As the world marks its second Anti-Ransomware Day, there is no denying that ransomware has become a buzzword in the security world, and not without good reason. The threat may have been around for a long time, but the way it is used has changed. Year after year, attackers have grown bolder and more sophisticated, and of course, systems have been breached. However, most of the media attention ransomware gets is focused on documenting which companies it has hit. This report steps back from the daily ransomware news to the heart of the matter: how the ransomware business is organized.
First, we debunk three preconceptions that hinder clear thinking about the ransomware threat. Next, we delve into the dark web to show how cybercriminals communicate with each other and what kinds of services they provide. Finally, we take a closer look at two well-known ransomware gangs: REvil and Babuk.
Before you start reading, make sure your data is safely backed up!
Part I: Three Preconceptions About Ransomware
Preconception #1: Ransomware gangs are gangs
With the surge in activity in 2020, we have seen the emergence of many high-profile gangs in the ransomware world. Criminals have found that victims are more likely to pay the ransom if the gang has established some kind of credibility beforehand. To ensure that their ability to recover encrypted files is never questioned, they build their presence online, write press releases, and make sure all potential victims know their names.
But by putting themselves in the spotlight, these groups mask the actual complexity of the ransomware ecosystem. From the outside, they appear to be a single entity. In reality, they are just the tip of the spear. In most attacks, a large number of actors are involved, and one key takeaway is that they provide services to each other through darknet markets.
Botmasters and account sellers are tasked with providing initial access inside the victim’s network. Other members of this ecosystem (called the red team here for the sake of discussion) use that initial access to gain full control of the target network. In the process, they collect information about the victim and steal internal files.
The documents may be outsourced to teams of analysts who attempt to work out the target’s actual financial health in order to determine the maximum ransom it might pay. Analysts will also be on the lookout for any sensitive or compromising information that could be used to support extortion, with the aim of exerting maximum pressure on the victim’s decision-makers.
When the red team is ready to launch an attack, it buys a ransomware product from dark web developers, usually in exchange for a cut of the ransom. An optional role here is the packer developer, who adds a layer of protection to the ransomware program, making it harder for security products to detect.
Finally, negotiating with victims may be handled by yet another team, and when the ransom is paid, a whole new set of skills is needed to launder the cryptocurrency obtained.
Most interestingly, the various actors in the “ransomware value chain” don’t need to know each other, and in fact they don’t. They interact over the internet and pay for their services in cryptocurrencies. Thus, arresting any one of these entities (while helpful for deterrence purposes) will do little to slow down the ecosystem, since the arrested party cannot identify accomplices it has never met, and other providers will immediately fill the void.
We must understand the ransomware world as an ecosystem and treat it as such: it is a problem that can only be solved systemically, for example by preventing money from circulating within the ecosystem, which means, first and foremost, that no ransom is paid.
Preconception #2: Targeted ransomware is targeted
The preceding description of the ransomware ecosystem has implications for how victims are selected. Yes, criminal gangs are getting more brazen and demanding larger and larger ransoms. But ransomware attacks also have an opportunistic side. As far as we know, the gangs do not read the FT carefully to decide on their next targets.
As described above, the person who gains initial access to the victim’s network is not the one who later deploys the ransomware, so access collection needs to be treated as a completely separate business. To make it viable, sellers need a steady stream of “products.” It is not financially viable to spend weeks trying to break into a stated target such as a Fortune 500 company, because success is not guaranteed. Instead, access sellers go after lower-hanging fruit. There are two main sources for this supply:
Botnet owners. Well-known malware families are involved in the largest and most impactful campaigns. Their main goal is to build a network of infected computers, even if the infection initially remains dormant. Botnet owners (botmasters) sell access to a large number of victim machines as a resource that can be monetized in a number of ways, such as launching DDoS attacks, distributing spam, or, in the case of ransomware, using the initial infection to gain a foothold on potential targets.
Access sellers. Hackers look for publicly disclosed vulnerabilities (1-days) in internet-facing software such as VPN devices or email gateways. Once such vulnerabilities are disclosed, they compromise as many affected servers as possible before defenders apply the corresponding update.
Example of an offer to sell access to an organization’s RDP
In both cases, it is only afterwards that the attackers take a step back and figure out whom they have compromised and whether the infection could lead to a ransom payment. In this sense, actors in the ransomware ecosystem are not targeted: they almost never set out to attack a specific organization. Knowing this underscores the importance of businesses keeping their internet-facing services up to date and having the ability to spot latent infections before they are put to use.
