Ransomware With an Identity Crisis Targets Small Businesses, Individuals

Researchers have identified a new strain of ransomware that dates back to 2019 and targets individuals and small businesses, demanding small ransoms from each client rather than the often million-dollar sums that typical ransomware actors ask.

TZW is the latest strain of the Adhubllka ransomware family, which first appeared in January 2020 but already was active the year before, researchers from security and operations analytics firm Netenrich revealed in a blog post published this week.

Even more important than the discovery of the strain is the process that researchers undertook to identify it correctly. Over the years, many of the samples of Adhubllka have been misclassified and/or mistagged into some other ransomware family, says Rakesh Krishnan, senior threat analyst at Netenrich.

"This would confuse threat hunters/security researchers while doing an incident report," he says. Indeed, researchers report that multiple engines had previously detected TZW but found traces of other malware, such as CryptoLocker, in the sample.

Further, other names had already been assigned to the same piece, including ReadMe, MMM, MME, GlobeImposter2.0, which all actually belong to the Adhubllka ransomware family. All this confusion required further digging into the genealogy of the ransomware strain to identify it with proper attribution, Krishnan says.

"This research also sheds light on the tracing of a family of ransomware to its origin using [threat actors'] communication channels and other means," including contact emails, ransom notes, and execution method, which all played a vital role in analysis, he adds.

Racking Adhubllka

Adhubllka first gained more attention in January 2020, but had been "highly active" the previous year, the researchers noted. Threat group TA547 used Adhubllka variants in their campaigns targeting various sectors of Australia in 2020.

A key reason it was so tricky for researchers to identify TZW as a spinoff of Adhubllka is because of the small ransom demands the group typically makes — $800 to $1,600. At that low level, victims often pay attackers and the attackers continue to fly under the radar.

"This ransomware, like others, is being delivered via phishing campaigns, but the uniqueness lies as they only target individuals and small-sized companies, hence they won't make a big news on the media channel," Krishnan says. "However, this doesn't mean [Adhubllka] won't grow bigger in coming time, as they had already made necessary updates on their infrastructure."

In fact, in the future, the researchers anticipate that this ransomware may be rebranded with other names; other groups may also use it to launch their own ransomware campaigns.

"However, as long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the Adhubllka family," Krishnan says.

Keys to Identification

Indeed, the key that researchers used to tie the latest campaign to Adhubllka was to track previously linked Tor domains used by the actor, with the team uncovering clues from within the ransom note dropped to victims to trace it back to the source.

In the note, the threat actor asks victims to communicate via a Tor-based victim portal to obtain decryption keys following ransom payment. The note indicated that the group changed its communication channel from v2 Tor Onion URLs to v3 Tor URL, "because the Tor community deprecated v2 Onion domains," according to the post.

Further, an additional sentence in the note — "the server with your decryptor is in a closed network Tor" — was only seen in two new Adhubllka variants: TZW and U2K, according to the researchers, which further narrowed down attribution.

Other clues that pointed clearly to the latest variant of Adhubllka were the campaign's use of the email address [email protected], reported widely as belonging to the ransomware group, and its link to the MD5 variant sample of Adhubllka spotted in 2019.

The research overall demonstrates how ransomware is carefully crafted to throw threat hunters off the trail of cybercriminals, reinforcing the importance of defending against attacks by setting up an endpoint security solution, Krishnan says.

"However, when a ransomware is newly formed/coded, it can only be thwarted by basic security education, like not to click on malicious links delivered via email," he says.

Indeed, the most important protections for organizations lie in preventing ransomware from entering an environment in the first place, "which means looking for behavior anomalies, privilege escalation, and the introduction of suspicious removable media into an environment," Krishnan adds.