Posts Tagged Malware Attack

The New Ryuk Ransomware Attack

Ryuk is a type of crypto-ransomware. It uses encryption as a way to block access to a system or file until the ransom is paid. The ransomware is generally dropped with the help of other malware such as TrickBot or Emotet. Another mode of infection used by Ryuk ransomware is ‘Remote Desk Services’.

The Ryuk attacks were popular in third quarter of 2019, however the ransomware went silent at the onset of COVID-19 quarantine. But, it has returned as new Ryuk ransomware with added features and evolution of tools used to compromise target networks and ransomware deployment.

The most notable feature of new Ryuk ransomware is ‘Speed’. Once a system is infected, the attackers gain access of domain controller and enter early stage of deployment just within a day.

The second notable feature of new Ryuk ransomware is ‘Persistence’. The attackers make multiple attempts by sending renewed phishing emails to establish a contact.

How Is A System Infected?

  • The attackers send a phishing email to the target. The email contains a link, which redirects the user to a malicious document hosted on ‘docs.google.com’.
  • When a user opens the document, its contents are enabled. This allows the document to execute a malicious executable identifier ‘print_document.exe’ as a Buer Loader. Buer Loader is a modular malware-as-a-service downloader.
  • When executed, Buer Loader drops malware files and a Cobalt Strike beacon ‘qoipozincyusury.exe’. it is a modular attack tool which is capable of performing multiple tasks such as providing access to operating system features and establishing a covert command & control channel within the compromised network.
  • Additional Cobalt Strike beacons are downloaded on the system for reconnaissance and to hunt for credentials. Numerous commands are run on the infected system to retrieve information such as list of trusted domains, list of members of ‘enterprise admins’, list of administrators for local machine, list of domain admins, network configuration, etc.
  • Using this data, attackers obtain administrative credentials and connect to domain controller, where they dump data of Active Directory.
  • Using domain administrator credentials, another Cobalt Strike service is installed on the domain controller. It is a chained Server Message Block listener. It allows Cobalt Strike commands to be passed on to the server and other computers on the network. This allows attackers to spread the attack laterally onto other systems in the same network.
  • The Ryuk is launched and it attacks the backup server. In case of detection or interruption by security protocols, the attackers use icacls command to modify access control. This gives them complete control of the system folders on the server.
  • Now, they deploy GMER, a rootkit detector tool. It is used to find and shutdown hidden processes such as antivirus. The ransomware is re-deployed and re-launched multiple times to overwhelm remaining defenses.
  • Ransom notes are dropped in folders hosting the ransomware.

Educate the employees to refrain from opening doubtful emails and documents to prevent the new Ryuk attack.

For more information on the new Ryuk ransomware attack, contact Centex Technologies at (254) 213 – 4740.

, , ,

No Comments

Understanding The Concept Of Ransomware As A Service

Ransomware is a type of malware that extorts money from the target victim by infecting and taking control of the victim’s systems or secured documents stored in the system. Ransomware attacks either locks the computer from normal use or encrypts the documents using a key available with the attacker only.  ‘Ransomware as a Service’ is a kind of ‘Software as a Service’ provided by tech vendor. RaaS can also be defined as a ransomware infrastructure that is rented to hackers on dark web. It is an easy platform for novice hackers (with zero to low knowledge of coding malware) to access ransomware attacks and implant these ransomwares on victim’s machines for claiming extortion money.

How Does RaaS Function?

Here is a simple map of events to explain the functioning of RaaS model:

  • A deceitful vendor offers a tool containing Ransomware on Dark web
  • The package contains all the software and related files needed for a successful ransomware attack
  • Hackers and malicious actors purchase this tool package
  • They use the tools for attacking a victim’s system or network to get hold of computer files and information
  • Depending upon the type of ransomware, it may either lock or encrypt the files
  • The hackers now demand financial ransom in exchange of returning data access to the victim

Similar to other ‘Software as a Service’ models, RaaS involves user services such as provision of desktop, infrastructure, ERP, customer relationship management or other digital services. The buyers of RaaS have the option to order up the capability of the ransomware for launching a more severe attack.

Some important points to note include:

  • RaaS users take deliberate steps to conceal their identity and take deliberate steps to make their actions hard to track. A common practice is to demand payments in digital currency as it is comparatively difficult to trace.
  • Once the victim makes the ransom payment, it is not guaranteed that the hacker will provide the decryption key to the victim. Also, making the ransom payment does not ensure that the hacker will not leak any files or documents.

What Measures Can Be Taken To Combat RaaS Attacks?

Organizations need to take following measures to secure themselves against RaaS attacks:

  • Employees are the most vulnerable entry point but they may be used as first line of defense, if properly educated. Regularly educate them on the latest ransomware attacks and cyber security practices they should employ.
  • Secure the system and network by continuously auditing for any vulnerability. Also, regularly update the cyber security tools for latest versions.
  • Maintain a backup of all the files at a location from where they can be easily retrieved. This helps the business to keep functioning even if the systems are attacked.

For more information on understanding the concept of ‘Ransomware as a Service’, contact Centex Technologies at (254) 213 – 4740.

, , , ,

No Comments

How Are Attackers Targeting Organizations With Steganographic Techniques?

Steganography is the act of hiding secret information within an ordinary, non-secret file or message to avoid detection. The main strengths of steganography are its capacity to keep a message as secret as possible and hide a large amount of data. Cyber attackers are exploiting these strengths to target organizations by launching sophisticated attacks.

Cyber attacks employ steganography to embed malicious code in seemingly benign content to bypass an organization’s cyber security. The basic layout of a cyber attack using steganography is based on four concepts.

  • Social Engineering: When the user opens the compromised document, the malware code instructs the victim to enable content in the document.
  • Network Security Monitoring Evasion: Once the content is enabled, the document runs a PowerShell script to download a file with embedded malware. The file may be as simple as a popular image, a wallpaper, etc. and is stored on a remote server.
  • Manual Analysis Evasion: The attackers make use of obfuscated VB macros to decode the malicious content hidden within the pixels of these images and install the malware.
  • Persistence: The malware is designed to register scheduled tasks to enable the script to survive system reboots.

What Is PowerShell?

Microsoft introduced it as a scripting language and command line. It is now open-source and cross-platform enabling developers to use multiple languages and libraries for building applications for mobile, gaming, desktop, and IoT solutions. It is popular among cyber criminals for launching steganography attacks because:

  • It’s easy-to-use and versatile, providing access to all major OS functions.
  • It is used and trusted by many administrators, allowing PowerShell malware to blend in with benign activity on the network.

What Type Of Information Hidden Is Via Steganography By Cyber Criminals?

Cyber criminals can use the information hiding at different stages of a cyber attack depending upon the kind of information hidden.

  • Identities: Anonymization techniques are used to hide the identities of communicating parties.
  • Communication: Steganography is used to hide the fact that a conversation is taking place. It conceals the data packet flow by using traffic-type obfuscation methods.
  • Content: Cyber criminals may hide the content of data but not the transmission or presence of data itself.
  • Code: The structure of executable malicious code is hidden by binary code obfuscation and masquerading techniques.

With an increase in the number of sophisticated cyber-attacks using Steganographic techniques, the organizations are required to update their cyber security measures.

For more information on the use of steganography in cyber attacks, contact Centex Technologies at (254) 213 – 4740.

, , , ,

No Comments