Commodity Ransomware is Here

Paul Kurtz, TruSTAR Blog, Mar 13, 2017

Brian Krebs recently posted a blog on a slick ransomware-as-a-service interface called “Philadelphia,” which lets almost anyone launch a ransomware campaign. It’s almost as easy as ordering pizza. The criminal developers even had the heart to offer a “mercy” feature for victims who plead for access to ransomed photos of lost family and friends. Welcome to the new world of commodity malware.

We see a lot of trending campaigns on TruSTAR, and Krebs’ post supports several insights we have gleaned from analyzing incident data on our platform. We have outlined a couple of them below.

Insight #1 — The Exploit Kit Playbook: Our customers’ incident reports show (Figure 1) multiple ransomware campaigns relying on the easy-to-buy RIG exploit kit (EK), combining it with commoditized ransomware like Cerber and Locky. Check out our blog post on how analysts use TruSTAR visualizations. The playbook for creating new ransomware campaigns has been written, and campaign after campaign follows it.

Figure 1. TruSTAR Visualization Showing Multiple Campaigns Using RIG EK

Insight #2 — Block and Tackle: Blocking a specific exploit kit or ransomware software will lead to short term disruption of some campaigns but bad actors will find a different exploit kit or ransomware to weaponize and evolve into a new campaign. Figure 2 visually shows this evolution.

Figure 2. TruSTAR Visualization Showing the Shift from Angler EK to RIG EK Across Campaigns

In Figure 2 we have a slice of TruSTAR data from 2016. From January to early June, Angler was the predominant EK seen in reports submitted to TruSTAR and in the wider security community, until it was disrupted by the arrests of a criminal hacking gang in Russia. When Angler EK went down, cyber criminals began searching for a new go-to EK, and by early September 2016 RIG EK had become the predominant EK in use. The visualization also shows the connection directly: infrastructure and payload IoCs initially used with Angler EK are now being delivered by RIG EK. That is the practical lesson of “block and tackle”: a rule keyed to the exploit kit itself expires with the kit, while the shared infrastructure and payload indicators keep matching after the switch.
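The pivot described above can be reproduced without a graph UI. The following is an added example, not TruSTAR code or TruSTAR data: it takes a handful of constructed incident reports (hypothetical EK/payload/IoC combinations, with RFC 5737 documentation addresses, the reserved `.invalid` TLD and placeholder hash labels so nothing resolves to real infrastructure), indexes them by indicator, lists the indicators that persist from Angler into RIG, and measures how well a blocklist built from Angler-only indicators holds up once RIG takes over.

```python
from collections import defaultdict
from datetime import date

# Constructed sample incident reports (hypothetical; not TruSTAR data).
# Addresses come from RFC 5737 ranges, hostnames use the reserved .invalid
# TLD and the sha256 entries are labels standing in for real hashes.
REPORTS = [
    {"id": "r1", "date": date(2016, 2, 3), "ek": "Angler", "payload": "Locky",
     "iocs": {"203.0.113.10", "angler-gate.example.invalid", "sha256:locky-01"}},
    {"id": "r2", "date": date(2016, 3, 18), "ek": "Angler", "payload": "Cerber",
     "iocs": {"203.0.113.10", "203.0.113.22", "sha256:cerber-01"}},
    {"id": "r3", "date": date(2016, 5, 30), "ek": "Angler", "payload": "Locky",
     "iocs": {"angler-gate.example.invalid", "198.51.100.7", "sha256:locky-02"}},
    {"id": "r4", "date": date(2016, 7, 12), "ek": "Neutrino", "payload": "Cerber",
     "iocs": {"203.0.113.22", "neutrino-gate.example.invalid", "sha256:cerber-02"}},
    {"id": "r5", "date": date(2016, 9, 6), "ek": "RIG", "payload": "Cerber",
     "iocs": {"203.0.113.22", "rig-gate.example.invalid", "sha256:cerber-02"}},
    {"id": "r6", "date": date(2016, 9, 21), "ek": "RIG", "payload": "Locky",
     "iocs": {"198.51.100.7", "rig-gate.example.invalid", "sha256:locky-03"}},
    {"id": "r7", "date": date(2016, 10, 4), "ek": "RIG", "payload": "Cerber",
     "iocs": {"203.0.113.22", "198.51.100.7", "sha256:cerber-03"}},
]


def ioc_index(reports):
    """Map each indicator to the set of report ids it appears in."""
    index = defaultdict(set)
    for r in reports:
        for ioc in r["iocs"]:
            index[ioc].add(r["id"])
    return index


def ek_timeline(reports):
    """Per exploit kit: (first_seen, last_seen, report_count)."""
    timeline = {}
    for r in sorted(reports, key=lambda r: r["date"]):
        first, _, n = timeline.get(r["ek"], (r["date"], r["date"], 0))
        timeline[r["ek"]] = (first, r["date"], n + 1)
    return timeline


def campaigns_for(reports, ioc):
    """Every (exploit kit, payload) pairing an indicator has been seen with,
    in order of first sighting: the pivot an analyst follows in the graph."""
    seen = []
    for r in sorted(reports, key=lambda r: r["date"]):
        pair = (r["ek"], r["payload"])
        if ioc in r["iocs"] and pair not in seen:
            seen.append(pair)
    return seen


def persistent_iocs(reports, old_ek, new_ek):
    """Indicators delivered by old_ek that later show up with new_ek."""
    by_ek = defaultdict(set)
    for r in reports:
        by_ek[r["ek"]].update(r["iocs"])
    return sorted(by_ek[old_ek] & by_ek[new_ek])


def ek_only_iocs(reports, ek):
    """Indicators only ever seen with `ek` (what a kit-specific rule covers)."""
    ek_of = {r["id"]: r["ek"] for r in reports}
    return sorted(ioc for ioc, rids in ioc_index(reports).items()
                  if all(ek_of[rid] == ek for rid in rids))


def coverage(reports, blocklist, from_ek):
    """Fraction of reports from the first sighting of `from_ek` onward that
    contain at least one blocked indicator, i.e. how well a blocklist built
    before the kit switch still matches after it."""
    start = ek_timeline(reports)[from_ek][0]
    later = [r for r in reports if r["date"] >= start]
    blocked = set(blocklist)
    hits = sum(1 for r in later if r["iocs"] & blocked)
    return hits / len(later) if later else 0.0


if __name__ == "__main__":
    for ek, (first, last, n) in ek_timeline(REPORTS).items():
        print(f"{ek:9s} {first} .. {last}  reports={n}")
    for ioc in persistent_iocs(REPORTS, "Angler", "RIG"):
        print("persists Angler->RIG:", ioc, campaigns_for(REPORTS, ioc))
    print("Angler-only blocklist after RIG appears:",
          coverage(REPORTS, ek_only_iocs(REPORTS, "Angler"), "RIG"))
    print("persistent-IoC blocklist after RIG appears:",
          coverage(REPORTS, persistent_iocs(REPORTS, "Angler", "RIG"), "RIG"))
```

On this sample the Angler-only blocklist matches none of the RIG-era reports, while the two infrastructure indicators that carried over match all of them. On real exchange data treat a shared indicator as a lead rather than proof of a common operator: shared hosting, CDNs, sinkholed domains and other widely reused infrastructure produce the same overlap, so each persistent hit should be checked before it becomes a blocking rule.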

Ransomware is very serious and we don’t mean to make light of it here. Ransomware campaigns bar access to critical data but they can also be used to disrupt system operations. Recall the Hollywood Presbyterian ransomware attack just over a year ago. The attack disrupted emergency room operations and patients had to be diverted to other hospitals.

It is worth remembering what we said here last year: once one victim has been hit by a particular ransomware attack, there is no reason others must fall victim to the same attack. Krebs’ piece and our data insights underscore that commoditized ransomware campaigns will become increasingly opportunistic and less targeted. There is no need to fight alone and remain unaware of the “unknown knowns” of ransomware. Protect your company today. TruSTAR’s incident exchange can help identify trending campaigns and provide the context needed to mitigate them.

Interested in learning more about how to read TruSTAR graphs? See our blog post on how analysts use TruSTAR visualizations.
