Posts

Ransomware-as-a-Service, Open-Source Malware Fueling Attack Spikes in 2019




Ransomware is too lucrative to fade away. Its brilliance is in its simplicity. And shifting trends make it easier than ever to leverage in cybercriminal activity.

As each passing day presents us with a new ransomware victim, we can clearly see that ransomware is here to stay — and businesses and organizations should invest now to protect their brand, networks, data and customers.

According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — a 15% year-to-date increase over 2018.

The most alarming ransomware data was sourced from the U.K. After enjoying a 59% decline in ransomware in 2018, the region saw ransomware volume jump 195% year-to-date for the first half of the year.

RaaS, open-source malware on the rise

But it’s not just about volume. Globally, cybercriminals continue to pivot toward new tactics. Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019.

Cerber has long been one of the most powerful and damaging ransomware families in use. This is primarily because it is available as a service offering for low monthly prices.

Other ransomware — like HiddenTear and Cryptojoker — are available via open-source kits. This means that criminals with very basic coding skills can grab an open-source malware and customize it to meet their objectives. In many cases, this changes the core of the malware and helps it evade signature-only security controls (e.g., antivirus, unsupported firewalls).

In June 2019 alone, SonicWall Capture Labs threat researchers logged more than 3 million hits by the Cerber.G_5 RaaS signature alone.

FY 2018 1H 2019
Family Volume Type Family Volume Type
Cerber 101.6 Million RaaS Cerber 39.5 Million RaaS
BadRabbit 7.8 Million Custom Gandcrab 4.0 Million RaaS
Dharma 7.3 Million Custom HiddenTear 4.0 Million Open Source
LockyCrypt 6.1 Million Custom CryptoJoker 2.4 Million Open Source
CryptoJoker 5.6 Million Open Source Locky 1.8 Million Custom
Locky 2.4 Million Custom Dharma 1.5 Million Custom
Petya 1.9 Million Custom

As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

What is ransomware as a service (RaaS)?

Ransomware as a service, or RaaS, is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, you subscribe to a service delivery model to reduce CapEx, always have the latest offerings, gain predictable pricing and receive support.

Legitimate or note not, business models always have to tackle the method of distribution. Will they sell directly to end users, through a channel of distributors or a mix of both?

The same holds true with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution — all the while collecting a cut of the prize.

BleepingComputer offered an informative breakdown on how a typical payment model would work.

“Unlike most ransomware-as-a-service offerings, in order to become an affiliate a would-be criminal has to pay to join a particular membership package,” BleepingComputer wrote. “These packages range from $90 USD, where the affiliate earns 85% of the ransom payments, to $300 and $600 packages where the affiliates keep all of the revenue and gets extra perks such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options.”

Ransomware-as-a-Service RaaS is the New Normal

Business models always have to tackle the method of distribution, will they sell directly or through a channel of distributors or a mix of both. The same is with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution all the while collecting a cut of the prize.

Throughout the past year, and even until the large-scale WannaCry attacks, floating between the peaks of the infamous events are small focused attacks en masse from rebranded exploit kits. In the past quarter, we have discovered a mix of developer hobby/chaos-malware, rebranded ransomware, and repackaged RaaS ransomware.

  • Trumplocker
  • AlmaLocker
  • Jigsaw
  • Lambda
  • Derialock
  • Shade
  • Popcorn

Recently, one author showed how easy it is to launch a ransomware attack within an hour… with zero hacking skills. So what does this mean to an organization like yours? Should this scare you? Simply put, attacks from more sources equals more attacks but SonicWall has your back.

First off, organizations can have the front-line protection of our award-winning multi-engine network sandbox, SonicWall Capture Advanced Threat Protection (ATP) Service. Capture ATP automatically takes suspicious code at the gateway of your network, and runs it in three parallel engines (and counting) to see what it wants to do from the application, to the OS, to the software that resides on the hardware. We find the newest ransomware families and updates this way.

Secondly, our Capture Labs research team catches many new variants of ransomware and malware in multiple ways as well as from a multitude of external sources. Once new ransomware families are found (either from Capture ATP, a honeypot, or another Capture Labs source), the intelligence is cross-pollinated to the rest of the SonicWall portfolio of security products.

Lastly, organizations can expect to be hit by a wide range of ransomware attacks and should ensure they have a good backup policy and focus on awareness training.

To learn more, watch this video to see how SonicWall stops ransomware:

Three Ways to Protect Your Business Against Ransomware-as-a-Service

Last week I was at one of our sales offices in Utah. I heard an interesting story about how a dentist office called in to ask for threat prevention against ransomware. The dentist office had been affected by ransomware twice in a short period of time. Twice, they paid the ransom to ensure business continuity and customer retention. This is a common story across many small to medium-sized businesses (SMBs) though we seldom hear about them in the media.

According to a study conducted in June 2016 by Osterman Research Inc., 30 percent of the ransom amounts demanded are $500 or less, reflecting the size of businesses affected by the attacks. SonicWall’s GRID threat research team has seen massive increases in ransomware infections for 2016, mostly coming from small and medium businesses. A new variant of ransomware, Ransomware-as-a-Service (RaaS), designed to be user friendly and deployable by anyone, can simply download the virus either for free or for a simple fee.

Ransomware-as-a-Service

Even simple measures can help protect against ransomware. Here are three ways:

Training

The same study shows that 67 percent of U.S. cyberattacks originate via phishing through emails. Organizations requiring employees to do security awareness training once a year at least are less likely to get infected than companies that do it less frequently. Training alone is not sufficient, but can provide the necessary first line of defense for a lot of businesses.

Data backup

Ransomware exists because organizations keep paying the attackers for their data.  With a good data backup infrastructure, businesses can redeem itself quickly by cleaning up their network and restoring the data from backup.

Technology

Advanced threats like ransomware attack all kinds of businesses. After multiple attacks, a big business can revive itself and get back on track. However, SMBs cannot afford such multiple attacks. Small amounts paid multiple times can quickly add up, and result in closure of a small business. It is even more important today for SMBs to invest in strong and advanced security solutions available through next-generation firewalls.

SonicWall firewalls have been protecting SMBs all over the globe for more than 25 years. With the comprehensive SonicWALL Gateway Security Suite providing gateway anti-virus, URL/web filtering and intrusion prevention services, businesses were protected 24x7x365 against known malware. With the recent increase in unknown malware and zero-day threats, the new Advanced Gateway Security Suite (AGSS) includes SonicWall Capture ATP,  a multi-engine network sandboxing solution, providing advanced threat protection to all SonicWall firewalls including the TZ Series for SMBs.

Discover best practices and download our solution brief: How to protect against ransomware.

Use the Advanced Gateway Security Suite from SonicWall.