Saturday, October 14th 2017

Weekend Reading 101: On Ransomware's Chains and Carbon Black's Report

Carbon Black, a cybersecurity company founded by former members of the U.S. government's elite team of offensive security hackers, has released a report detailing the continued rise of ransomware's impact, and that report served as the fire-starter for this piece. Carbon Black's Threat Analysis Unit (TAU) has found that ransomware is an increasingly prolific economic entity, bolstered by a 2,502% increase in sales on the dark web. As with every activity, legal or illegal, the economic footprint follows profit, and in ransomware's case it's estimated to have yielded around $1 billion this year alone. Ransomware even has the advantage of not requiring specialized computer skills, and can be quickly and brainlessly deployed in search of a quick buck.

Carbon Black reports that there are currently more than 6,300 ransomware marketplaces on the dark web, with over 45,000 different product listings, which range in price from $0.50 to $3K (the median price for a DIY ransomware package stands at roughly $10.50). Ransomware sellers are taking advantage of this burgeoning, "quick buck at anyone's expense" reasoning: some ransomware sellers are earning more than six figures yearly, sometimes even more than legitimate software companies. It's no surprise, however, that the report points to technologies such as Bitcoin and the Tor network as two of the most important enablers of this ransomware explosion, besides making it much more difficult for law enforcement agencies to, well, enforce the law against the perpetrators.
To our Forum Dwellers: this piece is marked as an Editorial

There are two fundamental chains in the world of ransomware's creation and distribution: the kill chain and the supply chain.

The ransomware kill chain can be divided into five modules: Creation > Distribution > Encryption > Payment > Command & Control. The entire kill chain can be distributed via DIY kits that contain all the necessary modules for payload deployment; more exotic solutions, however, may mix and match code from different authors and services to achieve a desired, specific effect.
Creation is easy to understand: it's the part of the chain where an author writes, tests, and maintains a piece of ransomware code. This code can be written in an all-encompassing, mass-market way, targeting widespread vulnerabilities, or written specifically, as needed, for a targeted campaign. Higher levels of code customization naturally make the coding effort more expensive.

Distribution is the means by which ransomware actually reaches users' computers. This can be done via brute-force, "spray and pray" methods such as mail spamming, compromised websites, ads and social engineering, or via targeted hacks, as we've seen with some high-profile business attacks such as WannaCry.
Encryption/Decryption is the module responsible for encrypting the users' data that will be ransomed - if a ransom is the objective, anyway. Once this phase has succeeded, there's usually a gaudy, nerve-chilling screen that alerts the user to the ransomed state of their private data, giving instructions for payment and - hopefully - eventual decryption.
Payment is pretty self-explanatory, though nowadays the rise of cryptocurrencies has decreased the risk of discovery for the perpetrators, especially with the more privacy-focused coins such as Monero and Zcash. Whereas VISA or bank transfer payments could previously leave a trail for eventual perpetrator identification, nowadays it's much more difficult - and often impossible - to identify the infection source.

The Command & Control module allows for remote control of the users' system and ransomed files, enabling end-to-end operations, and has been increasingly deployed in the wake of the rise in popularity of RaaS (Ransomware as a Service).

Ransomware supply chains can be divided into three tiers: Authors, RaaS, and Distributors.
Authors are the weapon makers in the ransomware economy; they are responsible for the creation of new ransomware for sale, and usually have advanced coding skills that also allow them to provide ransomware platforms and/or charge others for training and support in ransomware coding. They can author specific parts of the ransomware kill chain (creation; distribution; encryption; payment; command & control) or develop all-encompassing DIY packages that pack the entirety of the kill chain or allow users to code their own.

RaaS stands as a way for users to effortlessly distribute ransomware packages. It's usually controlled via a web portal with a GUI (Graphical User Interface), which basically removes all of the coding/deployment work from the user. Ransomware packages and access to these ransomware services can be free (with the service provider taking a cut of the users' successful ransomware attacks), or come with an up-front payment that gives access to the needed software packages. The RaaS providers can take more than half the share of the ransomware profits, but some platforms take less than that (like Satan, one of the more user-friendly RaaS platforms, which usually takes a 30% cut from profits, or even just 20% in the case of Atom, previously known as Shark). These providers usually handle all the hassle of ransomware campaign tracking, Bitcoin transaction monitoring, and Bitcoin distribution. They make use of their attack data to perfect and guide subsequent attacks, based on machine infection success rate, payment rates, and other metrics. Thus, this is effectively "Hacking for Dummies", lowering the barrier to entry to almost laughable levels; no specialization or code knowledge is needed.
The third tier, Distributors, is naturally collapsing under the weight of the RaaS providers, who offer basically the same service (and more) but with much less user intervention and an overall more automated process. The Distributors are the parties responsible for distributing and delivering ransomware attacks via spam, targeted hacks, or exploit kits.

As to the future of ransomware and what it will mean for users of the world wide web, given its increasingly important place in our lives, Carbon Black has a number of projections for the ransomware field as we enter 2018, which include:
  • An increase in the targeting of Linux systems;
  • Increasingly targeted ransomware attacks towards specific businesses such as legal firms, healthcare providers, and tax preparers, and towards specific files, such as proprietary elements;
  • Added capability to not only encrypt but also exfiltrate files, so as to profit from both the ransom and the black-market sale of the exfiltrated data;
  • Ransomware as a smokescreen and false flag, hiding the true intentions behind the attack, as in the Petya/NotPetya case;
  • Ransomware as a backup for failures of more specific attacks, due to its easy-to-deploy nature;
  • Increased usage of social media as a distributor, with social engineering efforts that lead users to knowingly share compromised links to reduce or eliminate their own ransom;
  • Persistence-based ransomware, which burrows into the users' system and re-encrypts data for another extortion effort - even more likely to take place on machines where previous ransom demands proved successful.
As it stands, the ransomware economy is approaching cloud-service levels of ease of access and platform enablement. Coupled with the fact that there will always be profits to be made so long as users are willing to pay the ransom - and surveys show a majority of users would be willing to pay the price - this means there will always be motivation towards ransomware usage. The RaaS philosophy has enabled authors to focus on authoring, distributors to focus on distributing, and users to simply press the proverbial red button in massively higher quantities than before, which is why ransomware is a booming economy. With increased specialization from the different players in the supply and kill chains and increased distribution numbers, the frequency and severity of attacks are only going to increase. Knowledge may not be the most effective way of combating these kinds of attacks, but awareness is surely better than the alternative.

Sources: Carbon Black Website, The Ransomware Economy PDF, Barkly, Heimdal Security

18 Comments on Weekend Reading 101: On Ransomware's Chains and Carbon Black's Report

#1
Raevenlord
News Editor
Disclaimer: I'm not a security analyst, expert, nor anything of the sort. I'm just a curious news editor who likes to delve into most subjects. That said, if anyone who is more knowledgeable on the matter wants to chime in or clarify something, please do.
Posted on Reply
#2
lynx29
Well done @ravenlord, that was a very great read. I am currently writing my pol sci master's thesis on the role of government in cryptocurrency regulation. I know most will disagree with me, I know the system is not great, but still our taxpayer money seems to work like 60% of the time, sadly it is better than nothing... think about it, if Monero and those ever gain traction there would be no way to ever get tax collection because people will just use Monero-to-Monero wallets for payment, we cannot allow people to undermine government... I know Wall Street is criminal, etc etc... there is no easy answer, Cicero admitted this in Ancient Rome, but the checks and balances system he laid out is the best there is, as it limits tyranny and also the bureaucratic state.

Le Pen of the International Monetary Fund said she is going to take a closer look at cryptocurrency regulation just a couple days ago; the United Nations banning all exchanges worldwide is the only way to stop cryptocurrency in its tracks. If you think I am wrong and want Bitcoin/Monero to reign supreme, please, tell me what is going to pay for old people's medicine, or are we just going to let everyone die off and no longer pay taxes? Why should some of us pay taxes then at all? If we give people an option to not pay, they won't pay. We either become politically active and try to better the world the best we can, or we give up and it's every man for himself, and forget living past age 65-ish, 'cause you won't be able to afford your meds, I promise you that.
Posted on Reply
#3
trog100
i think it's anti-crypto propaganda.. governments don't like it which means they will use all means possible to kill it..

scary scary boogey man stuff..

trog
Posted on Reply
#4
syrup
I've been setting up my new main rig over the past several weeks, and my behaviour's certainly changed since doing the same six years ago, in trying to avoid ransomware and malware getting onto the system.

Original Windows media used for install, not created on my possibly-insecure old system. Secure Boot fully enabled - no CSM. Standard Windows account as my primary, after years of Admin + UAC. Home network treated as a 'public network' with file sharing off.

Perhaps the biggest change (and biggest hassle) is suspicion over the integrity of software downloads. Simply downloading from the developer's own website or somewhere trustworthy like FossHub no longer seems to be enough, and even the software signing process is vulnerable. I'm now downloading installation files from multiple sources, comparing hashes, doing file reputation checks with AV software and just basically trying in a sort of ad-hoc way to manage this risk, but you can never be sure.

Software update mechanisms seem similarly vulnerable and I think one day we might see one of these leveraged for something really big and nasty, so I'm tending to switch them off and do things manually. This can delay security patches, so it's a judgement call.

I've never used software that'd generally be considered suspicious, but certain software I have doubts about (e.g. DVDFab) will now be relegated to my old rig, which won't have my personal files stored on it.

My backup scheme hasn't changed much as it's always been pretty decent - one always-connected daily backup, and two alternating weekly backups on separate, disconnected drives. But you have to wonder if that's enough when there's the prospect of ransomware lying dormant until it thinks it's targeted all the backups.

There's more (e.g. limiting IoT devices), but this is TL;DR enough already. Makes me pine for the days of standalone Windows 3.1 systems when all one had to worry about was catching the Michelangelo virus from a friend's dodgy floppy.
Posted on Reply
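As an added example (not code from syrup's post, nor from any product he mentions), the PowerShell audit below checks the choices listed in that post: UEFI boot with Secure Boot and no CSM, Public network profiles, a non-admin daily account, and installers cross-checked by hash across sources, Authenticode signature and a Defender scan. It assumes Windows 10/11 with PowerShell 5.1+ and Microsoft Defender; the file paths and the published hash are placeholders.

```powershell
# Added example, not code from the original post: audits the hardening choices listed above.
# Assumes Windows 10/11 with PowerShell 5.1+ and Microsoft Defender. File paths and
# the published hash below are placeholders.

function Test-BootConfig {
    # Run elevated: Confirm-SecureBootUEFI needs admin and throws on a legacy (CSM) boot.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    [pscustomobject]@{
        Firmware   = $env:firmware_type   # 'UEFI' or 'Legacy'; Legacy means CSM is in use
        SecureBoot = $secureBoot
        Ok         = ($env:firmware_type -eq 'UEFI' -and $secureBoot)
    }
}

function Test-NetworkProfiles {
    # Every active profile should be Public so discovery and file sharing stay off.
    # Fix with: Set-NetConnectionProfile -InterfaceIndex <n> -NetworkCategory Public
    Get-NetConnectionProfile | ForEach-Object {
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Category  = [string]$_.NetworkCategory
            Ok        = ([string]$_.NetworkCategory -eq 'Public')
        }
    }
}

function Test-StandardUser {
    # True when the logged-on user is not in local Administrators. Run this from the
    # daily-use account's own session; 'Run as' another account would report that account.
    $me     = "$env:COMPUTERNAME\$env:USERNAME"
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    -not ($admins -contains $me)
}

function Test-Download {
    param(
        [string[]]$Copies,          # the same installer fetched from several sources
        [string]$PublishedSha256    # hash printed on the vendor's download page
    )
    # 1. All copies must be byte-identical and match the published hash.
    $hashes   = @($Copies | ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash })
    $distinct = @($hashes | Sort-Object -Unique)
    # 2. Authenticode: Valid / NotSigned / HashMismatch; one input among several, not proof alone.
    $sig = Get-AuthenticodeSignature -FilePath $Copies[0]
    # 3. On-demand Defender scan of the file (exit code 0 = clean, 2 = threat found).
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File $Copies[0] | Out-Null
    $defenderExit = $LASTEXITCODE
    [pscustomobject]@{
        CopiesAgree      = ($distinct.Count -eq 1)
        MatchesPublished = ($distinct.Count -eq 1 -and $distinct[0] -ieq $PublishedSha256)
        Signature        = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        DefenderClean    = ($defenderExit -eq 0)
    }
}

# Usage with placeholder paths; run from the standard account, elevate for Test-BootConfig.
Test-BootConfig
Test-NetworkProfiles
Test-StandardUser
Test-Download -Copies 'C:\dl\setup-mirror1.exe', 'C:\dl\setup-mirror2.exe' `
              -PublishedSha256 'PLACEHOLDER_SHA256_FROM_VENDOR_PAGE'
```

A mismatch between copies, or between the copies and the published hash, is the signal to discard the download, while a Valid signature alone is only one input, as the post notes.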
#5
AsRock
TPU addict
trog100
i think it's anti-crypto propaganda.. governments don't like it which means they will use all means possible to kill it..

scary scary boogey man stuff..

trog
What's scary is your need to put your name after each post, pun intended.

I don't believe they'll be killing off ransomware any time soon, too many dumb people with computers. In fact it's only going to increase.
Posted on Reply
#6
theoneandonlymrk
lynx29
Well done @ravenlord, that was a very great read. I am currently writing my pol sci master's thesis on the role of government in cryptocurrency regulation. I know most will disagree with me, I know the system is not great, but still our taxpayer money seems to work like 60% of the time, sadly it is better than nothing... think about it, if Monero and those ever gain traction there would be no way to ever get tax collection because people will just use Monero-to-Monero wallets for payment, we cannot allow people to undermine government... I know Wall Street is criminal, etc etc... there is no easy answer, Cicero admitted this in Ancient Rome, but the checks and balances system he laid out is the best there is, as it limits tyranny and also the bureaucratic state.

Le Pen of the International Monetary Fund said she is going to take a closer look at cryptocurrency regulation just a couple days ago; the United Nations banning all exchanges worldwide is the only way to stop cryptocurrency in its tracks. If you think I am wrong and want Bitcoin/Monero to reign supreme, please, tell me what is going to pay for old people's medicine, or are we just going to let everyone die off and no longer pay taxes? Why should some of us pay taxes then at all? If we give people an option to not pay, they won't pay. We either become politically active and try to better the world the best we can, or we give up and it's every man for himself, and forget living past age 65-ish, 'cause you won't be able to afford your meds, I promise you that.
So are you marching on PayPal, Apple et al. next week??? Or do you think their plans are different??
Posted on Reply
#7
MrGenius
theoneandonlymrk
So are you marching on PayPal, Apple et al. next week??? Or do you think their plans are different??
What post is that a reply to? Are you seriously trying to make a connection of some sort between PP, Apple, and crypto-currencies? As if there's anything they could possibly have in common? The money in your PP account is taxed. The money Apple is lining their pockets with is taxed. Your crypto-do-da invisible untraceable money is not. And until it is, it's at minimum unethical. At least slightly immoral. And bordering on (if not totally) illegal. Enjoy it while it lasts.

Anyway...about as off topic as we could possibly be.
Posted on Reply
#8
silentbogo
Ransomware is a two-sided coin. On one hand you have hackers who use it for profit, on the other you have cybersecurity companies and various government agencies who use the fear of it for profit.
For example, quite recently in Ukraine we had a Petya (or NotPetya) outbreak (I posted a few pics of victims in my workshop back in June), so now our government has used this as a means to justify expenses on a "new and improved" cybersecurity taskforce, and to introduce a paid "virus alert" service, which will notify all subscribers about a virus attack based on their reports of virus attacks. So, basically a pointless money-grabbing scam.
Taskforce is funded through taxes, but makes profit from customers.... what can go wrong?
Posted on Reply
#9
trog100
AsRock
What's scary is your need to put your name after each post, pun intended.

I don't believe they'll be killing off ransomware any time soon, too many dumb people with computers. In fact it's only going to increase.
i reckon it's an age thing.. old geezers like me think it's normal to put their names on things they write.. :)

but news articles like the one this thread is about are either about making money or "control" or both..

kind of odd really cos governments are trying to ban "cash" because it's not traceable and can be used by bad guys and bugger me now they have just found out about "untraceable" crypto which can also be used by bad guys.. he he

my own country now has a new word.. "radicalized" they are also thinking about sending people to jail for reading or viewing anything that might "radicalize" them..

blame it all on the internet is what i say. :)

some very very scary boogey man stuff is going on.. best not to take any of it at face value.. :)

trog
Posted on Reply
#10
theoneandonlymrk
MrGenius
What post is that a reply to? Are you seriously trying to make a connection of some sort between PP, Apple, and crypto-currencies? As if there's anything they could possibly have in common? The money in your PP account is taxed. The money Apple is lining their pockets with is taxed. Your crypto-do-da invisible untraceable money is not. And until it is, it's at minimum unethical. At least slightly immoral. And bordering on (if not totally) illegal. Enjoy it while it lasts.

Anyway...about as off topic as we could possibly be.
The payment transaction goes to Apple or PayPal cutting banks out the loop and they pay taxes whatever dude.

People aren't undermining government, most work, we English pay our fair share of tax before I buy my first pint and at point of sale, out of pay packet before I get it and on most things I buy; Apple and their like spend my LIFE's earnings a year paying for people to come up with TAX dodges.

Oh and you started the tangent, I just replied, go Citizen Smith, fight the people, err hang on that's not right.
Posted on Reply
#11
lynx29
theoneandonlymrk
The payment transaction goes to Apple or PayPal cutting banks out the loop and they pay taxes whatever dude.

People aren't undermining government, most work, we English pay our fair share of tax before I buy my first pint and at point of sale, out of pay packet before I get it and on most things I buy; Apple and their like spend my LIFE's earnings a year paying for people to come up with TAX dodges.

Oh and you started the tangent, I just replied, go Citizen Smith, fight the people, err hang on that's not right.
Obviously I can't write my 40 page thesis on the matter here. However, if you think that is all I am arguing and to the extent of why I am arguing it, then cheers and have a good week. :)
Posted on Reply
#12
theoneandonlymrk
lynx29
Obviously I can't write my 40 page thesis on the matter here. However, if you think that is all I am arguing and to the extent of why I am arguing it, then cheers and have a good week. :)
You are arguing about this in the wrong thread then, since your focus is on one minor enabler instead of the malware chain of supply and the report on how easy it is; on point, without crypto the ransomers would obviously demand cash sent to some third-world handling nation, they will always find a way round laws.

Your Rant against crypto would be better suited to its own or another thread imho.
Posted on Reply
#13
lynx29
theoneandonlymrk
You are arguing about this in the wrong thread then, since your focus is on one minor enabler instead of the malware chain of supply and the report on how easy it is; on point, without crypto the ransomers would obviously demand cash sent to some third-world handling nation, they will always find a way round laws.

Your Rant against crypto would be better suited to its own or another thread imho.
Care to show me one instance of ransomware before cryptocurrency came about? In which they used cash wired? Or are you going to just keep whining and not providing evidence for your arguments like your average undergraduate student? lul
Posted on Reply
#14
LFaWolf
http://www.newsbtc.com/2016/03/25/whats-first-bitcoin-ransomware/amp/

This is what I remember as well. Ransomware has been around a long time. I don't really care about Bitcoin but please don't throw your education around to belittle people. Education does not teach you everything, and I have an MS in CS and an MBA from the University of California.

lynx29
Care to show me one instance of ransomware before cryptocurrency came about? In which they used cash wired? Or are you going to just keep whining and not providing evidence for your arguments like your average undergraduate student? lul
Posted on Reply
#15
theoneandonlymrk
lynx29
Care to show me one instance of ransomware before cryptocurrency came about? In which they used cash wired? Or are you going to just keep whining and not providing evidence for your arguments like your average undergraduate student? lul
I can't be bothered, you're clearly so intelligent I should just follow your opinion like a sheep because your perception, being a grad???? Is so so much more well informed than mine.

But do look up PayPal and Apple's payment options, then when you realise my first point was right, wake up n smell the coffee.

Proof... like you provided anything but an opinion.

And I am 41 now and I would honestly put about 50% of what I have been taught in the bin as total bull, it truly is the winner that writes history and they frequently have a skewed perception that they must, have to and are absolutely right.
They were not.
Posted on Reply
#16
trog100
i was talking to my 11-year-old grandson a while back.. i like telling him things.. but it is difficult when it gets around to "history".. trying to explain to him that the victors do get to write the history books and exactly what that means.. or to be a little more accurate.. knowing that most of what the kid is being taught is bollocks makes it difficult being a modern day grandad.. he he

if you want real knowledge school is the last place to find it.. :)

trog
Posted on Reply
#17
lynx29
LFaWolf
http://www.newsbtc.com/2016/03/25/whats-first-bitcoin-ransomware/amp/

This is what I remember as well. Ransomware has been around a long time. I don't really care about Bitcoin but please don't throw your education around to belittle people. Education does not teach you everything, and I have an MS in CS and an MBA from the University of California.
Thank you for the link; even though this is not my main argument against BTC, it is nice to have this extra information. I do appreciate it; instead of just spouting nonsense and not backing it up, we must be vigilant in our providing of sources. Thank you for doing so, it will indeed make me reconsider a couple things.
Posted on Reply
#18
lexluthermiester
Raevenlord
Disclaimer: I'm not a security analyst, expert, nor anything of the sort. I'm just a curious news editor who likes to delve into most subjects. That said, if anyone who is more knowledgeable on the matter wants to chime in or clarify something, please do.
Good of you to say. I am somewhat of an IT security expert and have to say you didn't miss much. Your conclusions and findings were as spot-on as they need to be. Scary digital world we have these days, eh?
Posted on Reply