Jon AbbottLatest Ransomware Trends

Increasing In Sophistication

I think three new ransomware variants and techniques are a clear sign that this has now happened. This article will give a brief description of these strains of ransomware:

1. Full virtual machine deployment
2. New ransomware called Tycoon
3. Cookie consent delivery method

I will more importantly provide guidance about how you can prevent your business from succumbing to each of these new attack methods.

Full Virtual Machine Deployment

What

A hacking group who call themselves Ragnar Locker are using an entirely new deployment method. The traditional method involves installing the ransomware directly onto the victim’s desktop. The new method that Ragnar Locker are using is instead to install a legitimate 122MB virtual machine on the victim’s computer; hidden within that virtual machine is a 49kB ransomware executable.

Why

The reason for going through all the hassle of creating a silent installation of a virtual machine is because once the virtual machine is booted, it doesn’t have any antivirus software installed. The victim’s computer cannot see inside the virtual machine and cannot scan it for viruses, meaning that the ransomware can execute without detection. The virtual machine has access to the network and mapped drives via the victim’s computer. The approach is then simple:

1. Steal a large amount of data.
2. Encrypt all the data and bring systems offline.
3. Demand a very large ransom payment because they have your data and your computer systems.

Prevention

The attackers must gain some form of access to the victim’s computer in the first place to install the virtual machine. Therefore latest patches, decent anti-malware, good password management, DNS protection and team training are all going to help.

However for this particular attack method the best defence is to utilise AppLocker. A strong AppLocker policy ensures that only authorised applications are permitted to run. This would mean that the installation of the rogue virtual machine would never run in the first place.

Tycoon Ransomware

What

One of the latest ransomware variants is called Tycoon is exploiting the Java image format. The ransomware is delivered as ZIP and then executes a Java Runtime Environment. Another huge difference is this ransomware is able to attack both Windows and Linux systems.

After the attack all you are left with is an email giving you the details of how to pay the ransom.

Why

This move towards using uncommon programming languages and obscure data formats is becoming more common as attackers try to avoid detection.

I think the reason for attacking Windows & Linux is multiple, firstly it is likely that they are trying to cause maximum damage. If one attack renders all of the Windows & Linux systems inoperable then the business is likely to be taken completely offline. It is also a sign that they are targeting server infrastructure, again going for maximum damage.

Lastly, there is the factor to consider about efficiency. Just like any development team, if they are able to achieve more with less they will. Remember that hackers are operating very much like a business, so the time and effort they put into their attacks are always a factor in their design methods.

Prevention

To start with you want to prevent it getting to your environment in the first place. A good email protection tool such as Mimecast or Proofpoint Enterprise may block it via email. Some strong email attachment rules will also assist.

However they may try breaking in to deploy, in which case frequent vulnerability scanning of your external network is critical. Also you need to be looking at your remote connection method and ensure they are secure and have MFA enabled etc.

If they do need to manage to get it, then it would be relying on AppLocker for the Windows machines. For the Linux servers you need to performing good password access management and regularly testing them against a vulnerability scanner.

Infected Cookie Consent Logo

What

An old Cookie Consent solution has been hijacked and is now being used to deliver ransomware via an infected PNG image which is actually a Java script.

Why

This is a particularly sneaky way to deliver ransomware and although this isn’t a widespread attack, if only 1000 websites start getting comprised and their cookie consent solution is changed to deliver ransomware, it could become a huge issue. As even the most paranoid IT security expert would probably not be thinking when clicking on a Cookie Consent that it contains ransomware.

Prevention

At the moment it appears that an up to date Windows defender is protecting against this particular strain. However if it evolves then maybe need to rely on DNS protection, we will monitor this and update you if it does start to evolve.

Summary

As you can see the list is extensive, therefore having a great cyber security posture and a tool to clearly monitor that posture is going to be vital to protect against this next generation of attacks.