Talos Incident Response Talks About New Ransomware Strains
In a previous blog, we talked about how ransomware can be the costliest cyber-attack ever to harm a business. The case of the Texas School District Attack costed a sum total of $2.3 Million USD! While other attacks hit indirectly through data theft, identity theft, or system corruption, a ransomware goes straight for the money. Talos Incident Response Team, a breach specialist division of Cisco Security, came forth with a number ransomware strains and types of attacks, which flooded the cyber space for the past couple of years. They studied targeted ransomware, a type of cyber attack which works on the principle of ‘lock and profit’. In short, a targeted ransomware gains forced entry into specific systems in your network and encrypts all the sensitive data. Then, the hacker makes money off of ransom demands.
The Numerous Ransomware Strains Which Took the Victims By Storm
The SamSam Ransomware was active around 2016. It turned out to be highly lucrative and attacked hospitals, municipalities, and public institutions. The final amount amassed through ransoms was a jaw-dropping 30 Million USD. Two Iranian perpetrators were caught and they faced serious indictment at the hands of the US Government. Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27 duped over 200 victims spread over the above-mentioned sectors. They took payment in the form of Bitcoin, a virtual currency that leaves negligible paper trails. Both Savandi and Mansouri are charged with one count of conspiracy to commit wire fraud and one count of conspiracy to commit fraud and related activity in connection with computers. Also, the indictment includes two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer.
Ryuk campaigns dominated 2019, which relied heavily on the Emotet and Trickbot malware strains. This type of an attack takes place by sending payload-stuffed MS Word files along with fake emails. Of course, the emails have provocative subject lines. Similar ransomware strains includes LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis. Recently, attackers have started doxxing, a technique in which the intruder exfiltrates data and holds it hostage. Rather than just encrypting the data, doxxing also includes blackmail. Here, the hacker threatens to release sensitive data to the public, unless the victim makes the payment.
CobaltStrike & Maze
This ransomware has been active in 2020. Cyber criminals widely use the CobaltStrike framework to attack their targets. Once the intruder has gained access, they spend some time scouring the network and gathering intel along the way. Combined with CobaltStrike, the threat actor also used a technique commonly associated with APT-29, leveraging a named pipe (i.e. \\.\pipe\MSSE-<number>-server).
Soon, the payment mechanisms began to take form. First, the actor began exfiltrating the data that they had accumulated. They achieved exfiltration by using PowerShell to connect to a remote FTP server. Then the actor deployed Maze, an infamous ransomware that appeared previously in some high-profile cases.
Targeted ransomware yields higher paybacks and is sure to claim more victims. The criminals are aware that by directly getting their own hands dirty, they will be getting a huge reward. This is much more dangerous than say deploying a script and passively waiting for it to cause damage. However, the reward is equally higher. With ransomware, you can never be sure of a happy ending. Where is the guarantee that the hacker will decrypt the files after receiving the ransom? And so it is best to stay away.
Our Email ATP Solution has been fending off the deadly strain of Maze Ransomware since late 2019. We have built Cloud Email ATP using the best of breed technologies to deliver highly effective and accurate email security. With the services of a powerful partnership at your backing, your security concerns are going to vanish!