New Ransomware Formats Double

Uploaded on 2019-09-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

The number of new ransomware samples more than doubled in the first quarter of this year, a new study shows. Cyber criminals are still using spear-phishing tactics, but an increasing number of attacks are gaining access to a company that has open and exposed remote access points and these are being used as methods for ransomware. 

The report from McAfee shows cyber attacks leveraging the file-locking malware have more than doubled this year with hackers modifying attack methods for more lucrative payouts.

Now they have reported that new ransomware increased by 118%, while the most prevalent strains were Dharma (aka Crysis), which has been in operation since 2016 with new versions, GandCrab, which uses AES encryption and puts a file labeled GrandCrab.exe on to the hacked system and Ryuk, which is probably a cyber-crime operation.

GandCrab and Ryuk are using mostly spear-phishing as a distribution mechanism, whereas Dharma is used in Remote Desktop Protocal (RDP) attacks. 

They have also now recorded an average of 504 new threats per minute in Q1 2019, and a resurgence of ransomware along with changes in campaign execution and code. 

More than 2.2 billion stolen account credentials were made available on the cyber-criminal underground over the course of the quarter. Sixty-eight percent of targeted attacks utilised spear-phishing for initial access, 77% relied upon user actions for campaign execution.

“The impact of these threats is very real,” said Raj Samani, McAfee fellow and chief scientist. “It’s important to recognise that the numbers, highlighting increases or decreases of certain types of attacks, only tell a fraction of the story.....Every infection is another business dealing with outages, or a consumer facing major fraud. We must not forget for every cyber-attack, there is a human cost.”

Ransomware Resurgence 
McAfee Advanced Threat Research (ATR) observed innovations in ransomware campaigns, with shifts in initial access vectors, campaign management and technical innovations in the code.

While spear phishing remained popular, ransomware attacks increasingly targeted exposed remote access points, such as Remote Desktop Protocol (RDP); these credentials can be cracked through a brute-force attack or bought on the cyber-criminal underground. RDP credentials can be used to gain admin privileges, granting full rights to distribute and execute malware on corporate networks.

McAfee researchers also observed actors behind ransomware attacks using anonymous email services to manage their campaigns versus the traditional approach of setting up command-and-control (C2) servers. Authorities and private partners often hunt for C2 servers to obtain decryption keys and create evasion tools. Thus, the use of email services is perceived by threat actors to be a more anonymous method of conducting criminal business.

In addition to  Dharma (also known as Crysis), GandCrab and Ryuk, other notable ransomware families of the quarter include Anatova, which was exposed by McAfee Advanced Threat Research before it had the opportunity to spread broadly and Scarab, a persistent and prevalent ransomware family with regularly discovered new variants. 

“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach,” said Christiaan Beek, McAfee lead scientist and senior principal engineer.....Paying ransoms supports cyber-criminal businesses and perpetuates attacks. There are other options available to victims of ransomware. Decryption tools and campaign information are available through tools such as the No More Ransom project.”

Q1 2019 Threats Activity

  • Attack Vectors. Malware led disclosed attack vectors, followed by account hijacking and targeted attacks.
  • Crypto-Mining. New coin mining malware increased 29%. McAfee ATR observed CookieMiner malware targeting Apple users, attempting to obtain bitcoin wallets credentials. As a by-product, the malware also gained access to passwords and browsing data. Total coin mining malware samples grew 414% over the past four quarters.
  • Fileless Malware. New JavaScript malware declined 13%, while total malware grew 62% over the past four quarters. New PowerShell malware increased 460% due to the use of down-loader scripts. Total malware grew 76% over the past four quarters.
  • IoT. Cybercriminals continued to leverage lax security in IoT devices. New malware samples increased 10%; total IoT malware grew 154% over the past four quarters.
  • Malware Overall. New malware samples increased by 35%. New Mac OS malware samples declined by 33%.
  • Mobile malware. New mobile malware samples decreased 15%, total malware grew 29% over the past four quarters.
  • Security Incidents. McAfee Labs counted 412 publicly disclosed security incidents, an increase of 20% from Q4. Thirty-two percent of all publicly disclosed security incidents took place in the Americas, followed by 13% in Europe and 13% in Asia-Pacific.
  • Regional Targets. Disclosed incidents targeting the Asia-Pacific region increased 126%, Americas declined nearly 3% and Europe decreased nearly 2%.
  • Vertical Industry Activity. Disclosed incidents impacting individuals spiked 78%, education sector increased 50%, healthcare increased 18%, public sector decreased 10%, and financial sector increased 89%.
  • Targeted Attacks. McAfee identified a high number of campaigns that effectively minimised the data reconnaissance required to successfully execute attacks. 

