Encrypted ransomware captured in micro-virtual machines

The latest Threat Insights report from HP finds that ransomware is now less likely to be delivered by email than by humans.

The National Cyber Security Centre (NCSC) has recently published its Annual Review. At the same time, a new Threat Insights Report from HP has further analysed the current cybercrime landscape.

The NCSC report shows it uncovered 15,354 campaigns that had used coronavirus themes as a "lure" to fool people into clicking on a link or opening an attachment containing malicious software. However, HPs researchers found that only 5% of the emails they examined used this as a lure - so while this is significant, it is still not a primary tactic.

HPs report found the use of thread jacking was common, where hackers gain access to a user's inbox and send reply all messages within threads to lure people into clicking on malicious content. Aside from thread-jacking, hackers still favour ‘traditional’ hooks to lure users: Two fifths of Emotet malware lures delivered via email that could be identified included invoices, purchase orders and contracts; almost a third (31%) were forms and messages; while nearly a quarter (24%) were amendment notifications.

The NCSC report also said it handled more than three times as many ransomware incidents in 2020 than last year. Again, this is an area covered in the HP report which found a shift in the way ransomware is being delivered. While in the past ransomware was often delivered via email – a user would open an email attachment or link, and the ransomware would immediately start encrypting their files – this is less common now, as ransomware operators have become more selective about which organisations they target. Today, attackers will often have already gained access to victim systems through Trojans, such as Emotet. They then use their access to understand and move around a victim’s network before deploying ransomware in as little as a matter of hours.

More generally, the HP report also shows that Emotet spam campaigns have increased by more than 1,200% in Q3 2020 (July to September), compared to Q2 2020. Enterprises are being specifically targeted, with a quarter of Emotet spam sent to .org domains, while Japanese and Australian organisations were most affected by Emotet spam activity; analysis shows that 32% of samples were sent to Japanese domains, while nearly 20% targeted Australian domains. Almost half (43%) of threats delivered via email in Q3 were Trojans.

Alex Holland, a senior malware analyst at HP who researched the report has commented: “The typical pattern of Emotet campaigns we have seen since 2018 suggests that we are likely to see weekly spam runs until early 2021. The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors.

"Within underground forums and marketplaces, access brokers often advertise characteristics about organisations they have breached – such as size and revenue – to appeal to buyers. Ransomware operators in particular are becoming increasingly targeted in their approach to maximise potential payments, moving away from their usual spray and pray tactics. This has contributed to the rise in average ransomware payments, which has increased by 60%.”

The report was compiled between July and September 2020 using customer data collected from HP’s Sure Click Enterprise. HP Sure Click traps malware within secure micro-virtual machines, isolated from the network and device. A side effect of protecting users in this way is it can capture malware that has not been detected by other security tools, because it tricks the malware into showing its hand – even for malware that’s only designed to execute after human interaction. HP Sure Click then allows it to run in a secure environment; this gives researchers access to the full kill chain providing rich threat telemetry around how the malware behaves.

This visibility meant that in one campaign, HP saw hackers encrypting malicious documents with Microsoft Word’s ‘Encrypt with Password’ feature, to slip past network security and detection tools. The malware, in this case TrickBot, would only deploy if the user entered a password sent with the phishing email. This meant that most anti-virus tools weren’t able to access the file to scan it. However HP were able to watch it in the micro-VM - a relatively simple tactic, but one that has proven to be effective in bypassing detection.

The data illustrates the failings of detection, and highlights why organisations need to focus on proactive protection measures, as Ian Pratt, Global Head of Security for Personal Systems at HP Inc. explains: We need to reinvent how we approach security; a new, hardware-powered approach is needed that stops putting the burden of security on users by isolating threats to ensure they cannot infect PCs or spread through corporate networks.

"While the industry assumption to date is that protection can't work, we are challenging this by offering a new, architecturally sound approach to the problem that is transparent to the end user. Key to this is making the shift to a model that doesn’t rely on detection, but instead uses sound security engineering practises – such as fine-grained isolation, the principle of least privilege (PoLP) and mandatory access control - to provide protection without the need for detection."


Main image courtesy of iStockPhoto.com

MORE ABOUT: