Enterprise Beware: Ransomware Continues to Evolve

Ransomware Evolving

Ransomware attacks fall into two general categories – encrypting and non-encrypting.  The first type encrypts files on your hard drive and forces you to pay to have them decrypted. The non-encrypting type uses fairly simple techniques to restrict your access to files or applications, like locking you out of Windows, or keeping your Web browser from running. You are then forced to pay to have access reinstated. Within these categories are many variations and security researchers seem to encounter new, more advanced strains on a regular basis. This rapid development cycle makes it difficult for organizations to mount effective defenses, particularly if they are relying on standard, signature-based solutions.

Be Prepared for New TTPs

As with all threats, the purveyors of ransomware are hard at work developing ways to evade your security with a range of advanced tactics, techniques and procedures (TTPs). Tools such as crypters and packers are implemented to morph ransomware so it evades detection by constantly changing or obfuscating its true nature. Other ransomware exploits are designed to appear as part of normal computer operations, but when executed, they disrupt processes — terminating Windows Task Manager, Registry, System config, and more.  Still others are designed to detect virtual environments and abort execution to evade sandboxes. Attackers are also using the vast underground TOR network to communicate command and control (C&C) callbacks without generating alerts.

Starting in 2016, ransomware actors began to amplify their efforts with new features.  The prevalent Locky-type variants employ these tactics:

  • Deploying infected Microsoft macros and JavaScript file attachments
  • Using RSA and AES encryption that renames files to avoid decryption
  • Encrypting unmapped network drives connected to infected systems
  • Deleting Volume Shadow Snapshots (VSS) to make file restoration impossible
  • Using methods to hide exploits from static analysis tools and more

Ominous Ransomware Strains Have Appeared in 2016

Spurred by the lucrative results ransomware attacks achieve, as well as the speed and anonymity with which they can be launched, new variants are continuously being released.

Here are a few to watch out for:

Samas: This variant targets servers running out-of-date JBOSS systems, a software environment still running and supporting legacy applications in many businesses. This threat was considered so significant that the FBI began warning businesses about it early in 2016 after several hospitals were hit. Hackers use a software tool to automate discovery of vulnerable JBOSS systems and launch an attack that ultimately can spread to all connected computers and even impact backup files.

PowerWare: This variant uses a macro that opens Windows PowerShell, enabling it to download a malicious script without having to write files to the disk. Using this tactic, the malware can blend in with standard activity on the computer and avoid detection as it completes its mission.

Petya: While typical crypto-type malware encrypts files on the hard drive, the Petya strain encrypts the Master File Table (MFT) and the Master Boot Record (MBR), making it impossible for you to access anything on the drive.  Often it is launched with another exploit call Mischa, so that if Petya lacks the privileges necessary to gain access to the MFT or MBR, Mischa is enabled to encrypt files one by one.

Ransom32: This new strain is being sold on the Dark Web in the form of “ransomware-as-a-service,” a criminal innovation that performs like any SaaS platform, complete with a customer service department. Criminal customers enroll in the service, get access to the software and pay the ransomware developer a percentage of their take. Ransom32 is written in Javascript and has been observed using the NW.js framework to infect targets. It is cross-OS compatible, which means it may be able to infect Windows, Linux or Mac users.

KeRanger: This has been identified as the first fully functional ransomware for the OS X platform. It has been observed being delivered in a seemingly innocuous .rtf file that executes after a three-day delay and begins encrypting files. It is a particularly dangerous strain because of its far-ranging capacity to do damage.  It will not only encrypt external drives, connected network volumes and backups, its reach extends to Time Machine backups in the Time Capsule, the very systems designed to restore your files after an incident occurs.

A New Approach to Ransomware Protection is Needed

The frequency and blatant nature of ransomware attacks clearly demonstrate that these threats won’t be defeated by relying on standard security solutions alone. While deploying standard defenses such as blocking known threats, patching vulnerabilities and detecting Indicators of Compromise (IOCs) are critical first steps, a more advanced approach is required.

CrowdStrike, the leader in advanced endpoint protection, employs a powerful array of prevention and detection methods designed to stop ransomware before it can cause damage, delivered via the innovative CrowdStrike Falcon Host Platform. CrowdStrike’s unique three-pronged approach deploys multiple layers of protection that go beyond standard endpoint security, combining built-in endpoint detection and response (EDR), integrated managed hunting, and next-generation antivirus to stop ransomware and other threats — including malware-free attacks. Learn more about CrowdStrike’s unique approach to stopping ransomware by downloading a new white paper, Ransomware A Growing Enterprise Threat.

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial