Ransomware attackers expand the attack surface. This Week in Ransomware – Friday, Sept 2

Ransomware continues to grow and expand, both in the number of attackers and the number of potential victims. This week we feature some of the attackers’ strategies described in recent news items.

What’s next – “Ransomware in a box?”  New “Agenda Ransomware” can be customized for each victim

A new ransomware strain called “Agenda”, written in Google’s open source programming language “Go” (aka Golang), was detected and reported by researchers at Trend Micro earlier this week. There has been a trend towards using newer languages like Go and Rust to create malware, particularly ransomware.

The fact that many of these languages can operate cross platform makes them a much greater threat. Go programs are cross platform and stand alone. They can execute without a Go interpreter on the host system.

In addition, the creators have added a new wrinkle – making this new variant “easily customizable.” This new strain is being sold on the dark web as Ransomware as a Service (RaaS). Qilin, the threat actor that is selling it to its “affiliates”, claims it will allow them to easily customize, for each victim, the:

  • binary payloads
  • ransom note
  • encryption extension
  • list of processes to terminate before encrypting the data

Finally, Agenda has a clever detection evasion technique that is also used by another ransomware variant, REvil. It changes the user password and enables automatic login with the new credentials. This allows the attacker to use safe mode to reboot and control the victim’s system.

Trend Micro reported that this allowed one attacker to move from reconnaissance to full-fledged attack in only two days. On the first day, the attacker scanned a Citrix server, and on the second day mounted a customized attack.

For more information you can review the original Trend Micro posting.

New Linux ransomware families

Another way that threat actors are expanding the attack surface is by targeting Linux, one of the predominant operating systems used on internet and cloud servers. RaaS offerings are increasingly targeting Linux systems.

Although regarded as a very secure operating system, and despite a consistent move to patch vulnerabilities, the large number of Linux offerings used world-wide ensures there are a significant number of vulnerabilities at any given time. Failure to update and patch systems creates a large potential target base.

But software vulnerabilities are not the only area of weakness. Configuration mistakes are often the more likely factor in the breach of a Linux system, according to researchers at Trend Micro.

Remarkably, these include easily remedied issues such as:

  • default or weak passwords, and sometimes no password at all
  • exposed services and open ports on the internet
  • open file shares

To quote Trend’s report, “given the prevalence of Linux, ransomware actors find the operating system to be a very lucrative target.”
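As an added example (not from the original article or from Trend Micro's report), the sketch below checks for the three configuration issues listed above: accounts with no password, services listening on all interfaces, and file shares exported to any host. The sample inputs are constructed to mimic `/etc/shadow`, `ss -tln` output and `/etc/exports`; the function names and the port 22 allow-list are assumptions made for the illustration. Weak or default passwords cannot be detected from a hash, so only the empty-password case is covered.

```python
# Constructed sample inputs; on a real host read /etc/shadow, `ss -tln`, /etc/exports.
SHADOW = """root:$6$salt$constructedhash:19000:0:99999:7:::
backup::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""
SS_TLN = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      511    [::]:6379          [::]:*
LISTEN 0      128    *:2049             *:*
"""
EXPORTS = """# constructed /etc/exports
/srv/share *(rw,no_root_squash)
/srv/backup 10.0.5.0/24(ro)
/srv/pub 10.0.5.7(ro) *(rw)
"""

def empty_password_accounts(shadow_text):
    """Accounts whose password field is empty ('*' and '!' mean locked, not empty)."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [r[0] for r in rows if len(r) > 1 and r[1] == ""]

def exposed_listeners(ss_text, allowed_ports=(22,)):
    """TCP ports bound to every interface, minus an allow-list (assumed: SSH only)."""
    ports = set()
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # skips the header row and malformed lines
        addr, _, port = cols[3].rpartition(":")
        if addr in ("0.0.0.0", "[::]", "*") and int(port) not in allowed_ports:
            ports.add(int(port))
    return sorted(ports)

def world_exports(exports_text):
    """NFS exports whose client specification is the '*' wildcard (any host)."""
    found = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        found += [(path, c) for c in clients if c == "*" or c.startswith("*(")]
    return found
```

With the constructed inputs, the checks flag the `backup` account, ports 2049 and 6379, and the wildcard entries for `/srv/share` and `/srv/pub`.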

Ransomware “going to the dogs” is no joke

As RaaS and customizability become more and more prevalent, there’s an increasing ability to target smaller and more specific groups. We are familiar with ransomware attacking health care organizations, but recently the United Veterinary Services Association has written to its members with recommendations to increase ransomware prevention after an attack that hit more than 700 animal health networks around the world.

It is a reminder that no group, regardless of size or type of business, is immune to ransomware. Every organization must communicate the need to have, at a minimum, the basics of ransomware protection in place:

  • user training and awareness,
  • regular patching of software,
  • multi-factor authentication and unique long passwords,
  • limits on unnecessary access to reduce the impact of an attack, and
  • regular backups and testing of recovery

Jim Love, Chief Content Officer, IT World Canada