Security Week 20: Ransomware Myths

On May 12, Kaspersky Lab experts published a large report on the evolution of data encryption and subsequent ransomware attacks. The article focuses primarily on how this criminal business is organized and examines attacks on large companies. One of the clear trends of the year was the hunt for “big game” by criminal gangs, that is, relatively large organizations capable of paying a serious ransom in digital currency. The report comes amid daily news of attacks on businesses, including high-profile events such as the attack on the Colonial Pipeline company.

The most important thing to know about such groups is that they are complex and do not work autonomously. It will not be possible to get rid of this threat even if the organizers of a single campaign are found and arrested. The ecosystem will stop working only if it loses its income, that is, when the affected parties stop paying the ransom. The study provides examples of how new organizations are recruited and identifies typical roles: credential vendors, malware developers, and analysts responsible for laundering cryptocurrency.

The most relevant myth refuted in the article is the assertion that the targets of attacks are selected in advance. In fact, they are found randomly. Most often, the owners of botnets and the brokers who sell access to compromised computers and servers post information about potential victims, and the targets are chosen “based on availability.” There is an important recommendation for IT security personnel here: individual incidents involving penetration of the protected perimeter or a malware infection need to be detected promptly. There may be a time lag between this first signal and a full-scale attack, and acting within that window is what avoids serious consequences.

The study details the activities of two large ransomware groups, REvil and Babuk. Among other things, it notes more aggressive pressure on potential victims to motivate them to pay the ransom faster. For this purpose, websites with samples of stolen data are created on the darknet, and information about leaks is “leaked” to the media. At the same time, victim support is improved to smooth the “customer experience”: for example, a separate chat is set up for communicating with the ransomware operators. In previous publications on the topic of “custom” ransomware, Kaspersky Lab experts noted a decrease in the number of large-scale attacks. The new report shows where the attention of cybercriminals has shifted and details the transformation of criminal operations into a complex and ramified business.

What else happened:

The attack on the operator of the Colonial Pipeline in the United States caused a brief interruption in the supply of oil products on the country’s east coast, sparked panic at gas stations, and is likely to lead to further changes in the measures taken to combat cybercrime. There were many publications about this attack last week, but not all of the information has been confirmed. Here are the most interesting articles:

An analysis by Brian Krebs of the activities of the DarkSide group, which claimed responsibility for the attack. Earlier on Twitter, half-jokingly, he pointed out an obvious fact about malicious encryption programs with Russian-language roots: they avoid systems with a Cyrillic keyboard layout.

Localization was also noted in the Kaspersky Lab report, but in a different context: Russian-speaking organizers of attacks try not to work with English-speaking partners, fearing counter-attacks or information leakage. As a language proficiency test, one example suggests using local folklore.

A breakdown of the technical features of the malware used by DarkSide in previous attacks.

Officially unconfirmed information according to which Colonial Pipeline paid the extortionists $5 million. The same source alleges that the organizers of the attack lost access to their infrastructure as well as to their crypto wallets.

An analysis of the movement of funds in Bitcoin wallets presumably belonging to DarkSide.

Apart from this incident, “infosec life” goes on as usual. The big event was a study of vulnerabilities in devices and in the Wi-Fi protocol itself. The FragAttacks collection of attacks (project website, discussion on Habr) exploits vulnerabilities that do not depend on the type of encryption (up to and including WPA3) and can be used to steal data or redirect the user to malicious resources.

Swedish researcher Pontus Johnson found a vulnerability in the concept of universal Turing machines proposed back in 1967 (article in The Register, research paper). In this purely theoretical exercise, a way was found to run arbitrary code. The reason: lack of input validation.

A proposed way of transferring arbitrary data to, and receiving information from, devices based on iOS and macOS. It relies on a vulnerability in the Bluetooth protocol and on the features of the Find My technology used to locate lost devices.

MSI warns about fake sites that distribute malware under the guise of the popular Afterburner utility for overclocking video cards.