Preconception #3: Cybercriminals are criminals
Well, strictly speaking, they are. But because of the diversity of the ransomware ecosystem, it is also an area that reaches far beyond what it appears to be. Of course, there is a documented overlap between the ransomware ecosystem and other areas of cybercrime such as carding or point-of-sale (PoS) hacking. But it is worth pointing out that not all members of this ecosystem come from the cybercriminal underworld. In the past, high-profile ransomware attacks have been used as a means of destruction. It is not unreasonable to argue that some APT actors are still employing similar tactics to destabilize rival economies while maintaining strong deniability.
Likewise, a report published last year described the Lazarus gang trying its hand at big game hunting. ClearSky found similar activity, which they attributed to the Fox Kitten APT. The researchers note that the apparent profitability of ransomware attacks has attracted some state-backed hackers to the ecosystem as a way to circumvent international sanctions.
The data suggests that such ransomware attacks represent only a small fraction of the total. While they do not change what defenses companies need to adopt, their presence creates additional risks for victims. On October 1, 2020, OFAC released a memo stating that companies sending money to attackers need to ensure that the recipients are not subject to international sanctions. The announcement appears to have had an effect on the ransomware market. There is no doubt that due diligence on ransomware operators is a challenge in itself.
Part II: A Look Into the Dark Web
Market channels
When it comes to selling cybercrime-related digital goods or services on the dark web, most information is concentrated on a few large platforms, although there are multiple smaller themed platforms focused on a single topic or product. We analyzed three major forums for ransomware-related offers. These forums are the main platforms on which cybercriminals using ransomware communicate and trade. While there are hundreds of advertisements and offers on these forums, for our analysis we picked only a few dozen offers that had been verified by forum management and posted by groups with a good reputation. These advertisements include a wide variety of offers, from the sale of source code to regularly updated job advertisements, available in English and Russian.
Different types of offers
As mentioned earlier, the ransomware ecosystem consists of actors playing different roles. The forum sections of the dark web reflect this, although offers on these marketplaces are primarily for sales or recruitment. As in any market, when operators need something, they post ads on forums and take them down as soon as the demand is met. Ransomware developers and operators of affiliate ransomware programs (“Ransomware as a Service”) post the following kinds of offers:
· Invitation to join Partner Network, an affiliate program for ransomware operators
· Advertisements for ransomware source code or ransomware generators
The first type of engagement assumes a long-term partnership between the ransomware operator and the affiliate. Typically, the operator keeps 20% to 40% of the profit, while the remaining 60-80% goes to the affiliate.
Example of an offer listing payment terms in a partner program
While many ransomware operators are looking for partners, some are selling ransomware source code or DIY ransomware packages. Offers range from $300 to $5,000.
Selling ransomware source code or leaked samples is the easiest way to profit from ransomware, in terms of the technical proficiency and effort required of the seller. However, since source code and samples quickly lose their value, such offers are also the least profitable. There are two different types of offers: with and without support. If the purchased ransomware comes without support, then once it is detected by a security solution, the buyer needs to figure out how to repackage it on their own, or find a service that offers sample repackaging, which is still easily detected by security solutions.
Services that provide support (admittedly more prevalent in the financial malware market) typically include regular malware updates and handle the decisions about those updates.
In this regard, darknet forum offers have not changed much compared to 2017.
Ransomware developers sometimes advertise builders and source code as one-time purchases with no customer support
Offers of ransomware subscriptions and add-ons look very similar to advertisements for any legitimate product, just with different benefits and price ranges
Some large gangs are invisible on the dark web
While the number and scope of offers available on the dark web is certainly not small, the market does not reflect the entire ransomware ecosystem. Some large ransomware gangs either work independently or seek out partners directly (for example, to our knowledge Ryuk was able to access the systems of some of its victims after a Trickbot infection, suggesting a potential partnership between the two groups). As such, forums typically host smaller players: mid-sized RaaS operators, and smaller actors or newcomers selling source code.
Ground rules for membership on the dark web
The ransomware market is a closed one, and the operators behind it are very careful about who they choose to work with. This caution is reflected in the advertisements and additional criteria that operators place in selecting partners.
The first general rule concerns geographic restrictions. When malware operators work with partners, they avoid using the malware in their own jurisdictions. This rule is strictly enforced: partners who break it quickly lose access to the projects they have been working on.
Additionally, operators screen potential partners, for example by testing their knowledge of the country they claim to be from, as in the example below, to reduce the chances of hiring undercover police officers. They may also impose restrictions on certain nationalities based on their political views. These are just some of the ways operators try to ensure their own security.
In this example, the gang proposes to vet new affiliates by asking obscure questions about the history of the former Soviet republics, which often only Russian speakers can answer
According to the ad, Avaddon may consider English-speaking members if they have established a reputation or can provide a bond
For a more detailed overview, we have selected two of the most notable large-scale ransomware operations of 2021.
