by Chris Bonatti, IECA, Casper Wyoming
Foreword by Laura Baker: I like Chris’s dry sense of humor in his writing and I hope you do too!
A lot of industry pundits have proclaimed 2019 as “The Year of Ransomware”, but frankly that’s not exactly plumbing the depths of punditry. What with seemingly half the school districts, universities and hospitals in the US being taken down by various ransomware campaigns last year, it’s not exactly rocket science. What’s slightly less obvious is that this past year has also set the stage for potentially bigger ransomware exploits in 2020.
Once the bad guys figured out that they could extort money by encrypting users’ data, we could be assured that this class of malware was here to stay. We’ve thus far seen two major stages of ransomware evolution.
The first stage was mainly opportunistic, only infecting systems when users slipped up in cyber-hygiene. Much of this first stage malware was evidently developed by amateurs, with a lot of strains including critical implementation errors that either allowed recovery without paying the ransom, or made recovery impossible even if the ransom was paid.
A second stage of more aggressive ransomware then started to appear. These programs didn’t wait for the user to slip up, but employed zero-day exploits and known (but possibly unpatched) exploits to directly invade systems. Many employed a “dropper” design, wherein one type of malware is used to gain access through a weakness in the Remote Desktop Protocol (RDP) or Common Internet File System (CIFS), and then “drop” a second type of malware into the system to encrypt files. This more professional stage of ransomware included such highly successful ransomware as SamSam, WannaCry, NotPetya, LockerGoga, and Ryuk. Most examples of the second stage were believed to have been developed by high-end global threat actors.
The start of the third stage, in our opinion, was sparked in January 2018 by the advent of the GandCrab ransomware campaign. GandCrab didn’t introduce any new, unique technology, but rather a new business model that has been termed Ransomware-as-a-Service. We think a better term would be a Ransomware Franchise. The operators of this model developed and operated the GandCrab infrastructure, but recruited various third parties to “distribute” the ransomware to its victims. The lion’s share of the ransom proceeds was provided to these third parties as an incentive to further spread the malware, saving them the complexity and risks that plagued amateurs in the first stage. In spite of their generosity to their “franchisees”, the GandCrab operators reportedly took in a total of $2 billion over 18 months.
With GandCrab operators announcing their “retirement” in May, we promptly saw a new ransomware effort, called Sodinokibi or REvil, adopt the same franchise model. We predict that the success of the franchise model will encourage others to adopt it, making the third stage of ransomware evolution more aggressive than ever. Since 2019 saw nearly a 100% rise in ransomware attacks over 2018, and a fourfold increase in companies choosing to pay the ransom demands, there is plenty of reason to be alarmed and good reason for you to check your defenses before we see what 2020 holds.
For the full article and more information on Ransomware, visit the IECA website and download the newsletter at https://www.ieca.com/newsletter/2001-IECA_Cyber_Bulletin.pdf