
Ransomware Examples: Recent Attacks and Distribution Methods

Adrien Gendre

February 27, 2020


Ransomware attacks are on the rise, with hackers shifting their focus from enterprises to MSPs and MSP clients. In Q3 of 2019 alone, ransomware attacks increased by 37 percent, 64 percent of attacks were reported by small businesses, and 24 percent of attacks hit IT vendors or MSPs. Here are just a few recent ransomware examples that have been plaguing business and governments across the globe.

Ryuk

Developed by Russian cybercrime group Wizard Spider, Ryuk ransomware is the culprit in many of the biggest ransomware attacks in 2019. The initial attack begins with a phishing email, but Ryuk is not unleashed at the time the user clicks a link or visits a website.

Instead, an exploit kit, typically Trickbot or Emotet, is installed. Each has the ability to spread through a network and collect the data Ryuk needs to function with efficiency. Once Trickbot or Emotet has done its job, Ryuk is deployed. It then injects its code into processes and paralyzes critical systems, including anti-virus software and databases. The encryption begins and, once complete, the ransom demand is triggered.

In 2019, Ryuk hit the cities of Lake City, Riviera Beach, and Pensacola, FL; Lincoln, NE; and at least five US schools. In December 2019, Ryuk hit a Dallas, TX data center via its MSP, CyrusOne. Florida paid more than $1 million in Bitcoin ransom payments to restore critical systems that had been knocked offline by Ryuk.

The City of New Orleans, which declared a state of emergency in December 2019 after a Ryuk attack in November, has spent more than $7 million recovering from the attack. The attack was closely followed by an attack on ITI College in Baton Rouge in January 2020.

Maze

Maze ransomware, responsible for a slew of 2019 attacks on German government agencies and US-based companies, is a variant of Cha-Cha ransomware. Maze is distributed by the Fallout Exploit Kit, which can infect a computer via drive-by download on a website, typically a malvertising campaign.

Unlike earlier versions of Fallout, the recent, improved version delivers its payload via PowerShell, typically through vulnerabilities in Flash and Internet Explorer. Like Emotet and TrickBot, the Fallout exploit kit prepares the computer for further infection by the payload, as in most ransomware examples. When Maze is finally distributed, it uses the intelligence gathered by Fallout to determine the type of computer being infected. With this information, a custom ransom demand is generated.

In 2019, researchers at Infoblox detected a phishing campaign targeting Italian-speaking users. Spoofing the Italian Revenue Agency, the 28 emails detected contained attached Word documents with embedded macros designed to unleash Maze. Users were asked to download the attachment to review the purported Italian Revenue Agency’s financial guidelines.

Sodinokibi

Also known as REvil, Sodinokibi ransomware made an impact in 2019 with a string of attacks on US governments, including 22 Texas municipalities. Hackers distribute Sodinokibi through phishing emails, exploit kits, and server vulnerabilities.

Sodinokibi was first discovered in April 2019 exploiting vulnerabilities in Oracle WebLogic Server that could be exploited remotely without authentication. Sodinokibi has roots in the GandCrab ransomware-as-a-service (RaaS) operation, which reportedly has hundreds of affiliates but has recently slowed due to the rising popularity of Sodinokibi, which is also available as RaaS.

Sodinokibi is responsible for the 2019 New Year’s Eve attack on foreign exchange currency company, Travelex, which resulted from unpatched vulnerabilities in Pulse Secure VPN servers. Additionally, throughout 2019, hackers distributed Sodinokibi to a number of SMBs via remote desktop attacks on their MSPs. Malspam was also a popular distribution method, including a foreclosure warning spam campaign detected in May 2019.

In December 2019, Sodinokibi struck LogicalNet, an MSP and hosting provider, then spread to Albany County Airport in NY. Other MSPs hit by Sodinokibi in 2019 included PerCSoft, Synoptek, and CyrusOne.

Mailto (NetWalker)

First detected in August 2019, Mailto ransomware is also known as Netwalker—the name of the decryptor identified shortly after Mailto was discovered. In February 2020, the Australian government issued a warning about an increase in Mailto ransomware attacks. The notice came on the heels of a Mailto ransomware attack on Australian logistics and transportation company, Toll Group, which suffered system disruptions and highly publicized delivery delays.

According to the Australian Cyber Security Center (ACSC), Mailto is spreading via phishing and password-spraying campaigns. In a recent analysis of a Mailto attack, an executable file impersonates Sticky Password, a password management software program. When the user executes a Sticky Password command, the encryption process begins.

One notable characteristic of Mailto is its use of an extensive whitelist, which is unusual for ransomware: a list of files and directories the malware skips during encryption. Once encrypted, target files are appended with the extension mailto and the ransom note is dropped.

Preventing email-based ransomware

Most ransomware attacks begin with an email, yet most email security solutions only scan for known malware code. For example, Exchange Online Protection (EOP), which comes standard in Office 365, is good at detecting known variants of malware, but it’s unsophisticated at detecting obfuscated code and other methods of evasion. Solutions like EOP are simply looking for an exact match. Hackers know this and develop their malware accordingly.

A behavior-based anti-malware solution scans for malicious behavior in addition to known malicious code. Behavioral indicators include executable attachments, suspicious characters, suspect strings and commands, and the role of the file in the context of the email. Together, these features are a strong indication of malware even when no known malware code is present.
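To make the behavioral checks above concrete, here is an added example (not part of the original article or of any vendor product) that parses a constructed lure message with Python's standard library and flags the indicators this section names: executable attachments, Office documents carrying VBA macros, suspicious command strings, and a From/Return-Path domain mismatch. The indicator lists and the sample message are assumptions built for illustration, loosely modelled on the Italian Revenue Agency campaign described earlier.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Illustrative indicator lists (assumptions, not a complete signature set).
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta")
SUSPICIOUS = re.compile(rb"powershell|encodedcommand|cmd\.exe|wscript|mshta", re.I)

def has_vba_project(data: bytes) -> bool:
    """OOXML files are zips; a vbaProject.bin entry means the document carries macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def scan_message(raw: bytes) -> list:
    # Return a list of behavioral findings for one RFC 5322 message.
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    ret_dom = parseaddr(str(msg["Return-Path"] or ""))[1].rpartition("@")[2].lower()
    if ret_dom and from_dom != ret_dom:
        findings.append("from/return-path domain mismatch (possible spoofing)")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT) or data.startswith(b"MZ"):  # MZ = PE header
            findings.append(f"executable attachment: {name}")
        if has_vba_project(data):
            findings.append(f"office document with vba macros: {name}")
        if SUSPICIOUS.search(data):  # crude; real scanners decompress and deobfuscate first
            findings.append(f"suspicious command strings in: {name}")
    return findings

def build_sample_eml() -> bytes:
    # Constructed lure (not a real capture): a macro-bearing .docm plus a script dropper.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"placeholder macro container")
    msg = EmailMessage()
    msg["From"] = "Agenzia Entrate <info@agenzia-example.it>"
    msg["Return-Path"] = "<bounce@bulkmailer-example.net>"
    msg.set_content("Please download the attached financial guidelines.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="guidelines.docm")
    msg.add_attachment(b"powershell -EncodedCommand AAAA", maintype="application", subtype="octet-stream", filename="invoice.js")
    return msg.as_bytes()
```

Running `scan_message(build_sample_eml())` yields four findings: the domain mismatch, the macro-bearing document, the executable `.js` attachment and the PowerShell string inside it.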

Finally, protect your business from email-based malware attacks by staying vigilant about email security. Train your staff/users to recognize the signs of phishing emails, provide contextual training if they do fall prey to phishing, and follow these best practices:

  • Check the sender’s email address to look for signs of spoofing.
  • Hover over links in email to see where the URL really leads.
  • Check the URL of the website in your browser for strange characters and country codes.
  • Don’t open attachments from senders you don’t recognize.
  • Use a free URL scanning service like IsItPhishing.AI to see if a URL leads to a phishing page.
