detect and stop ransomware attacks, there is also a sophisticated underground infrastructure in place to foster the rapid development and deployment of new ransomware families. There is also a significant body of knowledge available online about what works and what doesn’t when trying to deploy new malware. That body of knowledge includes a lot of code sharing on underground forums and learning from the mistakes of older ransomware families. So, unlike developers of previous types of malware, ransomware developers are not starting from scratch, which is why ransomware has quickly found a place in the arsenal of hackers with all sorts of skill levels.

What is even scarier for organizations is that there doesn’t seem to be any pattern to ransomware attacks. This differs from “traditional” hacker groups that focus on a particular target such as the financial sector or the defense industrial base. Instead, ransomware groups spread their attacks across all industries and home users. The attacks often feel completely random, more like a spam campaign than a targeted attack.

The basic point is that even though the ransomware groups are sophisticated, they spread their attacks across as many targets as possible in the same way that spam campaigns do. Modern ransomware gained momentum with the launch of Gpcoder in 2005. Like modern ransomware, Gpcoder would encrypt select files on a hard drive and demand a ransom in order to decrypt them. However, unlike modern ransomware, the private key was easily cracked, and the antivirus companies were able to provide their customers with a solution to decrypt files in a relatively short amount of time.

Ransomware like Gpcoder existed in dangerous times for the attacker. The ransom extorted from the victims had to either be paid in a form that was potentially traceable, such as a PayPal account or credit card transaction, or in a format that had limited acceptance, such as Ukash. This meant that they either had to constantly look over their shoulder as they spent their money or had to settle for limited spending opportunities.

Today, we live in a world with Bitcoin, more complex encryption libraries readily available, and the ability to create stronger keys on commodity hardware. So it is easier than ever to build and successfully run a ransomware campaign. There is also the appealing aspect of the immediate monetization of an attack. In the case of more traditional hacking campaigns, the attacker has to break into the target machine(s), exfiltrate the desired data, find a buyer for that data, negotiate a deal, and process the payment, which in some cases can take weeks or months, assuming anyone is willing to purchase the stolen data. Ransomware attacks simplify this process:

  1. Launch an attack.
  2. Get paid.

This simplified business model means that it is much easier for attackers to raise funds quickly. It also means that the money raised can be poured back into research and development to continuously improve the product. This is one of the reasons for the rapid development cycles in ransomware families, with new releases sometimes happening weekly.

Also, with ransomware attacks being reported in the media, more and more groups are getting involved in the ransomware business. There are also ransomware as a service (RaaS) options available to those who are testing out the ransomware market. These RaaS offerings vary from customized versions of a ransomware family that attackers can use in their own infrastructure to fully functioning exploit kits with ransomware as an add-on that can be dropped into any campaign. These aren’t the only reasons for the rise in ransomware; more are outlined in Chapter 1, but they served to make ransomware more attractive to hacker groups.

Criminal Organizations

Not every hacker group is motivated by the same goal. Some are motivated by infamy; others are looking to steal state secrets; some are doing it to fund various other criminal operations; still others are looking to disrupt the services of a perceived enemy. Different groups use different tactics, techniques, and procedures (TTPs); and understanding them allows an organization to potentially stop a ransomware attack before it gets to the encryption phase.

To understand why TTPs are important, think back to Chapter 1 and the discussion around the anatomy of a ransomware attack. Generally, attackers don’t deliver ransomware right off the bat but instead use a multistaged approach to an attack. The attack often starts with either a phishing email or a visit to a webpage infected by an exploit kit. Then it exploits the browser, a Microsoft Office document, an Adobe Flash file, or whatever the target vector is. Taking advantage of the exploited vector, the attacker automatically installs a loader such as Bedep. Only when the system has been fully surveyed does the attacker, again automatically, install the payload, in this case the ransomware.

Ransomware campaigns are almost always motivated by money. For example, in late June of 2016, researchers at SentinelOne determined that the group behind one variant of the CryptXXX ransomware family made 70 bitcoins (about $50,000 at the time of the attack) in a little over two weeks.2 A number of hacking groups have had a great deal of financial success with ransomware campaigns, some of which are described in the following sections.

TeslaCrypt

Of course, making a lot of money can also bring unwanted attention. It is speculated that this unwanted attention is what led the person or group behind the TeslaCrypt ransomware family to cease operations in May 2016. While TeslaCrypt was not the most widely deployed ransomware family, its longevity—it was used in campaigns from early 2015 through May 2016—meant that whoever was behind it made a great deal of money. From February through April 2015, researchers at FireEye determined that TeslaCrypt generated $77,000 for its developer.3 Following the escalated rate of deployment as the developer improved the software, TeslaCrypt likely generated more than $500,000.

The team behind TeslaCrypt famously stopped all operations in May of 2016. When a researcher from the antivirus company ESET contacted them, the team apologized and made their private key available, which allowed ESET to develop a free decryption tool.

Other ransomware families have generated even more income. It is estimated that the team behind CryptoLocker made more than $3 million before it was shut down in late 2015.

There is a very clear financial motivation behind ransomware campaigns, but that does not mean that all ransomware hacker groups are the same. There are, undeniably, a lot of commonalities between the different hacker groups behind ransomware, but there are also a lot of differences. Some ransomware groups are sophisticated and well funded, with ransomware as their primary revenue source; while others are just getting started and have managed to cobble together a piece of ransomware that may or may not work. Still others are groups involved in sophisticated attacks that use ransomware as one small part of their arsenal. Understanding the differences among the different ransomware families and the hacker groups behind them can help organizations better protect their networks.

CryptXXX

The CryptXXX ransomware family is an example of an unsophisticated team that has morphed into a much more sophisticated one. The first iteration of the CryptXXX family was discovered in April 2016 as part of the Angler exploit kit. This version of CryptXXX had a flaw in the encryption process that allowed researchers at Kaspersky Labs to quickly develop a tool to decrypt any system that had been infected by that early version.4 Later versions of the malware used a different encryption scheme, one that also deleted the Volume Shadow Copy Service (VSS) snapshots, making it impossible to restore a file from a local backup (restoration from an offline backup is still possible). There is some speculation that this newer variant of CryptXXX was developed by a different, more experienced team, building on the immature code.

The earlier a security team can identify and isolate a ransomware attack, the more likely they can stop it. That is why a holistic view of a ransomware attack is so important. Taking a holistic view allows security teams to stop a ransomware attack, using a combination of IOCs (indicators of compromise) and sound security practices, before the ransomware is downloaded to the target’s machine.

As mentioned before, detecting ransomware holistically requires an understanding of who is behind the ransomware and what techniques they are using.

The CryptXXX ransomware is discussed in some detail in Part III of this book.

CryptoWall

At one point CryptoWall was the most popular ransomware family and was delivered in a variety of ways. Most likely authored by a Russian hacker team, CryptoWall was originally delivered through spam campaigns, usually through attachments. However, as it grew in popularity, the delivery mechanisms started to vary. Eventually CryptoWall was delivered through a series of well-known exploit kits including Angler, Magnitude, and Nuclear, often using malvertising on legitimate sites as the point of entry. This change in tactics is important because these exploit kits are well known and monitored closely by the security community. If a ransomware family switches to using an exploit kit for delivery, or jumps from one exploit kit to another, there are already known protections in place to detect that exploit kit. Stop the exploit kit and the ransomware never gets to install itself.

Take the Angler exploit kit, before its demise, as an example. Many security vendors tracked the kit, monitoring its evasion techniques, from the steps it took to avoid specific antivirus programs to how it changed tactics and attempted to execute in memory.

By monitoring the activity of the developers of the Angler exploit kit, security teams were able to better ensure that Angler never got a foothold in the network; thus they were also protecting against CryptoWall. Of course, most security teams don’t have hours a week to spend tracking the changes in various exploit kits, which is why it is important to have a trusted security advisor that the security team can work with to share that information. Most organizations have multiple security vendors that they work with, and those security vendors are doing this work already. Getting updated alerts from these vendors on a regular basis helps security professionals to better prioritize patching and to develop more focused security strategies to deal with the threat of ransomware.

Locky

Locky is another popular family of ransomware. Locky is usually delivered as spam with attachments. At first Locky was primarily delivered via Microsoft Office attachments, sent as part of a spam campaign. The Office document asked the user to enable macros on the downloaded document, which allowed Locky to run on the system. This method of delivery is surprisingly effective—all the attacker has to do is give the victim a compelling reason to open the document.

Administratively Disabling Macros

This will be discussed in detail in Part II, but it is worth noting that Microsoft introduced the ability to administratively disable macros starting with Microsoft Office 2016 and then ported that capability to Office 2013. This means that macros can be disabled across an entire organization.

Locky has also used JavaScript attachments in an attempt to obfuscate the ransomware activity, because JavaScript files are not examined as closely as executable files are by security tools. JavaScript attachments, delivered as .js files often inside a compressed file, are effective as ransomware carriers because most security applications do not scan .js files. That being said, there is almost no legitimate reason for anyone to receive a .js file attachment, and these can be blocked at the mail gateway. Some mail security services can even inspect compressed files, such as a ZIP, RAR, or 7z, to look for embedded .js files.

Locky also uses a loader called RockLoader, also known as Waldek, that delivers not only the Locky ransomware, but often Pony and Kegotip (information stealers). Because these different malware families are installed as part of the same attack, they are essentially bundled together in a single attack. So, if a security tool picks up one of them on the network, it is often worth doing an in-depth scan for the others.

Locky is also delivered using exploit kits, specifically the Neutrino and the Nuclear exploit kits. Both kits generally use Adobe Flash exploits to compromise the victim’s browser and install the Locky ransomware. The Locky ransomware is discussed in some detail in Part III of this book.

The actors behind the Locky ransomware are believed to be the same group who run the Dridex botnet.5 The Dridex botnet gained fame in early 2014 for delivering banking trojans, which are malware specifically designed to steal banking credentials that can later be sold on the underground markets. The team behind Dridex, who call themselves Evil Corp., are thought to be former members of the Business Club, a Slavic criminal group.

Locky is a good example of how threat actors change their tactics to get better results. As financial institutions stepped up security for their customers and banking trojans became less effective, it was necessary for groups such as Evil Corp. (several of whose members had been arrested) to change their tactics. In general, financial institutions have significantly improved security, making it harder to sustain attacks that involve banking or credit card information.

From 2010 to 2012, it seemed like so-called fake AV campaigns were everywhere. A number of hacker groups made a great deal of money from these scams. Banks eventually caught on to these scams and put protections in place to stop them. Not being able to rely on credit cards anymore, some of these groups moved on to distributing ransomware. In the case of the hacking team behind the Dridex botnet, they simply replaced one payload, fake AV, with another, Locky. One of the unique features of Locky is that the command-and-control communication (the communication between the ransomware itself and the infrastructure controlled by the attacker) contains a field called “affid,” short for affiliate ID. Multiple groups can distribute Locky using whatever their preferred method of delivery is, and the Dridex team may be offering Locky as part of a RaaS model.

Ranscam

While most ransomware families stick to the standard formula of encrypting files and decrypting them when the victim pays the ransom, not all do. This is why knowing which ransomware has infected a machine is a critical component of addressing the threat. There are a few exceptions to this rule, the most notable of which is Ranscam, a ransomware family that simply deletes all files on a machine after successful installation.6

Ranscam still prompts the victim to pay the ransom; but when the victim does pay, a message is displayed saying that the ransom was not paid and that therefore a file will be deleted (of course it is not deleting a file; all the files were deleted when it was installed). This can induce panic and trick the victim into paying again (which will generate the same message).

If Ranscam continues to be successful, security analysts expect more hacker groups, especially less sophisticated ones, to attempt this type of attack. Obviously, developing fake ransomware is easier than actually building ransomware, so this is potentially a low-barrier method for low-skilled groups to get the benefits of ransomware, without having to put in the work or put up the money.

Along the same lines, there are reports of attackers threatening to launch a ransomware attack unless the company pays the ransom ahead of time. There is usually no real threat behind these emails, since the groups sending them usually are not sophisticated enough to launch a ransomware attack; but the hope is that they can scare enough people into paying.

Even if an organization has done nothing to prepare for a ransomware attack, once it happens, it is important to take a step back to take stock of the situation. By fully understanding what happened and doing some research before making a panicked decision, an organization can save itself some headache and maybe avoid further mistakes.

Who Are Ransomware Groups Targeting?

The easy answer to this question is: everyone. Of course, if everyone is a target, then no one is really a target. At first glance, that seems to be the case. If the Dridex team is sending out millions of spam emails at a time with Locky attachments, they aren’t really targeting anyone. If the CryptXXX team is running malvertising campaigns or infecting as many websites as possible to infect their victims, then they are trying to cast as wide a net as possible.

The truth is, the answer is not quite that simple. Yes, most ransomware groups are trying to infect as many people as they can; but as their tactics and techniques morph, it is clear they are refocusing their efforts.

Evolving Targets

Nowhere is this rapid evolution in ransomware more apparent than in the study of ransomware targeting. Early versions of ransomware targeted home computer users almost exclusively. It was very rare to hear about a company being infected with ransomware. Ransomware is still delivered in large numbers to home users, with hacker groups, like the group behind Locky, indiscriminately spamming people hoping to get a successful infection and even occasionally someone who will pay them.

But it wasn’t long before hacker groups realized that organizations were more likely to pay ransoms to get their systems up and running again. Mass spam campaigns quickly turned into phishing campaigns and those campaigns started to see some success. This strategy makes sense, especially for ransomware delivered as an attachment. Many home users don’t have Microsoft Office installed on their computers, but almost every organization does. Given the popularity of Microsoft Office documents as an attack vector, launching ransomware attacks against organizations was a logical step.

In addition to being a more natural fit, these types of infections tend to be newsworthy. When a hospital in California is infected with ransomware it is in the news for days or weeks. When multiple healthcare organizations are infected with ransomware in seemingly rapid succession, it makes the news for months and stays in the public consciousness; at the very least it weighs heavily on the minds of security teams. It also alerts the attackers to the fact that healthcare organizations are potentially vulnerable to attacks. In turn, the attacker groups begin aggressively targeting healthcare organizations for as long as they continue to see success.

Advanced Hacking Groups Move In

The attacks don’t stop with phishing though. As the more advanced hacking groups, the so-called advanced persistent threat (APT) groups, see that others are having success, they begin to use ransomware in their attacks, often with devastating effects. This was clearly illustrated by an attack on Lukas Hospital located in Neuss, Germany, where a more traditional attack group gained remote access to the network. They used that access to delete all backups and then attempted to use the hospital’s Active Directory service to automatically deliver ransomware to all of the workstations on the network using the domain controller and scheduled tasks, along with group policy objects (GPOs). This was a huge and potentially devastating attack that fortunately was not as successful as it could have been. What saved the hospital was a combination of quick reporting by affected victims and a quick response from the security staff. As soon as the security staff discovered that there were multiple systems under attack from ransomware, they disconnected everything from the network. It was an extreme response but one that probably saved the hospital millions of dollars.
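A defender-side view of the Lukas Hospital pattern, as an added example that is not from the book: detection logic in Python over constructed Windows Security event records (5136, a directory service object such as a GPO being modified; 4698, a scheduled task being created) that flags GPO edits by accounts outside an assumed allowlist and the same task name appearing on many hosts within minutes, escalating when one account did both. The host names, account names, task name, GPO placeholder and timestamps are constructed, and the records are assumed to have already been normalized into the dictionary fields shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)       # how quickly the same task must appear across hosts to count as a burst
MIN_HOSTS = 5                        # distinct hosts within WINDOW before alerting
GPO_ADMINS = {"CORP\\gpo-admin"}     # assumed allowlist of accounts expected to edit group policy

# Constructed records modelled on Windows Security events, already normalized to these fields (not from
# the book or any real incident): 5136 = directory service object modified, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"time": "2016-02-10T02:14:05", "host": "DC01", "id": 5136, "user": "CORP\\svc-backup",
     "object": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2016-02-10T02:20:00", "host": "WS-099", "id": 4698, "user": "CORP\\helpdesk", "task": "\\Cleanup"},
] + [
    {"time": f"2016-02-10T02:{16 + i:02d}:30", "host": f"WS-{i:03d}", "id": 4698,
     "user": "CORP\\svc-backup", "task": "\\Microsoft\\Windows\\Sync\\Update"} for i in range(1, 9)
]

def detect(events, window=WINDOW, min_hosts=MIN_HOSTS, gpo_admins=GPO_ADMINS):
    """Alerts on GPO edits by unexpected accounts and on one task name being created on many hosts
    within `window`; the burst is escalated when the account behind it also edited a GPO just before."""
    evs = sorted((dict(e, time=datetime.fromisoformat(e["time"])) for e in events), key=lambda e: e["time"])
    alerts = []
    gpo_edits = [e for e in evs if e["id"] == 5136 and "CN=Policies" in e.get("object", "")]
    for g in gpo_edits:
        if g["user"] not in gpo_admins:
            alerts.append({"kind": "gpo_edit_by_unexpected_account", "user": g["user"],
                           "time": g["time"].isoformat(), "severity": "medium"})
    by_task = defaultdict(list)
    for e in evs:
        if e["id"] == 4698:
            by_task[e["task"]].append(e)          # evs is time-sorted, so each per-task list is too
    for task, created in by_task.items():
        start = 0
        for end in range(len(created)):           # sliding window over creation times of this task name
            while created[end]["time"] - created[start]["time"] > window:
                start += 1
            if len({e["host"] for e in created[start:end + 1]}) < min_hosts:
                continue
            t0 = created[start]["time"]
            burst = [e for e in created[start:] if e["time"] - t0 <= window]
            users = sorted({e["user"] for e in burst})
            # escalate if an account creating the tasks edited a GPO within `window` before the burst began
            staged = any(g["user"] in users and timedelta(0) <= t0 - g["time"] <= window for g in gpo_edits)
            alerts.append({"kind": "mass_scheduled_task", "task": task, "hosts": len({e["host"] for e in burst}),
                           "users": users, "first_seen": t0.isoformat(), "severity": "high" if staged else "medium"})
            break                                  # one alert per task name
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both event types only exist if the relevant audit categories are enabled on the domain controllers and workstations, so the first check before deploying such logic is whether the events are being collected at all.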

Another hacking group is focused on taking advantage of known weaknesses in the JBoss Management Console. JBoss is an open source application server maintained by Red Hat. This group uses a customized ransomware family called Samas (also known as SamSam), ransomware developed as a .NET executable. The group gains access to the application server and then uses it to distribute the Samas ransomware. This is a very specific methodology but, given the number of vulnerable JBoss servers that are publicly reachable, it has proven successful.

The RAA ransomware is another ransomware family that specifically targets business users. First uncovered in June 2016, RAA was initially delivered as a .js spam attachment and targeted primarily at organizations in Russia (the campaign was distributed broadly, but the ransom note was written in Russian).7 The content of the spam was clearly directed at corporate users since it mentioned “overdue invoices.” As with most ransomware campaigns, RAA quickly evolved; and rather than simply delivering the spam as a .js attachment, they began delivering it as a password-protected ZIP file. This allows attackers to bypass many network email protection systems as well as most endpoint antivirus software solutions.

Ransomware is also being used as a distraction tool by advanced attacker groups. Similar to the way distributed denial of service (DDoS) attacks are often used to mask a real attack, the same can be done with ransomware. If an attacker is trying to move stealthily through a targeted organization and is concerned that he may be discovered, it is trivial to launch a ransomware attack on a system that is not critical to the attacker’s access. Because the tactics and techniques of ransomware versus targeted attacks are so different, security teams will be looking for a completely different set of indicators, which allows the attack group to continue their activity unimpeded while the security team remains distracted.

Choosing an Email Filtering Platform

More ransomware campaigns are using .zip, .7z, and .rar extensions to compress their payload. The idea is not really to make the ransomware package smaller but to take advantage of the fact that many email protection systems don’t scan compressed files. When looking at email protection systems, organizations should ask a few questions:

  • Does this solution extract archived files and examine those files before delivering the email?
  • What archives will it extract and examine? (If there is an archive type that is not commonly supported by email protection systems, eventually hackers will start using it.)
  • Can the email solution pull passwords out of emails to extract files from a password-protected archive? (This tactic is becoming more common because bad guys know most security vendors are not able to do this.)
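The checklist above (and the point made about .js files inside archives in the Locky section), as an added example that is not from the book: a mail-gateway attachment check in Python, standard library only, that unpacks ZIP attachments recursively, blocks .js members, tries the passwords quoted in the message body against encrypted members, and quarantines anything it cannot open. Because the standard library can read but not write encrypted ZIPs, the sample archives are hand-built with the traditional ZipCrypto scheme; 7z and RAR would need additional libraries and are not handled here, and every file name, password and message text is constructed.

```python
import io
import re
import struct
import zipfile
import zlib

MAX_DEPTH = 3            # refuse archives nested deeper than this
BLOCKED_EXT = (".js",)   # the text's example of a type with no business reason to be mailed; extend per policy
# Candidate passwords quoted in the message body ("Password: x", "the password is x").
PASSWORD_RE = re.compile(r"\bpass(?:word|code)?\b(?:\s+is)?\s*[:=]?\s*[\"']?([A-Za-z0-9_!@#$%^&*?]+)", re.I)

def passwords_in_body(body):
    return [m.encode() for m in PASSWORD_RE.findall(body)]

def _zipcrypto(pwd):
    """PKWARE 'traditional' ZipCrypto key stream (the scheme zipfile reads); returns encrypt(bytes)."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def crc_step(crc, byte):  # one raw CRC-32 table step: zlib's crc32 with its pre/post inversion undone
        return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def update(byte):         # keys advance on each plaintext byte, header and data alike
        keys[0] = crc_step(keys[0], byte)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)
    def encrypt(data):
        out = bytearray()
        for b in data:
            k = keys[2] | 2
            out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            update(b)
        return bytes(out)
    for b in pwd:
        update(b)
    return encrypt

def build_zip(name, plain, pwd=None):
    """Constructed sample: one stored entry, ZipCrypto-encrypted when pwd is given (stdlib cannot write these)."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    flags, body = 0, plain
    if pwd is not None:
        # 12-byte encryption header whose last byte (the CRC high byte) is what readers check a password
        # against; real archives randomize the first 11 bytes, zeros suffice for a sample.
        flags, body = 1, _zipcrypto(pwd)(bytes(11) + bytes([crc >> 24]) + plain)
    fname = name.encode()
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, len(body), len(plain), len(fname), 0) + fname + body
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                          crc, len(body), len(plain), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end

def scan_attachment(name, data, body, depth=0):
    """One attachment -> ('block' | 'quarantine' | 'pass', findings); archives are unpacked recursively."""
    if name.lower().endswith(BLOCKED_EXT):
        return "block", [f"{name}: blocked attachment type"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "pass", []            # neither an archive nor a blocked script: hand to the regular AV scan
    if depth >= MAX_DEPTH:
        return "quarantine", [f"{name}: archive nested more than {MAX_DEPTH} levels deep"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted, member = bool(info.flag_bits & 0x1), None   # general-purpose bit 0 = encrypted member
            for pwd in passwords_in_body(body) if encrypted else [None]:
                try:
                    member = zf.read(info, pwd=pwd)
                    break
                except (RuntimeError, zipfile.BadZipFile):   # wrong password, or CRC mismatch after a lucky check byte
                    continue
            if member is None:
                return "quarantine", findings + [f"{info.filename}: not openable (encrypted with no usable password in the message, or corrupt)"]
            if encrypted:
                findings.append(f"{info.filename}: opened with a password quoted in the message")
            verdict, sub = scan_attachment(info.filename, member, body, depth + 1)
            findings += sub
            if verdict != "pass":
                return verdict, findings
    return "pass", findings

def demo():
    dropper = b"var note = 'constructed sample, not a payload';"   # harmless stand-in for a .js dropper
    plain = "The overdue invoice is attached."
    enc = build_zip("invoice.js", dropper, b"Inv2016")
    cases = {
        "plain .js in zip": scan_attachment("invoice.zip", build_zip("invoice.js", dropper), plain),
        "pdf in zip": scan_attachment("docs.zip", build_zip("report.pdf", b"%PDF-1.4 constructed"), plain),
        "encrypted, password in body": scan_attachment("invoice.zip", enc, plain + " Password: Inv2016"),
        "encrypted, no password": scan_attachment("invoice.zip", enc, plain),
        "zip inside zip": scan_attachment("a.zip", build_zip("b.zip", build_zip("x.js", dropper)), plain),
    }
    for label, (verdict, findings) in cases.items():
        print(f"{label:28s} -> {verdict:10s} {findings}")
    return {label: verdict for label, (verdict, _) in cases.items()}

if __name__ == "__main__":
    demo()
```

A real gateway would still hand every extracted member to its regular scanners; the block only shows the archive-handling decisions the three questions ask about.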

Even teams that are not normally associated with financially motivated attacks have started getting involved in ransomware. Several security companies have noted ransomware activity from Chinese hacker groups that normally engage strictly in cyber espionage activity.8 There is some speculation that the September 2015 pact between the United States and China has contributed to the increase in ransomware attacks by traditionally espionage-focused Chinese threat actors. In the agreement that President Obama and President Xi Jinping signed, both countries agreed that cyber espionage activity would have limited scope and would not involve economic activity. Since the agreement there has been a noticeable drop-off in Chinese cyber espionage activity, but the hacker groups still exist. That has led to speculation that it is these groups that have taken to using ransomware to replace lost income.

What does all this mean? While “everyone” is still a target for ransomware, ransomware developers and the groups distributing it have begun to focus more specifically on organizations, rather than individual users. These attacks tend to be more profitable, since organizations are more likely to pay and to pay larger sums. While a typical home user may pay up to the equivalent of a few hundred dollars to decrypt an infected machine, an organization will often pay tens of thousands, even hundreds of thousands, of dollars to decrypt and retrieve their data.

Ransomware as a Service (RaaS)

As mentioned previously, one of the factors that has led to the rapid spread of ransomware is the quick adoption of RaaS. RaaS is a way for “wannabe hackers” who do not have the skills, or the infrastructure, to deliver ransomware widely to take advantage of existing capabilities to launch a ransomware campaign.

RaaS is not a new idea. With the advent of The Onion Router (TOR) and a robust underground economy (sometimes referred to as the Dark Web9) it has become significantly easier for skilled hackers to offer their services to others. Long before the idea of RaaS came along, attackers who had amassed a large number of victim hosts using a botnet would rent it out to anyone who wanted to launch a spam campaign or launch a DDoS attack against a target.

For a botnet owner, this made sense, because after extracting whatever financial data he or she could from the victims, the attacker could continue to earn income from the botnet. Renting botnets has become such a popular endeavor that it has changed the nature of the tools that are used to manage these botnets. The tools have become more modular, allowing the person who controls the botnet to offer plug-ins and even control panels to let customers automate the process of manipulating the botnet.

For the customers of these botnets, renting them makes sense as well. Rather than investing months and thousands of dollars trying to infect a few hundred thousand or a million hosts, why not use an existing botnet? It allows attackers to concentrate on their specific skill, whether that is crafting a DDoS attack or spamming millions of people. Some botnet owners will even manage the attack from start to finish for their customers. Think of it as a concierge service for hacking. For example, for an additional fee, the customer can tell the botnet owner the target that they want taken offline or the service they want degraded, and the botnet owner will take care of everything.

Different RaaS Models

There are several types of RaaS models available to “wannabe hackers.” Some of these are surprisingly simple, like the one in Figure 3-1. In the ad, the developer of the Encryptor ransomware provides details about the ransomware for potential customers, including screenshots and what the customer can customize in the delivery. The developer also discusses how successful the campaigns have been so far and how much his customers have made, as well as how much the developer has made.

This is an example of an easy-to-find RaaS campaign that was heavily advertised on various TOR sites for a tool that was not very effective (in fact, the Encryptor RaaS infrastructure was completely shut down by authorities in September 2016 and all of their servers were seized). While there are other, much more effective ransomware services out there, this model of service offering is one that is used most often. The developer builds the ransomware and uses a control panel to let customers configure it, never giving the customer direct access to the binary. Rather than paying the developer to launch a ransomware campaign, the developer just takes a cut from every victim who pays. The customer of the RaaS provider has to provide a list of emails to target.

Other RaaS offerings include different perks. For example, the ransomware family ORX-Locker took a page from the multilevel marketing businesses that are popular today and offered a 3% referral fee for ransom brought in from someone referred by an existing user. The ORX-Locker team also offered 24/7 support via chat and email for their customers who were running into problems.

While the Encryptor and ORX-Locker were rather immature RaaS offerings, newer variants have improved not only backend systems but also the ransomware itself. The hacking team behind the Cerber ransomware not only developed a well-designed user interface for their customers, including up-to-the-minute automated tracking of payments and the ability to set different ransom amounts for each campaign, they also developed effective ransomware code with none of the amateur flaws found in the Encryptor RaaS and ORX-Locker code.

These types of distribution models are generally known as affiliate models, a term referenced in the discussion of the Locky ransomware. Sophisticated hacker teams offer more advanced capabilities as part of their RaaS. These groups also cater to more sophisticated customers. The Cerber ransomware RaaS is one such example. In order to sign up, a customer must provide references and proof of access to a working exploit kit. This ensures that the Cerber code is less likely to be mishandled by someone who is new to the world of hacking.

Figure 3-1. An ad on a TOR-enabled website for the Encryptor ransomware

RaaS has become so commonplace in underground forums and marketplaces that even hacker groups not normally associated with ransomware have started bundling those services in with the other services they offer. Figure 3-2 shows an ad from a group simply calling themselves Russia Hackers, who are offering to create a customized CTB-Locker variant for two bitcoins. Note that the offer is nestled between offers to change someone’s grades and to launch a DDoS attack.

Figure 3-2. Hackers selling customized versions of CTB-Locker

The Russia Hackers and CTB-Locker teams are not offering any backend support. Instead, they deliver the ransomware binary, and the customers are responsible for managing the distribution, most likely using their own exploit kit or spamming tool. There are some customizable features that can be built into the binary, but that is the extent of the involvement of the team selling the binary. Note that the group Russia Hackers is not the hacking team that originally developed CTB-Locker. The hacking group behind CTB-Locker actually sells kits for around $3,000. For $3,000, the buyers get support in getting their ransomware business up and running, as well as recommendations for delivery mechanisms and suggested ransoms. The buyer is also able to create an affiliate program and sell variants of CTB-Locker to others who want to get into the ransomware business.

RaaS makes it easier for newer hackers to quickly get into the ransomware delivery business and possibly raise money quickly, although most hackers make very little, if any, money. RaaS also makes it more difficult for security teams, whether they are working for a security vendor or trying to protect a network, to stop the ransomware threat.

RaaS Disrupts Security Tools

As discussed earlier in this section, the best way to stop ransomware is to do it before the ransomware is installed. Whether that means blocking a bad domain or IP address or preventing the loader that will retrieve the ransomware from installing, the earlier a ransomware (or any) attack can be stopped, the better. Unfortunately, with RaaS, that is more difficult to do. Each customer of the RaaS offering (the wannabe hackers) has a different set of targets, and many use different delivery mechanisms, which makes it harder to tie a ransomware family to specific TTPs and ultimately harder to take preventative steps to stop the ransomware. This is exemplified by the evolution of Locky from being delivered via a simple Microsoft Office document with macros to being delivered using a number of exploit kits. Multiple TTPs, often in use simultaneously, make it more difficult to identify patterns in targets and delivery mechanisms, and can slow down reporting of effective methods for stopping the ransomware.

Think about it: if a particular family of ransomware has traditionally been delivered to targets in North America via spam attachments in a ZIP file, it is somewhat easy for a security team to mitigate this threat. But if that same ransomware is now being served via compromised banner ads on legitimate websites, security teams now have to reverse engineer the ransomware and look at its behavior to determine if it is a new family of ransomware or just a new strain of an existing family.

Remember, whether the discussion is ransomware or some other form of malware, a piece of malicious code is seen an average of six times in the wild by various security vendors before it is changed. There are a number of obfuscation techniques that sophisticated, and even unsophisticated, attackers use to alter the appearance of their ransomware or other malware to avoid being detected by traditional antivirus signatures. The executable itself may do the same things, but it looks different to the underlying operating system and to many security programs. A piece of ransomware delivered two different ways by two different groups will look, superficially, like two different programs. It is only upon close analysis that security teams will be able to determine that they are the same.

This is because the fundamentals of the ransomware don’t change between variants (with the exception, of course, of version changes, where there can be significant behavioral changes). Both ransomware variants will still use the same encryption schemes; they will both encrypt the same set of files; they will both make the same registry changes; they will both append the same extensions to the end of the newly encrypted files; and there will be more similarities than differences in behavior.
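The following script is an added example, not code from the book or from any vendor it mentions; it shows the point of the last two paragraphs in working form. Two constructed "binaries" that differ only in their packer wrapper produce different SHA-256 hashes, so a byte signature for one misses the other, while a profile of what each does when run (extension appended, ransom-note name, registry keys written, file types targeted, encryption scheme) matches exactly. A later version with a changed extension and a shifted set of traits still scores as a variant of the same family rather than a new one. All family names, registry keys, extensions, weights and thresholds are constructed for the example and are not real indicators.

```python
"""Behaviour-based family matching for ransomware samples (added example).

Two builds of the same ransomware that were packed differently have different
file hashes, so a signature on the bytes misses one of them. What the sample
does when it runs changes far less, so a profile of that behaviour, as a
sandbox would record it, is a better basis for deciding whether a "new"
sample is a known family in a new wrapper. Every family name, registry key,
extension and sample below is constructed and is not a real indicator.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorProfile:
    """Traits observed at run time. Multi-valued traits are sets so the
    order in which a sandbox logged them does not matter."""
    extension: str              # appended to each encrypted file
    ransom_note: str            # name of the dropped ransom note
    registry_keys: frozenset    # registry keys written (constructed values)
    targeted_types: frozenset   # file types the sample encrypts
    crypto: str                 # encryption scheme identified by analysis


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(p: BehaviorProfile, q: BehaviorProfile) -> float:
    """Weighted behaviour score in [0, 1]. Exact-match traits carry more
    weight than set overlap because they stay fixed across repacks of the
    same version. The weights are a constructed choice for the example."""
    score = 0.25 * (p.extension == q.extension)
    score += 0.20 * (p.ransom_note == q.ransom_note)
    score += 0.15 * (p.crypto == q.crypto)
    score += 0.20 * jaccard(p.registry_keys, q.registry_keys)
    score += 0.20 * jaccard(p.targeted_types, q.targeted_types)
    return round(score, 3)


def classify(profile: BehaviorProfile, known: dict) -> tuple:
    """Compare a sample's behaviour against known family profiles.

    Returns (family, score, verdict): "same strain" at >= 0.8, "new version"
    at >= 0.5 (core traits kept, some shifted), else "unknown family".
    Thresholds are constructed for the example."""
    scores = {name: similarity(profile, ref) for name, ref in known.items()}
    family, score = max(scores.items(), key=lambda kv: kv[1])
    if score >= 0.8:
        return family, score, "same strain"
    if score >= 0.5:
        return family, score, "new version"
    return "none", score, "unknown family"


def sha256_hex(data: bytes) -> str:
    """File hash, the basis of a traditional byte signature."""
    return hashlib.sha256(data).hexdigest()


# Constructed reference profiles for two made-up families.
KNOWN_FAMILIES = {
    "family-alpha": BehaviorProfile(
        extension=".alpha",
        ransom_note="HOW_TO_RECOVER.txt",
        registry_keys=frozenset({
            r"HKCU\Software\AlphaDemo\id",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\alphademo",
        }),
        targeted_types=frozenset({".docx", ".xlsx", ".jpg", ".pdf"}),
        crypto="AES-256-CBC, key wrapped with RSA-2048",
    ),
    "family-beta": BehaviorProfile(
        extension=".beta",
        ransom_note="README_DECRYPT.html",
        registry_keys=frozenset({r"HKCU\Software\BetaDemo\key"}),
        targeted_types=frozenset({".docx", ".xlsx", ".sql", ".mdb"}),
        crypto="AES-128-ECB",
    ),
}

# Two constructed "binaries": the same family-alpha build wrapped by two
# different packers. Only the wrapper bytes differ, but so do the hashes.
SAMPLE_PACKER_1 = b"MZ\x90\x00 packer-one stub " + b"ALPHA-PAYLOAD" * 4
SAMPLE_PACKER_2 = b"MZ\x90\x00 packer-two stub " + b"ALPHA-PAYLOAD" * 4

# Behaviour a sandbox records for both packed samples (constructed): the
# same traits as the family-alpha reference, logged independently.
OBSERVED_REPACK = BehaviorProfile(
    extension=".alpha",
    ransom_note="HOW_TO_RECOVER.txt",
    registry_keys=frozenset({
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\alphademo",
        r"HKCU\Software\AlphaDemo\id",
    }),
    targeted_types=frozenset({".pdf", ".jpg", ".xlsx", ".docx"}),
    crypto="AES-256-CBC, key wrapped with RSA-2048",
)

# A constructed later version: new extension, one registry key dropped,
# one more file type targeted, same ransom note and crypto.
OBSERVED_NEW_VERSION = BehaviorProfile(
    extension=".alph2",
    ransom_note="HOW_TO_RECOVER.txt",
    registry_keys=frozenset({r"HKCU\Software\AlphaDemo\id"}),
    targeted_types=frozenset({".docx", ".xlsx", ".jpg", ".pdf", ".sql"}),
    crypto="AES-256-CBC, key wrapped with RSA-2048",
)

if __name__ == "__main__":
    print("hashes equal:", sha256_hex(SAMPLE_PACKER_1) == sha256_hex(SAMPLE_PACKER_2))
    print("repacked sample:", classify(OBSERVED_REPACK, KNOWN_FAMILIES))
    print("later version:  ", classify(OBSERVED_NEW_VERSION, KNOWN_FAMILIES))
```

Running it shows the two packed samples hashing differently while the repacked profile scores 1.0 against family-alpha, and the later version scoring in the "new version" band: the behaviour, not the bytes, is what ties the samples to a family and therefore to the response that family calls for.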

Why does any of this matter? After all, ransomware is ransomware—if a person or organization is infected, they are stuck; it doesn’t matter if it is Locky, CryptXXX, or some brand new ransomware no one has seen, right? Not exactly. Knowing which ransomware has hit a target system goes a long way toward determining the course of action.

Summary

Many security professionals don’t see the value in knowing who is behind ransomware or what their motivations are—they just want to know how to stop it.

But knowing who is behind an attack can help a security team combat a ransomware threat more effectively. For example, if the developers behind a newly discovered ransomware family are inexperienced, most likely the ransomware code is immature, which means that there is a good chance that a security researcher has found a way to circumvent the decryption process. Knowing that a ransomware family is almost always delivered via one or two exploit kits means that beefing up protection against those kits, even if it means a few more false positives, may prevent the ransomware from ever hitting their network. If a ransomware family is being delivered using a specific phishing lure, warn users to watch for that lure and get mail administrators to block incoming email matching that lure.

Building these attacker profiles and understanding how they work helps the security community combat ransomware more effectively and helps security teams better protect their organization.

1 Alexander Gostev, Roman Unuchek, Maria Garnaeva, Denis Makrushin, and Anton Ivanov, “IT Threat Evolution in Q1 2016,” Securelist, Kaspersky Lab, May 5, 2016.

2 Caleb Fenton, “Ransomware - New CryptXXX Variant Discovered,” SentinelOne, June 21, 2016.

3 Nart Villeneuve, “TeslaCrypt: Considering the Money Trail and Learning the Human Costs of Ransomware,” Threat Research Blog, FireEye, May 15, 2015.

4 John Snow, “How to unlock a .crypt file,” Kaspersky Lab Daily, April 26, 2016.

5 Chris Wakelin, “Locky Ransomware Is Becoming More Sophisticated - Cybercriminals Continue Email Campaign Innovation,” Proofpoint, April 6, 2016.

6 Edmund Brumaghin and Warren Mercer, “When Paying Out Doesn’t Pay Off,” Cisco Talos Blog, July 11, 2016.

7 GoldSparrow, “RAA Ransomware Removal Report,” Enigma Software Group, June 15, 2016.

8 Joseph Menn, “Exclusive: Chinese Hackers behind U.S. Ransomware Attacks,” Reuters, March 15, 2016.

9 Please don’t use that term.