The first is the REvil (aka Sodinokibi) gang. The ransomware has been advertised on the dark web since 2019 and has a strong reputation as a RaaS operation. The gang’s name, REvil, frequently appears in news headlines in the information security community. In 2021, REvil operators demanded the highest ransoms.
The second is Babuk locker, the first new RaaS gang discovered in 2021, which already shows a high level of activity.
Example of an ad served by REvil
REvil is one of the most prolific RaaS operations. The gang’s first activity was in April 2019, after another now-defunct ransomware gang, GandCrab, was shut down.
To distribute the ransomware, REvil works with affiliates hired on cybercrime forums. The ransom demand is based on the victim’s annual income, and the affiliate can receive 60% to 75% of the ransom. Payments are made in Monero (XMR). According to interviews with REvil operators, the gang earned more than $100 million from its operations in 2020.
The developers regularly update the REvil ransomware to avoid detection and increase the reliability of ongoing attacks. The gang announces all major updates and new partner projects in various threads on the hacker forums. On April 18, 2021, the developers announced that the *nix implementation of the ransomware was in closed beta.
REvil notifies of internal testing of the *nix implementation of its ransomware
REvil uses the Salsa20 symmetric stream cipher to encrypt the contents of files, and an elliptic-curve asymmetric algorithm to encrypt the keys. The malware sample has an encrypted configuration block with a number of fields that allow attackers to fine-tune the payload. The executable can terminate blacklisted processes before encryption, steal basic host information, and encrypt non-whitelisted files and folders on local storage devices and network shares.
The ransomware is now mainly distributed through compromised RDP access, phishing, and software exploits. Affiliates are responsible for gaining initial access to the corporate network and deploying the locker, a standard practice in the RaaS model. It should be noted that the gang has very strict rules on the recruitment of new members: REvil only recruits highly skilled partners who speak Russian and have experience gaining access to networks.
After a successful intrusion, privilege escalation, reconnaissance and lateral movement follow. The operators then evaluate, steal and encrypt sensitive files. The next step is to negotiate with the attacked company. If the victim decides not to pay the ransom, the REvil operators go after it: the attacked company’s sensitive data is posted on their onion site, Happy Blog. The strategy of publishing leaked confidential data on data leak sites has recently become mainstream in Big Game Hunting.
Example of post on REvil blog with data stolen from victim
Notably, ransomware operators have begun using voice calls to the victim’s business partners and journalists, and DDoS attacks, to force victims to pay the ransom. According to the operators, in March 2021 the gang launched a service, at no additional cost, that allows affiliates to contact victims’ partners and the media for maximum pressure, plus DDoS (L3, L7) as a paid service.
REvil has announced a new feature to schedule calls to media and target partners to apply extra pressure when a ransom is demanded
According to research, the malware affected nearly 20 industries. The industries that suffered the most were engineering and manufacturing (30%), followed by finance (14%), professional and consumer services (9%), legal (7%) and IT and telecommunications (7%).
Victims of this campaign include Travelex, Brown-Forman Corp., the pharmaceutical group Pierre Fabre and the well-known law firm Grubman Shire Meiselas & Sacks. In March 2021, the gang hacked into Acer and demanded a $50 million ransom, an all-time high.
On April 18, 2021, a member of the REvil gang announced that the group was about to reveal its “highest-profile attack ever,” in a post on a forum used to recruit new members. On April 20, the group posted on Happy Blog. Numerous blueprints of what purportedly are Apple devices were posted on the website. According to the attackers, the data was stolen from Quanta’s network. Quanta Computer is a Taiwanese manufacturer and one of Apple’s partners. The initial ransom demanded from Quanta was $50 million.
REvil’s target activity has surged over the past few quarters
REvil is the poster child for Big Game Hunting. In 2021, we see a trend of growing ransom demands for sensitive company data. Using new tactics to pressure victims, aggressively developing non-Windows versions, and regularly recruiting new affiliates all suggest that the number and scale of attacks will only increase in 2021.
Babuk locker is another major ransomware gang of 2021. In early 2021, we discovered several incidents involving this ransomware.
At the end of April 2021, the attackers behind Babuk announced the end of their campaign, saying they would release their source code in order to “do something like open source RaaS.” This means that we may see a new wave of ransomware campaigns as various smaller attack groups use the leaked source code for their own operations. We have seen this happen with other RaaS and MaaS projects: last year’s Cerberus banking Trojan targeting Android is a good example.
