Saturday, October 14th 2017
Weekend Reading 101: On Ransomware's Chains and Carbon Black's Report
Carbon Black, a cybersecurity company that's been founded by former members of the U.S. government's elite team of offensive security hackers, has released a report detailing the continued rise of ransomware's impact, which served as the fire-starter for this piece. Carbon Black's Threat Analysis Unit (TAU) has found that ransomware is an increasingly prolific economical entity, bolstered by a 2,502% increase in sales in the dark web. As with every activity, legal or illegal, the economic footprint follows profit; and in ransomware's case, it's estimated it has yielded around $1 billion just this year. Ransomware even has the advantage of not requiring specialized computer skills, and can be quickly and brainlessly deployed in search of a quick buck.
Carbon Black reports that there are currently more than 6,300 ransomware marketplaces in the dark web, with over 45,000 different product listings, which range in price from $0.5 to $3K (the median price for a DIY ransomware package stands at roughly $10.5). Ransomware sellers are taking advantage of this burgeoning, "quick buck at anyone's expense" reasoning: some ransomware sellers are earning more than six figures yearly, sometimes even more than legitimate software companies. It's no surprise, however that the report points to technologies such as Bitcoin and the Tor network as being two of the most important enablers in this ransomware explosion, besides making it much more difficult for law enforcement agencies to, well, enforce the perpetrators.
To our Forum Dwellers: this piece is marked as an Editorial
There are two fundamental chains in the world of ransomware's creation and distribution: the kill chain and the supply chain.
The ransomware kill chain can be divided in five different modules: Creation > Distribution > Encryption > Payment > Command & Control. The entire kill chain can be distributed via DIU kits that contain all the necessary modules for payload deployment; more exotic solutions, however, may mix and match different authors' and services' codes to achieve a desired, specific effect.
Creation is easy to understand; it's the part of the chain where an author writes, tests, and maintains a piece of ransomware code. These can be written in an all-encompassing, mass-market way, targeting widespread vulnerabilities, or can be written specifically, as needed, for a targeted campaign. Higher levels of code customization naturally make the coding effort more expensive.
Distribution is the means by which ransomware actually reaches users' computers. This can be done via brute force, "spray and pray" methods, such as mail spamming, compromised websites, ads, social engineering, or targeted hacks - as we've seen with some high-profile business attacks, such as with WannaCry.
Encryption/Decryption is the module responsible for encrypting the users' data that will be ransomed - if a ransom is the objective, anyway. After this phase has been successful, usually there's a gaudy, nerve-chilling screen that alerts the user to the ransomed state of their private data, giving instructions for payment and - hopefully - eventual decryption.
Payment is pretty self-explanatory; though nowadays, the rise of cryptocurrencies have decreased the risk of discovery from the perpetrators, especially with the more privacy-focused coins such as Monero and ZCash. Whereas before, VISA or bank transfer payments could leave a trail for eventual perpetrator identification, nowadays it's much more difficult - and oft impossible - to identify the infection source.
The Command & Control module allows for remote control of the users' system and ransomed files, enabling end-to-end operations, and have been increasingly deployed in the wake of the RaaS (Ransomware as a Service) rise in popularity.
Ransomware supply chains can be differentiated in three tiers: Authors, RaaS, and Distributors.
Authors are the weapon makers in the ransomware economy; they are responsible for the creation of new ransomware for sale, and usually have advanced coding skills that allow them to also provide ransomware platforms and/or charge others for training and support in ransomware coding. They can author specific parts of the ransomware kill chain (creation; distribution; encryption; payment; command & control) or develop all-encompassing, DIY packages that pack the entirety of the kill chain or allows users to code their own.
RaaS stands as a way for users to effortlessly distribute ransomware packages. It's usually controlled via a web portal with a GUI (Graphical User Interface) which basically removes all of the coding/deployment work from the user. Ransomware packages and access to these ransomware services can be free (with the service provider taking a cut of the users' successful ransomware attacks), or with an up-front payment which gives access to the needed software packages. The RaaS providers can take more than half the share of the ransomware profits, but some platforms take less than that (like Satan, one fo the more user friendly RaaS, which usually takes a 30% cut from profits, or even just 20%, in the case of Atom (previously known as Shark). These providers usually handle all the hassle of performing the ransomware campaign tracking, Bitcoin transaction monitoring, and Bitcoin distribution. These providers make use of their attack data to perfect and guide their subsequent attacks, based on machine infection success rate, payment rates, and other metrics. Thus, this is effectively "Hacking for Dummies", lowering the barrier of entry to almost laughable levels; no specialization or code knowledge is needed.
