Breach Notification , Business Continuity Management / Disaster Recovery , Cybercrime

7 Ransomware Trends: Gangs Join Forces, Auction Stolen Data

Can't Stop the Crypto-Locking Malware Attacks? Criminals Keep Hitting Big Targets
7 Ransomware Trends: Gangs Join Forces, Auction Stolen Data
More versions of Jigsaw ransomware (lockscreen ransom note pictured) can now be unlocked for free (Source: Emsisoft)

Ransomware gangs continue to innovate. Indeed, barely a day seems to go by without news of yet another high-profile victim of crypto-locking malware coming to light.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

In just the past week, for starters, reports have emerged of a collaboration between the Maze and Lockbit gangs, as well as the REvil - aka Sodinokibi - operators not leaking stolen data for free when victims don't pay, but instead auctioning it off to the highest bidder. And despite the ongoing COVID-19 pandemic, many gangs have continued to pummel the healthcare sector and its suppliers.

Here are seven of the latest ransomware trends.

1. Maze Offers 'Data Leaking as a Service'

The Maze ransomware gang was the first to begin not just crypto-locking systems, but also stealing and leaking data, to try and force victims to pay. Since beginning to use this tactics in October 2019, about a dozen other gangs or ransomware-as-a-service operations have followed suit, including Nefilim, Sekhmet and REvil (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

The leak sites appear to be a response to fewer victims paying ransoms to attackers. "The reason that they're creating leak sites is because the message got across, right?" says Raj Samani, chief scientist at McAfee. "People, I believe, were paying less and less."

Continuing to be a trendsetter, Maze has now gone a step further, and begun collaborating with the Lockbit gang, by posting data stolen by Lockbit to Maze's dedicated leaks site, according to IBM X-Force researchers. The group didn't previously have a data-leaking site.

The move could be part of a bid by Maze to offer data-leaking-as-a-service to other ransomware gangs, via Maze's relatively high-profile data-leaking site.

"We do not have any specific information on what Maze is receiving for providing this service to other groups, but we strongly suspect that they are getting a percentage of any payment that the victims make in response to the data being posted on the Maze site," says Ole Villadsen, a cyberthreat hunt analyst for IBM X-Force IRIS.

But Maze has continued to expand its leaking syndicate, and by Monday had begun hosting leaks from the RagnarLocker gang, which previously dumped data using the Mega file-sharing site, reports the Ransom Leaks account on Twitter, which tracks ransomware gangs. "RagnarLocker's leak site was hosting leaks on which leaves them vulnerable to takedowns," it reports. "Hosting on Maze's infrastructure means they don't have to worry about it and they can retire their WordPress site."

2. Fresh Shakedown Play: Auctioning Stolen Data

Another innovation that's come to light in recent days is not leaking data, but instead auctioning it for sale to the highest bidder.

Last week, the operators behind the ransomware-as-a-service operation REvil began auctioning data that the gang claims was stolen from Canadian agricultural company Agromart Group, which includes Sollio Agriculture, and promised there would soon be more victims to highlight.

"While ransomware groups have likely sold and traded data in the past, this is the first time that it has actually been sold in an organized auction - but it will probably not be the last time," Emsisoft threat analyst Brett Callow tells Information Security Media Group.

"Selling the data in this way not only provides the criminals with an additional option for monetization, it also puts additional pressure on future victims," he says. "The prospect of their data being auctioned and sold to competitors or other criminal enterprises is likely to concern companies more than the prospect of it simply being posted on an obscure Tor site.”

On the other hand, a shakedown is a shakedown, right? "While there is no substantive difference, I suspect companies may feel more pressured by the prospect of their data being auctioned," Callow adds.

That proposition is set to be further tested, as REvil in recent days has begun data auctions for two more alleged victims: Fraser Wheeler & Courtney LLP, based in Lake Charles, Louisiana; and Vierra Magen Marcus LLP, in Daly City, California. Neither law firm immediately responded to a request for comment.

3. Targeted Ransomware Attacks Continue

Ransomware attacks typically fall into one of two buckets, says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. Some attackers practice "smash and grab," gaining access to a network, infecting a bunch of endpoints and then moving on, he says. But other attackers are more advanced, and spend their time conducting reconnaissance, gathering credentials, studying potential avenues for hitting business partners and more.

Attackers wielding any strain of malware may bring more advanced moves, including "living off the land" tactics - using legitimate network administration tools to help escape detection - to bear (see: 10 Ransomware Strains Being Used in Advanced Attacks).

But some types of ransomware appear to get used only for targeted attacks. For example, researchers at BlackBerry and KPMG's UK Cyber Response Services have just released a joint report into Tycoon, a strain of ransomware that uses a Trojanized Java runtime environment to hit both Windows and Linux systems. Security researchers say the ransomware has been seen in attacks targeting organizations in the education and software development sectors, since last December.

"To deploy this ransomware, the threat actor needs to establish a foothold into the organization, do reconnaissance, identify targets and gain access," Eric Milam, vice president of threat intelligence at BlackBerry, tells ISMG (see: Report: Tycoon Ransomware Targets Windows, Linux Systems).

