In Fortinet’s 2020 Global Threat Landscape Report, they found that ransomware has increased sevenfold from July to December 2020. Their data is based on a marked jump in devices reporting ransomware on a daily basis, from under 2,300 to 17,200 devices.
Some of the top variants of ransomware (that is, the most active) tracked in the second half of last year can be found below, along with a synopsis of who it affects, how it works, how it evades detection and details about the infection chain.
A relatively newer ransomware spotted in 2020, Egregor has been involved in attacks against retailers like Kmart, Ubisoft, Barnes & Noble and the Vancouver Metro System (MalwareBytes & Fortiguard Labs). It affects Windows-based operating systems, and targets well-known organizations, random individuals and small businesses.
The variant is known as ransomware as a service (SaaS) – the operators rent access to the ransomware strain, but rely on other attackers to compromise corporate networks to deploy it.
Egregor has been distributed through Cobalt Strike, used to deliver and launch payloads. According to Malwarebytes, targeted environments are initially compromised through various means including brute-forcing RDP ports and phishing.
Late in 2020, a number of U.S. agencies released an advisory of widespread Ryuk ransomware attacks targeting healthcare and public health sector organizations.
First seen in 2018, Ryuk is spread through tools like Cobalt Strike and PowerShell Empire, as well as Mimikatz to dump plaintext Windows passwords or hash values.
Attackers evade detection by leveraging native Windows tools to perform network discovery and move laterally throughout a network, a technique known as Living of the Land (LotL) – using already-existing legitimate tools to conduct malicious activity.
Learn more in Ryuk Ransomware Targets Healthcare Organizations.
This type of ransomware is human-operated and will steal information, threatening to expose it in addition to encrypting it. It is known as leveraging fileless attack methods to make it more difficult for analysts to investigate.
In a report from Sophos, they found that attackers were able to compromise a target’s network and gain access to domain admin credentials – within 16 minutes of exploiting a vulnerable firewall. The attackers then deployed Cobalt Strike beacons to servers to help deploy the ransomware attack.
Indicators of compromise can be found on the Sophos Github.
Initially detected in January 2020, Thanos is known as a ransomware as a service, allowing attackers to create custom ransomware payloads with developer assistance, according to BleepingComputer.
It affects Windows users and uses tactics to bypass detection by Windows Defender (an antivirus program), as reported by Fortinet. It also leverages commands to stop or bypass detection by other popular antivirus software. Other attack campaigns included delivering a variant of Thanos via Microsoft Excel email attachments, disguised as fake billing and tax repayment documents.
A new Thanos variant was seen targeting a computer’s MBR (master boot record) as part of its infection chain, attempting to lock users out (Security Intelligence). An attack against organizations in the Middle East and North Africa delivered Thanos, including a ransom for $20,000 of bitcoin.
First seen in December 2019, Ragnar Locker targets Fortune 500 and other companies, using a variety of techniques to get network access and move laterally throughout an environment.
Ragnar leverages native Windows administrative tools like PowerShell, Windows Group Policy Objects (GPO) for lateral movement. It targets RDP (Remote Desktop Protocol) connections, exploits managed service providers’ remote management software and domain admin access to gain a foothold in networks and elevate privileges.
It’s one of the ransomware variants seen not only encrypting files, but also exfiltrating data to blackmail victims into paying a ransom.
Learn more in Protecting Against Ragnar Locker Ransomware.
Last year, wearable tech manufacturer Garmin fell victim to the WastedLocker ransomware. WastedLocker attempts to avoid detection by behavior-based anti-ransomware tools, according to Sophos.
Similar to other types of ransomware, it leverages existing Windows features, interacting with Windows API functions from within the memory itself, according to ZDNet. It can also encrypt cached documents in memory to avoid detection by behavior-monitoring software.
In past attacks, WastedLocker campaigns often start with using stolen login credentials. If they have admin credentials not protected by multi-factor authentication, they can easily access a target’s systems through VPN and then disable any security tools.
First spotted in early 2019, The attackers behind Phobos often will target smaller businesses. Phobos often pushes out new variants that evolve their attack methods (Fortinet). In one sample, researchers found a Microsoft Word document with malicious Macro designed to spread the EKING variant on an affected system.
Phobos will scan files on logical drives, network sharing resources and new attached logical drives before encrypting files. In addition to encrypting files, it can terminate active operating system processes, delete local backups, disable recovery mode and your firewall to stop you from rebooting a device to stop the infection (Heimdal Security).
This is a Trojan commonly used to deploy Ryuk ransomware, targeting high-value enterprise targets (BleepingComputer). It’s chosen for its covertness, minimal functionality and obfuscation layer that better evades detection by security tools.
A compromise often starts with a targeted phishing attack, then injection of the BazarLoader backdoor component into legitimate Windows processes like cmd.exe, explorer.exe and svchost.exe. It will deploy a Cobalt Strike beacon that calls for additional exploitation tools that can map a Windows domain and extract credentials.
Ransomware Prevention & Detection
As commonly seen among the top most-active ransomware variants, they typically:
- Leverage stolen, weak or brute-forced credentials for initial access, sometimes via phishing attempts
- Target RDP connections and VPN credentials to log in and turn off security tools
- Evade detection by common security solutions (including Windows Defender and other antivirus software) by using legitimate Windows features to move laterally and deploy additional malicious payloads
- Use certain tools like Cobalt Strike, PowerShell Empire, Mimikatz to assist with ransomware attacks
- Exfiltrate or steal data for blackmail, threatening to release it publicly unless the targeted organization pays the ransom
Blumira can help your organization prevent, detect and respond to attacks before they result in ransomware infection. Our platform detects attackers throughout each stage of a ransomware attack, including scanning, credential access, privilege escalation, data exfiltration and malicious file execution.