Thursday, 12 November 2020 09:42

Ransomware is now all about data leaks, Kaspersky researchers claim

Ransomware has changed from being just about encrypting a victim's data and become primarily about data exfiltration, the Russian security firm Kaspersky says.

In a detailed blog post about two ransomware families — Ragnar Locker, which the company described as a veteran operation, and the more recent entrant Egregor — researchers Dmitry Bestuzhev and Fedor Sinitsyn said that data loss was no longer the main concern either, with the publication of stolen data on the Internet being the culmination of an attack.

The duo said there were several main initial vectors: commercial VPN software, RDP-enabled machines which were exposed to the Internet, and also vulnerable router firmware.

"Sometimes ransomware threat actors may rely on traditional malware like botnet implants previously dropped by other cyber-criminal groups," Bestuzhev and Sinitsyn said.

"And finally, if we recall the Tesla story, the attempt to infect that factory was through someone working at the company. That means physical human access is also a vector. It is complex."

They said Ragnar Locker was highly targeted, to the extent that each sample was tailored for the organisation that was being attacked.


Screenshot of the Wall of Shame where stolen data is exposed. Courtesy Kaspersky

The group had three .onion domains and one Internet domain, with the latter registered on 16 June; if victims refused to pay, then their stolen data was published on a so-called Wall of Shame section on the websites.

However, Ragnar Locker did not see itself as an extortionist. "Curiously, this group is positioning itself as a bug bounty hunting group," the researchers wrote.

"They claim the payment is their bounty for discovering vulnerabilities that were exploited and to provide decryption for the files and OpSec training for the victim; and, finally, for not publishing the stolen data.

"Of course, if the victim refuses to pay, the data goes public. Besides that, if the victim chats with the Ragnar Locker threat actor and fails to pay, then the chat is exposed along with the stolen data."

Bestuzhev and Sinitsyn provided a detailed breakdown of a sample of the Ragnar Locker malware that they had discovered, pointing out that it avoided infecting systems within certain locales – Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Uzbekistan, Ukraine and Georgia.

On any system outside these locales, the malware stopped certain services on the machine it had gained access to and then proceeded to do its job.


Example of a chat negotiating to pay the ransom. Courtesy Kaspersky

The Kaspersky duo said Egregor had been discovered only in September and its code had many similarities with another strain known as Sekhmet and also Maze, which recently shut down its operations.

Egregor had one .onion domain and two Internet domains, the two researchers said. The two surface Web domains appeared to be constantly under attack and hence the Egregor actors had a disclaimer posted on the main page of the .onion domain.

When Egregor gained access to a system, a check was done to see which languages had been installed. If any of Armenian (Armenia), Azerbaijani (Cyrillic, Azerbaijan), Azerbaijani (Latin, Azerbaijan), Belarusian (Belarus), Georgian (Georgia), Kazakh (Kazakhstan), Kyrgyz (Kyrgyzstan), Romanian (Moldova), Russian (Moldova), Russian (Russia), Tajik (Cyrillic, Tajikistan), Tatar (Russia), Turkmen (Turkmenistan), Ukrainian (Ukraine) or Uzbek (Latin, Uzbekistan) were present, then the attack went no further.

If only other languages were installed on the system, then the process of halting running services, exfiltrating data and encrypting files proceeded.

"Unfortunately, Ransomware 2.0 is here to stay," Bestuzhev and Sinitsyn said. "When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the Internet and only then about decryption.

"Why is it so important for the victims that their data is not published? Because possible lawsuits and fines due to violations of regulations like HIPAA, PIC or GDPR can result in immense financial losses, reputational damage and potential bankruptcy.

"As long as companies see ransomware threat actors as typical malware threats, they will also fail. It is not about just endpoint protection; it is about red teaming, business analysts working with exfiltrated documents evaluating the ransom to pay. It is also about data theft, of course, and public shaming, leading to all sorts of problems in the end."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