The third Tier, Distributors, is naturally collapsing under the weight of the RaaS providers, who offer basically the same service (and more) but with much less user intervention and an overall more automated process. The Distributors are the parts responsible for distributing and delivering ransomware attacks via spam, targeted hacks, or exploit kits
As to the future of ransomware and what it will mean for users of the world wide web and its increasingly important place in our lives, Carbon Black has a number of projections for the ransomware field as we enter 2018, which include:
Sources:
Carbon Black Website, The Ransomware Economy PDF, Barkly, Heimdal Security
Carbon Black reports that there are currently more than 6,300 ransomware marketplaces in the dark web, with over 45,000 different product listings, which range in price from $0.5 to $3K (the median price for a DIY ransomware package stands at roughly $10.5). Ransomware sellers are taking advantage of this burgeoning, "quick buck at anyone's expense" reasoning: some ransomware sellers are earning more than six figures yearly, sometimes even more than legitimate software companies. It's no surprise, however that the report points to technologies such as Bitcoin and the Tor network as being two of the most important enablers in this ransomware explosion, besides making it much more difficult for law enforcement agencies to, well, enforce the perpetrators.
There are two fundamental chains in the world of ransomware's creation and distribution: the kill chain and the supply chain.
The ransomware kill chain can be divided in five different modules: Creation > Distribution > Encryption > Payment > Command & Control. The entire kill chain can be distributed via DIU kits that contain all the necessary modules for payload deployment; more exotic solutions, however, may mix and match different authors' and services' codes to achieve a desired, specific effect.
Distribution is the means by which ransomware actually reaches users' computers. This can be done via brute force, "spray and pray" methods, such as mail spamming, compromised websites, ads, social engineering, or targeted hacks - as we've seen with some high-profile business attacks, such as with WannaCry.
The Command & Control module allows for remote control of the users' system and ransomed files, enabling end-to-end operations, and have been increasingly deployed in the wake of the RaaS (Ransomware as a Service) rise in popularity.
Ransomware supply chains can be differentiated in three tiers: Authors, RaaS, and Distributors.
RaaS stands as a way for users to effortlessly distribute ransomware packages. It's usually controlled via a web portal with a GUI (Graphical User Interface) which basically removes all of the coding/deployment work from the user. Ransomware packages and access to these ransomware services can be free (with the service provider taking a cut of the users' successful ransomware attacks), or with an up-front payment which gives access to the needed software packages. The RaaS providers can take more than half the share of the ransomware profits, but some platforms take less than that (like Satan, one fo the more user friendly RaaS, which usually takes a 30% cut from profits, or even just 20%, in the case of Atom (previously known as Shark). These providers usually handle all the hassle of performing the ransomware campaign tracking, Bitcoin transaction monitoring, and Bitcoin distribution. These providers make use of their attack data to perfect and guide their subsequent attacks, based on machine infection success rate, payment rates, and other metrics. Thus, this is effectively "Hacking for Dummies", lowering the barrier of entry to almost laughable levels; no specialization or code knowledge is needed.
As to the future of ransomware and what it will mean for users of the world wide web and its increasingly important place in our lives, Carbon Black has a number of projections for the ransomware field as we enter 2018, which include:
- An increase in Linux systems targeting;
- Increasingly targeted ransomware attacks towards specific companies such as legal, healthcare, and tax preparers, and specific files, such as proprietary elements;
- Added capability to not only encrypt, but also exfiltrate files, so as to profit from both the ransom and black market sale of the exfiltrated data;
- Ransomware as a smokescreen and false-flag, hiding the true intentions behind the attack, like the Petya/NotPetya case;
- Ransomware as a backup to failures of more specific attacks, due to its easy-to-deploy nature;
- Increased usage of social media as a distributor, with social engineering efforts that lead users to knowingly share compromised links to reduce or eliminate their ransom;
- Persistence-based ransomware, which burrows in the users' system and re-encrypts data for another extortion effort - even more likely to take place in machines where previous ransom demands proved successful.
