Although the ransomware plague took a nosedive in terms of the victim count years ago, it’s still alive and kicking. It used to home in on any computers indiscriminately, but at some point, the malicious actors realized they could squeeze a lot more profit out of the enterprise than out of individual users. This shift made businesses the most coveted target for ransomware operators.
According to a study by Beazley Breach Response (BBR), a subsidiary of a London-based insurance services giant, 71% of ransomware attacks reported by the company’s customers in 2018 targeted small and medium-sized businesses (SMBs). The researchers believe the reason is that SMBs typically have lower information security budgets than large companies, which turns many of them into low-hanging fruit for cybercriminals.
In addition to rethinking the range of intended victims, crooks have changed their attack vectors as well. Spam no longer dominates the payload delivery repertoire. It has been largely superseded by more sophisticated techniques, including remote desktop protocol (RDP) exploitation, managed service provider (MSP) hacks, spear-phishing, and attacks on Apple devices, which are often assumed to be relatively safe.
To give you the big picture, this article will provide insights into some of the most active ransomware strains that focus on hitting enterprise networks.
Mailto aka Netwalker Ransomware
Originally discovered in August 2019, this file-encrypting culprit remained mostly dormant until early February 2020, when the Australian transportation company Toll Group reported a serious ransomware incident. On a side note, this firm employs about 40,000 people and has offices in more than 50 countries. Its gross earnings amounted to $127 million last year, so it’s a juicy target from a cybercrook’s perspective.
The binary of this ransomware arrived under the guise of Sticky Password, a popular password manager. Once executed, the offending code raided multiple systems constituting the IT network of Toll Group, crippling data via strong encryption and staining all affected files with the *.mailto extension (hence the name researchers coined for the sample).
This string is additionally concatenated with the attackers’ email address so that the company can negotiate the decryption terms directly. By the way, security analysts found that the developers of this ransomware call it “Netwalker,” based on the name of the decryption tool touted by the malefactors.
The size of the ransom demanded by the extortionists hasn’t been disclosed, and Toll Group appears to have rejected these demands. In response to the incident, the executives had to shut down the affected services. The company partially switched to manual operation for handling critical business processes. The booking and tracking platforms are still offline at the time of this writing.
Snake (EKANS) Ransomware
This enterprise-hunting specimen surfaced in January 2020. It stands out from the crowd due to high-level obfuscation techniques that allow it to stay undetected. After gaining a foothold in a business environment, this ransomware terminates virtual machines, SCADA systems, network maintenance tools, and industrial control systems if it finds them. Then, it encrypts valuable data while skipping files in Windows system directories.
Once the encryption stage is completed, the infection appends a random five-character extension to the original filenames and drops a ransom note called “Fix-Your-Files.txt.” This document includes the phrase “We breached your corporate network,” which clearly indicates what kind of targets the crooks zero in on.
When analyzing the inner structure of encrypted data, researchers discovered that the ransomware adds a file marker that says “EKANS.” That’s SNAKE if you read it backward, which explains the name given to this sample.
To spread this ransomware, attackers compromise remote management and monitoring (RMM) software and other applications commonly leveraged by managed service providers (MSPs). If this hack is successful, it becomes a launchpad for infiltrating the network of a company doing business with the breached MSP.
Ragnar Locker Ransomware
First spotted in late December 2019, Ragnar Locker uses an RSA-2048 key to mutilate files. After the asymmetric cipher is applied, the ransomware blemishes filenames with the *.ragnar extension followed by a unique victim ID and generates a ransom note named “RGNR_[file extension].txt.” Interestingly, this document looks customized and includes the affected company’s name and a victim-specific ransom amount that may reach $600,000 worth of Bitcoin.
An additional issue with Ragnar Locker is that it steals sensitive data from the target organization as part of the attack. In case the company refuses to pay the ransom for decryption, the criminals engage an extra blackmail scenario and threaten to release these files via publicly accessible sources.
Zeppelin Ransomware
This one was discovered in November 2019. It is a spinoff of a lineage that previously gave rise to samples called VegaLocker and Buran, distributed via a Ransomware-as-a-Service (RaaS) model. Researchers have traced this family back to a Russian cybercrime gang.
The operators of Zeppelin ransomware focus on attacking tech and healthcare organizations based in the United States and Europe. If the harmful program determines that it has infiltrated a network located in one of the post-Soviet countries (e.g., Russia, Ukraine, Belarus, or Kazakhstan), the attack discontinues.
The primary vector of compromise comes down to exploiting unsecured remote desktop services. When up and running inside a host network, it locates all important files and encrypts them without modifying the original filenames. Meanwhile, it alters the files’ binary contents and adds the “Zeppelin” file marker. The ransom note is a document named “!!! All your files are encrypted !!!.txt”.
Later on, analysts came across a builder application that allows Zeppelin ransomware distributors to generate custom variants of the program that go with unique rescue notes. The tool also provides the perpetrators with several different payload formats to choose from, including *.exe, *.dll, and *.ps1.
TFlower Ransomware
The strain dubbed TFlower splashed onto the scene in late July 2019. It infects organizations through unprotected or poorly secured RDP ports. As soon as the furtive infiltration takes place, the ransomware runs a number of commands to disable the Volume Shadow Copy Service (VSS) and thereby thwart easy data recovery. When traversing the plagued computers for valuable data to be encrypted, it ignores critical system files and objects stored in the Sample Music folder.
This pest does not modify the names of hostage files. However, when analyzed using a hex editor, every encrypted item turns out to have a “tflower” file marker at the beginning of its raw binary content. The ransomware also sprinkles a bevy of rescue notes named “!_Notice_!.txt” across all affected folders. Although TFlower ransomware doesn’t appear to be a particularly sophisticated sample, it encrypts files flawlessly and thus poses a serious risk to companies.
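A detector for the shadow-copy tampering step described above, added here as an example rather than code from the article or any vendor. It runs command-line patterns over constructed process-creation events (a simplified Sysmon Event ID 1 / Windows 4688 shape) and raises the per-host severity when several distinct techniques show up on one machine, which is the pre-encryption pattern a SOC wants to catch. The command patterns are the commonly documented shadow-copy deletion and recovery-disabling commands; they are an assumption, since the article does not name the specific commands TFlower runs.

```python
"""Detect shadow-copy tampering in process-creation telemetry (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


# Assumption: commonly documented commands for deleting shadow copies or
# disabling recovery, standing in for the unnamed commands in the article.
TAMPER_PATTERNS = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "vss_service_stop": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\s+\"?vss\b", re.I),
}


def match_rules(cmdline):
    """Names of every tampering pattern the command line matches."""
    return [name for name, rx in TAMPER_PATTERNS.items() if rx.search(cmdline)]


def detect(events):
    """One finding per (event, matched rule); parent image is kept for triage."""
    return [
        {"ts": ev.ts, "host": ev.host, "parent": ev.parent_image,
         "rule": rule, "cmdline": ev.cmdline}
        for ev in events
        for rule in match_rules(ev.cmdline)
    ]


def summarize(findings):
    """Per-host verdict: several distinct techniques on one host is the classic
    pre-encryption burst; a single one may still be an administrator."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {
        host: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "medium"}
        for host, rules in per_host.items()
    }


# Constructed telemetry: WS01 shows the burst, WS02 a lone command that
# still deserves a look, plus a benign "list shadows" that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("2020-02-03T09:14:02Z", "WS01", "explorer.exe", "cmd.exe",
              r"cmd.exe /c dir C:\Users"),
    ProcEvent("2020-02-03T09:14:05Z", "WS01", "cmd.exe", "vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("2020-02-03T09:14:06Z", "WS01", "cmd.exe", "wmic.exe",
              "wmic.exe shadowcopy delete"),
    ProcEvent("2020-02-03T09:14:07Z", "WS01", "cmd.exe", "bcdedit.exe",
              "bcdedit.exe /set {default} recoveryenabled No"),
    ProcEvent("2020-02-03T10:02:41Z", "WS02", "powershell.exe", "vssadmin.exe",
              "vssadmin.exe list shadows"),
    ProcEvent("2020-02-03T10:03:10Z", "WS02", "powershell.exe", "net.exe",
              "net stop VSS"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["ts"]} {hit["host"]} {hit["rule"]}: {hit["cmdline"]}')
    print(summarize(hits))
```

The severity rule is deliberately simple: backup administrators do run some of these commands, so a single hit is a lead, not a verdict, while three different recovery-destroying commands within seconds from the same parent is the signature worth paging on. In production the parent image (an Office process or script host spawning `vssadmin`) is the next field to weigh.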
MegaCortex Ransomware
This one made its debut in May 2019. It mainly targets businesses located in the US, Canada, the Netherlands, and France. According to security experts’ findings, MegaCortex affects enterprise networks previously compromised by the notorious info-stealing Trojans Qakbot and Emotet. This fact suggests that the distribution of this ransomware might rely on backdoors created by other malware in a business ecosystem.
When inside, the harmful program executes a modified version of the PsExec remote administration tool. It allows the threat actors to run a specially crafted batch file on contaminated systems and move on to an active phase of the onslaught.
Having scanned the company’s workstations for all forms of potentially important data, the pest executes the encryption process and appends the *.aes128ctr extension to each file. It also drops a document named “!!!_READ_ME_!!!.txt” that provides ransom instructions. To evade detection, MegaCortex scours the network for mainstream security tools and disables them once spotted.
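A triage scanner for the file-level traces the article attributes to these strains (the appended .mailto, .ragnar and .aes128ctr extensions, the ransom note filenames, and the EKANS, Zeppelin and tflower in-file markers), added here as an example and not taken from the article or any vendor. It assumes a marker may sit at either the head or the tail of a file, since the article fixes only TFlower's position, and it uses byte entropy to separate a marker inside ciphertext from the same word inside an ordinary document. All sample files are constructed, with seeded pseudo-random bytes standing in for encrypted content.

```python
"""Triage a directory for the file-level ransomware traces described above (added example)."""
import math
import os
import random
import re
import tempfile
from collections import Counter

# Name-based indicators. Extension patterns allow trailing text because the
# article says Mailto appends the attacker e-mail and Ragnar Locker a victim ID.
EXTENSION_PATTERNS = {
    "Mailto/Netwalker": re.compile(r"\.mailto", re.I),
    "Ragnar Locker": re.compile(r"\.ragnar", re.I),
    "MegaCortex": re.compile(r"\.aes128ctr$", re.I),
}
RANSOM_NOTES = {
    "Snake (EKANS)": re.compile(r"^Fix-Your-Files\.txt$", re.I),
    "Ragnar Locker": re.compile(r"^RGNR_.+\.txt$", re.I),
    "Zeppelin": re.compile(r"^!!! All your files are encrypted !!!\.txt$", re.I),
    "TFlower": re.compile(r"^!_Notice_!\.txt$", re.I),
    "MegaCortex": re.compile(r"^!!!_READ_ME_!!!\.txt$", re.I),
}
# In-file markers. Assumption: checked at both the head and the tail of the file.
FILE_MARKERS = {"Snake (EKANS)": b"EKANS", "Zeppelin": b"Zeppelin", "TFlower": b"tflower"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext is close to 8, documents far below
SAMPLE_BYTES = 4096


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def head_and_tail(path, n=SAMPLE_BYTES):
    """Read only the first and last n bytes so large files stay cheap to scan."""
    with open(path, "rb") as fh:
        head = fh.read(n)
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - n))
        tail = fh.read(n)
    return head, tail


def classify_file(path):
    name = os.path.basename(path)
    findings = []
    for family, rx in RANSOM_NOTES.items():
        if rx.search(name):
            findings.append({"path": path, "family": family, "kind": "ransom_note", "corroborated": True})
    for family, rx in EXTENSION_PATTERNS.items():
        if rx.search(name):
            findings.append({"path": path, "family": family, "kind": "extension", "corroborated": True})
    head, tail = head_and_tail(path)
    entropy = shannon_entropy(head + tail)
    for family, marker in FILE_MARKERS.items():
        if marker in head or marker in tail:
            # A marker inside low-entropy data is most likely just the word in a document.
            findings.append({"path": path, "family": family, "kind": "marker",
                             "entropy": round(entropy, 2), "corroborated": entropy >= ENTROPY_THRESHOLD})
    return findings


def scan_tree(root):
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            results.extend(classify_file(os.path.join(dirpath, fn)))
    return results


def summarize(findings):
    """Corroborated hits per family: the first thing an incident lead asks for."""
    return Counter(f["family"] for f in findings if f["corroborated"])


def build_sample_tree(root):
    """Constructed files; seeded pseudo-random bytes stand in for ciphertext."""
    rng = random.Random(2020)

    def cipher(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    files = {
        "report.docx.mailto": cipher(2048),
        "ledger.xlsx.ragnar": cipher(2048),
        "budget.pdf.aes128ctr": cipher(2048),
        "plan.docx.kq3vz": cipher(2048) + b"EKANS",  # random 5-char extension, marker at tail
        "notes.txt": b"tflower" + cipher(2048),      # name untouched, marker at head
        "Fix-Your-Files.txt": b"We breached your corporate network\n",
        "!_Notice_!.txt": b"constructed ransom note text\n",
        "press_release.txt": b"Quarterly update: the Zeppelin project shipped on time.\n",
        "clean.txt": b"ordinary plaintext that should produce no finding\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    hits = demo()
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

Reading only the head and tail keeps the scan affordable across a file server, and the entropy check is what stops a press release that happens to mention "Zeppelin" from being counted alongside genuinely encrypted files: it is reported, but flagged as uncorroborated.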
In light of the rapidly escalating issue of ransomware attacks that target the enterprise, the mantra about an effective data backup strategy now makes more sense to organizations than ever before. Additionally, businesses need to harden their defences against this form of malicious code. A good starting point is to check the network for crudely secured RDP connections and patch the loopholes if found.
Also, the employees should learn to identify a phishing attack and refrain from clicking on suspicious links or opening sketchy email attachments. It’s also worthwhile to use an intrusion detection system (IDS) and reliable anti-malware solutions that can stop most ransomware attacks in their tracks.
About the Author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.