Ransomware 101: The Most Detrimental and Widespread Cyber Security Threat ☠️ and Its New Trends in 2020 (Part 1/2)

Lindy W.
4 min read · Dec 9, 2020

What is ransomware, and why should you learn about it?

Ransomware is among the most detrimental and widespread cyber-security threats. Attackers use it to encrypt the files on a victim's device and then demand a ransom payment in exchange for decryption.

For the last few months of this year, ransomware attacks have been targeting educational institutions all over the world, while the trend of double extortion attacks has continued. Ransomware families such as Maze and Netwalker have been very active. As a user, you must stay vigilant.

In 2020, ransomware has been more active than usual.

According to research by Recorded Future (an international cyber threat intelligence company), there were 9 ransomware attacks against educational institutions in just two months, from July to September this year, 4 of them against universities [1]. Newcastle University in the UK was forced to suspend most of its IT services because of such an attack [2]. Ransomware is not limited to educational institutions, either: banks, hospitals, governments and power companies have also been major victims of these attacks.

The two major ransomware trends: how the ransomware gangs do their 'jobs'

Based on observing and researching attack tactics and malware over the past few months, in this article I would like to introduce two major trends in ransomware attack tactics: 'Double Extortion' and 'Fake Decryptor'.

📌 Double Extortion

Normally, if you perform regular backups and keep them offline, your critical data is safeguarded against ransomware: a backup that stays connected to the network can be encrypted along with everything else, but an offline copy cannot. If your system is unfortunately locked by ransomware, you can restore your data from the offline backup and resume operations.

However, ransomware gangs have started using a new tactic, called 'Double Extortion', to increase their chance of getting paid.

Before encrypting the victim's data, the attackers first exfiltrate a large quantity of sensitive information and then demand a ransom. If the victim ignores the demand, some attackers threaten to publish the stolen information on the internet to put extra pressure on the victim to pay. In other cases, instead of leaking the data, some attackers auction it off for a higher illegal return. This is what makes the tactic effective: an offline backup lets the victim restore operations, but it does nothing to stop the leak.

In the past few months there has been a rise in ransomware attacks aimed at high-profile companies that hold large amounts of sensitive data. For example, a large retail company in Hong Kong suffered a double extortion ransomware attack [3].

Two of the most active ransomware gangs using this tactic are:

1. Maze Ransomware

The first reported use of the double extortion tactic was by the Maze ransomware gang, back in November 2019. They threatened to upload 5GB of sensitive data belonging to a large American security staffing company to their dedicated data-leak site if the company did not pay. Maze is highly active and also collaborates with other ransomware gangs, such as LockBit and Ragnar Locker, by publishing data those gangs have stolen on its own leak site.

Maze attacks typically begin with phishing emails or brute-force attacks against exposed Remote Desktop services. Once they have gained initial access to the target system, the attackers use remote shells (Windows Remote Management) to weaken security controls by modifying Group Policy in Active Directory, exfiltrate sensitive data, and finally deploy the ransomware. Each of these steps leaves evidence a defender can look for: bursts of failed RDP logons from a single source, WinRM sessions from unexpected hosts, Group Policy changes, and large outbound transfers before the encryption starts.
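The first step of that chain, brute-forcing Remote Desktop, is the easiest to catch from logs. The block below is an added example (not code from the original post or from any of the groups it describes): it parses a handful of constructed lines modelled on Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon), flattened to one line per event, and flags any source address with a burst of failed RDP logons (LogonType 10), noting whether a successful RDP logon from the same source followed. The hosts, usernames and addresses are made up; the field names are the real 4625/4624 ones.

```python
"""Flag RDP brute-force attempts in Windows Security log lines.

Added example, not code from the original article or from any of the
groups it describes. The sample lines are constructed: they flatten the
fields of Windows Event ID 4625 (failed logon) and 4624 (successful
logon) into one line each, using the real field names (LogonType 10 is
RemoteInteractive, i.e. RDP) but made-up hosts, users and addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One source (203.0.113.45) sprays several usernames
# over RDP within seconds and then logs on successfully; another source
# fails twice, over an hour apart; the last line is a network (type 3) logon.
SAMPLE_LOG = """\
2020-11-02T08:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-11-02T08:00:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2020-11-02T08:00:05Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2020-11-02T08:00:07Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-11-02T08:00:09Z EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.45
2020-11-02T08:00:11Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-11-02T08:01:30Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-11-02T08:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-11-02T09:15:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-11-02T09:20:00Z EventID=4625 LogonType=3 TargetUserName=fileshare IpAddress=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Parse the flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed RDP logons inside any `window`. The alert also records whether a
    successful RDP logon from the same source followed the burst, which is
    the case that needs immediate attention."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["ltype"] != RDP_LOGON_TYPE:
            continue
        if e["event"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event"] == 4624:
            successes[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best, best_start, best_end, start = 0, 0, 0, 0
        for end in range(len(fails)):  # sliding window over the sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start, best_end = end - start + 1, start, end
        if best >= threshold:
            burst = fails[best_start:best_end + 1]
            last_fail = burst[-1]["ts"]
            alerts[ip] = {
                "failures": best,
                "first": burst[0]["ts"],
                "last": last_fail,
                "users": sorted({e["user"] for e in burst}),
                "success_after": any(t > last_fail for t in successes[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the constructed sample only 203.0.113.45 trips the rule (six failures across four usernames in ten seconds, followed by a successful logon), while the user who mistyped a password twice an hour apart does not. The threshold and window are assumptions to tune per environment; the important design choice is that a burst followed by a success is reported separately, because that is the point at which the attacker has the foothold Maze needs for the rest of the chain.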

2. REvil Ransomware

In early June, the operators behind REvil started auctioning data they claimed to have stolen from an agricultural company and threatened that more victims would suffer the same fate. This is not only an escalation in the tactics used to coerce victims into paying, but also a signal that ransomware gangs are searching for new ways to profit from their crimes. Victims may then suffer further attacks from other operators who buy the leaked data at auction; for example, those buyers can run targeted phishing campaigns against the victim using the leaked information.

📌 Fake Decryptor

Many victims whose devices have been encrypted by ransomware search online for a decryptor to recover their data. However, you should be aware of the traps waiting while you search.

A fake decryptor for the STOP Djvu ransomware [4] has recently been distributed to lure victims with the promise of free decryption. Yet the fake decryptor actually infects the system with a second ransomware, which makes the situation even worse: the original files are not recovered, and they are now encrypted a second time.

Figure 1: Fake STOP Djvu decryptor (image from https://geeksadvice.com/news)

When a victim enters their information in the decryptor (Figure 1) and clicks "Start Scan", the program extracts an executable that encrypts the data and appends the extension ".ZRB" to files on the computer. This second ransomware, Zorab, creates ransom notes named '--DECRYPT--ZORAB.txt' in each folder where files were encrypted; the note contains instructions on how to contact the ransomware operators for payment.
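The two indicators in that paragraph are enough for a quick triage check on an affected machine. The block below is an added example (not code from the original post, from Emsisoft, or from the malware authors): it walks a directory tree, reports every file carrying the ".ZRB" extension and every ransom note, and lists the original file names that a decryptor would need to restore. The tree it scans is constructed in a temporary directory with placeholder contents, so nothing here touches real data; the note name is matched as a prefix, which is an assumption made so the check still works if an extension was appended to the note itself.

```python
"""Triage a directory tree for the Zorab indicators described above.

Added example, not code from the original article, from Emsisoft or
from the ransomware authors. It relies only on the two indicators the
article gives: the ".ZRB" extension appended to encrypted files and a
ransom note named "--DECRYPT--ZORAB.txt" dropped in each affected
folder. The victim-like tree is constructed in a temporary directory
with placeholder contents, so nothing here touches real data.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ZRB"
# Matched as a prefix (assumption) so the note is still found if an
# extension was appended to it.
NOTE_PREFIX = "--DECRYPT--ZORAB.txt"


def scan_for_zorab(root):
    """Walk `root` and return the encrypted files, the ransom notes, the
    original file names that would need recovery, and an overall verdict.
    A verdict of True needs both indicators; either one alone is only a lead."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.startswith(NOTE_PREFIX):
                notes.append(path)
            elif name.upper().endswith(ENCRYPTED_EXT):  # case-insensitive match
                encrypted.append(path)

    def rel(p):
        return p.relative_to(root).as_posix()

    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "notes": sorted(rel(p) for p in notes),
        # strip the appended extension to get the name the file had before encryption
        "original_names": sorted({p.name[:-len(ENCRYPTED_EXT)] for p in encrypted}),
        "likely_infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Create a constructed victim-like tree and return its path (caller cleans up)."""
    root = Path(tempfile.mkdtemp(prefix="zorab_demo_"))
    files = {
        "Documents/report.docx.ZRB": b"\x00encrypted placeholder",
        "Documents/--DECRYPT--ZORAB.txt": b"Your files are encrypted. Contact ...",
        "Pictures/holiday.jpg.ZRB": b"\x00encrypted placeholder",
        "Pictures/--DECRYPT--ZORAB.txt": b"Your files are encrypted. Contact ...",
        "Pictures/untouched.png": b"\x89PNG placeholder",
        "Backups/notes.txt": b"plain text, never encrypted",
    }
    for relpath, data in files.items():
        target = root / relpath
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for key, value in scan_for_zorab(demo).items():
        print(f"{key}: {value}")
```

A positive result tells you which folders to isolate and which files to hand to a decryptor; it does not tell you whether the first-layer encryption by STOP Djvu is recoverable, which is a separate question. Run checks like this from a clean system mounting the affected disk read-only, not from the infected machine itself.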

The good news is that Emsisoft has released a decryptor for Zorab [5], which victims whose devices are locked by Zorab can use. Given the trap described above, download it only from Emsisoft's own site, and remember that it only removes the Zorab layer: files that were already encrypted by STOP Djvu still need a decryptor for that family.

Coming up next week... Part 2: Security Advice

The latest ransomware trends show that protecting digital assets from being compromised in the first place is the most important defence against ransomware.

In Part 2, I will summarise useful security advice for enterprises and home users: how best to prevent ransomware infection, and what measures you should take if your device or system is infected.

[1] Recorded Future, "Chart of the week: ransomware attacks on schools", https://therecord.media/chart-of-the-week-ransomware-attacks-on-schools/

[2] "DoppelPaymer ransomware hits Newcastle University, leaks data"

[3] Cyware, "Live Updates: Maze Ransomware Attacks", https://cyware.com/blog/live-updates-maze-ransomware-attacks-5bce

[4] Geek's Advice, "Remove STOP/DJVU Ransomware Virus (2020 Guide)", https://geeksadvice.com/remove-djvu-ransomware-virus/

[5] Emsisoft, Zorab decryption tool, https://www.emsisoft.com/ransomware-decryption-tools/zorab

Just a software developer's random blog, writing random tech-related articles.