Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, found out that the year of 2019 was marked by ransomware evolution and was dominated by increasingly aggressive ransomware campaigns, with its operators resorting to more cunning TTPs, reminding those of APT groups to get their victims shell out. The number of ransomware attacks increased by 40 percent last year, according to Group-IB’s incident response engagements and industry researchers data, while devious techniques employed by the attackers helped them to push the average ransom grow over tenfold in just one year. The greediest ransomware families with highest pay-off were Ryuk, DoppelPaymer and REvil.
The findings come as highlights of Group-IB whitepaper titled “Ransomware Uncovered: Attackers’ Latest Methods”, closely examining the evolution of the ransomware operators’ strategies over the past year, issued today.
Big Game Hunting
Last year, ransomware operators matured considerably, having joined Big Game Hunting and going beyond file encryption. More groups started distributing ransomware, and Ransomware-as-a-Service (RaaS) adverts opted to focus their attacks on big enterprise networks rather than individuals. TTPs employed by ransomware operators showed that they came to resemble what once was considered a modus operandi of primarily APT groups — last year saw even trusted relationship and supply chain attacks conducted by ransomware operators.
Another feature that ransomware operators started to share with APT groups was downloading of sensitive data from victims’ servers. It should, however, be noted, that unlike APT groups that download the info for espionage purposes, ransomware operators downloaded it to then blackmail their victims to increase the chances of ransom being paid. If their demands were not met, they attempted to sell the confidential information on the black market. This technique was used by REvil, Maze, and DoppelPaymer operators. Big Game Hunters frequently used different trojans to gain an initial foothold in the target network: in 2019, a wide variety of trojans was used in ransomware campaigns, including Dridex, Emotet, SDBBot, and Trickbot.
In 2019, most ransomware operators actively used post-exploitation frameworks. For instance, Ryuk, Revil, Maze, and DoppelPaymer actively used such tools, namely Cobalt Strike, CrackMapExec , PowerShell Empire, PoshC2, Metasploit, and Koadic, which helped them collect as much information as possible about the compromised network. Some operators used additional malware during their post-exploitation activities, which gave them more opportunities to obtain authentication data and even full control over Windows domains.
How it all began
In 2019, the majority of ransomware operators used phishing emails, intrusion through external remote services, especially through RDP, and drive-by compromise as initial attack vectors. Phishing emails continued to be the most common initial access technique. This technique’s main admirers were Shade and Ryuk. Financially-motivated threat actor TA505 also started its Clop ransomware campaigns from a phishing email containing a weaponized attachment that would download FlawedAmmy RAT or SDBBot, among others.
Last year, the number of accessible servers with an open port 3389 grew to over 3 million, with the majority of them located in China, the United States, Germany, Brazil, and Russia. This attack vector was popularized among cybercriminals by the discovery of five new Remote Desktop Service vulnerabilities, none of which however was successfully exploited. Dharma and Scarab operators were the most frequent users of this attack vector.
In 2019, attackers also frequently used infected websites to deliver ransomware. Once a user found themselves on such a website, they are redirected to websites, which attempt to exploit vulnerabilities in, for example, their browsers. Exploit kits most frequently used in these drive-by attacks were RIG EK, Fallout EK, and Spelevo EK. Some threat actors, such as Shade (Troldesh) and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze, and Dharma operators, gathered info about the intruded network, moving laterally and compromising entire network infrastructures. The full list of the TTPs outlined in the whitepaper can be found in the heat map below, which is based on MITRE’s revolutionary ATT&CK matrix. They are ordered from the most commonly used (red) to the least commonly used (green).
Figure 1 — Heat map of ransomware operators’ TTPs based on MITRE’s ATT&CK matrix
After a relative lull in 2018, the year of 2019 saw ransomware returning at full strength, with the number of ransomware attacks having grown by 40 percent in 2019 year-on-year. The larger targets determined greater ransoms — the average figure soared from $8,000 in 2018 to $84,000 last year, according to the industry researchers. The most aggressive and greediest ransomware families were Ryuk, DoppelPaymer and REvil, whose single ransom demand reached up to $800,000.
Senior Digital Forensics Specialist
Despite the vim, showed by ransomware operators recently, there is still a number of measures that can be taken to ward off ransomware attacks. They include, among others, using VPN whenever accessing servers through RDP, creating complex passwords for the accounts used for access via RDP and changing them regularly, restricting the list of IP addresses that can be used to make external RDP connections, and many others. More recommendations can be found in the relevant section of the whitepaper.