Security Week 20: Ransomware Myths

On May 12, Kaspersky Lab experts published a large report on the evolution of attacks that encrypt data and then extort a ransom. The article focuses primarily on how this criminal business is organized and examines attacks on large companies. One of the clear trends of the year was "big game hunting" by criminal gangs, that is, going after relatively large organizations capable of paying a substantial ransom in cryptocurrency. The report comes amid daily news of attacks on businesses, including high-profile events such as the attack on Colonial Pipeline.



The most important thing to know about such groups is that they are complex ecosystems and do not operate as single autonomous units. The threat cannot be eliminated even if the organizers of one particular campaign are found and arrested. The ecosystem will stop working only when it loses its income, that is, when victims stop paying the ransom. The study gives examples of how new participants are recruited and identifies the typical roles: sellers of credentials, malware developers, and analysts responsible for laundering cryptocurrency.



The most relevant myth refuted in the article is the assertion that the targets of attacks are chosen in advance. In fact, they are found opportunistically. Most often, botnet owners and brokers selling access to compromised computers and servers post information about potential victims, and targets are selected "based on availability." There is an important recommendation for IT security personnel here: individual incidents involving penetration of the protected perimeter or a malware infection need to be detected promptly. There may be a time lag between this first warning sign and a full-scale attack, and that window can be used to avoid serious consequences.



The study details the activities of two large ransomware groups, REvil and Babuk. Among other things, it notes more aggressive pressure on potential victims to make them pay the ransom faster. For this purpose, websites with samples of stolen data are set up on the darknet, and information about leaks is "leaked" to the media. At the same time, victim support is being improved to smooth the "customer experience": for example, a separate chat is created for communicating with the extortionists. An earlier publication by Kaspersky Lab experts on the topic of "custom" ransomware noted a decrease in the number of large-scale attacks. The new report shows where the attention of cybercriminals has shifted and details the transformation of criminal operations into a complex, branching business.



What else happened



The attack on the operator of the Colonial Pipeline in the United States caused a brief interruption in the supply of petroleum products on the country's east coast, sparked panic at gas stations, and is likely to lead to further changes in measures to combat cybercrime. There were many publications about this attack last week, but not all of the information has been confirmed. Here are the most interesting articles:



  • An analysis by Brian Krebs of the DarkSide group that claimed responsibility for the attack. Earlier on Twitter, half-jokingly, he pointed out a well-known fact about malicious encryption programs with Russian-speaking roots: they avoid systems with a Cyrillic keyboard layout.




Localization was also noted in the Kaspersky Lab report, but in a different context: Russian-speaking organizers of attacks try not to work with English-speaking partners, fearing counter-attacks or information leaks. In one example, local folklore is suggested as a language proficiency test.



  • An analysis of the technical features of the malware used by DarkSide in previous attacks.


  • Officially unconfirmed information according to which Colonial Pipeline paid the extortionists $5 million. It is also claimed that the organizers of the attack lost access to their infrastructure, as well as to their crypto wallets.
  • An analysis of the movement of funds in Bitcoin wallets presumably belonging to DarkSide.


Apart from this incident, ordinary infosec life goes on as usual. The big event was a study of vulnerabilities in Wi-Fi devices and in the Wi-Fi protocol itself. The collection of attacks known as FragAttacks (project site, discussion on Habr) exploits vulnerabilities that do not depend on the type of encryption used (up to and including WPA3) and can be used to steal data or redirect the user to malicious resources.



Swedish researcher Pontus Johnson found a vulnerability in the concept of a universal Turing machine proposed back in 1967 (article in The Register, research paper). In this purely theoretical exercise, a way was found to run arbitrary code. The cause: a lack of input validation.



A method has been proposed for transferring arbitrary data to, and receiving information from, devices running iOS and macOS. It relies on a vulnerability in the Bluetooth protocol and on the features of the Find My technology used to locate lost devices.



MSI warns of fake sites distributing malware under the guise of the popular Afterburner overclocking utility.


