Industry Insights with Con Mallon


New Twists on Old Threats: Ransomware Continues to Evolve

Ransomware attacks fall into two general categories - encrypting and non-encrypting. The first type encrypts files on your hard drive and forces you to pay to have them decrypted. The non-encrypting type uses fairly simple techniques to restrict your access to files or applications, like locking you out of Windows, or keeping your Web browser from running. You are then forced to pay to have access reinstated.


Within these categories are many variations, and security researchers seem to encounter new, more advanced strains on a regular basis. According to researchers, a variant of the recent WannaCry ransomware has already been seen in the wild; it's called WannaCrypt. As the success of the WannaCry attacks, which impacted 150 countries worldwide, demonstrates, rapid development cycles make it difficult for organizations to mount effective defenses, particularly if they are relying on legacy or standard security solutions.

Spurred by the lucrative results ransomware attacks achieve, as well as the speed and anonymity with which they can be launched, new variants are continuously being released. 

As with all threats, the purveyors of ransomware are hard at work developing new ways to evade your security with a range of advanced tactics, techniques and procedures.

Tools such as crypters and packers are used to morph ransomware so it evades detection by constantly changing or obfuscating its true nature. Other ransomware techniques, such as fileless execution, are designed to look like normal computer operations, but once running they disrupt the tools a user or administrator would reach for, terminating Windows Task Manager, the registry editor, system configuration utilities and more. Still others are designed to detect virtual environments and abort execution to evade sandboxes. Attackers are also using the Tor anonymity network for command-and-control callbacks so that the traffic does not generate alerts.

Beginning last year, ransomware actors began to amplify their efforts with new features. The prevalent Locky-type variants employ these tactics:

  • Deploying malicious Microsoft Office macros and JavaScript file attachments;
  • Encrypting with RSA and AES and renaming the encrypted files to hinder decryption;
  • Encrypting unmapped network drives connected to infected systems;
  • Deleting Volume Shadow Copy (VSS) snapshots to make file restoration impossible;
  • Using methods to hide exploits from static analysis tools, and more.

New Variants


Here are a few that should be on your radar:

UIWIX: This variant of WannaCry ransomware demonstrates how quickly threats can morph in the criminal hacker's quest to evade security measures. This improved and stealthier variant was uncovered a mere five days after WannaCry hit the world scene. It operates by stealthily infiltrating systems and immediately encrypting data, appending an extension to file names and rendering the files inaccessible. It then creates a text file with a ransom demand informing victims that their files can be restored only by purchasing an exclusive and pricey decryptor. Like WannaCry, UIWIX is Windows-based and spreads by leveraging vulnerabilities in the Windows OS.

Samas: This variant targets servers running out-of-date JBoss installations, a software environment still running and supporting legacy applications in many businesses. The threat was considered so significant that the FBI began warning businesses about it early in 2016 after several hospitals were hit. Attackers use a software tool to automate discovery of vulnerable JBoss systems and launch an attack that can ultimately spread to all connected computers and even impact backup files.

PowerWare: This variant uses a macro that opens Windows PowerShell, enabling it to download a malicious script without having to write files to the disk. Using this tactic, the malware can blend in with standard activity on the computer and avoid detection as it completes its mission.
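As an added defensive illustration, not code from the original article or from CrowdStrike, the following Python sketch turns two of the behaviours described above into detection rules run over constructed process-creation events: shadow-copy deletion from the Locky tactics list, and an Office application launching hidden or encoded PowerShell in the way PowerWare's macro does. The event fields, process names and the encoded-command placeholder are assumptions for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry): a benign
# editor launch, an Office macro spawning PowerShell (PowerWare-style), two
# shadow-copy deletions (Locky-style) and a benign vssadmin listing.
SAMPLE_EVENTS = [
    {"pid": 1, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"pid": 2, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -NoP -enc BASE64_PLACEHOLDER"},
    {"pid": 3, "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4, "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 5, "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command lines that remove Volume Shadow Copies. Routine administration rarely
# does this, so it is a high-signal precursor to ransomware encryption.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Hidden-window, no-profile or encoded PowerShell, typical of a macro-launched
# download stage that never writes a script file to disk.
HIDDEN_PS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(c|nc|ncodedcommand)?\b|nop(rofile)?\b)", re.I)

def classify(event):
    """Return the list of detection names an event triggers (empty if none)."""
    hits = []
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
        if HIDDEN_PS.search(cmd):
            hits.append("hidden_or_encoded_powershell")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    return hits

def scan(events):
    """Map pid -> detections for every event that triggers at least one rule."""
    return {e["pid"]: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

On real endpoint data the same two rules would be applied to Sysmon event ID 1 or equivalent EDR process telemetry, with the parent/child relationship being the part that separates a macro-launched PowerShell from an administrator's own session.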

Petya: While typical crypto-type malware encrypts files on the hard drive, the Petya strain encrypts the Master File Table (MFT) and the Master Boot Record (MBR), making it impossible for you to access anything on the drive. It is often launched together with another payload called Mischa, so that if Petya lacks the privileges necessary to reach the MFT or MBR, Mischa encrypts files one by one instead.

The frequency and blatant nature of ransomware attacks clearly demonstrate that these threats won't be defeated by relying on standard security solutions alone. While deploying standard defenses such as blocking known threats, patching vulnerabilities and detecting indicators of compromise are critical first steps, a more advanced approach is required.

CrowdStrike, the leader in advanced endpoint protection, employs a powerful array of prevention and detection methods designed to stop ransomware before it can cause damage, delivered via the innovative CrowdStrike Falcon Platform®. In fact, CrowdStrike's advanced technology ensured that customers were protected against the WannaCry attacks before they struck, and it is capable of stopping each of the ransomware variants mentioned above and helping to future-proof your organization against attacks.

The CrowdStrike Falcon® platform is the only solution that unites next-gen anti-virus, which includes machine learning and behavioral analytics, with endpoint detection and response, IT hygiene, 24/7 managed threat hunting and threat intelligence to provide continuous breach prevention. The Falcon platform stops the sophisticated attacks that evade standard security including ransomware and fileless techniques.

About the Author

Con Mallon


Senior Director of Product Marketing, CrowdStrike

As the Senior Director of Product Marketing, Mallon is responsible for CrowdStrike's endpoint protection, threat intelligence and services offerings. Mallon's 20-plus years of experience includes a range of marketing, product marketing and management roles within the technology industry, including seven years at Symantec where he was Senior Director for Mobile Product Management.
