Defeating a hydra
Before the revolution, we knew that: This person was a pickpocket, and he would never partake in a robbery. This person was a burglar, an expert in housebreaking and theft. But, nowadays, pickpockets are engaging in banditry, and burglars are committing murder.
Yuri Klarov, The Black Triangle
Encryption ransomware programs encrypt data, banking trojans steal information… Everyone knows that. However: once a network has been penetrated, why limit oneself to executing a single task?
Here's a typical example from one of our investigations:
One of Doctor Web's customers had all of their problems resolved and was quite satisfied with our security experts' work, and the software developer took the necessary steps to patch the vulnerability.
But it is worth noting that, in that particular case, the target got off lightly. Having gained access to the system, the attacker deployed a rogue mining application that merely increased overall CPU and memory usage, without actually damaging anything. Because the application was running on the kind of server that normally also hosts accounting software, the outcome could have been very different. If encryption ransomware had been planted in the system instead (and the attacker had been planning to do just that!), the cost of the damage would have been enormous. The attacked servers would have become non-operational, and files containing valuable information would have been encrypted, with the probability of their successful recovery next to zero (as is often the case).
In fact, that would be a logical extension of the mining functionality: keep mining cryptocurrency as intended for as long as possible, then, at the first sign of trouble, encrypt everything and demand a ransom. And if the trojan had been part of a botnet (and these days most rogue mining programs are), every one of the many companies whose infrastructure the miner had compromised would have suffered the same fate.
And here is another case:
Ragnar Locker ransomware operatives encrypted computer systems belonging to Portuguese energy giant Energias de Portugal and demanded a ransom of 1580 bitcoins (roughly 11 million USD).
The attackers claimed that they had managed to steal over 10 terabytes of the company's confidential data. Now the attackers are threatening to leak the data online and notify all its customers and partners about the incident, unless the ransom is paid.
Hackers compromised five United States law firms and demanded two 100 Bitcoin (BTC) ransoms from each firm: one to restore access to the data and one to delete their copy, instead of selling it.
So the data is stolen first, and only then is it encrypted: one way or another, the victim will pay. But even if a company yields to the attackers' demands and pays for decryption, there is no guarantee that the criminals will hand over the key and the data will be recovered. And a company that pays to keep its information out of the wrong hands may still see it end up in the public domain.
Any malware infiltration incident presents a mystery, and all the circumstances of the security breach must be examined in order to unravel it. The first question is this: is the file being examined the only piece of code the attackers deployed, or is it just one part of the malicious payload? Naturally, any file that ends up in the hands of malware analysts will, going forward, be recognised as malicious by the anti-virus. But if only one of a hydra's heads is cut off, the remaining ones will continue their nefarious work. Is there a way to detect them too? A client can hand over their entire infected computer for researchers to comb through, but that may be too much of a hassle. Instead, they can provide the files that may contain traces of the criminal activity. This is the kind of data collected by the utility in our support engineers' toolkit: the data that helps us detect and eradicate threats.
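As an added illustration of the "other heads of the hydra" question (this is example code written for this page, not Doctor Web's support utility or any code from the original post), the script below starts from a single file already known to be malicious and hunts through a collected file inventory and autostart list for its likely companions: files written within a short time window of the known sample, files dropped into the same directory, and anything those candidates are wired into via autostart entries. The inventory, the autostart entries and the hash values are constructed for the example; on a real case they would come from the snapshot collected on the infected machine, and every hit is a lead for an analyst to verify, not an automatic verdict.

```python
"""Hunt for the remaining 'heads' once one malicious file is identified.

Added example for this article; not Doctor Web's tooling. The inventory and
autostart data below are constructed, as are the hash values.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file inventory: one record per file, as a collection utility might
# report it (path, last-write time, SHA-256). Only "bad1" is known to be malicious.
INVENTORY = [
    {"path": r"C:\Windows\System32\svchost.exe",          "mtime": "2020-03-01T10:02:00", "sha256": "aaa1"},
    {"path": r"C:\ProgramData\upd\miner.exe",             "mtime": "2020-04-13T02:14:10", "sha256": "bad1"},
    {"path": r"C:\ProgramData\upd\config.json",           "mtime": "2020-04-13T02:14:12", "sha256": "cfg1"},
    {"path": r"C:\ProgramData\upd\locker.dll",            "mtime": "2020-04-13T02:15:03", "sha256": "bad2"},
    {"path": r"C:\Users\acct\Documents\report.xlsx",      "mtime": "2020-04-10T09:30:00", "sha256": "doc1"},
    {"path": r"C:\Users\acct\AppData\Roaming\sync.exe",   "mtime": "2020-04-13T02:20:40", "sha256": "bad3"},
]

# Constructed autostart entries (Run key values, scheduled tasks): name -> command line.
AUTOSTART = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\acct\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater":  r"C:\ProgramData\upd\miner.exe --quiet",
    r"Task\SyncJob":                                                 r"C:\Users\acct\AppData\Roaming\sync.exe",
}

KNOWN_BAD_SHA256 = "bad1"  # the one head that has already been cut off


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_sample(inventory, sha256):
    """Locate the record of the known-malicious file by hash."""
    for rec in inventory:
        if rec["sha256"] == sha256:
            return rec
    raise KeyError(f"no inventory record with sha256 {sha256}")


def siblings_by_time(inventory, anchor, window=timedelta(minutes=30)):
    """Files written within +/- window of the known sample (same drop session)."""
    t0 = _parse(anchor["mtime"])
    return [r["path"] for r in inventory
            if r is not anchor and abs(_parse(r["mtime"]) - t0) <= window]


def siblings_by_dir(inventory, anchor):
    """Files sharing the known sample's directory (a typical staging folder)."""
    d = PureWindowsPath(anchor["path"]).parent
    return [r["path"] for r in inventory
            if r is not anchor and PureWindowsPath(r["path"]).parent == d]


def autostart_hits(autostart, candidate_paths):
    """Autostart entries whose command line references any candidate path."""
    by_lower = {p.lower(): p for p in candidate_paths}
    hits = {}
    for name, cmd in autostart.items():
        for low, orig in by_lower.items():
            if low in cmd.lower():
                hits[name] = orig
    return hits


def hunt(inventory, autostart, known_sha256, window=timedelta(minutes=30)):
    """Return {path: [reasons]} for every file worth a closer look."""
    anchor = find_sample(inventory, known_sha256)
    reasons = {}
    for p in siblings_by_time(inventory, anchor, window):
        reasons.setdefault(p, set()).add("written within window of known sample")
    for p in siblings_by_dir(inventory, anchor):
        reasons.setdefault(p, set()).add("same directory as known sample")
    # Persistence check covers the candidates and the known sample itself.
    candidates = list(reasons) + [anchor["path"]]
    for name, p in autostart_hits(autostart, candidates).items():
        reasons.setdefault(p, set()).add(f"referenced by autostart entry {name}")
    return {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    for path, why in hunt(INVENTORY, AUTOSTART, KNOWN_BAD_SHA256).items():
        print(path)
        for w in why:
            print("   -", w)
```

On the constructed data this flags config.json and locker.dll (same folder, same minute), sync.exe (dropped six minutes later and wired into a scheduled task) and the known miner's own Run key, while the unrelated spreadsheet and the genuine svchost.exe stay out of the picture. The time window and directory heuristics are deliberately simple; they are the first filter an analyst applies to a collected snapshot, not a replacement for examining the flagged files.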
By the way, the meticulous investigations undertaken by our security researchers can uncover a great deal, including prolonged attacks like this one.