Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/6/2017
10:30 AM
Paul Kurtz
Paul Kurtz
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Commodity Ransomware Is Here

When deploying ransomware is as easy as ordering a pizza, the best defense is through better threat intelligence sharing.

With "Philadelphia," a slick ransomware-as-a-service interface that enables almost anyone to launch a sophisticated ransomware campaign, suddenly, deploying ransomware is easy as ordering a pizza. The criminal developers behind Philadelphia even had the heart to offer a “mercy” feature should a victim plead for access to ransomed family photos of lost family and friends.

Welcome to the new world of commodity malware!

As the co-founder of a threat intelligence exchange platform, I see of lot of trending campaigns before they reach mainstream, and Philadelphia typifies many of the new age indicators we’re starting to see in incident data from companies across the cloud, finance, and healthcare sectors.

Below are some key insights about this new era of commodity malware so that you can spot patterns within your own data.

Insight #1 - The Exploit Kit Playbook: Many incident reports show multiple ransomware campaigns relying on an easy-to-buy RIG exploit kit, and then combining it with commoditized ransomware like Cerber and Locky. The playbook for creating new ransomware campaigns has been written and everyone is following it.

Insight #2 - Block and Tackle: Blocking a specific exploit kit or ransomware software will lead to short-term disruption of some campaigns but bad actors will find a different exploit kit or ransomware to weaponize and evolve into a new campaign.

For example, from January to June of 2016, Angler was the predominant exploit kit being seen in reports submitted to the wider security community until it was disrupted due to arrests of a criminal hacking gang in Russia. When the Angler exploit kit went down, cybercriminals began searching for a new go-to exploit kit, and in early September 2016 the RIG exploit kit became the predominant cybercriminals exploit kit. 

Insight #3 - Low-Effort, High-Efficacy: Malware usually requires additional steps to monetize a successful exploit. Whether it is pulling exfiltrated data from the first level C2 or stolen passwords, the bad guys have to do the work of posting that information for sale after packaging the data in a specific size and/or format. On the other hand, ransomware is fire and forget. As soon as it hits a system the payoff is instantaneous.

In previous malware models there was usually a way for the user to remove or mitigate the issue. If the user gets a keylogger, RAT, or rootkit on their system there is almost always a way to remove the offending malware. Sometimes the steps to remove the malware can be tedious, or special tools are needed, but there is a path to a solution. This is not the case with ransomware. Pretty much all ransomware utilizes asynchronous encryption, making reversal extremely difficult.

It’s Not Just You
Ransomware campaigns bar access to critical data but they can also be used to disrupt system operations. Recall the
Hollywood Presbyterian ransomware attack just over a year ago. The attack disrupted emergency room operations and patients had to be diverted to other hospitals.

The trend of commoditized ransomware raises an even larger issue within the security community: companies need to stop assuming they are being singled out for attacks. The truth is, you’re not that special. In fact, according to our latest platform analysis, 65% of our threat reports are correlating across companies regardless of sector.

There is absolutely no reason that after one victim has been hit by a particular ransomware attack others must fall victim to the same attack. What we’re seeing in the media and from our own platform data insights underscore the fact that commoditized ransomware campaigns will become increasingly opportunistic, and will not be as targeted.

As hacks continue to be replicated with more ease, the private sector must not fight alone. Exchanging threat intelligence to identify trending campaigns and provide context to mitigate against these campaigns is the only path forward.

Related Content:

 

Paul Kurtz is Executive Chairman and Co-founder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...