Research on Netwalker ransomware reveals cybercriminal’s toolbox

Last year, organizations in Delhi (85%), Bangalore (83%), Kolkata (81%), Mumbai (81%), Chennai (79%) and Hyderabad (74%) were impacted by ransomware according to our latest survey report ‘The State of Ransomware 2020’.

But have you ever wondered what’s inside a hacker’s toolbox? Be assured it is more than you thought. SophosLabs Uncut has just published “Netwalker ransomware tools give insight into threat actor,” a new piece of research about Netwalker ransomware that includes a surprising collection of third-party programs used to quietly carry out attacks.

While investigating Netwalker, SophosLabs found a collection of widely known programs such as TeamViewer, together with freely available Windows utilities copied directly from GitHub, that were misused to get ransomware into companies’ networks.

SophosLabs’ research paper gives a detailed description of how the various tools are used during each stage of the attack, providing unique insight into the attackers’ behaviors.

A few years ago ransomware criminals typically used what’s called the “spray-and-pray” approach – or what might more appropriately be called “spray-and-prey”, given the entirely predatory nature of these attacks. A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.

Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLocker, Locky and Teslacrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today. But today’s ransomware criminals tend to pick entire organisations as victims.

The crooks break into networks one at a time, learn the structure of each network, work out the most effective attack technique for it, and then scramble hundreds or thousands of computers across an entire organisation in one go. In cases like this, where a business may find its operations frozen because all its computers are out of action at the same time, ransom demands aren’t just $300 or even $30,000 – they may be $3,000,000, or even more.

As you can imagine, this means that the ransomware part of today’s file-scrambling attacks – the malware program at the heart of the scrambling process – is now just one piece in a much bigger toolbox of tricks that a typical ransomware gang will have up its sleeve.

Last week, for example, we wrote about an attack by the Ragnar Locker crew in which they wrapped a 49KB ransomware executable – a file created specifically for one victim, with the ransom note hard-coded into the program itself – inside a Windows virtual machine that served as a sort of run-time cocoon for the malware.

The crooks deployed a pirated copy of the VirtualBox virtual machine (VM) software to every computer on the victim’s network, plus a VM file containing a pirated copy of Windows XP, just to have a “walled garden” for their ransomware to sit inside while it did its cryptographic scrambling.

But that’s far from everything that today’s crooks bring along for a typical attack, as SophosLabs was able to document recently when it stumbled upon a cache of tools belonging to a ransomware gang known as Netwalker.

When ransomware first became a serious problem about seven years ago, the idea of scrambling your files in place was a way for the crooks to “steal” your files – in the criminal sense of permanently depriving you of them – without having to upload them all first.

The average computer and the typical network just didn’t have the bandwidth to make that possible, and the average crook didn’t have enough storage to keep hold of it all. But cloud storage has changed all that, and ransomware crooks are now commonly stealing some or all of your data first, before unleashing their ransomware.

They’re then using this stolen data to increase the pressure of their blackmail demands by threatening to leak or sell your data if you don’t pay up, thus giving them criminal leverage even if you have a reliable and efficient backup process for recovering your files.

In quick form, our five tips are:

1. Protect your system portals. Don’t leave RDP and other tools open where they aren’t supposed to be. The crooks will find your unprotected access points.

2. Pick proper passwords. Don’t make it easy for crooks and their password guessing tools. Use 2FA wherever you can.

3. Peruse your system logs. As the chart above shows, the crooks often use a lot of sysadmin tools that would probably show up as unusual in your logs if you were to look.

4. Pay attention to warnings. Exploits that ran but failed could be reconnaissance for a future attack rather than an attack in their own right.

5. Patch early, patch often. The Netwalker crooks wouldn’t bother with a CVE-2015-1701 exploit from five years ago if it never worked. Don’t be the network where it does!
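Tips 1 and 3 above boil down to looking for admin and remote-access tools turning up where they should not. The following is an added example, not code from the article or from SophosLabs: it triages constructed process-creation log lines in an assumed `key="value"` format, flagging watchlisted tools (TeamViewer is named in the article; the other watchlist names and the sample hosts and users are placeholders this example assumes) that run from user-writable directories or are spawned from a command shell.

```python
"""Triage process-creation log lines for misused admin tools (tip 3 above).
Constructed example, not code from the article or SophosLabs; the key="value"
log format is assumed, TeamViewer is named in the article, other names are placeholders."""
import re

# Dual-use tools to watch for (TeamViewer from the article; others assumed).
WATCHLIST = {"teamviewer.exe", "psexec.exe", "procdump.exe"}
# A properly installed admin tool has no business running from these paths.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\temp\\", "\\downloads\\")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log: lines 2 and 3 should alert, line 4 merits a review.
SAMPLE_LOG = r"""
Host="FILESRV01" User="CORP\svc_backup" Image="C:\Program Files\7-Zip\7z.exe" Parent="C:\Windows\explorer.exe"
Host="WS-042" User="CORP\jdoe" Image="C:\Users\Public\TeamViewer.exe" Parent="C:\Windows\System32\cmd.exe"
Host="WS-042" User="CORP\jdoe" Image="C:\Users\jdoe\Downloads\psexec.exe" Parent="C:\Windows\System32\cmd.exe"
Host="DC01" User="CORP\Administrator" Image="C:\Program Files\TeamViewer\TeamViewer.exe" Parent="C:\Windows\explorer.exe"
"""

def parse_line(line):
    """Turn one key="value" line into a dict (unknown fields simply absent)."""
    return dict(FIELD_RE.findall(line))

def score_event(ev):
    """Return the reasons an event looks unusual; an empty list means benign."""
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"watchlisted tool {name}")
    if any(d in image for d in SUSPICIOUS_DIRS):
        reasons.append("launched from a user-writable directory")
    if ev.get("Parent", "").lower().endswith(("\\cmd.exe", "\\powershell.exe")):
        reasons.append("spawned from a command shell")
    return reasons

def triage(log_text):
    """Score every line; two or more reasons is an alert, one is worth a review."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        reasons = score_event(ev)
        if reasons:
            severity = "alert" if len(reasons) >= 2 else "review"
            findings.append({"host": ev.get("Host"), "image": ev.get("Image"),
                             "severity": severity, "reasons": reasons})
    return findings
```

Calling `triage(SAMPLE_LOG)` yields two alerts for WS-042 and a review item for the properly installed TeamViewer on DC01, which is the kind of signal tip 3 says would stand out if someone looked.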

Of course, don’t forget the obvious – make sure you are using anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Gabor Szappanos, senior director, Threat Research at SophosLabs, explains, “Ransomware attacks nowadays are not single-shot events like WannaCry was in 2017. Cybercriminals now have well-established procedures and toolsets that they routinely use. The attacks are usually longer and multi-faceted, meaning attackers spend days or even weeks within targeted organizations, carefully mapping internal networks while gathering credentials and other useful information. In this process, they use legitimate third-party tools that may not be detected by the defenses. However, if defenders know and understand the processes and the tools that attackers are using, they can better prepare against these attacks and detect them in the early stages before the actual ransomware.”

ChannelDrive Bureau (http://www.channeldrive.in)
ChannelDrive Bureau covers the latest developments in the space of ICT, technology, solutions and implementations and delivers content focused around solution providers, system integrators, distributors and technology partner community in India. ChannelDrive Bureau is headed by Zia Askari. He can be reached at ziaaskari@channeldrive.in
