It seems like it would be easier to win a massive lottery payout than to go a week without ransomware dominating InfoSec headlines. Less than two weeks ago this platform posted about how ransom demands had increased 60% from the first quarter of 2020 to the second quarter. Several other ransomware incidents arose between them that vied for equal attention. Now three events compete for similar attention. Those being the discovery of a new ransomware family, another high profile victim, and a massive spike in ransomware related activity detected by cybersecurity researchers.
First, the new ransomware. Called ProLock it first emerged in late August 2020. While reports were emerging of the ransomware then, it seems that the group responsible for its development and distribution were using the ransomware from the beginning of this year. Further, it seems that ProLock is an evolution of PwndLocker and is likely operated by the same group. Since then both Group-IB and Sophos. Both reports have shone a light on the group’s activities and should help those defending networks to better prevent falling victim to the ransomware.
In summary, the ransomware has been spread with the help of a trojan. ProLock infections have been seen on machines previously compromised by QakBot trojan. The trojan is spread via email spam campaigns or is dropped as a second-stage payload on computers previously infected with the Emotet trojan which has also seen a surge in detected activity recently.
System administrators who find computers infected with either of these two malware strains should isolate systems and audit their networks, as those behind ProLock may be working to compromise the network and create a bad day for all those involved in maintaining a company’s IT infrastructure. Based on this it would seem that the ProLock gang then buys access to the compromised network from those behind QakBot. However, this access seems granted to one compromised machine. Despite this, ProLock is capable of lateral movement within a network. This is achieved by exploiting CVE-2019-0859 a Windows vulnerability that allows an attacker to gain administrator-level access on infected hosts. The ransomware then deploys the MimiKats tool to dump credentials from the infected system.
Like today’s biggest players on the ransomware scene, ProLock is considered human-operated in that it relies on human interaction to conduct the malware’s operations, rather than automating the operations. This is done as it makes it harder to detect network intrusion until it’s too late and data has been encrypted. Like other ransomware families of the type they target corporate networks and demand high ransoms for decrypting data. Researchers have seen demands range from 35 to 90 Bitcoin, in US dollars this would place ransoms in the range of 400,000 to 1,000,000 dollars. The group's past victims include Diebold Nixdorf, the city of Novi Sad in Serbia, and Lasalle County in Illinois.
Yet another High-Profile Victim
Equinix, one of the world's largest providers of on-demand colocation data centers, disclosed that it had suffered a security breach. Equinix is listed on the NASDAQ stock exchange as EQIX and has around 8,000 employees. In a short statement, the company stated,
“Equinix is currently investigating a security incident we detected that involves ransomware on some of our internal systems. Our teams took immediate and decisive action to address the incident, notified law enforcement, and are continuing to investigate. Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers. Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix. The security of the data in our systems is always a top priority and we intend to take all necessary actions, as appropriate, based on the results of our investigation. We will update this blog post as appropriate.”
With such a terse and to the point statement, any reader would be forgiven in thinking that the company is downplaying the incident. However, it would appear that this is not the case as there are no reports of major outages being reported at the time of writing, and no wave of customer complaints flooding social media. As to what ransomware strain impacted the company, that information is yet to be released to the public officially. It would seem that the company’s security measures and staff managed to prevent the malware from causing any lasting damage or system outages.
This represents a stark contrast to the way Garmin handled a similar incident which knocked out large portions of the company’s online presence and services. These companies present attractive targets to ransomware gangs as not only do they have good profit records and hackers feel they can demand more in terms of a ransom but involve the immediate effect of their attacks, which often bring down services for impacted companies, but also for their respective customers, all of whom are expecting near-perfect uptime. This usually puts the pressure on the data center or web hosting provider to restore services right away, which may sometimes include paying huge ransom demands.
Massive Spike in Ransomware Activity
In a recent report published by Bitdefender, the security firm noted it had seen a 715% year-on-year increase in detected, and blocked ransomware attacks. Further, adding to the massive spike, researchers also discovered that ransomware attacks and tactics have continually evolved. While some ransomware gangs have thrown in the towel, newer variants are far more damaging and disruptive when compared to their predecessors. In summarizing the effect ransomware has on the current threat landscape, researchers stated,
“Ransomware remained a popular threat throughout our threat landscape for 2020. Focused on encrypting files, documents, databases, and any other relevant file type, ransomware has become the go-to mechanism for threat actors in terms of generating profit. Restricting access to files and leaving behind a ransom note to the victim, file recovery becomes next to impossible without a backup or a ransomware decryption tool. The third option, paying the ransom note, is never advisable, as it shows threat actors that this type of behavior can be profitable and it fuels them with the financial resources to keep developing new ransomware or other threats. While there are multiple ransomware families, from here on we will refer to them as a whole category of threats, unless discussing specific ransomware families.”
The sudden spike in ransomware related activity has been attributed to both the COVID-19 pandemic and the increased reliance of businesses to adopt remote working as the status quo, according to Bitdefender. Another interesting point was the effect of ransomware-as-a-service on the ecosystem in general. While names like Sodinokibi, Ryuk, and Dharma dominate headlines, ransomware families like Zepto and Cryptolocker cause problems and perhaps revelle in the lack of attention received when compared to their more popular cousins. Often these ransomware-as-a-service variants are less advanced than their popular cousins.
This had led many to assume that they are not as dangerous as their more advanced family members. However, while being simpler, this is purely by design so that hackers with only rudimentary knowledge and skills can use them. This greatly increases the number of potential attackers that could compromise a network as well as the damage that can be done despite using malware code deemed simple. In these instances, it is often small to medium enterprises that are targeted and who often feel they have no choice but to pay the ransom.
In defending against ransomware the approach has not changed despite tactics evolving. This is because these preventative measures work. Ensuring that security patches are applied as soon as possible helps to prevent hackers from exploiting known vulnerabilities to gain a foothold inside the network in the first place, while organizations should also apply multi-factor authentication across the ecosystem because that can prevent hackers moving across the network by gaining additional controls. Organizations should also regularly back up their systems, as well as testing those backups regularly as part of a recovery plan, so if the worst happens and ransomware does infiltrate the network, there's a known method of restoring it without the need to pay the gang that successfully encrypted important data.