Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/24/2016
05:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Attackers Clobbering Victims With One-Two Punch Of Ransomware And DDoS

Encrypted systems now being added to botnets in the latest incarnations of ransomware attacks, with experts expecting this to become standard practice.

As if ransomware weren't bad enough, attackers are now making the most of their attacks by adding victimized machines to distributed denial of service (DDoS) botnets at the same time that they're encrypted and held hostage, according to warnings from several security research organizations in the last week.

This one-two punch is a natural gimme for profit-minded attackers and one which security pundits expect will be standard issue for most ransomware kits in the near future.

"Adding DDoS capabilities to ransomware is one of those 'evil genius' ideas," says Stu Sjouwerman, CEO of KnowBe4, which today issued an alert that a new variant of Cerber ransomware has added DDoS capabilities to its payloads. "Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.”

The new trend was first detailed by researchers with Invincea last week, which found attackers using weaponized Office documents to deliver the threat via a Visual Basic exploit that allows them to conduct a file-less attack. That delivers malware with the underlying binary, giving the bad guys "two attacks for the price of one," says Ikenna Dike of Invincea. 

"First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack," Dike said in a post. "The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."

Seen by many as a perfect example of the mercenary nature of cybercrime, ransomware's evolution has been driven entirely by black market ROI. According to the FBI, by the end of the year the ransomware market is expected to net the crooks at least $1 billion.

"Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation," explained FireEye researchers in an update last week on ransomware activity.

FireEye's data shows that there was a noticeable spike in ransomware in March this year and that overall figures are on track for ransomware to exceed 2015 levels. This latest trend of DDoS bundling once again shows the lengths to which the criminals will squeeze every last bit of profitability and efficiency from ransomware attacks. It also offers fair warning to enterprises that even with backups, ransomware can pose threats to their endpoints and networks at large.

Even if data is restored on systems plagued by ransomware, there's no guarantee that a system wouldn't be used to continue to remain a part of the botnet or be used as a foothold for further attacks if the threat isn't properly contained.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
5/25/2016 | 7:51:46 AM
It continues
And so the ever-onward evolution of malware continues and it's up to the security community to respond. I doubt we'll ever reach a point where these sorts of threats can be heade off at the pass, but here's hoping we nip ransomware in the bud soon. That's about the only malware that truly concerns me at this point.
AndrewfOP
50%
50%
AndrewfOP,
User Rank: Strategist
5/25/2016 | 8:43:22 AM
Re: It continues
I agree that Ransomware has been the gravest IT security threat.  Though, I am not too sure about, as this aritcle suggests, the DDoS bots.  Rather than a second punch, additional botnet infection is more like a bump against the victim after the first good punch.  Most of the rightful owners of DDoS bots either don't know their computers are infrected, or simply just don't care.  There may be terrible costs for the intended targets of the attacks, but for the actual owners of the bots, not so much.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:45:11 AM
Re: It continues
"... Rather than a second punch, additional botnet infection is more like a bump against the victim after the first good punch. ..."

I was thinking the same thing, after ransomware you would want the victims to focus on recovering from it so you get paid then dealing with DDoS attacks. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:41:45 AM
Re: It continues
"... ever-onward evolution of malware continues  ..."

Good way to put it. They really come up with creative ideas to keep people feel threatened.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:39:40 AM
Ransomware And DDoS
I am not sure why anybody would need to do DDoS at the same time of a Ransomware attack. If intention is not Ransomware that is understandable, but otherwise it does not make sense to me.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/27/2016 | 10:48:42 AM
ransomware attacks
 

Ransomware attacks are becoming its own industry, it will be harder to declare defense system when you have many people profiting from it. 
hewenthatway
50%
50%
hewenthatway,
User Rank: Strategist
5/29/2016 | 5:48:46 AM
ima stick with canada here
We should never pay ransoms because kidnapping/ransomware is a self fulfilling prophecy
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.