In a consistently more disruptive and volatile cyberthreat landscape, ransomware attacks have continued hitting the headlines, keeping IT teams up at night.
Ransomware has rapidly become the key cyberthreat to organisations globally. This is despite an increasingly active and disruptive geopolitical threat picture, with individual organisations, global supply chains and critical infrastructure also increasingly targeted by state-linked actors.
As such, the growing and evolving digital ecosystem is both an existential risk and invaluable opportunity for all. Companies that treat it as such and understand the overarching drivers of risk to the digital ecosystem will be better equipped to successfully navigate the complexities of the evolving threat landscape.
This approach will prove the most effective and sustainable in building secure, compliant, and resilient businesses in the information age. For organisations, mitigation measures – built on proactive, threat-led cyber security solutions and well-rehearsed and realistic cyber crisis scenarios, including ransomware – can prevent increasingly capable criminal, state, and non-state threat actors from forcing your business into unnavigable situations.
Cybercriminals have always found success leveraging global epidemics to socially engineer victims in attacks that lead to ransomware and other malware. During past epidemics such as SARS and Ebola, attackers developed a distinct pattern to claim victims. This pattern continues with the current anxiety levels around coronavirus.
Ransomware continues to pose a significant risk to organisations, using techniques that are growing more sophisticated and targeted. The impact these attacks have on organisations has increased to the point where some have gone out of business. Therefore, security and risk management leaders need to look beyond just the endpoints to help protect the organisation from ransomware.
The cost of recovery and the resulting downtime in the aftermath of a ransomware attack, as well as the reputational damage, can be 10 to 15 times more than the ransom.
Current malware phishing operations
AZORult – as early as late January 2020, malware distributors launched a campaign with phishing emails that targeted companies whose supply chain operations and revenue streams the outbreak could disrupt. The targeted businesses came from a variety of sectors, including manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetics.
The perpetrators have been sending emails with malicious Microsoft Word documents attached. The attachments install the AZORult malware – a credential and payment card information-stealer. A flaw allows attackers to execute remote code on a vulnerable machine once the malicious document is opened – even without user interaction.
Emotet – similarly, phishing scams are spreading the Emotet Trojan by using malicious messages that purport to contain information about coronavirus. This scam capitalises on a user’s desire to learn more about the coronavirus threat. Included in the emails are Microsoft Office attachments that use malicious macros to infect recipients with Emotet.
Security researchers first identified the Emotet Trojan in 2014 when it was deployed against the financial sector. Emotet uses functionality that helps the software evade detection by some anti-malware products. It also has worm-like capabilities that help it spread to other connected computers. Emotet is one of the most costly and destructive pieces of malware, affecting government and private sectors as well as individuals and organisations.
In 2019, cybercriminals made Emotet even more dangerous by updating its attack methods with the ability to send victims emails from past messages, steal credentials from its victims to send outbound messages, and hijack victims’ email accounts. These techniques make it easier for hackers to trick users into thinking they are responding to a legitimate email.
Social engineering – another campaign cybercriminals are having success with capitalises on conspiracy theories claiming the existence of “unreleased cures” being kept from the public. The email urges recipients to click on an embedded link to receive information about the “cure.” The link then leads users to a fake DocuSign page where they’re encouraged to share personal credentials to receive the information.
Beware of fake domains – phishing emails use lookalike domains, e.g. who.int.org, to appear to come from the World Health Organisation (WHO’s legitimate domain is who.int). The emails urge victims to click on a link to download a document on health and safety measures. Victims believe the link is taking them to the WHO website, but it redirects them to a fake site that looks like a Microsoft Outlook login page. Here, victims are asked to enter the username and password associated with their email address. If someone enters their credentials, the information is sent to the attackers.
Same old health-scare playbook
Many of the attack methods cybercriminals are using have been deployed during previous international health scares. The only significant difference is the improvements they have made to their attack tools.
- Influenza Pandemic (2019): Cybercriminals conducted a malspam campaign about a new flu pandemic. The emails contained a malicious attachment that, when opened, installed ransomware on the target’s computer.
- Zika Virus (2016): Researchers discovered an email purporting to be from Saúde Curiosa, a health and wellness website in Brazil. Within the email were links and attachments claiming to be instructions on how to eliminate the virus and the mosquitoes that spread it – one of the links, which infected computers with a form of malware, was clicked more than 1,500 times. The malware remains in use by attackers.
- Ebola Outbreak (2014): Cybercriminals sent emails with an attached report on Ebola; users who clicked on the report activated malware. Cybercriminals also sent emails posing as a well-known telecom and ISP and offered a presentation on the Ebola virus, delivered as a zip file that installed malware. A further email claimed a cure for Ebola had been discovered and that the news should be covering it; users who clicked on the link in the email were infected with malware. While none of these older malware formats appear to be a significant threat to organisations today, cybercriminals continue to deploy similar or updated versions.
- AIDS Virus (1989): The first known healthcare-focused ransomware attack targeted AIDS researchers in 1989 and was called the “AIDS virus.” This virus came on a floppy disk and scrambled the contents of its victims’ computers by encrypting filenames and offering to unlock them in return for a “licensing fee” to be transferred to an offshore bank account.
Today, modern ransomware is produced by hackers who have benefited from decades of virus development and who take advantage of industry-standard cryptography to attack their targets.
In the past, AZORult has been used to download ransomware as a secondary infection. In 2018, cybercriminals used AZORult in a massive email campaign to distribute Hermes ransomware. In this case, the victims first lost their credentials, cryptocurrency wallets, and more before losing access to their files in the subsequent ransomware attack.
That same year researchers discovered a new AZORult variant targeting computers around the world. Those infected had the Aurora ransomware installed as well as the information-stealing Trojan. Likewise, in 2019, the STOP ransomware family was deployed in conjunction with AZORult.
The Emotet Trojan has also been used in conjunction with ransomware. In 2019, Emotet was found to have partnered with TrickBot and Ryuk ransomware. This malware combo adapts Emotet to drop TrickBot and modifies TrickBot not only to steal data but also to download the Ryuk ransomware, which encrypts the machine. In this campaign, the attacker can take personal information, passwords, mail files, browser data, registry keys, and more, before encrypting the victim’s machine and ransoming their data.
Assembly assesses, with a moderate-to-high level of confidence, that cybercriminals will follow a pattern we’ve seen before. We expect they will conduct layered attack campaigns similar to those of the recent past. And with a large pool of institutions, organisations, and individuals to target, they can be confident of some success.
Company executives, mid-level managers, administrators of local governments, and, of course, healthcare professionals all have a professional interest in following the latest developments around the spread of coronavirus. And it only takes one tired or overworked individual to click on what he or she believes is a legitimate alert or update.
Mitigating your risk
- Only use trusted news sources for additional information.
- Do not click on links or open attachments in unsolicited email messages.
- Run up-to-date security software across your network.
- Educate users to be on guard for threats, like Emotet, that present emails that appear to be unexpected replies to older email threads, emails that seem out of context, or messages from familiar names but are sent from unfamiliar email addresses.
- Ensure systems are patched on time.
- Update endpoint detection & response and anti-virus solutions.
- Segregate networks to limit the reach of self-propagating malware.
- Review privileged access and users to enforce principles of least privilege / zero trust.
- Keep up to date on blacklists of malicious IPs and compromised websites.
- Use an email security tool that features attachment inspection and disable the ability to run macros from attachments.
- Regularly back up your data on your system and store it offline or on a different network.
- Encrypt your sensitive data.
- Have an incident response plan ready.
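The two email-side checks described above – the who.int.org lookalike domain and Emotet-style messages from a familiar name sent from an unfamiliar address – can be automated in mail filtering. The following is an added example written for this article, not code from Assembly; the trusted-domain and contact lists are assumptions, and the sample message is constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisational allow-lists for this example. The article names
# who.int as the World Health Organisation's legitimate domain; the contact
# entry is a constructed sample.
TRUSTED_DOMAINS = ("who.int",)
KNOWN_CONTACTS = {"WHO Alerts": "alerts@who.int"}

def _host_of(value: str) -> str:
    """Host part of an address or URL, lower-cased, without a trailing dot."""
    if "://" in value:
        value = urlparse(value).hostname or ""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def classify_domain(value: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' only on a label boundary (who.int, mail.who.int); 'lookalike'
    when the trusted name is merely embedded (who.int.org, who-int.org)."""
    host = _host_of(value)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    for t in trusted:
        if any(v in host for v in (t, t.replace(".", "-"), t.replace(".", ""))):
            return "lookalike"
    return "unrelated"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def flag_message(from_header: str, body: str, contacts=KNOWN_CONTACTS) -> dict:
    """Score one message: sender domain, display name vs. address, body links."""
    name, addr = parseaddr(from_header)
    known = contacts.get(name)
    reasons = []
    if classify_domain(addr) == "lookalike":
        reasons.append("sender domain imitates a trusted domain")
    if known and known.lower() != addr.lower():
        reasons.append("familiar display name from an unfamiliar address")
    for url in URL_RE.findall(body):
        if classify_domain(url) == "lookalike":
            reasons.append(f"link host imitates a trusted domain: {url}")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed sample modelled on the WHO-themed lure described in the text.
SAMPLE_FROM = "WHO Alerts <alerts@who.int.org>"
SAMPLE_BODY = ("Download the health and safety measures document here: "
               "https://who.int.org/coronavirus/measures.docx")
```

Note that a naive substring test would accept who.int.org because it contains "who.int"; the label-boundary check is what separates a genuine subdomain from a lookalike.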
Assembly provides protection software that defends against sophisticated cyberattacks through multi-layered prevention, behavioural detection driven by machine learning, and comprehensive response.