Group-IB specialists have published a study of the latest ransomware attack techniques. According to the experts, ransomware attacks in 2019 increased by 40% compared with the previous year, and the size of the average ransom demanded grew significantly: in just one year, the average ransom rose from $6,000 to $84,000. The stories that made media headlines also became far more dramatic. For example, Ryuk ransomware operators forced two cities in Florida to pay a total of $1,000,000. The same group attacked the city of New Bedford, Massachusetts, demanding a ransom of $5,300,000; when the city authorities could offer the attackers only $400,000, the hackers refused.
According to the Group-IB Computer Forensics Laboratory, the "greediest" ransomware families of 2019 were Ryuk, DoppelPaymer and REvil: their individual ransom demands reached $800,000.
For example, REvil operators successfully carried out a supply-chain attack by compromising the Italian version of the WinRAR website. They also attacked the network infrastructure of 22 Texas municipalities by compromising the IT companies that served them.
Experts believe that, since the tactics and tools of ransomware operators have evolved into sophisticated techniques previously characteristic mainly of APT groups, and their targets have shifted to the corporate sector, 2020 may set a new anti-record in the number of attacks and the amount of damage.
One of the most notable trends of 2019 was that many ransomware operators began exfiltrating large volumes of confidential data from the corporate networks they attacked, which, in their view, significantly increases the chances of the ransom being paid.
Thus, if the hackers' demands are not met, they retain the option of profiting by selling the confidential information on the darknet, or simply leaking it publicly. This method was used by the operators of the REvil, Maze and DoppelPaymer families, among many others.
Another common practice among cybercriminals was the use of banking trojans at the initial network compromise stage: in 2019, Group-IB experts recorded a large number of trojans used in ransomware campaigns, including Dridex, Emotet, SDBBot and Trickbot.
In 2019, most ransomware operators began using the tools that cybersecurity experts use during penetration tests. The operators of Ryuk, REvil, Maze and DoppelPaymer actively turned to tools such as Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic, which allowed them not only to conduct reconnaissance in a compromised network but also to gain a foothold in it, obtain privileged credentials and even take full control of Windows domains.
In general, experts say that last year ransomware operators reached a new level: their actions were no longer limited to file encryption. More and more attackers began offering ransomware as a service (RaaS), leasing their ransomware in exchange for a share of the ransom.
Primary attack vector
In 2019, the top three vectors of initial network compromise, from which the attacks began, were phishing messages, infection through external remote access services, primarily Remote Desktop Protocol (RDP), and drive-by attacks.
Compared with 2018, the number of accessible servers with port 3389 open only increased. The five leading countries in 2019 were China, the USA, Germany, Brazil and Russia. The rise in the number of attacks on RDP is largely due to the discovery of new vulnerabilities: CVE-2019-0708 (BlueKeep), CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226.
Phishing emails also remain one of the most common vectors of initial compromise; the Shade and Ryuk ransomware families were most often hidden in such emails. The campaigns of the financially motivated group TA505, which distributed the Clop ransomware, often began with a phishing email carrying an infected attachment that, among other things, downloaded one of the trojans (FlawedAmmyy RAT or SDBBot).
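The phishing-with-attachment vector described above is usually handled at the mail gateway. The following is an added example, not code from the article or from the Group-IB report, of the kind of attachment check a gateway can run: it flags attachments whose extension is on an assumed risky list, and attachments whose leading bytes (magic numbers) do not match what the file name claims, such as a Windows executable named as a PDF. The extension list, the magic-number table and the sample attachments are all constructed assumptions and should be tuned to a real environment.

```python
"""Added example (not from the article or the Group-IB report): a
mail-gateway style attachment check for the phishing-with-attachment
vector. It flags attachments by risky extension and by a mismatch between
the declared extension and the file's leading bytes (magic numbers)."""
from dataclasses import dataclass

# Extensions commonly abused for initial compromise (an assumed policy
# list; adjust it to your own environment).
RISKY_EXT = {"exe", "scr", "js", "jse", "vbs", "vbe", "hta", "lnk",
             "docm", "xlsm", "pptm", "iso", "img"}

# Leading bytes of a few container formats (assumed, well-known values).
MAGIC = {
    b"MZ": "pe",                                  # Windows executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy Office (.doc/.xls), may carry VBA macros
    b"PK\x03\x04": "zip",                         # ZIP, also the OOXML (.docx/.xlsx) container
    b"%PDF": "pdf",
}

# What the content should look like for a given declared extension.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "zip": "zip",
                 "doc": "ole", "xls": "ole", "exe": "pe"}


@dataclass
class Attachment:
    filename: str
    data: bytes


def sniff(data):
    """Classify content by its leading bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def assess(att):
    """Return the reasons to quarantine this attachment; empty if none."""
    reasons = []
    ext = extension(att.filename)
    if ext in RISKY_EXT:
        reasons.append(f"risky extension .{ext}")
    kind = sniff(att.data)
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != "unknown" and kind != expected:
        reasons.append(f"content is {kind} but name claims .{ext}")
    if kind == "pe" and ext != "exe":
        reasons.append("executable disguised with a non-.exe name")
    return reasons


def triage(attachments):
    """Map each attachment name to its list of quarantine reasons."""
    return {a.filename: assess(a) for a in attachments}


# Constructed sample attachments (not real malware, just headers).
SAMPLES = [
    Attachment("invoice.pdf", b"%PDF-1.7 ..."),
    Attachment("invoice_2019.docm", b"PK\x03\x04" + b"\0" * 16),
    Attachment("report.pdf", b"MZ\x90\x00" + b"\0" * 16),
    Attachment("statement.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name, "->", reasons or "ok")
```

The magic-number check is what catches the renamed executable; an extension-only policy would pass `report.pdf`. A macro-enabled document is flagged on its extension alone, because whether it actually contains a macro requires parsing the container, which this check does not attempt.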
Last year, the number of accessible servers with port 3389 open exceeded 3,000,000, most of them located in Brazil, Germany, China, Russia and the United States.
Interest in this compromise vector, which is most often used by the Dharma and Scarab operators, was fueled by the discovery of five new vulnerabilities in the remote access service, none of which, however, was successfully exploited in ransomware attacks.
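Two of the observations on this page, RDP reachable from the internet as an initial access vector and bulk data exfiltration before encryption, can both be checked from the same perimeter firewall logs. The following is an added example written for this article, not code from Group-IB or from the report, that parses constructed log lines in an assumed `key=value` format, lists internal hosts that accepted an RDP (TCP/3389) connection from outside the organisation's address space, and totals outbound bytes per host against an assumed volume threshold. The log format, the internal address ranges and the threshold are all assumptions to adapt to a real environment.

```python
"""Added example (not from the Group-IB report or the article): triage of
constructed firewall-log lines for two of the patterns the article
describes, an RDP service (TCP/3389) reachable from the internet, and a
host pushing an unusually large volume of data outbound."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines in a simple key=value format (an assumption;
# real firewalls differ, so adapt LINE_RE to your vendor's format).
SAMPLE_LOG = """\
ts=2020-03-02T08:01:10Z action=allow dir=in src=203.0.113.77 dst=10.0.5.20 dport=3389 proto=tcp bytes=4820
ts=2020-03-02T08:01:12Z action=allow dir=in src=10.0.7.3 dst=10.0.5.20 dport=3389 proto=tcp bytes=9100
ts=2020-03-02T08:03:44Z action=allow dir=out src=10.0.5.20 dst=198.51.100.9 dport=443 proto=tcp bytes=734003200
ts=2020-03-02T08:04:01Z action=allow dir=out src=10.0.5.20 dst=198.51.100.9 dport=443 proto=tcp bytes=812000000
ts=2020-03-02T08:05:30Z action=allow dir=out src=10.0.6.11 dst=198.51.100.40 dport=443 proto=tcp bytes=51200
ts=2020-03-02T08:06:02Z action=deny dir=in src=192.0.2.15 dst=10.0.5.21 dport=3389 proto=tcp bytes=0
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) action=(?P<action>\w+) dir=(?P<dir>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)"
)

# Assumed internal address space (RFC 1918); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: str
    action: str
    direction: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_log(text):
    """Parse matching lines into Flow records; lines in another format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append(Flow(d["ts"], d["action"], d["dir"], d["src"], d["dst"],
                          int(d["dport"]), d["proto"], int(d["bytes"])))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_rdp(flows):
    """Internal hosts that accepted an RDP connection from an external address."""
    return sorted({f.dst for f in flows
                   if f.direction == "in" and f.action == "allow"
                   and f.proto == "tcp" and f.dport == 3389
                   and not is_internal(f.src)})


def outbound_volume(flows):
    """Total bytes each internal host sent to external addresses."""
    totals = defaultdict(int)
    for f in flows:
        if f.direction == "out" and f.action == "allow" and not is_internal(f.dst):
            totals[f.src] += f.nbytes
    return dict(totals)


def exfil_suspects(flows, threshold_bytes=500 * 1024 * 1024):
    """Hosts whose outbound volume meets an assumed threshold (tune per environment)."""
    return sorted(h for h, n in outbound_volume(flows).items() if n >= threshold_bytes)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("RDP reachable from outside:", exposed_rdp(flows))
    print("Outbound bytes per host:", outbound_volume(flows))
    print("Possible exfiltration:", exfil_suspects(flows))
```

In the sample, the denied connection on the last line is ignored on purpose: the question is which hosts actually accept external RDP, not which were probed. The volume check is deliberately crude; in practice the threshold is set from a per-host baseline, and a spike preceding encryption activity is the signal the page's exfiltration-then-encrypt pattern predicts.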
In 2019, attackers also frequently used infected websites to deliver ransomware. Once a user landed on such a site, they were redirected to pages that attempted to compromise their device by exploiting, for example, browser vulnerabilities. The exploit kits most commonly used in such attacks were RIG EK, Fallout EK and Spelevo EK.
Some attackers, including the operators of Shade (Troldesh) and STOP, immediately encrypted the data on the initially compromised devices, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma, did not stop there: they collected information about the compromised network, moved deeper and compromised entire network infrastructures.
A complete list of the tactics, techniques and procedures mentioned in the report is given in the table below, which is built on the MITRE ATT&CK matrix, a public knowledge base of the tactics and techniques of targeted attacks used by various cybercriminal groups. They are arranged from the most popular (highlighted in red) to the least popular (highlighted in green).
“In 2019, ransomware operators significantly strengthened their positions, choosing larger targets and increasing their revenues, and there is every reason to believe that this year their results will be even more impressive. Ransomware operators will continue to expand their victim pool, focusing on large industries that have more resources to satisfy their appetites. The increased activity of ransomware operators presents businesses with a choice: either invest in your cybersecurity to make your infrastructure inaccessible to attackers, or risk facing a ransom demand for decrypting files and paying for flaws in cybersecurity,” summarizes Oleg Skulkin, leading specialist of the Group-IB Computer Forensics Laboratory.
The report also notes that, with the mass transition of employees to remote work during the COVID-19 pandemic, attackers are finding more and more new points of compromise and vulnerabilities. Exploiting publicly accessible applications and infecting employees' personal devices will become the most popular ways to gain access to internal networks, the experts say.