
Endpoint

5/24/2016
05:25 PM

Attackers Clobbering Victims With One-Two Punch Of Ransomware And DDoS

Encrypted systems now being added to botnets in the latest incarnations of ransomware attacks, with experts expecting this to become standard practice.

As if ransomware weren't bad enough, attackers are now making the most of their attacks by adding victimized machines to distributed denial of service (DDoS) botnets at the same time that they're encrypted and held hostage, according to warnings from several security research organizations in the last week.

This one-two punch is a natural gimme for profit-minded attackers and one which security pundits expect will be standard issue for most ransomware kits in the near future.

"Adding DDoS capabilities to ransomware is one of those 'evil genius' ideas," says Stu Sjouwerman, CEO of KnowBe4, which today issued an alert that a new variant of Cerber ransomware has added DDoS capabilities to its payloads. "Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend."

The new trend was first detailed last week by researchers with Invincea, who found attackers using weaponized Office documents to deliver the threat via a Visual Basic exploit that allows them to conduct a file-less attack. The delivered binary carries both functions, giving the bad guys "two attacks for the price of one," says Ikenna Dike of Invincea.

"First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack," Dike said in a post. "The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."
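A defender-side check for the traffic pattern Dike describes, added here as an illustrative example that is not part of the original article or of Invincea's research: it scans constructed flow records for a single host sending UDP/6892 to many neighbours within a short window, and for frames leaving an internal host with a source address outside the local subnet, which is the tell for the spoofing he mentions. The record format, the subnet, the thresholds and the sample records are all assumptions.

```python
"""Detect a UDP/6892 subnet flood and spoofed sources in constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records in an assumed "epoch src dst proto dport" format.
# They are assumed to be captured on the internal access segment, so every
# frame here originates from a local host; a non-local source is spoofed.
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.1 udp 6892
1000 10.0.0.5 10.0.0.2 udp 6892
1000 10.0.0.5 10.0.0.3 udp 6892
1001 10.0.0.5 10.0.0.4 udp 6892
1001 10.0.0.5 10.0.0.6 udp 6892
1001 10.0.0.5 10.0.0.7 udp 6892
1002 203.0.113.9 10.0.0.8 udp 6892
1002 203.0.113.9 10.0.0.9 udp 6892
1005 10.0.0.7 10.0.0.1 tcp 443
"""

LOCAL_NET = ip_network("10.0.0.0/24")  # assumed local subnet
FLOOD_PORT = 6892                       # port quoted in the Invincea post
WINDOW = 2                              # seconds (assumed threshold)
MIN_TARGETS = 5                         # distinct destinations (assumed threshold)


def parse(log):
    """Yield (ts, src, dst, proto, dport) tuples from the assumed record format."""
    for line in log.splitlines():
        ts, src, dst, proto, dport = line.split()
        yield int(ts), src, dst, proto, int(dport)


def find_udp_flooders(log, window=WINDOW, min_targets=MIN_TARGETS):
    """Sources that hit at least min_targets distinct hosts on UDP/6892 within window."""
    hits = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst, proto, dport in parse(log):
        if proto == "udp" and dport == FLOOD_PORT:
            hits[src].append((ts, dst))
    flagged = set()
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window from each event
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged.add(src)
                break
    return sorted(flagged)


def find_spoofed_sources(log, local=LOCAL_NET):
    """Frames seen on the internal segment whose source address is not local."""
    return sorted({src for _, src, _, _, _ in parse(log)
                   if ip_address(src) not in local})
```

Egress filtering that drops packets with a non-local source address (BCP 38) stops the spoofed reflection leaving the network, and a per-host alert on the flood pattern points straight at the infected endpoint even when the ransom note is the only visible symptom.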

Seen by many as a perfect example of the mercenary nature of cybercrime, ransomware's evolution has been driven entirely by black market ROI. According to the FBI, by the end of the year the ransomware market is expected to net the crooks at least $1 billion.

"Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation," explained FireEye researchers in an update last week on ransomware activity.

FireEye's data shows a noticeable spike in ransomware in March this year, and that overall figures are on track for ransomware to exceed 2015 levels. This latest trend of DDoS bundling once again shows the lengths to which criminals will go to squeeze every last bit of profitability and efficiency from ransomware attacks. It also offers fair warning to enterprises that even with backups, ransomware can pose threats to their endpoints and networks at large.

Even if data is restored on systems plagued by ransomware, there's no guarantee that a system won't remain part of the botnet, or be used as a foothold for further attacks, if the threat isn't properly contained.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Whoopty
User Rank: Ninja
5/25/2016 | 7:51:46 AM
It continues
And so the ever-onward evolution of malware continues and it's up to the security community to respond. I doubt we'll ever reach a point where these sorts of threats can be headed off at the pass, but here's hoping we nip ransomware in the bud soon. That's about the only malware that truly concerns me at this point.
AndrewfOP
User Rank: Strategist
5/25/2016 | 8:43:22 AM
Re: It continues
I agree that ransomware has been the gravest IT security threat. Though, I am not too sure about, as this article suggests, the DDoS bots. Rather than a second punch, additional botnet infection is more like a bump against the victim after the first good punch. Most of the rightful owners of DDoS bots either don't know their computers are infected, or simply just don't care. There may be terrible costs for the intended targets of the attacks, but for the actual owners of the bots, not so much.
Dr.T
User Rank: Ninja
5/27/2016 | 10:45:11 AM
Re: It continues
"... Rather than a second punch, additional botnet infection is more like a bump against the victim after the first good punch. ..."

I was thinking the same thing, after ransomware you would want the victims to focus on recovering from it so you get paid then dealing with DDoS attacks. 
Dr.T
User Rank: Ninja
5/27/2016 | 10:41:45 AM
Re: It continues
"... ever-onward evolution of malware continues  ..."

Good way to put it. They really come up with creative ideas to keep people feeling threatened.
Dr.T
User Rank: Ninja
5/27/2016 | 10:39:40 AM
Ransomware And DDoS
I am not sure why anybody would need to do DDoS at the same time of a Ransomware attack. If intention is not Ransomware that is understandable, but otherwise it does not make sense to me.
Dr.T
User Rank: Ninja
5/27/2016 | 10:48:42 AM
ransomware attacks
Ransomware attacks are becoming their own industry; it will be harder to declare a defense system when you have many people profiting from it.
hewenthatway
User Rank: Strategist
5/29/2016 | 5:48:46 AM
ima stick with canada here
We should never pay ransoms because kidnapping/ransomware is a self fulfilling prophecy