Actors primarily focused on large organisations in the Government/Administration sector, followed by Finance, Chemical, Defense, and Education sectors. Initial access was gained by spear-phishing in 68% of attacks and 77% relied upon specific user actions for attack execution.

  • Underground. More than 2.2 billion stolen account credentials were made available on the cyber-criminal underground over the course of the quarter. 

The largest dark market, Dream Market, announced its plan to close, citing a large number of DDoS attacks. Law enforcement successfully seized and closed operations of xDedic, one of the largest RDP shops reportedly selling access to approximately 70,000 hacked machines.

McAfee:    HelpNetSecurity:     Oodaloop      HealthITSecurity:     BusinessWire

You Might Also Read:

The Top 5 Malware Attack Types:

Ransomware & Malware Make Way For New Attack Vectors:

 

 

« Cyber War In The Middle East Is Escalating
UK Cyber Crime Is Increasing In 2019 »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The Networking People (TNP)

The Networking People (TNP)

TNP supplies independent advice allowing large organisations to design, build and operate their own networks independently of the established telecoms companies.

Tufin

Tufin

Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment.

SecuriThings

SecuriThings

SecuriThings is a User and Entity Behavioral Analytics (UEBA) solution for IoT security.

CyberOne

CyberOne

CyberOne (formerly Comtact) offer a full stack cybersecurity service to ensure our customers understand the cyber maturity of their organisation.

Swiss Cyber Storm

Swiss Cyber Storm

Swiss Cyber Storm is a non profit organization hosting the international Swiss Cyber Storm Conference and running the Swiss part of the European Cyber Security Challenges.

Science Applications International Corporation (SAIC)

Science Applications International Corporation (SAIC)

SAIC is a premier technology integrator in the technical, engineering, intelligence, and enterprise information technology markets. Services and solutions include Cybersecurity.

Hypersecu Information Systems

Hypersecu Information Systems

Hypersecu Information Systems, Inc. is a solution provider dedicated to multi-factor authentication, public key infrastructure and software copyright protection.

Open Cloud Factory

Open Cloud Factory

Open Cloud Factory is a European based security company, that strives to ease the pressure on IT managers, by providing tools to implement your Security Strategy in an effective and easy manner.

ACROS Security

ACROS Security

ACROS Security is a leading provider of security research, real penetration testing and code review for customers with the highest security requirements.

American Cybersecurity Institute

American Cybersecurity Institute

American cybersecurity Institute is a newly formed not-for-profit organization dedicated to education, advocacy, study and analysis in the space of cybersecurity law and policy.

Q-Net Security

Q-Net Security

Protect your critical networks. Q-Net Security make hardware that provides the strongest drop-in security for your existing critical infrastructure.

LTIMindtree

LTIMindtree

LTIMindtree is a new kind of technology consulting firm. We help businesses transform – from core to experience – to thrive in the marketplace of the future.

Gula Tech Adventures

Gula Tech Adventures

Gula Tech Adventures invests in companies and nonprofits that help close the gap in needed technology and workforce to defend the country in cyberspace.

Chartered Institute of Information Security (CIISec)

Chartered Institute of Information Security (CIISec)

CIISec is dedicated to helping individuals and organisations develop capability and competency in cyber security.

CybersCool Defcon

CybersCool Defcon

CybersCool is committed to educate and train, re-skill and up-skill the current workforce of various industries and businesses in the knowledge and know-how of cybersecurity.

SGS Brightsight

SGS Brightsight

SGS Brightsight is the largest independent security evaluation lab in the world, with ten recognised labs worldwide.