Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

4/6/2017
10:30 AM
Paul Kurtz
Commentary

Commodity Ransomware Is Here

When deploying ransomware is as easy as ordering a pizza, the best defense is through better threat intelligence sharing.

With "Philadelphia," a slick ransomware-as-a-service interface that enables almost anyone to launch a sophisticated ransomware campaign, deploying ransomware is suddenly as easy as ordering a pizza. The criminal developers behind Philadelphia even had the heart to offer a “mercy” feature should a victim plead for access to ransomed photos of lost family and friends.

Welcome to the new world of commodity malware!

As the co-founder of a threat intelligence exchange platform, I see a lot of trending campaigns before they reach the mainstream, and Philadelphia typifies many of the new-age indicators we’re starting to see in incident data from companies across the cloud, finance, and healthcare sectors.

Below are some key insights about this new era of commodity malware so that you can spot patterns within your own data.

Insight #1 - The Exploit Kit Playbook: Many incident reports show multiple ransomware campaigns relying on an easy-to-buy RIG exploit kit, and then combining it with commoditized ransomware like Cerber and Locky. The playbook for creating new ransomware campaigns has been written and everyone is following it.

Insight #2 - Block and Tackle: Blocking a specific exploit kit or ransomware family will disrupt some campaigns in the short term, but bad actors will find a different exploit kit or ransomware to weaponize and evolve into a new campaign.

For example, from January to June of 2016, Angler was the predominant exploit kit seen in reports submitted to the wider security community, until it was disrupted by the arrests of a criminal hacking gang in Russia. When the Angler exploit kit went down, cybercriminals began searching for a new go-to exploit kit, and in early September 2016 the RIG exploit kit became the predominant exploit kit among cybercriminals.

Insight #3 - Low-Effort, High-Efficacy: Malware usually requires additional steps to monetize a successful exploit. Whether it is pulling exfiltrated data from the first-level C2 or stolen passwords, the bad guys have to do the work of posting that information for sale after packaging the data in a specific size and/or format. Ransomware, on the other hand, is fire and forget. As soon as it hits a system, the payoff is instantaneous.

In previous malware models there was usually a way for the user to remove or mitigate the issue. If the user gets a keylogger, RAT, or rootkit on their system, there is almost always a way to remove the offending malware. Sometimes the steps to remove the malware can be tedious, or special tools are needed, but there is a path to a solution. This is not the case with ransomware. Pretty much all ransomware utilizes asymmetric encryption, making reversal extremely difficult.

It’s Not Just You
Ransomware campaigns bar access to critical data, but they can also be used to disrupt system operations. Recall the Hollywood Presbyterian ransomware attack just over a year ago. The attack disrupted emergency room operations and patients had to be diverted to other hospitals.

The trend of commoditized ransomware raises an even larger issue within the security community: companies need to stop assuming they are being singled out for attacks. The truth is, you’re not that special. In fact, according to our latest platform analysis, 65% of our threat reports are correlating across companies regardless of sector.
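An added example, not from the article or the author's platform: one way to check your own incident reports for the cross-company correlation described above and for the exploit-kit shift in Insight #2. The report tuple layout, the organisation names and the `other-kit`/`other-family` labels are assumptions, and the sample reports are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample incident reports (not real data):
# (organisation, sector, month, exploit kit, ransomware family)
REPORTS = [
    ("org-a", "finance",    "2016-03", "Angler",    "Locky"),
    ("org-b", "healthcare", "2016-03", "Angler",    "Locky"),
    ("org-c", "cloud",      "2016-05", "Angler",    "Cerber"),
    ("org-a", "finance",    "2016-05", "Angler",    "Locky"),
    ("org-b", "healthcare", "2016-09", "RIG",       "Cerber"),
    ("org-c", "cloud",      "2016-09", "RIG",       "Cerber"),
    ("org-a", "finance",    "2016-09", "RIG",       "Locky"),
    ("org-d", "finance",    "2016-09", "other-kit", "other-family"),
]

def campaigns(reports):
    """Map each (exploit kit, ransomware) pairing to who reported it."""
    seen = defaultdict(lambda: {"orgs": set(), "sectors": set(), "count": 0})
    for org, sector, _month, kit, family in reports:
        entry = seen[(kit, family)]
        entry["orgs"].add(org)
        entry["sectors"].add(sector)
        entry["count"] += 1
    return dict(seen)

def cross_org_share(reports):
    """Fraction of reports whose pairing was also reported by another organisation."""
    if not reports:
        return 0.0
    shared = sum(c["count"] for c in campaigns(reports).values()
                 if len(c["orgs"]) > 1)
    return shared / len(reports)

def cross_sector_campaigns(reports):
    """Pairings reported from more than one sector (sorted for stable output)."""
    return sorted(pair for pair, c in campaigns(reports).items()
                  if len(c["sectors"]) > 1)

def predominant_kit_by_month(reports):
    """Most frequently reported exploit kit in each month."""
    per_month = defaultdict(Counter)
    for _org, _sector, month, kit, _family in reports:
        per_month[month][kit] += 1
    return {m: c.most_common(1)[0][0] for m, c in sorted(per_month.items())}

if __name__ == "__main__":
    print(f"share of reports seen at more than one org: {cross_org_share(REPORTS):.1%}")
    print("cross-sector pairings:", cross_sector_campaigns(REPORTS))
    print("predominant kit by month:", predominant_kit_by_month(REPORTS))
```

A pairing that shows up at a second organisation is the signal to push its indicators to everyone who has not yet reported it.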

There is absolutely no reason that after one victim has been hit by a particular ransomware attack others must fall victim to the same attack. What we’re seeing in the media and from our own platform data insights underscores the fact that commoditized ransomware campaigns will become increasingly opportunistic, and will not be as targeted.

As hacks continue to be replicated with more ease, the private sector must not fight alone. Exchanging threat intelligence to identify trending campaigns and provide the context needed to mitigate them is the only path forward.


Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ...
 
