Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/24/2016
05:25 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Attackers Clobbering Victims With One-Two Punch Of Ransomware And DDoS

Encrypted systems now being added to botnets in the latest incarnations of ransomware attacks, with experts expecting this to become standard practice.

As if ransomware weren't bad enough, attackers are now making the most of their attacks by adding victimized machines to distributed denial of service (DDoS) botnets at the same time that they're encrypted and held hostage, according to warnings from several security research organizations in the last week.

This one-two punch is a natural gimme for profit-minded attackers and one which security pundits expect will be standard issue for most ransomware kits in the near future.

"Adding DDoS capabilities to ransomware is one of those 'evil genius' ideas," says Stu Sjouwerman, CEO of KnowBe4, which today issued an alert that a new variant of Cerber ransomware has added DDoS capabilities to its payloads. "Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.”

The new trend was first detailed by researchers with Invincea last week, which found attackers using weaponized Office documents to deliver the threat via a Visual Basic exploit that allows them to conduct a file-less attack. That delivers malware with the underlying binary, giving the bad guys "two attacks for the price of one," says Ikenna Dike of Invincea. 

"First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack," Dike said in a post. "The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."

Seen by many as a perfect example of the mercenary nature of cybercrime, ransomware's evolution has been driven entirely by black market ROI. According to the FBI, by the end of the year the ransomware market is expected to net the crooks at least $1 billion.

"Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation," explained FireEye researchers in an update last week on ransomware activity.

FireEye's data shows that there was a noticeable spike in ransomware in March this year and that overall figures are on track for ransomware to exceed 2015 levels. This latest trend of DDoS bundling once again shows the lengths to which the criminals will squeeze every last bit of profitability and efficiency from ransomware attacks. It also offers fair warning to enterprises that even with backups, ransomware can pose threats to their endpoints and networks at large.

Even if data is restored on systems plagued by ransomware, there's no guarantee that a system wouldn't be used to continue to remain a part of the botnet or be used as a foothold for further attacks if the threat isn't properly contained.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hewenthatway
50%
50%
hewenthatway,
User Rank: Strategist
5/29/2016 | 5:48:46 AM
ima stick with canada here
We should never pay ransoms because kidnapping/ransomware is a self fulfilling prophecy
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:48:42 AM
ransomware attacks
 

Ransomware attacks are becoming its own industry, it will be harder to declare defense system when you have many people profiting from it. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:45:11 AM
Re: It continues
"... Rather than a second punch, additional botnet infection is more like a bump against the victim after the first good punch. ..."

I was thinking the same thing, after ransomware you would want the victims to focus on recovering from it so you get paid then dealing with DDoS attacks. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:41:45 AM
Re: It continues
"... ever-onward evolution of malware continues  ..."

Good way to put it. They really come up with creative ideas to keep people feel threatened.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:39:40 AM
Ransomware And DDoS
I am not sure why anybody would need to do DDoS at the same time of a Ransomware attack. If intention is not Ransomware that is understandable, but otherwise it does not make sense to me.
AndrewfOP
50%
50%
AndrewfOP,
User Rank: Strategist
5/25/2016 | 8:43:22 AM
Re: It continues
I agree that Ransomware has been the gravest IT security threat.  Though, I am not too sure about, as this aritcle suggests, the DDoS bots.  Rather than a second punch, additional botnet infection is more like a bump against the victim after the first good punch.  Most of the rightful owners of DDoS bots either don't know their computers are infrected, or simply just don't care.  There may be terrible costs for the intended targets of the attacks, but for the actual owners of the bots, not so much.

 
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
5/25/2016 | 7:51:46 AM
It continues
And so the ever-onward evolution of malware continues and it's up to the security community to respond. I doubt we'll ever reach a point where these sorts of threats can be heade off at the pass, but here's hoping we nip ransomware in the bud soon. That's about the only malware that truly concerns me at this point.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.