Ransomware is still a huge threat to organisations, and continues to feature in our investigations. In this issue, we take a look at a few ransomware variants which have emerged as prominent threats. We also share some highlights from social media and the Cyber Security Information Sharing Partnership (CiSP).
#1 - RYUK
RYUK is a type of ransomware which infects victims via Remote Desktop Protocol (RDP) attacks. Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally. This variant is a targeted ransomware where demands are set according to the victim’s perceived ability to pay.
The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack.
Unlike most other ransomware variants, RYUK doesn't rename or change the victims' file extensions. It does however still create an HTML file on the desktop called ‘RyukReadMe.txt’ giving instructions on how to pay the ransom. It also provides a unique ID to the victim, which they are told to include in any email when contacting the suspects.
Earlier this year the NCSC released an advisory document regarding Ryuk ransomware campaigns targeting organisations globally, including in the UK. This can be found at https://www.ncsc.gov.uk/news/ryuk-advisory.
#2 - Snatch
Snatch ransomware is distributed via spam emails that contain infected attachments, but has also been known to target victims' exposed RDP ports and attempt to brute-force the password.
Once encryption is complete, a file called "Readme_Restore_Files.txt" is placed on the victim’s desktop and alongside every file that has been encrypted. The text file contains the ransom note, with instructions for the victim to follow in order to get their files back and the ransom amount.
All the victims’ files are also renamed with the ".snatch" extension. There are currently no tools able to decrypt Snatch, with the remaining solutions being paying the ransom (not advised) or restoring files from a backup/system restore.
#3 - STOP
The STOP ransomware variant surfaced at the back end of 2017, and is typically delivered via phishing attacks.
Once a device is infected, the ransomware encrypts the victim’s files and places a file on the victim’s desktop called "!!!YourDataRestore!!!.txt".
It was previously seen using the “.DJVU” extension; however, it now uses the original “.STOP” file extension.
The ransomware demands between $300 and $600, and leaves two email addresses and a Bitmessage address for victims to get in touch with to get their files back.
There are currently no tools available to decrypt the data once it has been encrypted, therefore the only way of getting it back is to restore everything from a backup.
#4 - Bitpaymer
Bitpaymer is another variant which has been consistently affecting organisations for some time.
We covered an investigation looking at the interplay between Bitpaymer, Emotet and Trickbot in an earlier case study. You can read this at https://mailchi.mp/efbab03fcde5/cyber-intelligence-report-541609.
#5 - LockerGoga
LockerGoga has been found to abuse the same system administration tool used by various other ransomware strains such as Bitpaymer. Cybercrime botnets such as Emotet, Dridex and Trickbot are commonly used as the initial infection vector, prior to retrieving and installing the ransomware.
In many cases it’s difficult to know the root cause of the preceding compromise, especially when the ransomware can encrypt some of the sources which might be used for analysis. Observed cases have often resulted from a trojanised document sent via email. The malware exploits publicly known vulnerabilities and macros in Microsoft Office documents.
LockerGoga encrypts files stored on systems such as desktops, laptops, and servers. After the encryption process, LockerGoga leaves a ransom note in a text file (README_LOCKED.txt) in the desktop folder.
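The ransom-note filenames and file extensions listed for the five variants above are the most visible host-based indicators a responder has. The script below is an added example, not part of the original bulletin: it walks a directory tree, attributes findings to a variant by note name or extension, and runs over a constructed sample tree. Note that Ryuk does not change extensions, so it can only be attributed via its note.

```python
import os
import tempfile

# Ransom-note filenames and encrypted-file extensions taken from the bulletin above
# (lower-cased, because Windows filesystems are case-insensitive).
RANSOM_NOTES = {
    "ryukreadme.txt": "Ryuk",
    "readme_restore_files.txt": "Snatch",
    "!!!yourdatarestore!!!.txt": "STOP",
    "readme_locked.txt": "LockerGoga",
}
ENCRYPTED_EXTENSIONS = {
    ".snatch": "Snatch",
    ".stop": "STOP",
    ".djvu": "STOP",   # older STOP extension
}


def scan_tree(root):
    """Walk `root` and return {variant: {"notes": [paths], "encrypted": count}}."""
    findings = {}

    def entry(variant):
        return findings.setdefault(variant, {"notes": [], "encrypted": 0})

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in RANSOM_NOTES:
                entry(RANSOM_NOTES[lower])["notes"].append(os.path.join(dirpath, name))
                continue
            ext = os.path.splitext(lower)[1]
            if ext in ENCRYPTED_EXTENSIONS:
                entry(ENCRYPTED_EXTENSIONS[ext])["encrypted"] += 1
    return findings


def build_sample_tree(root):
    """Constructed sample data: a Snatch-style folder, a lone Ryuk note, a benign file."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for fn in ("Readme_Restore_Files.txt", "budget.xlsx.snatch", "plan.docx.snatch"):
        open(os.path.join(docs, fn), "w").close()
    open(os.path.join(root, "RyukReadMe.txt"), "w").close()
    open(os.path.join(root, "notes.txt"), "w").close()  # must not be flagged


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

Run `demo()` to see the attribution for the sample tree; point `scan_tree()` at a mounted image or file share to triage a real case.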
- Ransomware was extensively covered in the NCSC's recent Incident Trends Report, including how to remediate the threat. You can find the guidance on their website at https://www.ncsc.gov.uk/report/incident-trends-report#ransomware.
- In line with national advice, we do NOT recommend paying the ransom, for a number of reasons.
- Firstly, there is no guarantee that you will actually receive a decryption key if you choose to pay, and even if you do receive a decryption key there's no guarantee it will work as intended.
- Secondly, if criminals know that you are an organisation which is likely to pay out on ransomware, then there is a chance you could be a target for repeat attacks.
- Finally, all ransom payments fund criminal activity, and criminals will continue to employ this tactic if it is consistently successful.
- A good backup policy is essential to countering the effects of ransomware. Know what data is in your backups, and test that they restore as expected! In one of our previous ransomware investigations, when it came to restoring from a backup, a company found that their outsourced IT support had only been backing up HR files. As a result they lost 6 years' worth of financial and project data.
- Below are a couple of other resources from the National Cyber Security Centre around good backup policies/procedures:
- Another proactive way to mitigate the effects of ransomware is good internal network segmentation. Done correctly, this limits the ability of any malware infection to affect the whole network. The NCSC guidance on Preventing Lateral Movement is a useful resource which expands on this (found at https://www.ncsc.gov.uk/guidance/preventing-lateral-movement).
- If you or your organisation have been a victim of ransomware or any other type of cyber crime, report to Action Fraud, the UK's national cyber crime reporting centre at https://www.actionfraud.police.uk/ or via phone on 0300 123 2040. Action Fraud have a 24/7 reporting capability for live incidents.