Babuk Announcement on Termination of Operations
The gang apparently customizes a unique sample for each victim, since each sample includes the organization’s hardcoded name, an individual ransom note, and a victim-specific extension for encrypted files. Babuk’s operators also use the RaaS model. Before infection, the affiliate or operator compromises the target network so that they can determine how to install the ransomware most effectively and assess the sensitive data in order to set the highest realistic extortion price for the victim. The team behind Babuk defines its group as CyberPunks that “randomly test corporate network security” using RDP as an infection vector. The gang hands 80 percent of the ransom to its affiliates.
Example of an ad served by Babuk
Babuk advertises on hacker forums in Russian and English. Beginning in January 2021, an announcement about the new ransomware Babuk appeared on a forum, and subsequent posts focused on updates and membership recruitment.
Babuk’s statement to the press explains their strategy and victim choice
Babuk’s whitelist prevents targeting of the following countries: China, Vietnam, Cyprus, Russia and other CIS countries. The operators also prohibit attacks on hospitals, nonprofit charities and companies with annual revenue of less than $30 million according to ZoomInfo. To join the affiliate program, partners must pass an interview on the Hyper-V and ESXi hypervisors.
Babuk may be the first ransomware gang to make headlines for publicly declaring its negative attitude towards the LGBT and BLM (Black Lives Matter) communities. It is because of this that the organization excluded these communities from its whitelist. But in a post on the Babuk data leak website about the results of two months of work, the gang reported that it had whitelisted LGBT and BLM foundations and charities.
Regarding the encryption algorithm, Babuk uses a symmetric algorithm combined with Elliptic Curve Diffie-Hellman (ECDH). After successful encryption, the malware adds “How To Restore Your Files.txt” to each processed directory. In addition to the text, the ransom note also contains a list of links to screenshots of some of the stolen data. This proves that the malware sample was built after the victim’s data had already been stolen. As mentioned above, each sample is tailored to a specific target.
In the ransom note, the gang also advises victims to use its private chat portal to negotiate. These steps are not unique to Babuk, but are common in Big Game Hunting in general. Notably, the text of the ransom note also contains a private link to a related post on the onion data leak site, which is not accessible from the site’s home page. The post contains screenshots, textual descriptions of the stolen file types, and general threats against the victim. If the victim decides not to negotiate with the cybercriminals, the link to this post is made public.
The group behind Babuk locker targets large industrial groups in Europe, the US and Oceania. Target industries include, but are not limited to, transportation services, the healthcare sector, and various industrial equipment suppliers. In fact, recent cases suggest that Babuk operators are expanding their targeting. On April 26, the Washington, D.C. Police Department confirmed that its network had been breached, and Babuk’s operators claimed responsibility for the incident and announced the attack on their own onion data leak website.
Babuk announces a successful attack on the DC Police Department
According to a post on the site, the gang stole more than 250GB of data from the Washington, D.C. Police Department’s network. As of this writing, the police department has three days to negotiate with the attackers; otherwise, the group will begin leaking the data to criminal gangs. Babuk also warned that it will continue to attack the US state sector.
Screenshots of documents stolen by Babuk from the DC Police Department network, posted on the leak website
On April 23, 2021, we published ransomware statistics showing a significant drop in the number of users exposed to this threat. These numbers should not be misinterpreted: while it is true that random individuals are less likely to suffer from ransomware than in the past, the risk to companies has never been higher.
Always eager to maximize profits, the ransomware ecosystem has grown and can now be seen as a systemic threat to companies worldwide.
There was a time when SMBs could mostly ignore the challenges posed by information security: they were small enough to go unnoticed by APT attackers, yet large enough to be resilient to random, generic attacks. Those days are over, and now all companies must be prepared to guard against criminal gangs.
Thankfully, such attackers usually go for the low-hanging fruit, and having the proper security measures in place can go a long way.
On May 12, Anti-Ransomware Day, Kaspersky encourages organizations to follow these best practices to protect themselves from ransomware:
· Update the software on all devices frequently to prevent attackers from exploiting vulnerabilities to infiltrate your network.
· Focus your defense strategy on detecting lateral movement and data exfiltration. Pay special attention to outgoing traffic to detect cybercriminal connections. Set up offline backups that intruders cannot tamper with, and ensure they can be quickly accessed in an emergency.
· Train your employees to protect the company environment. Specialized training courses can help.
· Conduct a cybersecurity audit of the network and remediate any vulnerabilities discovered externally or internally.
· Enable ransomware protection on all endpoints.
· Install anti-APT and EDR solutions for advanced threat discovery and detection, investigation and timely remediation of incidents.
· If you become a victim, never pay the ransom. It does not guarantee that you will get your data back, but it will encourage criminals to continue their activities. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the internet, for example at https://www.nomoreransom.org/en/index.html