This was an increase of 110 attacks compared to the previous quarter.
Source: Intel 471
Some of the most active ransomware variants tracked in the second half of last year are listed below, along with a synopsis of whom each affects, how it works, how it evades detection, and details of its infection chain.
Lockbit 2.0 was the most prominent ransomware variant in Q4 of 2021 and was responsible for 29% of all reported attacks, according to Intel 471. The variant operates as ransomware as a service (RaaS): the operators rent out access to the ransomware strain but rely on other attackers (affiliates) to compromise corporate networks and deploy it.
Formerly known as ABCD ransomware, the RaaS group emerged in 2019. As of October 2021, Lockbit 2.0 had 203 victims listed on its leak site, and over 80% of those victims were small to medium-sized businesses (SMBs), according to Trend Micro.
Lockbit 2.0 has continued to be active in 2022, prompting the FBI to issue a warning in February. The group uses a wide variety of tactics, techniques and procedures (TTPs) to launch an attack, which creates challenges for defense teams. It also relies on obfuscation techniques such as runtime string decoding and self-deleting files to evade detection.
For initial access, Lockbit 2.0 has used purchased access, unpatched vulnerabilities and zero-day exploits. Once inside an environment, threat actors use tools such as Mimikatz to escalate privileges.
This type of ransomware is human-operated: it steals information and threatens to expose it, in addition to encrypting it. It is known for leveraging fileless attack methods, which makes the intrusion harder for analysts to investigate.
In one report, Sophos found that attackers compromised a target’s network and obtained domain admin credentials within 16 minutes of exploiting a vulnerable firewall. The attackers then deployed Cobalt Strike beacons to servers to help roll out the ransomware.
Indicators of compromise can be found on the Sophos GitHub.
A relatively new ransomware first spotted in 2020, Egregor has been involved in attacks against retailers and other organizations including Kmart, Ubisoft, Barnes & Noble and the Vancouver Metro System (Malwarebytes & Fortiguard Labs). It affects Windows-based operating systems and targets well-known organizations, random individuals and small businesses.
Egregor has been distributed through Cobalt Strike, which is used to deliver and launch its payloads. According to Malwarebytes, targeted environments are initially compromised through various means, including brute-forcing exposed RDP ports and phishing.
Attackers evade detection by using native Windows tools to perform network discovery and move laterally through a network, a technique known as Living off the Land (LotL): using legitimate tools that already exist on the system to conduct malicious activity.
Thanos affects Windows users and uses tactics to bypass detection by Windows Defender (Microsoft’s built-in antivirus), as reported by Fortinet. It also runs commands to stop or bypass other popular antivirus software. Other attack campaigns delivered a variant of Thanos via Microsoft Excel email attachments disguised as billing and tax repayment documents.
A newer Thanos variant was seen targeting a computer’s MBR (master boot record) as part of its infection chain, attempting to lock users out of the machine entirely (Security Intelligence). An attack against organizations in the Middle East and North Africa delivered Thanos and demanded a ransom of $20,000 in bitcoin.
First seen in December 2019, Ragnar Locker targets Fortune 500 and other companies, using a variety of techniques to get network access and move laterally throughout an environment.
Ragnar leverages native Windows administrative tools such as PowerShell and Windows Group Policy Objects (GPOs) for lateral movement. It targets RDP (Remote Desktop Protocol) connections, and abuses managed service providers’ remote management software and domain admin access to gain a foothold in networks and elevate privileges.
Like other ransomware families, it leverages existing Windows features, calling Windows API functions directly from memory, according to ZDNet. It can also encrypt cached documents in memory to avoid detection by behavior-monitoring software.
In past attacks, WastedLocker campaigns have often started with stolen login credentials. If the attackers hold admin credentials that are not protected by multi-factor authentication, they can easily reach a target’s systems through the VPN and then disable any security tools.
First spotted in early 2019, Phobos is operated by attackers who often target smaller businesses. Phobos frequently pushes out new variants that evolve its attack methods (Fortinet). In one sample, researchers found a Microsoft Word document with a malicious macro designed to spread the EKING variant on an affected system.
Phobos scans files on logical drives, network shares and newly attached logical drives before encrypting them. In addition to encrypting files, it can terminate running operating system processes, delete local backups, and disable recovery mode and the firewall, preventing you from rebooting the device to halt the infection (Heimdal Security).
BazarLoader is a Trojan commonly used to deploy Ryuk ransomware against high-value enterprise targets (BleepingComputer). It is chosen for its covertness, minimal functionality and an obfuscation layer that better evades detection by security tools.
A compromise often starts with a targeted phishing attack, followed by injection of the BazarLoader backdoor component into legitimate Windows processes such as cmd.exe, explorer.exe and svchost.exe. It then deploys a Cobalt Strike beacon that retrieves additional tooling capable of mapping the Windows domain and extracting credentials.
Ransomware Prevention & Detection
- Leverage stolen, weak or brute-forced credentials for initial access, sometimes via phishing attempts
- Target RDP connections and VPN credentials to log in and turn off security tools
- Evade detection by common security solutions (including Windows Defender and other antivirus software) by using legitimate Windows features to move laterally and deploy additional malicious payloads
- Use certain tools like Cobalt Strike, PowerShell Empire, Mimikatz to assist with ransomware attacks
- Exfiltrate or steal data for blackmail, threatening to release it publicly unless the targeted organization pays the ransom
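Two of the behaviours summarized above, RDP credential brute-forcing (as described for Egregor) and deleting backups or disabling recovery and the firewall (as described for Phobos), are the kind of thing a detection engineer can catch in Windows Security logs. The script below is an added example, not Blumira’s code: it parses a few constructed log lines in an assumed pipe-delimited format (real Event Log exports need their own parser), flags a burst of failed RDP logons (event 4625, logon type 10) that is followed by a successful RDP logon from the same source, and flags process-creation events (4688) whose command lines tamper with shadow copies, the backup catalog, recovery mode or the firewall.

```python
"""Detect two ransomware-precursor patterns in Windows Security log events.

Added example (not Blumira's code). The log format, field names and sample
values below are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|event_id|user|src_ip|logon_type|command"
SAMPLE_LOG = """\
2022-03-01T09:00:01|4625|admin|203.0.113.9|10|
2022-03-01T09:00:03|4625|admin|203.0.113.9|10|
2022-03-01T09:00:04|4625|backup|203.0.113.9|10|
2022-03-01T09:00:06|4625|admin|203.0.113.9|10|
2022-03-01T09:00:08|4625|admin|203.0.113.9|10|
2022-03-01T09:00:11|4624|admin|203.0.113.9|10|
2022-03-01T09:05:00|4625|jsmith|198.51.100.7|10|
2022-03-01T09:20:00|4688|admin|-|-|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2022-03-01T09:20:02|4688|admin|-|-|bcdedit.exe /set {default} recoveryenabled no
2022-03-01T09:20:03|4688|admin|-|-|netsh advfirewall set allprofiles state off
2022-03-01T09:21:00|4688|jsmith|-|-|C:\\Windows\\System32\\notepad.exe report.txt
"""


def parse_line(line):
    """Split one pipe-delimited line into an event dict (assumed format)."""
    ts, event_id, user, src_ip, logon_type, command = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": user, "src_ip": src_ip, "logon_type": logon_type,
            "command": command}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source IP with >= threshold failed RDP logons inside `window`.

    Logon type 10 is RemoteInteractive (RDP). The alert records whether a
    successful RDP logon from the same IP followed the burst, which is the
    case that most likely means the credential was guessed.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != "10":
            continue
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e["ts"])
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                followed = any(t >= burst_end for t in successes.get(ip, []))
                alerts.append({"src_ip": ip, "failures": end - start + 1,
                               "window_end": burst_end,
                               "success_after_burst": followed})
                break                            # one alert per source IP
    return alerts


# Command-line patterns that remove recovery options before encryption.
TAMPER_RULES = [
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup catalog deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery mode disabled", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("firewall disabled", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
]


def detect_recovery_tampering(events):
    """Return every process-creation event (4688) matching a tamper rule."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        for name, pattern in TAMPER_RULES:
            if pattern.search(e["command"]):
                hits.append({"ts": e["ts"], "user": e["user"],
                             "rule": name, "command": e["command"]})
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in detect_rdp_brute_force(evts):
        print("RDP brute force:", alert)
    for hit in detect_recovery_tampering(evts):
        print("Recovery tampering:", hit)
```

On the sample data the brute-force detector raises one alert for 203.0.113.9 (five failures in seven seconds, then a successful RDP logon three seconds later) and ignores the single failure from 198.51.100.7; the tampering detector flags the vssadmin, bcdedit and netsh commands and leaves the notepad launch alone. Tune the threshold and window to your environment, and treat a burst that ends in a success as a higher-severity alert than the burst alone.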
Blumira can help your organization prevent, detect and respond to attacks before they result in ransomware infection. Our platform detects attackers throughout each stage of a ransomware attack, including scanning, credential access, privilege escalation, data exfiltration and malicious file execution.