INC Ransomware Behind Linux Threat

Overview

This week, the SonicWall Capture Labs Research team analyzed a sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago.

Infection Cycle

The malware is a Linux executable in ELF file format. A quick inspection of its strings revealed command-line arguments that can be passed to this ELF file.

Figure 1: List of Command Line Arguments

Upon execution with the identified parameters, the malware appends “INC” to the names of encrypted files.

Figure 2: Debug Output Using the --debug Option

Figure 3: Encrypted files with “INC” appended file extension

The malware also creates a file named “kill,” a shell script that uses the esxcli utility available on VMware ESXi to list and kill all running virtual machine processes when the malware is executed in an ESXi environment. Since our analysis was not conducted in such an environment, this command resulted in an error because the utility was not found.

Figure 4: Content of the “kill” and delete scripts

Another file created is “delete,” which is a shell script using the ESXi command-line utility vim-cmd to delete all available virtual machines.

Copies of ransom notes were dropped in directories where files were encrypted, consistent with other ransomware behavior.

Figure 5: Contents of “Inc_readme.html” Ransom note

The parameter ‘--motd’ also changed the message of the day (MOTD) on the infected machine to display the ransom note message upon successful login.
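As an added illustration of how a defender might sweep a host for the artifacts described above (this is example code, not part of the SonicWall write-up and not the malware's own scripts), the Python below walks a directory tree for files carrying the appended .INC extension, for Inc_readme.html notes, and for “kill”/“delete” shell scripts that reference esxcli or vim-cmd, and then checks whether the message of the day has been rewritten. The sample directory it builds, the stand-in script contents and the ransom-note phrases it searches for are constructed assumptions; the post does not quote the note text.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: appended ".INC" extension, "Inc_readme.html"
# notes, "kill"/"delete" helper scripts that call ESXi utilities, and a rewritten MOTD.
NOTE_NAME = "Inc_readme.html"
ENCRYPTED_SUFFIX = ".INC"
SCRIPT_NAMES = {"kill", "delete"}
ESXI_TOOLS = re.compile(r"\b(esxcli|vim-cmd)\b")
# Wording to look for in the MOTD; assumed, since the post does not quote the note.
RANSOM_PHRASES = re.compile(r"(encrypted|ransom|decrypt)", re.IGNORECASE)


def scan_tree(root):
    """Walk `root` and return {indicator: [paths]} for the file-system indicators."""
    hits = {"encrypted_files": [], "ransom_notes": [], "esxi_scripts": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted_files"].append(str(path))
            elif name == NOTE_NAME:
                hits["ransom_notes"].append(str(path))
            elif name in SCRIPT_NAMES:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue
                if ESXI_TOOLS.search(text):
                    hits["esxi_scripts"].append(str(path))
    return hits


def motd_tampered(motd_path):
    """True if the MOTD file exists and contains ransom-note wording."""
    p = Path(motd_path)
    if not p.is_file():
        return False
    return bool(RANSOM_PHRASES.search(p.read_text(errors="replace")))


def triage(base):
    """Combine the file-system sweep and the MOTD check into one findings dict."""
    hits = scan_tree(base)
    hits["motd_tampered"] = motd_tampered(Path(base) / "etc" / "motd")
    hits["suspicious"] = bool(
        hits["encrypted_files"] or hits["ransom_notes"]
        or hits["esxi_scripts"] or hits["motd_tampered"]
    )
    return hits


def build_sample_tree(base):
    """Constructed fixture mimicking a post-infection layout; not a real sample."""
    base = Path(base)
    (base / "data").mkdir(parents=True)
    (base / "data" / "report.docx.INC").write_bytes(b"\x00opaque")
    (base / "data" / "budget.xlsx.INC").write_bytes(b"\x00opaque")
    (base / "data" / NOTE_NAME).write_text("<html>placeholder ransom note</html>")
    (base / "tmp").mkdir()
    # Stand-in scripts: only the tool name matters to this check, no real commands.
    (base / "tmp" / "kill").write_text("#!/bin/sh\n# constructed stand-in referencing esxcli\n")
    (base / "tmp" / "delete").write_text("#!/bin/sh\n# constructed stand-in referencing vim-cmd\n")
    (base / "tmp" / "notes.txt").write_text("clean file\n")
    (base / "etc").mkdir()
    (base / "etc" / "motd").write_text("Your files have been encrypted. Contact us to decrypt.\n")
    return base


def run_demo():
    """Build the constructed tree in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real Linux host the same sweep is `triage("/")`, which also points the MOTD check at /etc/motd; the regexes are deliberately narrow to the indicators in this post and would need widening for other families.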

Figure 6: Message of the Day shows ransom note message

Visiting the URL in the ransom note led to a blog site listing all supposed victims.

Figure 7: INC Ransom blog site

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LinuxINC.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

For further details, visit the official man page for MOTD.

Latest Cyber Threat Intelligence Shows Ransomware Skyrocketing

2021 has already been a record-setting year for cybercrime — and it’s only halfway over. While high-profile attacks such as Colonial Pipeline and Kaseya continue making headlines, businesses of all sizes, across all industries, are noting an increase in cybercrime.

Part of this increase can be attributed to new ransomware techniques, soaring cryptocurrency prices and the continued rise in IoT devices. But a big factor continues to be today’s shifting and distributed IT landscape, which has proven a uniquely enticing environment for launching a variety of attacks.

“In a year driven by anxiety and uncertainty, cybercriminals have continued to accelerate attacks against innocent people and vulnerable institutions,” SonicWall President and CEO Bill Conner said in the official announcement. “The latest data shows that sophisticated threat actors are tirelessly adapting their tactics and embracing ransomware to reap financial gain and sow discord.”

This data, collected by SonicWall Capture Labs threat researchers over the first six months of 2021, is now available in the Mid-Year Update to the 2021 SonicWall Cyber Threat Report — which arms organizations with actionable threat intelligence to safeguard workforces in today’s business reality. Here are some of the highlights:

Ransomware Continues its Record-Shattering Run

Ransomware was already high going into 2021, but it’s up significantly since then, with attacks increasing a staggering 151% over the first half of last year. April, May and June each saw levels high enough to hit all-time records, and attacks are showing no sign of slowing down. By June 30, SonicWall had recorded 304.7 million ransomware attacks globally — more than the 304.6 million we saw over the entire year of 2020.

RTDMI™ Reaches New Heights

The bad news: Cyberattacks are getting more effective. The good news: Defense methods are getting better too, and in the case of SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI), they’re improving dramatically. Included with the Capture Advanced Threat Protection sandbox service, this technology discovered 185,945 never-before-seen malware variants in the first half of 2021, a 54% year-to-date increase. By leveraging machine learning, RTDMI has become highly effective at identifying new and advanced threats, contributing to a perfect score in the last two cycles of ICSA Advanced Threat Defense (ATD) testing.

IoT Attacks Jump 59%

With the number of IoT devices projected to rise from 13.8 billion today to 30.9 billion in 2025 — and with security standards remaining shockingly lax — cybercriminals are increasingly focusing on IoT attacks. In the first half of 2021, SonicWall threat researchers recorded 32.2 million IoT malware attempts, a jump of 59% year to date.

Cryptojacking Continues to Climb

Cryptojacking continues to defy reports of its demise: In the first six months of 2021, SonicWall saw 51.1 million cryptojacking attempts, a 23% year-to-date increase. This increase was particularly pronounced in Europe, where 248% more cryptojacking attempts were recorded in the first half of 2021 than the first six months of 2020.

Malware Falls by Nearly a Quarter

So far in 2021, malware has fallen 22% year to date, as the decline of “spray-and-pray” malware continues to impact overall volume. With the speed and magnitude of changes impacting the threat landscape — from the preferred methods of attack to who’s being targeted — it’s never been more important to stay updated on the risks of today … or prepare for the risks of tomorrow.

“With remote working still widespread, businesses continue to be highly exposed to risk, and criminals are acutely aware of uncertainty across the cyber landscape,” Conner said. “It’s crucial that organizations move toward a modern Boundless Cybersecurity approach to protect against both known and unknown threats, particularly when everyone is more remote, more mobile and less secure than ever.”

Boost Productivity and Conserve Bandwidth with New SonicWall Analytics Tools

The internet has become an indispensable resource in both professional and personal life — and due to its ubiquity, people have a natural inclination to use corporate networks for both work and non-work-related web applications.

This mingling of personal and professional app usage has increased the speed with which boundaries between home and office are falling. Unfortunately, unbounded and non-selective use of the business-critical organization network for non-work-related web activities has significant downsides.

Unrestricted access to the internet places additional pressures on IT teams responsible for managing a network infrastructure and guarding against security threats. The tendency to use non-work-related internet applications during working hours can hurt organizational productivity — and worse, organizations can be held legally liable for employees’ actions while using company web resources.

To protect organization assets and workforce productivity, internet usage within the corporate network should be checked for fairness and optimized for the organization’s overall performance. However, the abundance of internet resources makes it unfeasible for network administrators to analyze each and every one accessed over the corporate network.

To get a clearer picture of internet usage, those resources need to be classified based on value to the organization, such as into “productive” and “unproductive” categories. Furthermore, this categorization must agree with corporate policy, internet usage policy and industry domain. Successful categorization provides valuable insight into usage patterns and behavior.

Once categorization is established, we must understand which metrics are available for monitoring internet usage patterns, as well as the utility of each metric. For example, when we analyze internet usage patterns from the perspective of how well corporate bandwidth is being utilized or the financial implication of internet bandwidth consumed by non-productive categories, we must look at total data transfer in each productivity group. The data transfer metric is also important from the perspective of network capacity planning.

If we are analyzing internet usage patterns from a workforce productivity point of view, the time spent by employees in different productivity categories is of primary importance. Moreover, to get a complete picture from a workforce productivity perspective, the browsing time data must be correlated with the time of day, determining whether usage occurred during working hours or non-working hours. Lastly, the relative demand for an internet resource within an organization is indicated by the number of connections made to it, which is tracked by the connection metric.

In summary, we need a powerful and intelligent analytical engine capable of:

  1. Ingesting firewall event data at wire speed
  2. Filtering out relevant internet access events
  3. Mapping them to the productivity categories as defined by each organization
  4. Summarizing reports for each productive category in multiple analytical metrics

And for maximum usability, all this functionality needs to be coupled with an apt and intuitive user interface for easy access to reports and analytical data.
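The pipeline in the list above (ingest, filter, map to productivity groups, summarize per metric) can be sketched in a few dozen lines. The Python below is an added example, not SonicWall Analytics code: it parses constructed key=value firewall events (not SonicWall’s real syslog layout), maps each content-filter category to an assumed productivity group, and totals bytes transferred, browsing time and connection count per group, split by assumed working hours (09:00 to 17:00 on weekdays), which are the three metrics and the time-of-day correlation discussed above.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed events in a simple key=value form; this is not SonicWall's log format.
SAMPLE_EVENTS = """\
time=2021-06-01T09:15:00 user=alice category="Business and Economy" bytes=120000 dur=300
time=2021-06-01T10:05:00 user=bob category="Social Networking" bytes=850000 dur=900
time=2021-06-01T12:30:00 user=alice category="Streaming Media" bytes=4000000 dur=1200
time=2021-06-01T19:45:00 user=bob category="Streaming Media" bytes=2500000 dur=1800
time=2021-06-01T14:00:00 user=carol category="Search Engines" bytes=30000 dur=120
time=2021-06-01T15:20:00 user=carol category="Unknown Category" bytes=5000 dur=60
"""

# Assumed mapping from content-filter categories to productivity groups; each
# organization defines its own to match its internet usage policy.
PRODUCTIVITY_GROUPS = {
    "Business and Economy": "productive",
    "Search Engines": "productive",
    "Social Networking": "unproductive",
    "Streaming Media": "unproductive",
}
DEFAULT_GROUP = "unclassified"
WORK_START, WORK_END = 9, 17  # assumed working hours, 09:00-17:00


def parse_event(line):
    """Turn one key=value line into a typed dict (shlex handles the quoted category)."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return {
        "time": datetime.fromisoformat(fields["time"]),
        "user": fields["user"],
        "category": fields["category"],
        "bytes": int(fields["bytes"]),
        "dur": int(fields["dur"]),
    }


def is_working_hours(ts):
    """Weekday and inside the assumed office window."""
    return ts.weekday() < 5 and WORK_START <= ts.hour < WORK_END


def summarize(log_text):
    """Return {group: {window: {bytes, seconds, connections}}} over all events."""
    report = defaultdict(
        lambda: defaultdict(lambda: {"bytes": 0, "seconds": 0, "connections": 0})
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        group = PRODUCTIVITY_GROUPS.get(ev["category"], DEFAULT_GROUP)
        window = "working" if is_working_hours(ev["time"]) else "off_hours"
        bucket = report[group][window]
        bucket["bytes"] += ev["bytes"]
        bucket["seconds"] += ev["dur"]
        bucket["connections"] += 1
    return {g: dict(w) for g, w in report.items()}


def unproductive_share(report, window="working"):
    """Fraction of bytes in `window` that went to the unproductive group."""
    total = sum(w.get(window, {}).get("bytes", 0) for w in report.values())
    if total == 0:
        return 0.0
    return report.get("unproductive", {}).get(window, {}).get("bytes", 0) / total


if __name__ == "__main__":
    rep = summarize(SAMPLE_EVENTS)
    for group, windows in rep.items():
        for window, m in windows.items():
            print(f"{group:13s} {window:9s} bytes={m['bytes']:>8} "
                  f"seconds={m['seconds']:>5} connections={m['connections']}")
    print(f"unproductive share of working-hours bytes: {unproductive_share(rep):.1%}")
```

The unclassified bucket is the one to watch operationally: categories that fall through the mapping are where a policy review (and often a threat investigation) starts.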

To this end, SonicWall has added the advanced capabilities and workflows required to manage the internet productivity of an organization as Productivity Reports in the SonicWall Analytics solution.

SonicWall Analytics is a cloud-native analytics engine designed for speed and scale. The Productivity Reports feature provides fully customizable productive group configuration based on content filtering categories. The thoughtfully designed user interface offers insightful executive snapshots in different productivity categories. Analysts can drill down from those snapshots or jump directly into individual websites, users and web categories to analyze usage patterns and investigate associated threats.

The Productivity Reports’ interface extends beyond reporting and analytical capabilities. For example, it integrates policy creation directly from the report screen to restrict users, websites, or web categories.

To discover the full breadth of SonicWall Analytics, visit www.sonicwall.com/analytics or contact sales for a free trial.

SD-WAN and VPN Orchestrations: Fast-Tracking Enterprise Growth

If you’re planning to onboard multiple branches or refresh existing sites with newer firewalls, SonicWall now offers options to help you effortlessly fast-track the process.

We recently announced the expansion of our Network Security Manager version 2.3, which introduced three essential firewall management capabilities: Template Variables, SD-WAN, and VPN Orchestration and Monitoring. These new features help facilitate the rapid deployment, provisioning and central management of your enterprise-wide SD-Branch operations globally.

Template Variables

Here’s a typical use case for Template Variables: Say a security operations center (SOC) for a large enterprise retailer wants to quickly build out hundreds of store locations using a single template configuration, eliminating manual configuration at each site. The administrator needs an easy-to-use tool to automatically assign a unique interface, subnet, gateway IP and static routes to each firewall, while keeping all other settings and policies consistent across all sites. NSM 2.3’s new Template Variables feature enables them to do precisely this.

When configuring a Template using Template Variables to assign a device-specific value — such as an IP address, subnet and gateway IP, and static route — the admin can make specific firewall parameters requiring a unique value into a variable object within a template configuration. For example, the Template Variables object “testv4Obj” in Figure 1 shows that it can be any octet of the IP address.

For the firewall device named “test,” the second, third and fourth octets are set as variable objects. So, when the Template with Template Variables configuration is committed and deployed, NSM resolves the device-unique value for the associated firewall device. This occurs when the Template gets pushed across multiple devices or device groups.

In this scenario, “test” is assigned an IP address of 10.5.5.10, while “demo_tz670_gen7” is given the value 10.101.1.10. Template Variables preserve the uniqueness of the device-specific value during the commit and deploy process.

Other examples of such parameters are DNS Server IP, Hostname, FQDN, etc. You can also use variables inside access rules in the form of address objects.
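To make the resolution step concrete, here is an added Python example (not NSM code; the post does not show NSM’s template syntax) in which device-specific octets are variable objects written as {name} inside a template, resolved per device, and sanity-checked before deployment. The template fields, the variable names o2/o3/o4/hostname, the netmask and the gateway values are assumptions; the two resolved addresses, 10.5.5.10 for “test” and 10.101.1.10 for “demo_tz670_gen7,” are the ones quoted above.

```python
import ipaddress
import re

# Constructed template: each device-specific value is a {name} variable object.
TEMPLATE = {
    "X1_ip": "10.{o2}.{o3}.{o4}",
    "X1_netmask": "255.255.255.0",
    "X1_gateway": "10.{o2}.{o3}.1",
    "hostname": "{hostname}",
}

# Per-device variable values (assumed). The addresses match the ones quoted in the post.
DEVICE_VARS = {
    "test": {"o2": "5", "o3": "5", "o4": "10", "hostname": "test"},
    "demo_tz670_gen7": {"o2": "101", "o3": "1", "o4": "10", "hostname": "demo-tz670"},
}

VAR = re.compile(r"\{(\w+)\}")


def resolve(template, variables):
    """Substitute every {name} in the template; raise if a variable is undefined."""
    out = {}
    for key, value in template.items():
        missing = [v for v in VAR.findall(value) if v not in variables]
        if missing:
            raise KeyError(f"{key}: undefined variable(s) {missing}")
        out[key] = VAR.sub(lambda m: variables[m.group(1)], value)
    return out


def validate(config):
    """Pre-commit checks: well-formed address, gateway inside the interface subnet."""
    iface = ipaddress.ip_interface(f"{config['X1_ip']}/{config['X1_netmask']}")
    gw = ipaddress.ip_address(config["X1_gateway"])
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not in {iface.network}")
    if gw == iface.ip:
        raise ValueError("gateway equals the interface address")
    return True


def deploy(template, device_vars):
    """Resolve the template for every device and refuse duplicate addresses."""
    configs = {}
    seen = {}
    for device, variables in device_vars.items():
        cfg = resolve(template, variables)
        validate(cfg)
        if cfg["X1_ip"] in seen:
            raise ValueError(f"{device} and {seen[cfg['X1_ip']]} resolve to the same IP")
        seen[cfg["X1_ip"]] = device
        configs[device] = cfg
    return configs


if __name__ == "__main__":
    for device, cfg in deploy(TEMPLATE, DEVICE_VARS).items():
        print(device, cfg)
```

The uniqueness and subnet checks are the part worth copying: a template push that silently gives two branches the same address, or a gateway outside the interface subnet, is the kind of error a commit-and-deploy workflow should reject before it reaches the devices.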

Whether you have a single site or hundreds of sites, the Template Variable within the Template configuration workflow makes building out any number of sites super-fast. It does this by auto-provisioning device-specific configurations for each firewall. As a result, distributed enterprises can onboard and secure new branch facilities quickly and easily, eliminating separate manual setups for each device at every location.

SD-WAN Orchestration and Monitoring

The use case for the SD-WAN Orchestration feature is similar to that of Template Variables. A typical scenario is a distributed enterprise SOC that wants to operationalize multiple branches with SD-WAN connectivity to communicate with one another.

The admin wants to — from one place — centrally deploy, provision and manage SD-WAN networks and application routing services across all sites. The goal in a case like this is to ensure business-critical applications never slow down or shut off and that they continually operate at peak performance. The NSM 2.3 SD-WAN Orchestration feature enables the enterprise SOC to do all that.

Using an intuitive, self-guided workflow, administrators can build, operate and manage an enterprise-wide SD-WAN network. This is done by establishing and enforcing application-based traffic and other traffic steering configurations across and between thousands of sites, all with minimal effort.

The SD-WAN Monitoring feature lets admins proactively observe the health and performance of their SD-WAN environment, such as interface status, utilization and performance service level. This information allows network infrastructure teams to:

  1. Troubleshoot and resolve issues quickly
  2. Ensure consistent SD-WAN configurations across all sites
  3. Drive the optimal level of WAN and application performance

VPN Orchestration and Monitoring

Setting up and configuring VPNs in a distributed enterprise with multi-location and multi-cloud networks can be burdensome. It may even be problematic for specific deployment scenarios and less experienced administrators. Enterprise SOCs want to make this process easier for their network admins — and they expect a simple and procedural way to set up VPN settings and policies so that any network admin at any skill level can configure everything via a streamlined process. Once VPN tunnels are established across the enterprise, enterprise SOCs also demand visibility into all network traffic going through the VPN tunnels.

The NSM 2.3 VPN Orchestration feature helps admins establish site-to-site connectivity and communication quickly and without errors by using a repeatable, self-guided workflow. This feature enables them to centrally configure VPN settings and policies using a wizard-based, step-by-step setup process.

Additionally, the VPN Monitoring feature gives admins complete visibility into their entire VPN environment’s activities, health and performance. Admins can leverage this information to monitor connection status, data transfers and bandwidth consumed over those VPN tunnels. At the same time, alerts allow admins to proactively maintain the integrity of VPN connections, ensuring continuous connectivity between sites.