Who needs a horror movie when you have the 2017 ransomware news cycle? There has been a constant stream of increasingly destructive attacks hitting victims around the world.
Ransomware attacks are getting easier to launch as well. New research from Trustwave shows ransomware is now being distributed through an exploit for Microsoft Dynamic Data Exchange (DDE). Attackers can use Word and Outlook to execute malicious code with DDEAUTO, which allows for automatic code execution that can be abused by threat actors.
Major threat actors have started to toy with this exploit and use the Necurs botnet to distribute massive attacks on email gateways. The Necurs email campaign has an attached Open Office Word document with the malicious DDE exploit code. This code executes a PowerShell script, which downloads another script, which eventually downloads a Locky ransomware file.
The ease of this type of attack, complexity of defending against it, and number of applications infected means the DDE exploit will continue to be used among attackers, Trustwave researchers predict, and more in the near future.
When it comes to ransomware campaigns, "this past year was unlike anything we've ever seen," said David Dufour, vice president of engineering and cybersecurity at Webroot, which recently compiled the most destructive ransomware campaigns to hit so this year.
Locky is one of the nastiest attacks to hit in 2017. What are the others? Let's take a look back:
NotPetya: In June 2017, a fake Ukrainian tax software update spread laterally through infected networks like a worm, using attack vectors Supply Chain ME.doc and the EternalBlue and EternalRomance exploits. NotPetya, a variant of the older Petya attack, charged $300 in ransom from victims in 100+ countries.
WannaCry: The first ransomware to spread via Server Message Block (SMB) exploit was created in March 2017 and attacked in May 2017. WannaCry used the EternalBlue SMB Exploit Kit to infect more than 200,000 machines on day one. Victims spanning 150+ countries were charged $300-$600 in ransom.
Locky: It first appeared in 2016 but continues to be a threat in 2017, with 28+ countries hit in total. Locky arrives as a fake shipping invoice spam email which, once opened, downloads malware and encryption components. Ransom ranges between $400-$800.
Jaff: This May 2017 campaign also hit victims with phishing emails. Like Locky, it contains traits related to other forms of malware. It has demanded $3,700 in ransom from victims in 21+ countries.
CrySis: Appeared in February 2016 and uses Remote Desktop Protocol (RDP) to remote desktop unsecured machines by brute-forcing passwords. It demands $455-$1,022 in ransom and infected victims in 22+ countries. CrySis is a common way to spread ransomware because hackers can compromise administrators' machines.
Cerber: First hit in March 2016 and uses RDP, spam email, and ransomware-as-a-service (RaaS). Cerber distributes RaaS by packagaing itself and giving cybercriminals the tools to spread as they wish. It demands $300-$600 in ransom and has hit 23+ countries.
CryptoMix: Another March 2016 arrival, CryptoMix spread through RDP and exploit kits like malvertising. It has also been known to hide on flash drives. CryptoMix demands $3,000 in ransom and has infected victims in 29+ countries.
Jigsaw: If you've seen the "Saw" movies, you're familiar with the creepy character after which this spam email attack was named. Jigsaw appeared in April 2016. When users click, it encrypts files and deletes them every hour until the ransom ($20-$200) is paid. It has hit 29+ countries.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
- New Locky Ransomware Strain Emerges
- Ransomware Sales on the Dark Web Spike 2,502% in 2017
- Ransomware Numbers Continue to Look Abysmal