Cisco Security Blogs: How Adversaries Are Refining and Improving Ransomware in 2017

A valuable article, entitled "How Adversaries Are Refining and Improving Ransomware in 2017", appeared yesterday on Cisco's Blog. The post was authored by Edmund Brumaghin, an important threat researcher with Cisco Talos, who "has spent the past several years protecting environments across a number of different industries including nuclear energy, financial services, etc."



Derive Technologies is a Cisco Premier Partner, focused on the entire Cisco portfolio: Hyperconverged Infrastructure, Cloud, IoT, Collaboration, Mobility, Security, Switched Networking, Software, and more. This includes Cisco Security solutions comprising Advanced Malware Protection, Cloud Security, Email Security, Network Visibility and Enforcement, Next-Generation Firewalls, Next-Generation Intrusion Prevention Systems, Policy and Access, Router Security, Security Management, VPN Security Clients, and Web Security. For this reason, closely following and working to mitigate sophisticated attacks such as WannaCry, Petya, Satan (referenced below), and other ransomware and malware threats, Derive has partnered with Cisco to offer comprehensive protection solutions for data center, cloud, data/information, web, mail and messaging, and other platforms.

Please learn more about these collaborative threat protection solutions from Derive and Cisco by contacting a Derive Cisco Security Consultant. Please call (212) 363-1111, or complete the form on this page (please indicate "Cisco Ransomware Protection" in the form's comments).

Please also read the important article below.


How Adversaries Are Refining and Improving Ransomware in 2017

By Edmund Brumaghin - July 26, 2017


Once adversaries have found a method for breaching network defenses, stealing data, or otherwise generating revenue, they’ll continue to refine these tactics to avoid detection and improve effectiveness. Ransomware, one of the more high-profile tools leveraged by adversaries, has undergone this same evolution, as we explain in the Cisco 2017 Midyear Cybersecurity Report (MCR). Delivery, obfuscation, and evasion are the core elements currently driving malware innovation—and many of these innovations, in turn, drive the use of ransomware by actors in the shadow economy.

Here’s a quick look at some of the key trends in ransomware we’ve observed during the first half of 2017:


RaaS platforms

Ransomware-as-a-Service (RaaS) platforms, such as Satan, are becoming commonplace, significantly decreasing the “barrier to entry” for threat actors who want to get into the ransomware business without doing the hard work of programming, or amassing network resources. The operators of the RaaS platforms take a portion of adversaries’ profits, similar to the way in which many legitimate software platforms work. Some of the operators even provide additional “customer service,” such as deploying the ransomware and tracking the progress of ransomware distribution campaigns over time, making it even easier for threat actors to launch and manage their ransomware campaigns.


Open-source codebases

Open-source ransomware codebases are also being leveraged by adversaries to help them launch new ransomware campaigns quickly. As covered in the MCR, several open-source ransomware codebases such as Hidden Tear and EDA2 have been released publicly “for educational purposes.” Threat actors can simply tweak the code to suit their specific objectives and then deploy the malware to launch ransomware attacks. We know that this is a strategy used by some adversaries: many of the supposedly new ransomware families that Cisco has recently observed appear to be directly based on these open-source codebases.


Anonymized, decentralized infrastructure

In a bid to stay below the radar as their attacks find new victims, creators of ransomware and other malware campaigns are also leveraging new techniques for evading detection by defenders. One such technique is the use of anonymized and decentralized infrastructure and network protocols that can obfuscate command-and-control infrastructure. Cisco researchers have noted an increase in the use of services that leverage Tor, such as Tor2Web, which makes it easier for bad actors to use Tor without changing their malware code to natively support it. This also makes the command-and-control infrastructure more difficult to track and makes it more resilient to server takedowns.


A re-embrace of email as an attack vector

Another ransomware-related trend observed by Cisco and covered in the MCR: an uptick in spam volume globally, which parallels a decline in exploit kit activity. Emails carrying password-protected Office documents, or PDFs containing embedded documents, may require recipients to interact with the files, such as clicking “OK” or entering a password, before any malicious activity is encountered, which can help the messages bypass sandboxing technologies.
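As an added defender-side illustration (not part of the Cisco post or of Derive's offering), the following Python triage function flags the attachment types the paragraph describes so they can be routed for manual review or re-detonated with the password supplied, instead of quietly passing a sandbox that could not open them. The attachment names and sample bytes are constructed for the example.

```python
import re

# Magic bytes for the container formats the paragraph calls out.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CFB: legacy .doc/.xls and password-protected OOXML
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"                         # plain (unencrypted) .docx/.xlsx/.pptx

# When Office saves a document with a password it rewraps the OOXML zip in a CFB
# container holding "EncryptionInfo" and "EncryptedPackage" streams. CFB stores
# directory entry names as UTF-16LE, so that is the encoding to search for.
OFFICE_CRYPTO_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]


def triage_attachment(data: bytes) -> list[str]:
    """Return short tags explaining why a sandbox may never see the real payload.

    An empty list means nothing notable was found. This is a byte-level first
    pass: PDF names hidden inside compressed object streams are not visible here.
    """
    tags = []
    if data.startswith(OLE_MAGIC):
        if any(stream in data for stream in OFFICE_CRYPTO_STREAMS):
            tags.append("office-password-protected")
    elif data.startswith(PDF_MAGIC):
        if b"/EmbeddedFile" in data:          # matches /EmbeddedFile and /EmbeddedFiles
            tags.append("pdf-embedded-file")
        if re.search(rb"/Encrypt\b", data):  # document-level encryption: user must enter a password
            tags.append("pdf-encrypted")
    elif data.startswith(ZIP_MAGIC):
        pass  # unencrypted OOXML: a sandbox can open and detonate it normally
    return tags


# Constructed samples: just enough structure to exercise each branch, not real files.
SAMPLES = {
    "invoice.docx": OLE_MAGIC + b"\x00" * 8 + OFFICE_CRYPTO_STREAMS[0] + b"\x00\x00" + OFFICE_CRYPTO_STREAMS[1],
    "statement.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nABCD\nendstream\nendobj\n",
    "locked.pdf": b"%PDF-1.7\ntrailer\n<< /Encrypt 5 0 R /Root 1 0 R >>\n",
    "notes.docx": ZIP_MAGIC + b"\x00" * 26,
}


def needs_review(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each attachment name to its tags, keeping only those that need a closer look."""
    return {name: tags for name, data in samples.items() if (tags := triage_attachment(data))}


if __name__ == "__main__":
    for name, tags in needs_review(SAMPLES).items():
        print(f"{name}: {', '.join(tags)}")
```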


RDoS attacks

Some adversaries are also experimenting with extorting victims using the threat of distributed denial of service (DDoS) attacks. In these attacks, dubbed ransom denial of service (RDoS), the perpetrator threatens to disrupt the victim’s website or other services using a DDoS attack unless a ransom is paid. According to research by our partner Radware, nearly half of all companies suffered at least one cyber ransom incident in 2016—either a specific ransomware attack, or an RDoS attack (17 percent).

Radware research also shows that a cybercriminal group called the Armada Collective has been responsible for most RDoS attacks to date, with ransoms demanded ranging from 10 to 200 bitcoins (about US$3,600 to US$70,000).

Given the cleverness of adversaries, defenders can’t assume that when they’ve blocked one type of threat, bad actors won’t figure out a way around their defenses. As the Midyear Cybersecurity Report makes clear, staying a step ahead of this innovation is key to outwitting attackers.


(Content and Photographs Copyright © 2017 Cisco Systems. All Rights Reserved.)

Legal Disclaimer

Some of the individuals posting to this site (*to the Cisco Systems website and its blog), including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.



Derive and Cisco Ransomware Defense

As above, you can learn more about threat protection solutions from Derive and Cisco by contacting a Derive Cisco Security Consultant. Please call (212) 363-1111, or complete the form on this page (please indicate "Cisco Ransomware Protection" in the form's comments).