Ransomware continues to grow and expand, both in the number of attackers and the number of potential victims. This week we feature some of the attackers’ strategies described in recent news items.
What’s next – “Ransomware in a box?” New “Agenda Ransomware” can be customized for each victim
A new ransomware strain called “Agenda”, written in Google’s open source programming language “Go” (aka Golang), was detected and reported by researchers at Trend Micro earlier this week. There has been a trend toward using newer languages such as Go and Rust to write malware, particularly ransomware.
The fact that these languages can produce binaries for multiple platforms makes the resulting malware a much greater threat. Go programs can be built for several operating systems and are stand-alone: they execute without a Go interpreter or runtime installed on the host system.
In addition, the creators have added a new wrinkle: making this new variant “easily customizable.” This new strain is being sold on the dark web as Ransomware as a Service (RaaS). Qilin, the threat actor selling it to its “affiliates”, claims it will allow them to easily customize, for each victim, the:
- binary payloads
- ransom note
- encryption extension
- list of processes to terminate before encrypting the data
Finally, Agenda has a clever detection evasion technique that is also used by the REvil ransomware. It changes the user’s password and enables automatic login with the new credentials, which lets the attacker reboot the victim’s system into safe mode and control it from there.
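The two changes described above leave visible traces on the host, which is what a defender can alert on. The following script is an added example (not Trend Micro’s code and not the ransomware’s) that checks for them. It assumes that on a live Windows host the automatic-logon values are read from the Winlogon registry key under HKLM and the pending safe-mode boot from the output of `bcdedit /enum {current}`; the `SAMPLE_*` inputs are constructed to show what a compromised host might report, and the severity labels are the example’s own.

```python
"""Defender-side check for the autologon plus safe-mode pattern described above.

Added example: not Trend Micro's code and not the ransomware's. It assumes a
live Windows host exposes the autologon values under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon and the boot
setting in `bcdedit /enum {current}` output; the SAMPLE_* inputs are constructed.
"""
import re
import sys

WINLOGON_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUES = ("AutoAdminLogon", "DefaultUserName", "DefaultDomainName", "DefaultPassword")

# Constructed sample of what a compromised host might report.
SAMPLE_WINLOGON = {
    "AutoAdminLogon": "1",
    "DefaultUserName": "Administrator",
    "DefaultPassword": "constructed-sample-password",
}
SAMPLE_BCD = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
description             Windows 10
safeboot                Network
"""


def assess_winlogon(values: dict) -> list:
    """Flag autologon settings; `values` maps Winlogon value names to strings."""
    findings = []
    if str(values.get("AutoAdminLogon", "0")).strip() == "1":
        user = values.get("DefaultUserName", "<unset>")
        findings.append(f"AutoAdminLogon enabled for {user!r}")
    if values.get("DefaultPassword"):
        findings.append("DefaultPassword stored in plaintext under Winlogon")
    return findings


def assess_bcd(bcd_text: str) -> list:
    """Flag a pending safe-mode boot in `bcdedit /enum {current}` output."""
    m = re.search(r"^\s*safeboot\s+(\S+)", bcd_text, re.MULTILINE | re.IGNORECASE)
    return [f"safeboot={m.group(1)}: next reboot enters Safe Mode"] if m else []


def assess_host(values: dict, bcd_text: str) -> dict:
    """Combine both checks; the pair together is the pattern from the article."""
    autologon = assess_winlogon(values)
    safeboot = assess_bcd(bcd_text)
    if autologon and safeboot:
        severity = "high"      # safe-mode reboot with automatic logon prepared
    elif autologon or safeboot:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "findings": autologon + safeboot}


def collect_winlogon() -> dict:
    """Read the live Winlogon values (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, available only on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_PATH) as key:
        for name in WINLOGON_VALUES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # an absent value is the normal, clean state
    return out


if __name__ == "__main__":
    report = assess_host(SAMPLE_WINLOGON, SAMPLE_BCD)
    print(report["severity"])
    for finding in report["findings"]:
        print(" -", finding)
```

On a real host, replace `SAMPLE_WINLOGON` with `collect_winlogon()` and `SAMPLE_BCD` with the captured `bcdedit` output; either setting alone has legitimate uses (kiosk autologon, a technician booting to safe mode), so the combination is what deserves a high-priority alert.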
Trend Micro reported that this allowed one attacker to move from reconnaissance to full-fledged attack in only two days. On the first day, the attacker scanned a Citrix server, and on the second day mounted a customized attack.
For more information you can review the original Trend Micro posting.
New Linux ransomware families
Another way that threat actors are expanding the attack surface is by targeting Linux, one of the predominant operating systems on internet and cloud servers. RaaS offerings are increasingly targeting Linux systems.
Although Linux is regarded as a very secure operating system, and vulnerabilities are consistently patched, the large number of Linux distributions in use world-wide ensures that a significant number of vulnerabilities exist at any given time. Failure to update and patch systems creates a large potential target base.
But software vulnerabilities are not the only area of weakness. Configuration mistakes are often the more likely factor in the breach of a Linux system, according to researchers at Trend Micro.
Remarkably, these include easily remedied issues such as:
- default or weak passwords, and sometimes no password at all
- exposed services and open ports on the internet
- open file shares
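Each of the three misconfigurations above can be found with a few lines of parsing over files and command output an administrator already has. The script below is an added example, not Trend Micro’s code: it checks `/etc/shadow` for accounts with no password, `/etc/exports` and `smb.conf` for shares open to everyone, and `ss -tlnp` output for services bound to every interface. All `SAMPLE_*` inputs are constructed, and the port allow-list is an assumption you would tune for your environment.

```python
"""Audit helpers for the three Linux misconfigurations listed above.

Added example, not Trend Micro's code. It works on text the defender collects
(/etc/shadow, /etc/exports, smb.conf, `ss -tlnp` output); every SAMPLE_* input
is constructed, not taken from a real host.
"""
import re

SAMPLE_SHADOW = """\
root:$6$constructedhash:19500:0:99999:7:::
backup::19500:0:99999:7:::
svc:!:19500:0:99999:7:::
"""
SAMPLE_EXPORTS = """\
/srv/data *(rw,no_root_squash)
/home 10.0.0.0/24(rw,root_squash)
"""
SAMPLE_SMB_CONF = """\
[global]
   map to guest = Bad User
[public]
   path = /srv/public
   guest ok = yes
[private]
   path = /srv/private
   valid users = alice
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=1,fd=3))
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*          users:(("redis-server",pid=2,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=3,fd=20))
LISTEN 0      50     [::]:445            [::]:*             users:(("smbd",pid=4,fd=30))
"""
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def empty_password_accounts(shadow: str) -> list:
    """Accounts whose shadow hash field is empty; '!' or '*' there means locked."""
    return [f[0] for f in (row.split(":") for row in shadow.splitlines())
            if len(f) > 1 and f[1] == ""]


def open_nfs_exports(exports: str) -> list:
    """(path, client, reason) for exports open to any host or with no_root_squash."""
    findings = []
    for raw in exports.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:          # a bare path exports to everyone
            client, _, opts = spec.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if client in ("", "*"):
                findings.append((path, "*", "exported to any host"))
            if "no_root_squash" in options:
                findings.append((path, client or "*", "no_root_squash"))
    return findings


def guest_smb_shares(smb_conf: str) -> list:
    """Share names with 'guest ok = yes' (minimal smb.conf section parser)."""
    shares, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            shares[section] = {}
        elif "=" in line and section is not None:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            shares[section][key] = val
    return [n for n, o in shares.items()
            if n != "global" and o.get("guest ok") in ("yes", "true", "1")]


def exposed_listeners(ss_output: str, allow_ports=frozenset({22})) -> list:
    """(port, process) for listeners bound to every interface, minus allow_ports."""
    out = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        proc = re.search(r'\(\("([^"]+)"', line)
        if addr in WILDCARD_ADDRS and int(port) not in allow_ports:
            out.append((int(port), proc.group(1) if proc else "?"))
    return out


def audit(shadow, exports, smb_conf, ss_output) -> dict:
    """Run all checks and return one report dict."""
    return {
        "empty_passwords": empty_password_accounts(shadow),
        "open_exports": open_nfs_exports(exports),
        "guest_shares": guest_smb_shares(smb_conf),
        "exposed_listeners": exposed_listeners(ss_output),
    }
```

Feed `audit()` the real file contents and `ss -tlnp` output from a host to get a report; on the constructed samples it flags the `backup` account, the wide-open `/srv/data` export, the `public` share, and Redis and SMB listening on every interface, while the private share, the localhost-only MySQL and the allow-listed SSH port pass.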
To quote Trend’s report, “given the prevalence of Linux, ransomware actors find the operating system to be a very lucrative target.”
Ransomware “going to the dogs” is no joke
As RaaS and customizability become more and more prevalent, there’s an increasing ability to target smaller and more specific groups. We are familiar with ransomware attacking health care organizations, but recently the United Veterinary Services Association has written to its members with recommendations to increase ransomware prevention after an attack that hit more than 700 animal health networks around the world.
It is a reminder that no group, regardless of size or type of business, is immune to ransomware. Every organization must communicate the need to have, at a minimum, the basics of ransomware protection in place:
- user training and awareness,
- regular patching of software,
- multi-factor authentication and unique long passwords,
- limiting unnecessary access to reduce the impact of an attack, and
- regular backups and testing of recovery