18 Comments on Weekend Reading 101: On Ransomware's Chains and Carbon Black's Report
Le Pen of the International Monetary Fund said she is going to take a closer look at cryptocurrency regulation just a couple days ago, the United Nations banning all exchanges worldwide is the only way to stop cryptocurrency in its tracks. If you think I am wrong and want to Bitcoin/Monero to reign supreme, please, tell me what is going to pay for old peoples medicine, or we just going to let everyone die off and no longer pay taxes? Why should some of us pay taxes then at all? If we give people an option to not pay, they won't pay. We either become politically active and try to better the world the best we can, or we give up and every man for himself, and forget living past age 65 ish, cause you won't be able to afford your meds, I promise you that.
scary scary boogey man stuff..
trog
Original Windows media used for install, not created on my possibly-insecure old system. Secure Boot fully enabled - no CSM. Standard Windows account as my primary, after years of Admin + UAC. Home network treated as a 'public network' with file sharing off.
Perhaps the biggest change (and biggest hassle) is suspicion over the integrity of software downloads. Simply downloading from the developer's own website or somewhere trustworthy like FossHub no longer seems to be enough, and even the software signing process is vulnerable. I'm now downloading installation files from multiple sources, comparing hashes, doing file reputation checks with AV software and just basically trying in a sort of ad-hoc way to manage this risk, but you can never be sure.
Software update mechanisms seem similarly vulnerable and I think one day we might see one of these leveraged for something really big and nasty, so I'm tending to switch them off and do things manually. This can delay security patches, so it's a judgement call.
I've never used software that'd generally be considered suspicious, but certain software I have doubts about (e.g. DVDFab) will now be relegated to my old rig which won't my personal files stored on it.
My backup scheme hasn't changed much as it's always been pretty decent - one always-connected daily backup, and two alternating weekly backups on separate, disconnected drives. But you have to wonder if that's enough when there's the prospect of ransomware lying dormant until it thinks it's targeted all the backups.
There's more (e.g. limiting IoT devices), but this is TLDR enough already. Makes me pine for the days of standalone Windows 3.1 systems when all one had to worry about was catching the Michaelangelo virus from a friend's dodgy floppy.
I don't believe they be killing off ransomware any time soon, to many dumb people with computers. In fact it's only going to increase.
Anyway...about as off topic as we could possibly be.
For example, quite recently in Ukraine we had a Petya (or NotPetya) outbreak (I posted few pics of victims in my workshop back in June), so now our government used this as means to justify expenses on a "new and improved" cybersecurity taskforce, and introduce a paid "virus alert" service, which will notify all subscribers about a virus attack based on their reports of virus attack. So, basically a pointless moneygrabbing scam.
Taskforce is funded through taxes, but makes profit from customers.... what can go wrong?
but news articles like the one this thread is about are ether about making money or "control" or both..
kind of odd really cos governments are trying to ban "cash" because its not traceable and can be used by bad buys and bugger me now they have just found out about "untraceable" crypto which can also be used by bad guys.. he he
my own country now has a new word.. "radicalized" they are also thinking about sending people to jail for reading or viewing anything that might "radicalize" them..
blame it all on the internet is what i say. :)
some very very scary boogey man stuff is going on.. best not to take any of it at face value.. :)
trog
People aren't undermining government , Most work , we English pay our fair share of tax Before i buy my first pint and at point of sale ,out of paypacket before I get it and on most things I buy, apple and their like spend my LIFEs earnings a year paying for people to come up with TAX Dodges.
Oh and you started the tangent i just replied, go citizen smith fight he people , err hang on that's not right.
Your Rant against crypto would be better suited to its own or another thread imho.
This is what I remember as well. Ransom ware has been around a long time. I don't really care about bitcoin but please don't throw your education around to belittle people. Education does not teach your everything, and I have an MS in CS and an MBA from university of California.
But do look up PayPal and apples payment options then when you realise my first point was right ,wake up n smell the coffee.
Proof ,,,,like you provided anything but an opinion.
And I am 41 now and I would honestly put about 50% of what I have been taught in the bin as total bull, it truly is the winner that writes history and they frequently have a skewed perception that they must, have to and are absolutely are right.
They were not.
if you want real knowledge school is the last place to find it.. :)
trog