Reports of Ransomware’s Death Are Greatly Exaggerated

What Is It?

With all the focus crypto currency mining is currently receiving in cybersecurity circles, both from the press and attackers looking for a more lucrative revenue stream, it is prudent not to underestimate the threat that ransomware still poses.

Take the case of the Colorado Department of Transport (DOT). On the February 21, 2018 the staff discovered that all employee machines running Windows were infected with what was later determined to be SamSam ransomware. This forced Colorado DOT to take over 2,000 machines offline, literally sending employees back to pen and paper for their work activities.

While the DOT had backups of the encrypted data, restoring the data is a time consuming process. So much so that it had to work out how to pay employees without fully restored systems. By March 1, approximately 20% of machines were back online, mainly HR and payroll machines which were given recovery priority. Then they were promptly taken offline after another variant of SamSam infected these systems.

A SANS Internet Storm Center (ISC) Diary post by handler Brad Duncan described a large malicious spam campaign resulting in ransomware infection. He found this of note, as it was one of the few major ransomware malicious spam campaigns he had seen so far in 2018. The majority being campaigns related to crypto currency mining and also trojans. The specifics of this campaign aren’t particularly novel, an attached Word document containing a malicious macro. If the recipient is successfully socially engineered to allow the macro to run, it results in a Powershell script which retrieves and executes the ransomware from an external site. All of the attachments were named “ Resume.doc” (with a space as the first character), however each sample had a unique file hash. The attackers also varied the email’s from address, email subject, email headers and email body text in an attempt to avoid detection. The resulting ransomware were determined to be variants of GlobeImposter and Gran Crab.

Ransomware may not currently be the cause du jour of IT security, however as these two examples demonstrate, this does not mean that the threat ransomware poses to corporate environments has diminished.

How Does It Propagate?

None of the malware discussed here self propagates.

Once again, these attacks utilize social engineering to be successful on an infected end user’s machines.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects both the malicious Word documents and ransomware described in the ISC article. Regression testing on the 23 malicious Word document samples showed that they would have all been detected by BluVector 49 months prior to their release. One of the three samples of ransomware would have been detected 15 months prior to its release, with the other two detected 51 months prior.

So far, no specifics on the SamSam variants that infected Colorado DOT machines are available, therefore they cannot be tested against BluVector. However, previous testing on other SamSam variants has shown strong detection results, up to 49 months prior to their release into the wild.

All Threat Reports