Petya, NotPetya, Good Rabbit, Bad Rabbit… the rise of ransomware
February 2, 2018
A type of malicious software designed to block access to a computer system until a sum of money is paid.
‘although ransomware is usually aimed at individuals, it's only a matter of time before business is targeted as well’
The word 'ransomware' might have just made it into the Oxford English dictionary this year, but it has regularly been topping news across the world for the scalps it takes.
The frequency has not just quadrupled but increasingly, the scale of attacks has been overwhelming. Earlier this week, it was announced that the number of cyber-attacks against financial services companies reported to the Financial Conduct Authority (FCA) has risen by more than 80% in the last year! I recently spoke to Amit Serper, self-professed adware party pooper and principal security researcher at EDR and NGAV platform, Cybereason. If you don't know him by the words on his business card, you will know him as the person who developed a vaccine to prevent the Bad Rabbit data-encrypting malware from infecting machines.
Obviously, my first question to Serper was why he thought these type of attacks were on the rise. 'Because they work... People pay the ransom!' Talking about the links between WannaCry, Petya, NotPetya and Bad Rabbit ransomware strains, he said: 'Wannacry and NotPetya were targeted attack, with high probability by a nation state. Bad Rabbit was similar to Petya and NotPetya in the way that it was encrypting the disk and keeping your computer from booting whereas NotPetya was a nation state sponsors attack that compromised the supply chain of a Ukranian software company. Also, the decryption was never meant to work, it was a wiper but that's not the case with Bad Rabbit. Wannacry and NotPetya were using exploits leaked from the NSA but Bad Rabbit didn't.
So how was he able to pinpoint a workaround so quickly?
'I reverse engineered the code. It's what I do 🙂
Vaccination for the Ukraine round 2? Wanna stop #badrabbit?
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now... pic.twitter.com/3MSSH8WKPb
Raj Samani, Chief Scientist at McAfee says: 'The key definition of what we see in this threat is about holding data to hostage. Charging money for you to get your data back. The reality is that its now morphed into something else- over the past few months we have started to see an indication that this is a threat vector that can be used for other purposes... For example, to smokescreen against something else. In the case of Bank of Taiwan, they saw that ransomware was being used to keep the IT department busy. NotPetya was designed for destruction rather than the sole purpose of making money. So, what we will see in 2018 and beyond is the adoption of this technique called pseudo-ransomware where the ultimate purpose is not to make money but rather as a smokescreen to keep the IT department busy for perhaps something else. We always look at the headlines and then think which country did it but there is speculation on that, but we have always been able to attribute attacks.
And the rise and rise of cryptocurrency will not help the cause of those trying to fight off ransomware.
While the link between ransomware and Bitcoin has been proven, Fortinet researchers, recently, came across a ransomware that only accepts Monero- an open source cryptocurrency created in 2014- for payment, representing a shift away from the widely used and accepted standard Bitcoin in the ransomware space.
This latest ransomware not only asks for payment via Monero, but it also pretends to be a cryptocurrency-related password store. The malware masquerades as a ‘spritecoin’ wallet, asking the user to create their desired password, but does not actually download the blockchain. However, it does secretly encrypt the victim’s data files. It then demands a ransom in Monero cryptocurrency in return for decrypting the victim’s data. Adding insult to injury, during the decryption phase another piece of malware is deployed with capabilities including certificate harvesting, image parsing, and web camera activation.
Reiterating the findings and Samani's prediction of a proliferation of ransomware in 2018, Chris Ross, SVP International at Barracuda Networks says: 'As the biggest cyber threat to businesses, ransomware attacks are becoming ever more widespread. In fact, in a survey we carried out earlier this year , 47% of respondents had been a victim of ransomware!
Even though the attackers were only able to obtain basic personal data within the Uber attack and no sensitive information such as location data or credit card numbers, this information can still be used by cyber criminals for identity theft purposes, which can ruin a person's credit rating. Furthermore, in failing to notify its drivers and customers that their data had been breached, come May 2018 it could have been fined $800 million under the new European Union’s GDPR.
'This attack reiterates that the effects of an attack are no longer limited to the boardroom, or to the organisation itself. From our survey, more than three in ten admitted their customers (35%) and even employees (32%) had lost faith in their cyber security as a result of an attack. Perhaps most shockingly, around one in five reported a temporary closure of the business (21%) or a loss of customers altogether (17%). While it’s not been confirmed that Uber did pay the attackers, we always advise against paying ransoms. Even if you do pay up, there is no guarantee you’ll get your data back or that the attackers will delete your data, as we’re increasingly seeing cyber criminals take the money and run.
Supermarket chain Morrisons has been asked to pay compensation to 5,518 current and former employees whose personal and financial details were published online by a former staff member. Morrisons was …
FastBooking, a Paris-based firm offering booking services for over 1,000 hotels across 100 countries, suffered a major breach when unnamed hackers exploited a vulnerability in an application hosted on the …