The danger that ransomware attacks pose to individuals and organisations has long been a concern for cyber and information security professionals. Despite this, public appreciation and understanding of the threat have traditionally been limited. At its most basic, ransomware is malware that encrypts files or locks devices and then demands a ransom payment in return for restored functionality. If a victim chooses not to pay, their files or devices will most probably remain inoperative. Ransomware is not a new phenomenon; the first recorded attack dates back to 1989. It is, however, a threat that is gaining prominence as we become increasingly dependent on the data stored on computers and mobile devices. This dependence has been publicly exposed this year by several high-profile attacks, making 2017 the year that the concept and threat of ransomware truly accelerated into public consciousness.
Most readers will have heard of WannaCry, which affected over 100,000 organisations and individuals worldwide in May. Other established threats such as Cerber and Locky have continued to plague users, generating huge revenue along the way. Ransomware can be a hugely effective financial operation for both cyber-criminals and nation states, and this year several new strains have attempted to follow in the footsteps of Cerber and Locky. Below, Silobreaker’s Cyber Security & Risk Intelligence team provide a summary of some of the most prominent.
January: Spora Ransomware
First observed in early January, Spora was one of the first ransomware families to emerge in 2017. Its sophisticated nature prompted researchers to suggest that Spora was developed by experienced cybercriminals. Of particular note is its ability to encrypt files whilst offline, alongside its advanced ransom payment site, which mirrors a well-known e-commerce site. Spora has proved highly resilient and has multiple distribution channels, including delivery as a payload of the Rig exploit kit. In late June an updated version emerged that includes AV evasion techniques. Researchers view Spora as an up-and-coming threat that may come to rival established malware such as Cerber and Locky.
February: Erebus Ransomware
Erebus was first observed targeting Windows systems via a malvertising campaign in September 2016. However, while this first variant was not particularly harmful, it re-emerged in February this year in a significantly altered, and far more advanced form. The new variant, which targets Linux systems, has incorporated the ability to bypass User Account Control (UAC), a Windows system which blocks anyone without proper authorisation from altering a device.
The threat posed by Erebus became clear in June, when it hit South Korean web hosting company NAYANA. The devastating attack infected 153 servers and, subsequently, more than 3,400 business websites hosted by the company. Although the precise infection vector is unknown, it is thought Erebus may have exploited well-known vulnerabilities such as Dirty Cow to achieve infection. In order to mitigate the damage, NAYANA agreed to pay a ransom of $1.01 million to recover its servers, constituting what is thought to be the largest single ransomware payment ever.
May: Jaff Ransomware
Jaff ransomware emerged in May 2017, only days before the WannaCry attack, which led to the malware being somewhat under-reported. However, it deserves to be included in this summary for a multitude of reasons. Its distribution network is well known: it uses the Necurs botnet, which has previously been used to spread Locky ransomware and the Dridex banking trojan. This allowed Jaff to serve as the main payload in several large spam campaigns targeting users in China, India, Russia and Germany. Jaff has also received several upgrades, including efforts to make its ransom note more professional. However, the threat posed by Jaff was significantly diminished in June, when researchers at Kaspersky developed a decryption key allowing victims to recover files for free.
May: WannaCry Ransomware
Perhaps the most infamous ransomware incident of all time and certainly the most documented, WannaCry achieved worldwide notoriety after infecting between 200,000 and 300,000 victims in over 150 countries. Amongst its high-profile victims were the UK’s National Health Service, FedEx, Telefonica and Renault.
WannaCry utilised the leaked NSA exploit EternalBlue, which allowed it to spread across networks by targeting the Server Message Block (SMB) protocol, primarily affecting older Windows systems including Windows XP and Windows 8. However, despite its unprecedented reach, WannaCry failed to reap much financial reward. A bitcoin wallet set up for victims willing to pay the demanded $300 ransom held, as of July, only $143,000, a comparatively small sum. This has led to speculation that the perpetrators, which some claim to be the North Korea-linked Lazarus Group, were more interested in causing disruption than in monetary gain. Despite its notoriety, WannaCry is also a poorly designed piece of malware. It was halted when a British malware researcher registered a domain that triggered an anti-analysis check in the malware and brought an end to its rampage.
June: NotPetya
NotPetya (also referred to as GoldenEye, PetrWrap or ExPetr) burst onto the scene in late June, infecting thousands of individuals and large multinational companies such as WPP, A.P. Moller-Maersk and Cadbury. However, one of the most notable details regarding NotPetya is that it is not actually ransomware at all.
After its emergence in Ukraine, researchers initially believed that NotPetya was a new version of an older ransomware named Petya, or at least modelled heavily on it. It was soon discovered that NotPetya bore a closer resemblance to disk-wiping malware such as Shamoon, which is used for purely destructive purposes. This is based, in part, on the fact that after encrypting a victim’s files the malware does not store a decryption key, meaning that even if a ransom is paid, file recovery is not possible. NotPetya was delivered through a supply-chain compromise affecting Ukrainian accounting software called M.E.Doc. This software pushed out updates containing the malicious payload, which then used EternalBlue to achieve lateral movement across networks. The same attack vector was likely used to push other malware, most notably the XData ransomware, which targeted mainly Ukrainian users beginning in early May.
October: Bad Rabbit
Bad Rabbit has spread with a ferocity rivalled only by the outbreaks of WannaCry and NotPetya in May and June this year. The ransomware has caused the most disruption in Russia and Ukraine, although cases have been documented in several other countries. At the time of writing it has affected organisations including the Kiev Metro, Odessa Naval Port, Odessa Airport, Ukraine’s ministries of infrastructure and finance, and Russian media organisations including Interfax.
The ransomware spreads via watering hole attacks that lead to a popup asking the target to download a fake Flash Player update. Once initiated, the executable locks machines and displays the ransom note. Victims are then redirected to an .onion payment site demanding a 0.05 Bitcoin ransom, which increases gradually over time. Several popular websites have been compromised and had malicious JavaScript injected into their HTML.
Bad Rabbit spreads by dropping copies of itself and executing them using Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. It also spreads laterally within the network via the SMB file sharing protocol, attempting to brute force any administrative shares it can find and dropping a copy of itself into these. If this attack fails, it uses the EternalRomance exploit to propagate within the network. This is contrary to initial reports, which claimed that, unlike NotPetya, Bad Rabbit did not leverage any of the alleged NSA exploits leaked by the Shadow Brokers group. The ransomware also contains additional binaries such as Mimikatz to harvest credentials and DiskCryptor to encrypt targeted systems.
There are, however, some flaws in the ransomware. Kaspersky Lab reported that Bad Rabbit does not delete the password it generates when encrypting a target’s files. It is therefore possible to extract it before the dispci.exe encryption process terminates. If the system is rebooted, however, the files cannot be decrypted without the RSA-2048 private key. In addition, Bad Rabbit does not attempt to delete Windows Shadow Copy backup files. If shadow copies were enabled before an attack, they can be used to restore original versions of the encrypted files through Windows or through third-party utilities.
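The shadow-copy recovery path described above can be checked and exercised from an elevated PowerShell prompt. The following is an added example, not code from the original post: it enumerates the Volume Shadow Copies of C: and copies one file out of the newest snapshot that still holds it. The file path, restore directory and link path are assumptions.

```powershell
# Added example (not from the Silobreaker post): list shadow copies of C:
# and recover one file from the newest snapshot that contains it.
# Requires an elevated prompt. The three paths below are assumptions.
$RelativePath = 'Users\alice\Documents\report.docx'   # assumed: path under the volume root
$RestoreDir   = 'C:\Recovered'                        # assumed: where the clean copy goes
$LinkPath     = 'C:\vss_snapshot'                     # assumed: temporary link to the snapshot

# Resolve the C: volume and enumerate its shadow copies, newest first
$volume  = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volume.DeviceID } |
           Sort-Object InstallDate -Descending

if (-not $shadows) {
    throw 'No shadow copies exist for C:; recovery must come from offline backups.'
}
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null

foreach ($snap in $shadows) {
    # Copy-Item cannot open \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    # paths directly, so expose the snapshot through a directory symbolic link.
    # mklink requires the trailing backslash on the target.
    if (Test-Path $LinkPath) { cmd /c rmdir "$LinkPath" | Out-Null }
    cmd /c mklink /d "$LinkPath" "$($snap.DeviceObject)\" | Out-Null

    $source = Join-Path $LinkPath $RelativePath
    if (Test-Path -LiteralPath $source) {
        Copy-Item -LiteralPath $source -Destination $RestoreDir -Force
        Write-Host "Restored $RelativePath from snapshot taken $($snap.InstallDate)"
        break
    }
    Write-Host "Not present in snapshot $($snap.ID); trying an older one"
}

# Remove the link; rmdir on a directory symlink removes only the link, not the data
if (Test-Path $LinkPath) { cmd /c rmdir "$LinkPath" | Out-Null }
```

Snapshots are listed newest first, so the loop stops at the most recent copy that predates the encryption of that particular file; if every snapshot is newer than the infection, the file is not recoverable this way.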
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.