This Week in Ransomware: Pseudo Ransomware Attacks Return
U.S., U.K. and Australian cybersecurity agencies are warning of sophisticated ransomware attacks.
![ransomware attack ransomware attack](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltda2c9781dc37cc6d/652436277bdf03a20e5dacb7/4-Ransomware-Computer-1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Wiperware is only ransomware in that it masquerades as such when performing a campaign against a specific target, Blumira’s Matthew Warner said.
“Ransomware and pseudo ransomware do use the same mechanisms to download and deploy their functionality against the impacted hosts, such as PowerShell, wscript and registry modifications,” he said. “The main difference is that the attackers must craft their attacks in a way that allows for maximum success in data destruction rather than trying to encrypt as much as possible while still allowing access for future decryption. Ransomware, especially ransomware as a service, often has a component of ‘customer service’ to allow for bounty payment and recovery of data, and must be built to allow this behavior by the victim.”
For wiperware, the attackers must not only ensure that they can erase data from all useful drives, but do so while their own attack persists on the host until completion, Warner said.
“In the case of the Trellix sample, the attackers maintained an open ping until they completed the deletion of all potentially useful files on the host with a final clean-up step,” he said. “While this data may be recoverable by an incident response team on a case-by-case basis, it would require significant effort and cost per machine to do so.”
Wipers are really only used in specific and targeted campaigns, Warner said.
“One of the earliest publicly known attacks was against Iranian oil companies and other targets in the Middle East in 2012,” he said. “This was attributed back to the now infamous Equation Group, which themselves were hacked in 2016, which resulted in the WannaCry ransomware and NotPetya wiperware attack through the EternalBlue exploit. Additionally, there were multiple uses of wipers in attacks against Saudi Arabian targets in 2012 and 2016 using Rawdisk, a commercially available tool, which was also used by North Korea’s Lazarus Group in attacks against South Korea and Sony for their release of the movie ‘The Interview.’”
The main reason these pseudo ransomware/wiper attacks are not generally publicized is because they are largely geopolitical in focus, Warner said. These are governments attempting to impact infrastructure or nationalized institutions within another entity that is identified as the target.
“Hacking against commercial targets that are not nationalized is usually done to extract data or access, which will result in profits for the attacker,” he said. “This is often done in large campaigns, such as the 2021 Kaseya ransomware attack, where access was leveraged into a wide ransomware attack against a large number of organizations. When the attacker is wiping a machine, there is only one goal in mind: to make it as difficult as possible to recover data from the infected machines. The biggest change since NotPetya has been the masquerading as ransomware, which results in a slowdown of investigation to determine if data can indeed be recovered when it is actually deleted.”
John Bambenek is principal threat hunter at Netenrich.
“Criminals need to have some sense of symbiosis with a victim environment,” he said. “If they destroy the victim, they cannot get paid or steal information, which is why you don’t see it often. Nation-states in a geopolitical conflict, however, are perfectly willing to engage in sabotage as that is a known tool in the tool chest for them.”
Mike Parkin is an engineer at Vulcan Cyber.
“With pseudo ransomware, the files are effectively wiped,” he said. “With ransomware, if the attackers are ‘being honorable’ then paying the ransom will get the victim’s files back. The disruption is effectively the same, though ransomware has a paid route to recovery.”
“Superficially, the damage is the same [as ransomware], the unavailability of the system and its underlying data,” Bambenek said. “The only difference is that the malware offers no path of recovery besides restoring from backups.”
Organizations can protect themselves against pseudo ransomware by understanding their attack surface and reducing exposure with a defense-in-depth strategy, Warner said.
“In the end, these attacks are no different from other modern attacks against infrastructure,” he said. “They must land on the machine, exploit and run their own processes to perform the desired action, in this case wiping the machine.”
A threat detection and response platform that ties to known attacker techniques such as the MITRE framework is a crucial component of this strategy, Warner said.
“In Trellix’s report, there were several techniques that the threat actors used to execute the attack — including malicious PowerShell usage, disabling firewalls and modifying registry settings,” he said. “Utilizing tools to gain and expand visibility into your environments … is paramount when these types of campaigns [occur].”
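The three behaviours Warner names (malicious PowerShell usage, firewall disabling, registry modification) each map to a documented MITRE ATT&CK technique, and the detection value comes less from any single match than from seeing several of them on one host in a short window. The script below is an added example written for this article, not code from Trellix or Blumira: it parses constructed process-creation log lines (the field layout, hostnames, users and commands are all invented for illustration), tags each hit with the real ATT&CK identifiers T1059.001, T1562.004 and T1112, and escalates hosts where at least two distinct techniques fire. The match patterns are deliberately simple heuristics chosen for the example, not a production rule set.

```python
"""Map process-creation log lines to MITRE ATT&CK techniques and escalate
hosts that show several of them. Added example, not from the article.

Log line shape (constructed for this example, loosely modelled on
Sysmon/EDR process-creation records):
    <timestamp> host=<h> user=<u> image=<exe> cmd=<command line>
"""
import re
from dataclasses import dataclass

# Detection rules: (ATT&CK technique id, technique name, regex over the command line).
# The ids are real ATT&CK identifiers; the regexes are illustrative heuristics.
RULES = [
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     re.compile(r"powershell(\.exe)?\b.*(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|bypass)", re.I)),
    ("T1562.004", "Impair Defenses: Disable or Modify System Firewall",
     re.compile(r"netsh\b.*advfirewall\b.*state\s+off|Set-NetFirewallProfile\b.*-Enabled\s+False", re.I)),
    ("T1112", "Modify Registry",
     re.compile(r"\breg(\.exe)?\s+add\b|Set-ItemProperty\b.*HK(LM|CU)", re.I)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    technique: str
    name: str
    cmd: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over every parseable line; one Finding per (line, rule) match."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for tid, name, pat in RULES:
            if pat.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], tid, name, ev["cmd"]))
    return findings


def findings_by_host(findings):
    """Group the distinct technique ids observed per host."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return out


def escalate(findings, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct techniques: the chain
    (PowerShell, then firewall off, then registry change) is the signal, not one hit."""
    return sorted(h for h, t in findings_by_host(findings).items() if len(t) >= min_techniques)


# Constructed sample log: one host showing the full chain, one host with routine activity.
# The encoded payload is replaced by a placeholder; only the flags matter to the rule.
SAMPLE_LOG = [
    r"2022-01-20T02:14:07Z host=ws-17 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -nop -w hidden -enc <redacted>",
    r"2022-01-20T02:14:09Z host=ws-17 user=CORP\jdoe image=C:\Windows\System32\netsh.exe cmd=netsh advfirewall set allprofiles state off",
    r"2022-01-20T02:14:11Z host=ws-17 user=CORP\jdoe image=C:\Windows\System32\reg.exe cmd=reg add HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /t REG_SZ /d Unrestricted /f",
    r"2022-01-20T09:01:00Z host=ws-03 user=CORP\asmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -File C:\scripts\inventory.ps1",
    r"2022-01-20T09:02:00Z host=ws-03 user=CORP\asmith image=C:\Windows\explorer.exe cmd=explorer.exe",
    "not a well-formed event line",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.technique} ({f.name}): {f.cmd}")
    print("escalate:", escalate(hits))
```

The third sample line is the registry change a defender most wants to see in this context: it weakens exactly the signed-script control Bambenek recommends later in the article, so a T1112 hit on a PowerShell policy key deserves a higher severity than the generic rule gives it. The benign `-File inventory.ps1` run on ws-03 shows why the PowerShell rule keys on evasion-style flags rather than on the interpreter name alone.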
Bambenek said ultimately the protective measures are the same for ransomware and pseudo ransomware.
“Organizations need to have a strong disaster recovery plan that is effectively tested,” he said. “Unlike more complicated forms of attacks, wipers are fairly technically simple, so organizations need to have segmented networks, highly controlled administrator permissions, and to have strong controls on PowerShell (requiring signed scripts, for instance) in the environment to prevent rapid destruction.”
An increase in attack sophistication is proof of the growing threat that ransomware poses to all organizations. That’s according to a new alert by cybersecurity agencies from the United States, the United Kingdom and Australia.
Over the past several years, ransomware has become the most prevalent threat to organizations in private and public sectors alike, including financial services, food and agriculture, government, health care and other critical infrastructure industries.
Ransomware groups have increased their impact by:

- Targeting cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software and virtual machine orchestration software. Ransomware threat actors also targeted cloud accounts, cloud APIs, and data backup and storage systems to deny access to cloud resources and encrypt data.
- Targeting MSPs. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, the United Kingdom and Australia say there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.
- Attacking industrial processes. Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.
- Attacking the software supply chain. Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise.
- Targeting organizations on holidays and weekends. Ransomware threat actors may view holidays and weekends, when offices are normally closed, as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations.
“Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model,” the alert said. “Additionally, cybersecurity authorities in the United States, Australia and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates and freelancers. It is often difficult to identify conclusively the actors behind a ransomware incident.”
Saryu Nayyar is CEO and founder of Gurucul.
“Phishing attacks on remote workers are compounding successful initial compromises as home networks are much less secure,” she said. “Combined with traditional corporate phishing attacks, it is no surprise why compromise is inevitable and these types of attacks are the primary mechanism by which ransomware gets a foothold in most organizations.”
The rapid move to cloud infrastructure means security has followed rather than led, making these environments more susceptible to attack than on-premises networks, Nayyar said.
“We know that targeting these environments is a top attacker initiative for 2022,” she said. “Perimeter and defensive technologies are not enough to stop these types of attacks. Organizations need to invest in newer and more advanced technologies for monitoring, detection and response much earlier in the attack kill chain to be successful. This requires looking at more advanced analytics and behavioral profiling beyond what current extended detection and response (XDR) and security information and event management (SIEM) solutions offer. In addition, the current class of rule-based machine learning (ML) in these solutions is incapable of identifying new variants and emerging ransomware threats.”
Pseudo ransomware attacks are on the rise, posing an entirely different threat than traditional ransomware.
According to ThreatPost, disruptive malware attacks on Ukrainian organizations, posing as ransomware attacks, are likely part of Russia’s effort to undermine Ukraine’s sovereignty. This has occurred as Russia threatens to launch an invasion of Ukraine.
Last week, Trellix released its first major research report. The Advanced Threat Research Report examines the most noteworthy cybercriminal activity in the third quarter of 2021.
While discussing the report, Raj Samani, chief scientist and fellow at Trellix, said pseudo ransomware will pose a prominent threat in 2022.
“This year we rolled out from Log4j, straight into pseudo ransomware attacks,” he said. “If January is anything to go by, this year will bring many more critical events to address.”
The Nuts and Bolts of Pseudo Ransomware
But what exactly is pseudo ransomware? We asked cybersecurity experts to weigh in.
Matthew Warner is Blumira’s CTO and co-founder. He said the major difference is motive.
“Pseudo ransomware, also known as wiperware, is often geopolitical in nature and aims to destroy the victim’s systems rather than offer the opportunity to decrypt them,” he said. “This differs from most of today’s financially-motivated ransomware actors that tend to use tactics such as double extortion to obtain ransom.”
Wiperware’s messages delay recovery investigations as impact is determined, Warner said.
“When NotPetya was utilized in 2017, the message indicated a method of communication via email, similar to this new variant using P2P Tox,” he said. “In both situations, recovery is not generally possible.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.