Over the past year, we have seen many different types of ransomware attacks evolve, especially into multistage ransomware that not only holds data for ransom but also exfiltrates as much data as possible. Below is a brief overview of three of the most common modern ransomware attacks we are seeing today.
Ryuk Ransomware (feat. Emotet & TrickBot)
The Cybereason Nocturnus team researched a campaign that used a multi-stage attack to stealthily deliver the Ryuk ransomware. This spanned from Emotet’s delivery of TrickBot, to TrickBot’s information stealing capabilities, lateral movement, and use as a downloader for Ryuk, and finally to Ryuk’s ransomware capabilities. With Ryuk, the attacker is able to encrypt data on the machine and ransom it back to the victim, with the potential to cost victims significant sums of money due to downtime, recovery costs, and damage to reputation.
Takeaway: Many companies impacted by Ryuk aren’t just hit by ransomware, but also additional malware that collects credentials and persists on the network. This is further confirmation that ransomware attacks are evolving to damage organizations as much as possible.
GandCrab Ransomware
The Cybereason Nocturnus team dissected a campaign to deliver the GandCrab ransomware to an international company based in Japan. GandCrab was one of the most prevalent ransomware families in the threat landscape and was constantly evolving and refining its delivery methods to evade detection.
Bitdefender estimates that GandCrab is responsible for 40% of all ransomware infections globally, which demonstrates exactly how effective it has become. The authors are known to iteratively and quickly update GandCrab with stealthy new delivery mechanisms and other adaptations.
Takeaway: Before being retired, GandCrab was continuously evolving and had many variants. The only way to reliably prevent this ransomware is through security tools that can identify and correlate behaviors, rather than relying on signature-based prevention alone.
Sodinokibi Ransomware
The Cybereason Nocturnus team analyzed Sodinokibi, a highly evasive ransomware that takes many measures to prevent its detection by antivirus and other means. The authors of Sodinokibi have previously been linked to the authors of the prolific GandCrab ransomware, which was recently retired.
When Sodinokibi first emerged, it exploited vulnerabilities in servers and other critical assets. As time went by, it also leveraged other infection vectors such as phishing and exploit kits.
There were several instances where the Sodinokibi ransomware purposefully searched for an AV product made by the South Korean security vendor AhnLab in an attempt to inject its malicious payload into the trusted AV vendor's process.
Takeaway: Sodinokibi is another ransomware that uses a suite of tricks, including obfuscated PowerShell commands, to evade existing defenses. This highlights the need to have comprehensive prevention and detection on the endpoint.
Check out our latest whitepaper, Ransomware Decoded, for a glimpse of what modern ransomware looks like and how it evades legacy prevention solutions.