Conti! Small in name, blazing in threat activity

A lesser-known ransomware strain known as Conti is using up to 32 simultaneous CPU threads to encrypt files on infected computers for blazing-fast encryption speeds.

Conti is just the latest in a long string of ransomware strains that have been spotted this year. Just like most ransomware families today, Conti was designed to be directly controlled by an adversary, rather than execute automatically by itself.

These types of ransomware strains are also known as “human-operated ransomware,” and they’re designed to be deployed during targeted intrusions inside large corporate or government networks.

This isn’t entirely unique. Other ransomware strains also support multi-threaded operations, running multiple concurrent computations on the CPU to gain speed during their execution and allow the encryption process to finish faster before the file-locking operation is detected and stopped by AV solutions.

Other ransomware strains seen using multiple CPU threads include the likes of REvil (Sodinokibi), LockBit, Rapid, Thanos, Phobos, LockerGoga, and MegaCortex — just to name a few.

Conti stood out because of the large number of concurrent threads it utilized — namely, 32 — which resulted “in faster encryption compared to many other families.”

Tricky network-only encryption mode
However, this was not the only unique detail Carbon Black observed in Conti. The second was fine-grained control over the ransomware’s encryption targets via a command-line client.

The ransomware can be configured to skip encrypting files on the local drives and encrypt only data on networked SMB shares, simply by feeding the ransomware’s binary a list of IP addresses on the command line.

“A successful attack may have destruction that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment.

“This also has the effect of reducing the overall ‘noise’ of a ransomware attack where hundreds of systems immediately start showing signs of infection. Instead, the encryption may not even be noticeable for days, or weeks, later once the data is accessed by a user,” Baskin said.

The behavior might also confuse security teams performing incident response, who may be unable to pinpoint the point of entry into the network without a full audit of all systems, allowing the attackers to linger hidden on a single machine inside the victim’s network.

Conti abuses the Windows Restart Manager
The third unique technique spotted in the Conti code is its abuse of Windows Restart Manager — the Windows component that unlocks files before performing an OS restart.

Most sophisticated ransomware to date in 2020

As interconnectivity turns the world into a global village, cyberattacks are expectedly on the rise. According to reports, the tail end of last year saw a spike in the average amount of payments made to ransomware attackers, as several organizations were forced to pay millions of dollars to have their files released by malware attackers.

These attempted attacks are just the most recent examples of the escalating threat of ransomware attacks. Below are some of the most malicious ransomware demanding payment in crypto.

WastedLocker

WastedLocker is the latest ransomware created by Evil Corp, a group that has been active since 2007 and is regarded as one of the most lethal cybercrime teams. After the indictment of two alleged members of the group, Igor Turashev and Maksim Yakubets, in connection to the Bugat/Dridex and Zeus banking trojans, Evil Corp reportedly reduced its activity.

By disabling and disrupting backup applications, database services and cloud environments, WastedLocker prevents its victims’ ability to recover their files for a longer period of time, even if there is an offline backup setup. In cases where a company lacks offline backup systems, recovery can be prevented indefinitely.

DoppelPaymer

DoppelPaymer is ransomware designed to encrypt the files of its target, preventing the victim from accessing those files and subsequently encouraging the victim to pay a ransom to decrypt them. Used by an eCrime group called INDRIK SPIDER, the DoppelPaymer malware is a form of BitPaymer ransomware and was first discovered in 2019 by the endpoint-protection company CrowdStrike.

Recently, the ransomware was used in an attack against the City of Torrance in California. More than 200 GB of data was stolen, with the attackers demanding 100 Bitcoin in ransom.

Dridex

According to a report by cybersecurity provider Check Point, the Dridex malware entered the top-10 list of malware for the first time in March 2020, after an initial appearance in 2011. The malware, also known as Bugat and Cridex, specializes in stealing bank credentials using Microsoft Word macros.

However, new variants of the malware go beyond Microsoft Word and now target the entire Windows platform. Researchers note that the malware can be lucrative for criminals thanks to its sophistication, and is now being used as a ransomware downloader.

Ryuk

Another malware that has resurfaced as a result of the coronavirus pandemic is the Ryuk ransomware, which is known for targeting hospitals and is still being used against them. Like most cyberattacks, Ryuk is distributed via spam emails or geo-based download functions.

REvil

As the ransomware landscape continues to be overcrowded by novel malicious solutions, cybercriminal groups such as the REvil (Sodinokibi) ransomware gang have seemingly evolved with the times with increased sophistication of their operation. The REvil gang operates as a RaaS (Ransomware-as-a-Service) and creates malware strains that it sells to other criminal groups.

Recently, the notorious REvil ransomware gang launched an auction to sell off stolen data from companies unable to pay the ransom with prices starting at $50,000 payable in Monero (XMR). Out of privacy concerns, the REvil gang switched from demanding payment in Bitcoin to Monero, a privacy-centric cryptocurrency.

As one of the most active and aggressive ransomware operators, the REvil gang is primarily targeting corporations, encrypting their files and asking for astronomical fees.

PonyFinal

Microsoft’s security team revealed in a series of tweets information regarding a new ransomware called “Pony Final,” which uses brute force to get access to its target network infrastructure to deploy ransomware.

Unlike most malware that use phishing links and emails to trick the user into launching the payload, PonyFinal is distributed using a combination of a Java Runtime Environment and MSI files that deliver malware with a payloader that is activated manually by the attacker. Like Ryuk, PonyFinal is mainly being used to attack healthcare institutions amid the COVID-19 crisis.

Maze

This particular strain has been wreaking havoc in leading conglomerates, taking down services one by one. Its strength lies in remaining dormant for a long period and striking at the right time: payload downloader, lateral movement, data exfiltration, encryption. It’s a chain reaction.

Declining payouts

Despite the overall increase in the number of cyberattacks, experts believe there is a decrease in the number of successful attacks, since for most corporations a ransomware attack amid a global pandemic is proving to be the final blow, leaving them unable to pay the ransom.

“It’s very obvious to ransomware attackers that they’ve got a potentially valuable target when they hit a corporate endpoint. It may however be less obvious when they hit a personal device that an employee is using while working remotely, and which is only connected to corporate resources on an intermittent basis.”

Try2Cry: making victims cry 😢

A new ransomware has come into the limelight that tries to worm its way onto other Windows computers by infecting USB flash drives and using Windows shortcuts (LNK files) posing as the target’s own files to tempt them into infecting themselves.

The Try2Cry ransomware was discovered by Karsten Hahn (malware analyst at G DATA) when a detection signature designed to spot USB worm components was triggered while he was analyzing an unidentified malware sample. Try2Cry is .NET ransomware and another variant of the open-source “Stupid” ransomware family.

Ten other Try2Cry ransomware samples were found by the researcher on VirusTotal while hunting for a variant that wasn’t obfuscated, to make analysis easier; some of them also lacked the worm component.

Decryptable ransomware with a failsafe
After infecting a device, Try2Cry ransomware encrypts .doc, .jpg, .ppt, .xls, .docx, .pdf, .pptx, .xls, and .xlsx files, appending a .Try2Cry extension to all encrypted files. The victims’ files are encrypted using the Rijndael symmetric-key encryption algorithm and a hardcoded encryption key.

The encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash. The IV is created almost identically, but it uses the next 16 bits (indices 32-47) of the same SHA512 hash.
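The derivation above is what makes the sample decryptable: key and IV depend only on a fixed password, so anyone holding the sample can rebuild both. The following Go program is an added example (not G DATA’s code and not the malware’s) that reproduces the derivation and the matching decryptor. It assumes the .NET RijndaelManaged defaults (128-bit block, CBC mode, PKCS7 padding), which makes the cipher AES-256-CBC, and it uses a constructed placeholder password because the real one is not given here. The write-up says “bits”, but a 32-bit Rijndael key is impossible and the index range 32-47 only makes sense in bytes, so the code slices bytes. The encrypt routine exists only to produce a test input for the decryptor.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"errors"
	"fmt"
)

// HardcodedPassword stands in for the fixed password embedded in the sample.
// The real value is not on the page; this is a constructed placeholder.
const HardcodedPassword = "PLACEHOLDER-not-the-real-Try2Cry-password"

// DeriveKeyIV follows the described scheme: SHA-512 of the password, first
// 32 bytes as key, next 16 bytes (indices 32-47) as IV. Bytes, not bits,
// are assumed (see lead-in).
func DeriveKeyIV(password string) (key, iv []byte) {
	sum := sha512.Sum512([]byte(password))
	return sum[0:32], sum[32:48]
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptSample mimics a RijndaelManaged caller with default settings
// (AES-256-CBC, PKCS7); it only builds a test input for Decrypt.
func EncryptSample(plaintext []byte, password string) ([]byte, error) {
	key, iv := DeriveKeyIV(password)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// Decrypt recovers the plaintext of a .Try2Cry-style file; nothing beyond
// the fixed password is needed, which is why a free decryptor is possible.
func Decrypt(ciphertext []byte, password string) ([]byte, error) {
	key, iv := DeriveKeyIV(password)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

func main() {
	doc := []byte("constructed sample document contents")
	ct, err := EncryptSample(doc, HardcodedPassword)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(ct, HardcodedPassword)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", bytes.Equal(doc, pt))
}
```

A real decryptor would read each .Try2Cry file, call Decrypt, and write the result under the original name; the padding and length checks are there so a truncated or tampered file produces an error rather than silent garbage.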

Try2Cry’s developer has also included a failsafe within the ransomware’s code that skips encryption on any infected system whose machine name is DESKTOP-PQ6NSM4 or IK-PC2. This is most probably a safeguard that lets the malware’s creator test the ransomware on his own devices without inadvertently locking his own files.

Worming its way through USB devices
The most interesting feature of Try2Cry is its capability to infect, and attempt to spread to, other potential victims’ devices via USB flash drives. Try2Cry first looks for any removable devices, such as pen drives and hard drives, connected to the compromised computer and sends a copy of itself named Update.exe to the root folder of each USB device it finds.

Next, it hides all files on the removable device and replaces them with Windows shortcuts (LNK files) carrying the same icon. When the victim clicks one of these shortcuts, it opens the original file and also launches the Update.exe Try2Cry ransomware payload in the background.

This ransomware also creates visible copies of itself on the USB drives, using the default Windows folder icon and Arabic names, in the hope that curious victims will click on them and infect themselves. Try2Cry’s shortcuts also feature the arrows on the side of the shortcut icons, which makes them a lot easier to spot after a USB flash drive has been infected.

Try2Cry ransomware is also decryptable, a sure sign that it was also created by someone with very little programming experience.

Ransomware Cross Section!

Ransomware isn’t a new phenomenon, but its effects are starting to be felt more widely, and more deeply, than ever before. Behemoths like CTS, LG, XEROX, INDIA BULLS, Australian Toll Group, MITSUBISHI and HONDA have all been hit recently, and the list is growing.

Most of the companies infected were running up-to-date endpoint protection, which tells us that the problem lies elsewhere. Human error, weak passwords, and lax authentication protocols all contribute to higher risk.

Let’s walk through a typical ransomware attack to understand how attackers gain access to your company’s most valuable asset: unstructured data.

Step 1: Identify a vulnerable network, using sophisticated tools to detect and probe networks for lax security protocols, unpatched software, or single-factor authentication.

Step 2: Scrape user passwords off the dark web. There are billions available.

Step 3: Use a third-party site to verify the stolen password. Check against data on a common social media site such as LinkedIn.

Step 4: Obfuscate their location by logging in via 50+ worldwide proxies.

Step 5: Pull down your proprietary data, encrypt it, and spread it across the blockchain in data centers across the globe.

Step 6: Demand thousands of dollars for the safe return of your data and cripple your day-to-day operations in the meantime.

This whole process can happen right under your nose. If you decide not to pay, your data may disappear forever. If you don’t take steps to address the underlying vulnerability, it can keep happening over and over.

There are some common-sense approaches to data governance that can help keep data from being hijacked.

First, strong passwords are the first line of defense. Two-factor authentication and a good password manager should be the default posture of every organization.

Second, basic data hygiene and consistent permissions monitoring can limit which data is accessible to a bad actor who logs on with valid credentials.

Third, you must be able to monitor accounts for unusual behavior. When users are suddenly accessing massive amounts of data or downloading hundreds of files at a time, admins need to know.

Finally, ransomware detection should be part of the security posture. This includes scanning unstructured data for suspicious or altered file extensions, known ransomware signatures, and detection of “ransom note” content inside the repository.
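The two detection points above, unusual mass file access and suspicious extensions or ransom-note content, can be checked mechanically against a file-server audit log. The Go program below is an added example, not code from the original post or from any product; its log format, thresholds and sample events are constructed. It pairs a sliding-window counter per user with an extension and content scan, using the .Try2Cry extension mentioned earlier as the one known encrypted-file suffix.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// FileEvent is one record from a file-server audit log (constructed format).
type FileEvent struct {
	When time.Time
	User string
	Op   string // "read" or "write"
	Path string
	Text string // leading bytes of a written text file, if captured
}

// Alert is what the two detectors below emit.
type Alert struct{ Kind, User, Detail string }

// Assumed thresholds; tune per environment.
const (
	MassAccessWindow = 5 * time.Minute
	MassAccessCount  = 100
)

// Extensions appended to encrypted files; .Try2Cry comes from the write-up.
var RansomExtensions = map[string]bool{".try2cry": true}

// Phrases a ransom note typically contains; two hits count as a note.
var RansomNotePhrases = []string{"your files have been encrypted", "bitcoin", "decrypt"}

// MassAccessAlerts flags any user with MassAccessCount or more file
// operations inside any sliding window of MassAccessWindow.
func MassAccessAlerts(events []FileEvent) []Alert {
	byUser := map[string][]time.Time{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e.When)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	var alerts []Alert
	for _, u := range users {
		ts := byUser[u]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start, best := 0, 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > MassAccessWindow {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= MassAccessCount {
			alerts = append(alerts, Alert{"mass-access", u,
				fmt.Sprintf("%d file operations within %s", best, MassAccessWindow)})
		}
	}
	return alerts
}

// ContentAlerts flags ransomware-style extensions and ransom-note content.
func ContentAlerts(events []FileEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		if RansomExtensions[strings.ToLower(filepath.Ext(e.Path))] {
			alerts = append(alerts, Alert{"ransom-extension", e.User, e.Path})
		}
		if e.Op == "write" && LooksLikeRansomNote(e.Text) {
			alerts = append(alerts, Alert{"ransom-note", e.User, e.Path})
		}
	}
	return alerts
}

// LooksLikeRansomNote returns true when at least two note phrases occur.
func LooksLikeRansomNote(text string) bool {
	t, hits := strings.ToLower(text), 0
	for _, p := range RansomNotePhrases {
		if strings.Contains(t, p) {
			hits++
		}
	}
	return hits >= 2
}

// SampleEvents builds a constructed log: alice reads three files over twenty
// minutes; bob rewrites 120 documents with a .Try2Cry suffix in two minutes
// and then drops a note.
func SampleEvents() []FileEvent {
	base := time.Date(2020, 7, 1, 9, 0, 0, 0, time.UTC)
	var ev []FileEvent
	for i := 0; i < 3; i++ {
		ev = append(ev, FileEvent{base.Add(time.Duration(i) * 10 * time.Minute), "alice", "read",
			fmt.Sprintf("/shares/finance/report%d.xlsx", i), ""})
	}
	for i := 0; i < 120; i++ {
		ev = append(ev, FileEvent{base.Add(time.Duration(i) * time.Second), "bob", "write",
			fmt.Sprintf("/shares/finance/doc%03d.docx.Try2Cry", i), ""})
	}
	ev = append(ev, FileEvent{base.Add(2 * time.Minute), "bob", "write", "/shares/finance/README.txt",
		"Your files have been encrypted. Send 0.1 bitcoin to decrypt them."})
	return ev
}

func main() {
	ev := SampleEvents()
	counts := map[string]int{}
	for _, a := range append(MassAccessAlerts(ev), ContentAlerts(ev)...) {
		counts[a.Kind]++
	}
	fmt.Println(counts) // map[mass-access:1 ransom-extension:120 ransom-note:1]
}
```

The mass-access detector fires on bob but not on alice because only bob’s operations cluster inside a five-minute window; in practice the thresholds should be set from a baseline of normal per-user activity, and the extension list extended from current threat intelligence.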