GandCrab: The New King of Ransomware?
19.7.18 securityweek Ransomware
Cryptominers have plateaued, GandCrab is the new king of ransomware, adware -- surprise! -- is as prolific as ever, and VPNFilter might herald a new genre of sophisticated multi-purpose malware. These are some of the conclusions drawn from the Malwarebytes Cybercrime tactics and techniques report for Q2, 18.
The details come from an analysis (PDF) of the telemetry obtained from the millions of computers using Malwarebytes software. It confirms what has been seen elsewhere: "Ransomware detections dropped this quarter on both the consumer and business sides by 12 and 35 percent, respectively."
This doesn't mean that ransomware has gone away. GandCrab has been the most prolific, partly down to its use by the Magnitude botnet. A decryptor for GandCrab is available on the NoMoreRansom website; but Malwarebytes warns, "there's always a risk that the latest versions being distributed by various exploit kits have no solution in place."
Other new ransomwares highlighted in the report demonstrate either ends of the sophistication spectrum. Spartacus is simple. Although there is no current decryptor, the report suggests, "Spartacus is the kind of software one expects to find offered on a script kiddie forum. There's no online functionality whatsoever." It adds that it seems likely (because the RSA key is embedded in the ransomware), that the private key is held on the author's server. "Decryption for all victims is possible, should this key ever be leaked."
SamSam resides at the sophisticated end of the spectrum. It has had high profile success at the City of Atlanta and Hancock Health this year. "While SamSam has been around for some time, recent evolutions in the attack vector and methodology have proven novel in their approach and successful for the attackers -- raking in over $1 million this year," comments Malwarebytes. Unlike many other ransomwares, SamSam specifically targets and compromises its victims before encrypting the files.
Many commentators have noted that criminal focus has shifted from ransomware to cryptomining in recent months. Malwarebytes telemetry suggests that cryptomining growth has now flattened. It is already declining in the consumer arena, and the firm expects to see it also decline in business attacks next quarter. It suspects that criminals are not receiving the returns on effort they expected; but warns that growth or decline might depend on whether the value of crypto coins goes up or down. Business detections in Q2 grew by just 5%, while consumer detections fell by 36%.
Adware, always near the top of all malware detections, is on the opposite trajectory. Consumer detections grew by 19% (making it the top consumer threat), while business detections fell by 7% (making it the third most prolific threat).
The fastest growing threat for both consumers and businesses has been the return of the backdoor -- growing by 442% up to number three for consumers, and by 109% up to number four for businesses. Malwarebytes puts much of this growth to a malware spreading campaign it refers to as Backdoor.Vools. Since it uses the worm features that exploit vulnerable SMB protocols, Malwarebytes expects it to hang around for months to come.
However, it warns, "The primary fear of Vools' capabilities is not due to its mining component or even its use of ETERNALBLUE, but the additional threats that this malware can and will install on the system once cryptomining goes out of fashion. Based on plummeting cryptocurrency values over the last few months, that time is going to come sooner than later."
While backdoors became more popular, spyware dropped in popularity -- at least in business detections. In consumer detections it grew by 32%; but in business detections it fell 41%, dropping from the most detected malware to the fifth most detected. "The top spyware for Q2," notes the report, "was the notorious TrickBot, which added functionality to steal cryptocurrency wallets from its victims." However, Malwarebytes suspects that the fall will continue, and spyware may not be in the top ten threats for business in Q3.
The report reserves particular attention for VPNFilter, "malware that reportedly infected over 500,000 small-office and consumer-grade routers and NAS devices." The FBI has said that Russian government-linked Fancy Bear (APT 28) is responsible for the malware; and although the initial infection vector is unknown, an understanding of its capabilities is growing. It is multi-stage malware that eventually has wide-ranging functionality. Stage 2 can download files, restart devices, copy data, execute programs, kill processes, and set proxies and other configuration parameters.
Stage 3, downloaded by stage 2, establishes a Tor client to send stolen data back to the authors. The malware, notes the report, "is not only capable of harvesting usernames and passwords, but can also change webpages and insert artificial data to deceive users while, at the same time, draining accounts in the shadows. VPNFilter could also be used to perform DDoS attacks or as a catalyst to install other software like coin miners."
Malwarebytes believes that the end of Q2 18 and the beginning of Q3 is "the cusp of another significant change in the cybercrime world." It believes that cryptomining will continue to decline, but that ransomware will stage a comeback. It expects more activity from exploit kits, but they will not regain their earlier importance. It does, however, expect data-stealing threats to increase. Since GDPR will limit the time for companies to retain the personal information of their customers, criminals will resort to stealing it directly from the customer.
But perhaps most importantly Malwarebytes believes that VPNFilter might spawn copycats that will target widely-used devices -- and "a new age of IoT malware, long predicted, may finally come to pass."
Santa Clara, Silicon Valley-based Malwarebytes raised $50 million in a Series B funding round from Fidelity Management and Research Company in January 2016, bringing the total raised by the firm to $80 million.