4. Healthcare Keeps Getting Hit

Despite the pandemic, and some ransomware gangs pledging to try and not hit healthcare organizations, security experts say they've seen no cessation in attacks targeting the sector. In fact, the healthcare sector may be getting hit more than ever before (see: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare).

Two more ransomware attacks against healthcare organizations that have recently come to light involved incidents at Woodlawn Dental Center in Cambridge, Ohio; and Mat-Su Surgical Associates in Palmer, Alaska. Both incidents potentially involved attackers stealing sensitive data and were reported to the Department of Health and Human Services' Office for Civil Rights

5. More Free Decryptors

The “Billy the Puppet” image used for the original Jigsaw ransomware variant's ransom demand.

Thankfully, the current ransomware story isn't all doom and gloom.

The No More Ransom project, which provides free decryptors for a number of strains of ransomware, recently added free decryptors for JavaLocker and Vcryptor ransomware.

Also in recent days, Emsisoft released a free decryptor for RedRum ransomware, which it says "encrypts victim's files using AES256 GCM and RSA-1024, adding the extension ".id-.[].redrum" to files."

Emsisoft has also released an updated decryptor for Jigsaw, giving it the ability to decypt the .ElvisPresley variant. (Jigsaw can include a range of filenames, including .fun but also .gdpr and .payransom, among many others.) The firm also updated its Mapol ransomware decryptor, adding coverage for more varieties.

Security experts recommend ransomware victims use both No More Ransom as well as ID Ransomware, maintained by Emsisoft employee Michael Gillespie (@demonslay335), to identify the strain of ransomware with which they've been hit, to see if free decryptors or workarounds might be available to restore encrypted data.

No More Ransom offers this via the site's "Crypto Sheriff" page, while ID Ransomware offers it from the homepage. Both services allow victims to upload an encrypted file for identification, while ID Ransomware also gives victims the ability to upload a ransom note for identification purposes.

6. Unfixed Flaws Get Exploited by Others

Unfortunately, security experts haven't cracked every strain of ransomware in use, meaning there aren't free decryptors for many strains of crypto-locking malware. But that may only be part of the problem for an organization that discovers its systems have been forcibly encrypted, with a gang demanding a ransom in return for the promise of a decryption key or decryptor tool.

Indeed, experts have long warned that many successful ransomware attacks must be seen as being part of a bigger incident response challenge (see: Surviving a Breach: 8 Incident Response Essentials).

Namely, many breaches do not begin or end with ransomware. Before infecting systems with crypto-locking malware, attackers may have gained remote access to the network via brute-forced remote desktop protocol credentials or a phishing attack. Then they may have spent weeks or months leapfrogging to other systems, conducting reconnaissance, potentially stealing administrator-level access credentials for Active Directory as well as stealing sensitive data to potentially leak it later if victims do not immediately pay.

Even after a company experiences a ransomware outbreak, the current attackers may not be finished, and new attackers may come calling to try and find weaknesses the company hasn't yet fixed.

"Toll Group was attacked a second time because it failed to secure its network after the first attack," Emsisoft's Callow says, referring to the Australian shipping giant, which got hit by a Netwalker - aka Mailto - attack in March, only to get hit about six weeks later by the Nefilim gang. Likewise, mailing equipment manufacturer Pitney Bowes was recently hit by a ransomware attack - it's blamed Maze - after being previously hit by ransomware in October 2019, reportedly by Ryuk.

7. Gangs May Still Be Camped Out

Sometimes, attackers remain camped out in victims' networks after hitting it with ransomware. For victims, one challenge can be that attackers can eavesdrop on their post-breach response plans. Recently, for example, "REvil and Maze seemingly continued to have post-incident access to Agromark and ST Engineering’s networks," Callow says.

In the latter attack, Singapore-based defense contractor ST Engineering has confirmed that its North American subsidiary VT San Antonio Aerospace was hit by the Maze ransomware gang. ST Engineering hasn't said when the attack began. Documents subsequently leaked by attackers, however, include an incident response report - suggesting that attackers continued to enjoy remote access to systems - saying the firm's systems were crypto-locked by attackers on March 7. But the veracity of the leaked data - which may have been altered by Maze - could not be confirmed.

REvil's leak site includes an auction for data allegedly stolen from Sollio Agriculture's Agromark Group before its systems were crypto-locked. (Source: Emsisoft)

Similarly, in the case of Sollio Agriculture's Agromark Group, REvil has leaked a June 2 email that appears to be an internal company communication detailing how the company is responding to the ransomware infection, including by crafting an internal communications message, speaking with attorneys and "talking with a consultant to better understand the profile of the pirats' [sic] Twitter account and take some defensive measures."

The internal email adds in red text: "Do not forward this email."

Sollio Agriculture didn't immediately respond to a request for comment about the veracity of the leaked data, when it detected the attack or when it was remediated.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.