New Attack Approach for Revised Ransomware

Tuesday, May 10, 2016 @ 04:05 PM gHale


A new version of the Bucbi ransomware is going about infecting victims in a different way.

The ransomware infections do not rely on social engineering to trick victims into installing the malicious software, but instead, the group behind the attack is doing it themselves, after hacking into vulnerable enterprise networks, said researchers at Palo Alto Networks.


Researchers discovered last week that cyber-crime groups were using brute-force attacks against corporate networks running Internet-available RDP (Remote Desktop Protocol) servers. Palo Alto researchers are now saying who is behind these attacks, why, and how they are doing it.

The exact origin of the hackers is unclear, Palo Alto researchers said. The company said the group identifies itself as the “Ukrainian Right Sector,” but evidence in the ransomware code points to a Russian origin, especially the use of the GOST algorithm, developed by the former USSR government and only made public in 1994.

Despite the code clues, the Ukrainian Right Sector is a real-world organization, an extremist Ukrainian nationalist political party with paramilitary operations that opposes Russia.

Researchers said this version of the Bucbi ransomware has been heavily modified. The three main differences are that the ransomware now works without needing to connect to an online C&C server, uses a different installation routine, and employs a different ransom note.

Similarities between the 2014 and the 2016 versions include the presence of many similar debug strings, similar file names, and both use the GOST block cipher function.

Palo Alto researchers said Bucbi’s installation is what has drawn their attention to this specific threat. Bucbi is unique because it relies on attackers brute-forcing their way into corporate networks via open RDP ports.

The company suspects the attackers have used a tool called “RDP Brute (Coded by z668).”

“Many common usernames were used in attempted logins in this brute force attack, including a number of point of sale (PoS) specific usernames,” Palo Alto researchers said in a post. “It is likely that this attack originally began with the attackers seeking out PoS devices, and after a successful compromise, changed their tactics once they discovered that the compromised device did not process financial transactions.”
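A detection check for the RDP brute-force activity described above, added here as an example and not code from Palo Alto Networks or this article. It parses constructed, simplified failed-logon records (modelled on Windows Security event 4625, where logon type 10 is RemoteInteractive, i.e. RDP) and flags a source that sprays many usernames at one host within a short window, noting whether a successful logon followed the failures. The record format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp src_ip username logon_type outcome".
# Logon type 10 = RemoteInteractive (RDP). Assumption: hosts with NLA enabled may
# record RDP failures as logon type 3 (network), so both types are counted.
SAMPLE_LOG = """\
2016-05-03T02:10:01 203.0.113.7 administrator 10 FAIL
2016-05-03T02:10:03 203.0.113.7 pos 10 FAIL
2016-05-03T02:10:05 203.0.113.7 posuser 10 FAIL
2016-05-03T02:10:06 203.0.113.7 micros 10 FAIL
2016-05-03T02:10:08 203.0.113.7 admin 3 FAIL
2016-05-03T02:10:09 203.0.113.7 backup 10 FAIL
2016-05-03T02:10:11 203.0.113.7 admin 10 SUCCESS
2016-05-03T02:15:00 198.51.100.4 jsmith 10 FAIL
2016-05-03T02:15:30 198.51.100.4 jsmith 10 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (FAIL|SUCCESS)$")
RDP_LOGON_TYPES = {"10", "3"}

def parse(log_text):
    """Return a list of (time, src_ip, user, logon_type, outcome) tuples; skips malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, ltype, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), src, user.lower(), ltype, outcome))
    return events

def find_rdp_brute_force(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag sources with >= min_failures RDP failures across >= min_users distinct usernames
    inside `window`; also record whether a SUCCESS followed the last failure in that window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev[3] in RDP_LOGON_TYPES:
            by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            fails = [e for e in in_win if e[4] == "FAIL"]
            users = {e[2] for e in fails}
            if len(fails) >= min_failures and len(users) >= min_users:
                success = any(e[4] == "SUCCESS" and e[0] >= fails[-1][0] for e in in_win)
                alerts[src] = {"failures": len(fails), "users": sorted(users), "success_after": success}
                break
    return alerts
```

A `success_after` of True on an alerted source is the case to escalate first, since it matches the pattern of a brute-force login that led to a foothold rather than one that was merely attempted.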

Regardless of the variant, ransomware attacks continue on their growth curve. After all, why wouldn't they: it is an easy way for attackers to get into systems.

Notably, the reported increase in ransomware comes not from just one research report but from two, plus the FBI.

In one account from Kaspersky’s Q1 IT Threat Evolution Report, the security firm detected 2,900 new ransomware variants (modifications), which represented a 14 percent increase compared to the previous quarter.

Meanwhile, the Enigma Software Group (ESG) also reported that in February it saw a 19.37 percent increase over January in detected ransomware attacks.

On top of those two reports, the FBI reissued its ransomware alert.