Ransomware gangs are increasingly adapting their code to cross-platform programming languages such as Rust or Golang so their malware can spread to systems running operating systems other than Windows, according to Kaspersky.
The observation comes in a report on the latest ransomware trends from Kaspersky researchers on the eve of the third annual Anti-Ransomware Day, which this year is Thursday, May 12th.
Writing malware in a cross-platform language makes it easier to port it to other platforms such as Linux, iOS and Android, the report notes. Another reason is that analysis of cross-platform binaries is a bit harder than that of malware written in plain C.
Groups shifting to this tactic include:
- Conti. Only certain affiliates have access to a Linux variant of the Conti ransomware, the report notes, one targeting ESXi systems. It supports a variety of command-line arguments that the affiliate can use to customize its execution;
- BlackCat. Samples have been found that work on Linux. Although the malware is written in Rust from scratch, Kaspersky found some links to the BlackMatter group, as the actor used the same custom exfiltration tool that had been observed earlier in BlackMatter activities;
- Deadbolt. While written in a cross-platform language, it is currently aimed at only one target: QNAP network-attached storage systems. It is also an interesting combination of Bash, HTML and Golang, the researchers say. Deadbolt itself is written in Golang, the ransom note is an HTML file that replaces the standard index file used by the QNAP NAS, and the Bash script is used to start the decryption process if the provided decryption key is correct. “There is another peculiar thing about the ransomware,” says Kaspersky. “It doesn’t need any interaction with attackers because a decryption key is provided in a Bitcoin transaction OP_RETURN field.”
The report notes two other trends:
First, the ransomware ecosystem is becoming even more “industrialized”.
“Just like legitimate software companies, cybercriminal groups are continually developing their tool kit for themselves and their customers – for example, to make the process of data exfiltration quicker and easier,” say researchers.
For example, when it started, the Lockbit gang didn’t have a leak portal, was not doing double extortion, and didn’t exfiltrate data before encrypting it. That changed over time. Like that of other ransomware families, the report notes, Lockbit’s infrastructure suffered several attacks, including hacking of the Lockbit administration panels and DDoS attacks intended to force the group to shut down its activity, which forced it to implement countermeasures to protect its assets.
The latest security addition is a “waiting page” that redirects users to one of the available mirrors.
Another example of adaptation by ransomware gangs is the replacement of publicly available tools for data exfiltration, such as Filezilla, with their own custom – and faster – tools. Lockbit created one called StealBIT.
Second, ransomware gangs are taking sides in geopolitical conflicts.
For example, on February 25th, Conti said it would retaliate with its full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. CoomingProject, an extortion group, and Stormous (whose code is written in PHP) are also openly supporting Russia.
Freeud, a new ransomware variant, supports Ukraine. Freeud’s ransom note says Russian troops should leave Ukraine. “The choice of words and how the note is written suggest that it is written by a native Russian speaker,” says the report.
There have been consequences for taking sides. Pro-Ukraine hacker groups such as Anonymous, the IT Army of Ukraine and the Belarusian Cyber Partisans have emerged. In February a Ukrainian researcher released messages from the backend of a Jabber server used by Conti members.
Kaspersky offers this advice to CISOs and IT leaders:
- always keep software updated on all devices to prevent attackers from infiltrating IT networks by exploiting vulnerabilities;
- focus defence strategy on detecting lateral movement and data exfiltration to the internet;
- pay special attention to the outgoing traffic to detect cybercriminals’ connections;
- set up offline backups that intruders cannot tamper with. Make sure responders can quickly access them in an emergency when needed;
- enable ransomware and EDR protection for all endpoints;
- provide your security operations centre (SOC) team with access to the latest threat intelligence and regularly upskill them with professional training.