Ransomware Threat Continues: How Infections Take Place

If cybersecurity consultants and IT admins have learned anything of the current threat environment, it’s that ransomware will continue to be a pervasive and dangerous threat to individual users, enterprises and organizations at large.

When they first emerged, these infections were unlike anything that tech experts had ever seen, combining strong encryption and blackmail tactics to force victims into payment. But, as past cases have shown, even sending Bitcoin to perpetrators doesn’t guarantee that access to important data and platforms will be restored.

According to Trend Micro’s report, Unseen Threats, Imminent Losses, there has only been a slight increase in ransomware detection so far in 2018. However, this doesn’t make ransomware any less of a threat to enterprise security.

Decrease in ransomware families

In the recent past, it seemed like a new ransomware family was emerging on a near-daily basis. New samples – many of which came with interesting and even catchy names – and particularly the different ways in which the ransomware was being served up made it difficult to put proactive protection in place.

Thankfully, Trend Micro researchers identified a 26 percent decrease in new ransomware families during the first half of 2018. In addition, there was only a 3 percent increase in detected ransomware activity overall.

And while this may sound like good news, the level of ransomware activity taking place overall is still high, and this infection strategy remains a favorite among malicious attackers who keep a trained focus on the considerable profits that can result from ransomware delivery.

“Though its prevalence in the cybersecurity landscape has plateaued, ransomware is still something that enterprises should be vigilant against,” Trend Micro stated in its Unseen Threats, Imminent Losses report. “But this change of pace is likely due to the increased attention on ransomware and the resulting improvements in prevention and mitigation methods.”

One of the first steps organizations can take to help bolster their prevention and protection efforts is to understand the different ways ransomware samples and delivered, and how these strategies lead to successful infections. By being aware of and guarding specifically against top ransomware delivery means, organizations can reduce the chances that they’ll be impacted by this threat.

As Trend Micro’s TrendLabs noted in a separate report, Ransomware: Past, Present and Future, samples can be delivered in a number of ways, including through spam and phishing campaigns, compromised websites and webpages, as well as exploit kits. We’ll take a closer look at recent examples of each type.

Despite a drop in ransomware families in early 2018, attacks remain prevalent across all business sizes and industries.

GandCrab: Phishing campaign serves up thousands of malicious spam messages daily

A popular delivery method includes phishing campaigns and connected spam email messages, which often hinge upon social engineering and other strategies to trick users into opening an infected email, link or downloadable attachment.

As ZDNet’s Danny Palmer reported, this approach was used in connection with a recent ransomware phishing campaign, which attempted to infect users with the GandCrab ransomware sample. GandCrab was first identified in January 2018, and security researchers have seen several subsequent updates on the part of ransomware creators to boost potential ransom profits.

This recent phishing campaign centering around GandCrab encompasses phishing email messages that mention important things like payments, invoices, tickets and orders, and also includes a JavaScript attachment that executes the ransomware from an infected URL. The email message directs readers to “open the attachment and reply as soon as possible,” and is signed “HTF Customer Support,” according to a screenshot from Fortinet.

Victims infected with GandCrab are routed to a Tor browser site, which demands $400 in ransom for the decryption key.

“Tens of thousands of GandCrab spam emails are being distributed each day, with mail servers hosted in the US by far the most common target, accounting for three quarters of deliveries,” Palmer wrote. “When it comes to successful infections, the US currently accounts for the fourth largest percentage of victims, behind Peru, Chile and India.”

Ransomware is a continuing problem in the enterprise threat landscape.

Fallout exploit kit delivers GandCrab

In addition to being at the center of a recent phishing spam campaign, Trend Micro researchers also identified the GandCrab ransomware sample in connection with a new exploit kit called Fallout.

The exploit kit, which appears similar to another formerly active exploit kit called Nuclear, leverages a Windows VBScript engine vulnerability patched in May 2018, and/or an Adobe Flash vulnerability patched in February 2017. From there, Fallout can run the SmokeLoader trojan, a known ransomware-supporting program and data-theft malware. In other cases, when SmokeLoader isn’t used, Fallout delivers GandCrab, infecting and locking down Windows systems until users pay the ransom.

Experts recommend ensuring that proper patches are installed to prevent this exploit kit’s use of known vulnerabilities to support infection.

City experiences ransomware infection after drive-by download

In addition to spam emails, phishing campaigns and exploit kits, hackers also continue to utilize drive-by downloads to enable successful ransomware infection. Such was the case when a city employee in Issaquah, Washington opened a malicious PDF file from a nonprofit grant coordination website, The Hacker News contributor Mohit Kumar reported. In this instance, the culprit sample was the well-known CryptoLocker, which has been a pervasive threat since 2013.

Due to a legacy backup system and limited IT and security resources, the infection hit Issaquah and its government IT infrastructure hard.

After the infection, the city invested in a new backup and disaster recovery solution, which, according to city officials, has provided more peace of mind.

Guarding against ransomware

Let’s take a look at a few best practices enterprises should leverage in the proactive fight against malware infection:

  • Awareness and user education: As the GandCrab phishing and spam campaign, as well as the drive-by download case in Issaquah, show, awareness of ransomware tactics is imperative. User education should be a top priority, as users who understand the suspicious signals – as well as proper actions like not opening an email or attachment from an unknown sender – can represent a first line of defense against infection.
  • Timely patching and updating: GandCrab leverages common and previously patched system vulnerabilities to support its malicious infections. In these instances, proper patching could have helped prevent attack. In this way, it’s imperative that enterprises work to apply patches and updates as soon as possible after they are released by vendors.
  • Secure browsers: It’s especially imperative in the case of exploit kit-delivered ransomware that commonly used browsers are appropriately secured. Elements like infected websites, landing pages or malvertisements have proven successful for ransomware hackers in the past. Techniques like URL categorization, which can help filter out malicious websites and content, can be a beneficial, proactive protection practice.

To find out more about current ransomware samples, infection and delivery strategies, as well as top solutions for protection, connect with the experts at Trend Micro today.

Read More HERE