Mon, Oct 7, 2019
From February through the end of August, Kroll investigated over 100 cases of ransomware for clients across diverse industry sectors. Our findings are underscored by a variety of open- and closed-source reporting, including an August 2019 advisory by the Cybersecurity and Infrastructure Security Agency about the “rapid emergence of ransomware across our Nation’s networks.”
In August alone, Kroll observed seven different variants of ransomware, including newer arrivals such as Tflower and DoppelPaymer. Even Ryuk, the ransomware most often detected, has been characterized by multiple different strains and variants.
The increase in variants is making it more difficult for organizations, incident responders and law enforcement to triage ransomware cases. For example, decryptors for new variants may not become publicly available in a timely manner. Likewise, it takes time before case studies or anecdotal reporting establish whether, and how reliably, the threat actors behind a new variant actually decrypt the data once the ransom is paid.
Kroll intelligence analysts conclude that large-scale ransomware campaigns are often carried out by tightknit, profit-motivated cyber-criminal groups such as Indrik Spider [1]. These groups either run campaigns themselves or offer their ransomware as a service (RaaS) to paying customers. As a result, access to these pieces of ransomware is tightly restricted; they are not typically offered for sale or for rent on the forums or peer-to-peer chat groups. However, once a group is done with a ransomware campaign, its source code is sometimes leaked, and new pieces of ransomware are then built from that code.
With the large campaigns absent from forums and peer-to-peer chat applications, smaller, lesser-known ransomware has a greater presence there. This malware is often developed by small groups or individuals looking to make a name for themselves within this specific community.
One example of this can be found on the top-tier Russian forum Exploit. The ransomware dubbed “Buran” has been offered for sale, with the seller claiming it will work on every version of Windows from XP to 10, encrypt files without changing their extensions and delete the victim's restore points. It is being sold for a few thousand dollars, and at the time of analysis no forum user appears to have verified the effectiveness or validity of this specific Buran offering. Interestingly, no one has confirmed whether it is connected to the Buran ransomware strain currently reported to be spread via the RIG exploit kit [2].
User advertising the "Buran" variant for sale in dark web forum
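The seller's claim that Buran encrypts files without changing their extensions matters for triage: a responder who sorts affected files by extension, or who looks for a known ransom-note suffix, will miss files encrypted in place. The following is an added example, not Kroll's tooling and not taken from the forum listing. It flags files whose expected magic bytes are gone and whose contents are near-random; the small extension-to-magic table, the 7.5 bits/byte entropy threshold and the sample directory are all constructed for the demonstration.

```python
"""Triage files that may have been encrypted in place without an extension
change.  Added example: a file is flagged when the magic bytes its extension
implies are missing AND the body's Shannon entropy is close to 8 bits/byte.
The magic table and the sample tree below are constructed for the demo."""
import math
import os
import tempfile
from collections import Counter

# Assumption: a small table of expected leading bytes is enough for a first
# triage pass; extend it for the file types in scope for the incident.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious(path: str, entropy_threshold: float = 7.5) -> bool:
    """True when the extension's magic is absent and the body looks encrypted.

    Compressed containers (docx/xlsx are zip files) are high-entropy by
    nature, so the magic check is what separates them from ciphertext."""
    ext = os.path.splitext(path)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return False  # unknown type: no baseline, leave for manual review
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first 1 MiB is enough for the heuristic
    if data.startswith(expected):
        return False  # header intact, so not encrypted in place
    return shannon_entropy(data) >= entropy_threshold


def scan(root: str) -> list:
    """Walk a tree and return relative paths of files flagged by suspicious()."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if suspicious(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: an intact PDF, an intact docx (high entropy but
    header present) and a 'ciphertext' file still named contract.pdf."""
    root = tempfile.mkdtemp(prefix="triage-")
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"text stream " * 200)
    with open(os.path.join(root, "budget.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + os.urandom(4096))
    with open(os.path.join(root, "contract.pdf"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for in-place encrypted content
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in scan(sample):
        print("possible in-place encryption:", hit)
```

The magic check is deliberately kept alongside the entropy check: dropping it would flag every zip-based Office document, and dropping the entropy check would flag any file with a simply corrupted header. Files of types not in the table are skipped rather than flagged, so the table has to cover the data actually in scope.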
Below is a list of ransomware (including any related variants) that Kroll has encountered year-to-date in the course of its investigations. Ryuk ransomware accounted for more than triple the number of incidents over the second most common type, Sodinokibi.
The full list includes:
Dharma/CrySIS
DoppelPaymer
Evil Locker
GandCrab
GlobeImposter 2.0
Hermes
Matrix
Mr.Dec
Nozelesn
Phobos
RobbinHood
Ryuk
SamSam
Snatch
Sodinokibi
Tflower
WannaCry
Hopefully, your organization will not become a victim of ransomware. However, preparing for the worst-case scenario can help you respond in a quicker, more deliberate manner and limit the impact on your operations. Scott Hanson, a senior vice president in our Cyber Risk practice, recommends that your IT personnel and management team discuss the following best practices now and be ready to implement them quickly in the event you become a victim.
A well-thought-out incident response plan (IRP) is vital if you suffer a ransomware attack. An IRP that is tested on a regular basis will be the “battle plan” that coordinates all the parties enterprise-wide that are necessary to manage a ransomware attack: IT and InfoSec, finance, risk and business continuity, human resources and legal, as well as external partners such as insurers, legal counsel and investigative or forensics responders.
Arranging an incident response retainer with a highly experienced cyber security first responder such as Kroll can provide additional peace of mind. Kroll offers three incident response retainer plans with no surprises. With our prepaid plans, Kroll lets you customize your retainer with a wide variety of industry-leading reactive and proactive services that ensure you maximize the value of your cyber security investment.
Sources
1. Malpedia entry for Indrik Spider, https://malpedia.caad.fkie.fraunhofer.de/actor/indrik_spider
2. “Meet Buran: The New Delphi Ransomware Delivered via RIG Exploit Kit”, Acronis blog, https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.