Over the past year, we have seen many different types of ransomware attacks evolving, especially evolving into multistage ransomware that not only ransoms data, but also exfiltrates as much data as possible. Below is a brief overview of three of the most common modern ransomware attacks we are seeing today.
The Cybereason Nocturnus team researched a campaign that used a multi-stage attack to stealthily deliver the Ryuk ransomware. This spanned from Emotet’s delivery of TrickBot, to TrickBot’s information stealing capabilities, lateral movement, and use as a downloader for Ryuk, and finally to Ryuk’s ransomware capabilities. With Ryuk, the attacker is able to encrypt data on the machine and ransom it back to the victim, with the potential to cost victims significant sums of money due to downtime, recovery costs, and damage to reputation.
Takeaway: Many companies impacted by Ryuk aren’t just hit by ransomware, but also additional malware that collects credentials and persists on the network. This is further confirmation that ransomware attacks are evolving to damage organizations as much as possible.
The Cybereason Nocturnus team dissected a campaign to deliver the GandCrab ransomware to an international company based in Japan. GandCrab was one of the most prevalent ransomwares in the threat landscape and was constantly evolving and perfecting its delivery methods to evade detection.
Bitdefender estimates that GandCrab is responsible for 40% of all ransomware infections globally, which demonstrates exactly how effective it has become. The authors are known to iteratively and quickly update GandCrab with stealthy new delivery mechanisms and other adaptations.
Takeaway: Before being retired, GandCrab was continuously evolving and had many variants. The only way to reliably prevent this ransomware is through security tools that can identify and correlate behaviors, and not just use signature-based prevention.
The Cybereason Nocturnus team analyzed Sobinokibi, a highly evasive ransomware that takes many measures to prevent its detection by antivirus and other means. The authors of Sodinokibi have previously been connected to the same authors of the prolific GandCrab ransomware, which was recently retired.
When Sodinokibi first emerged, it exploited vulnerabilities in servers and other critical assets. As time went by, it also leveraged other infection vectors such as phishing and exploit kits.
There were several instances where the Sodinokibi ransomware purposefully searched for an AV made by South Korean security vendor Ahnlab in an attempt to inject its malicious payload into the trusted AV vendor.
Takeaway: Sodinokibi is another ransomware that uses a suite of tricks, including obfuscated PowerShell commands, to evade existing defenses. This highlights the need to have comprehensive prevention and detection on the endpoint.
Check out our latest whitepaper, Ransomware Decoded, for a glimpse of what modern ransomware looks like and how they're evading legacy prevention solutions.
Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.
All Posts by Cybereason Team
LockBit 2.0 ransomware attackers are constantly evolving and making detection, investigation, and prevention more complex by disabling EDR and other security products and deleting the evidence to stifle forensics attempts...
There have been over 200 ransomware attacks that have made headlines in 2021 so far - to understand how we got here, let's look at how the ransomware threat has evolved over the years...
