Ransomware trends: Cross-platform execution, improving infrastructure and taking sides in war


Ransomware gangs are increasingly adapting their code to cross-platform programming languages such as Rust or Golang so their malware can spread to systems running operating systems other than Windows, according to Kaspersky. The observation comes in a report on the latest ransomware trends from Kaspersky researchers on the eve of the third annual Anti-Ransomware Day, which this year is Thursday, May 12th. Writing malware in a cross-platform language makes it easier to port it to other platforms such as Linux, iOS and Android, the report notes. Another reason is that analysis of cross-platform binaries is a bit harder than that of malware written in plain C. Groups shifting to this tactic include
  • Conti. Only certain affiliates have access to a Linux variant of the Conti ransomware, the report notes, one targeting ESXi systems. It supports a variety of different command-line arguments that can be used by the affiliate to customize the execution;
  • BlackCat. Samples have been found that work on Linux. Although the malware is written in Rust from scratch, Kaspersky found some links to the BlackMatter group, as the actor used the same custom exfiltration tool that had been observed earlier in BlackMatter activities;
  • Deadbolt. While written in a cross-platform language, it is currently aimed at only one target: QNAP network-attached storage systems. It is also an interesting combination of Bash, HTML and Golang, the researchers say. Deadbolt itself is written in Golang, the ransom note is an HTML file that replaces the standard index file used by the QNAP NAS, and the Bash script is used to start the decryption process if the provided decryption key is correct. “There is another peculiar thing about the ransomware,” says Kaspersky: “it doesn’t need any interaction with attackers because a decryption key is provided in a Bitcoin transaction OP_RETURN field.”
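The OP_RETURN key delivery described for Deadbolt is worth seeing concretely from the analyst's side. The Python below is an added example, not code from Kaspersky or from any ransomware sample: it walks a raw legacy (non-segwit) Bitcoin transaction, finds the OP_RETURN output and decodes the pushed data, which is the step an incident responder would take to recover a value delivered this way. The transaction it parses and the 32-byte payload it carries are constructed placeholders built inline; the output script encodings it handles (direct push, OP_PUSHDATA1, OP_PUSHDATA2) are the standard ones.

```python
"""Extract OP_RETURN payloads from a raw, non-segwit Bitcoin transaction.

Added example (not Kaspersky's or the ransomware's code): Deadbolt is reported
to deliver its decryption key through an OP_RETURN output, so an analyst who
wants to recover that value has to locate and decode the output. The sample
transaction and the 32-byte payload it carries are constructed placeholders.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def _read_varint(buf: bytes, pos: int):
    """Decode a CompactSize integer at `pos`; return (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def _varint(n: int) -> bytes:
    """Encode a CompactSize integer (only the sizes the sample builder needs)."""
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)


def _push(data: bytes) -> bytes:
    """Script push for up to 255 bytes: direct push or OP_PUSHDATA1."""
    if len(data) <= 75:
        return bytes([len(data)]) + data
    return bytes([OP_PUSHDATA1, len(data)]) + data


def op_return_payload(script: bytes):
    """Return the bytes pushed after OP_RETURN, or None if not an OP_RETURN script."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if op <= 75:                      # direct push: the opcode is the length
        return script[2:2 + op]
    if op == OP_PUSHDATA1:
        return script[3:3 + script[2]]
    if op == OP_PUSHDATA2:
        n = struct.unpack_from("<H", script, 2)[0]
        return script[4:4 + n]
    return None                       # unusual encoding: leave for manual review


def extract_op_returns(raw_tx_hex: str):
    """Walk a legacy raw transaction and collect every OP_RETURN payload."""
    buf = bytes.fromhex(raw_tx_hex)
    pos = 4                                       # version
    n_in, pos = _read_varint(buf, pos)
    for _ in range(n_in):
        pos += 36                                 # previous txid + output index
        slen, pos = _read_varint(buf, pos)
        pos += slen + 4                           # scriptSig + sequence
    n_out, pos = _read_varint(buf, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                                  # value in satoshis
        slen, pos = _read_varint(buf, pos)
        script, pos = buf[pos:pos + slen], pos + slen
        data = op_return_payload(script)
        if data is not None:
            payloads.append(data)
    return payloads


def build_sample_tx(payload: bytes) -> str:
    """Construct a one-input, two-output raw transaction carrying `payload` in OP_RETURN."""
    tx = struct.pack("<I", 1)                                         # version
    tx += _varint(1) + b"\x00" * 32 + struct.pack("<I", 0)            # dummy outpoint
    tx += _varint(0) + struct.pack("<I", 0xFFFFFFFF)                  # empty scriptSig
    tx += _varint(2)
    op_return_script = bytes([OP_RETURN]) + _push(payload)
    tx += struct.pack("<Q", 0) + _varint(len(op_return_script)) + op_return_script
    p2pkh = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"              # placeholder pubkey hash
    tx += struct.pack("<Q", 50_000) + _varint(len(p2pkh)) + p2pkh
    tx += struct.pack("<I", 0)                                        # locktime
    return tx.hex()


if __name__ == "__main__":
    placeholder_key = bytes(range(32))            # constructed; not a real key
    raw = build_sample_tx(placeholder_key)
    for data in extract_op_returns(raw):
        print("OP_RETURN payload:", data.hex())
```

On a real incident the raw hex would come from a node or block explorer for the transaction the ransom note points to; the parser above does not interpret the payload, it only recovers the bytes so they can be compared with what the Bash decryption script on the NAS expects.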


The report notes two other trends: First, the ransomware ecosystem is becoming even more “industrialized”.

“Just like legitimate software companies, cybercriminal groups are continually developing their tool kit for themselves and their customers – for example, to make the process of data exfiltration quicker and easier,” say researchers.

For example, when it started, the Lockbit gang didn’t have a leak portal, was not doing double extortion, and didn’t exfiltrate data before encrypting it. That changed over time. Like that of other ransomware families, the report notes, Lockbit’s infrastructure has suffered several attacks, including hacking of the Lockbit administration panels and DDoS attacks meant to force the group to shut down its activity, which pushed it to implement countermeasures to protect its assets.

The latest security addition is a “waiting page” that redirects users to one of the available mirrors.

Another example of adaptation by ransomware gangs is the replacement of publicly available tools for data exfiltration, such as Filezilla, with their own custom – and faster – tools. Lockbit created one called StealBIT.

Second, ransomware gangs are taking sides in geopolitical conflicts. For example, on February 25th, Conti said it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. CoomingProject, an extortion group, and Stormous (whose code is written in PHP) are also openly supporting Russia. Freeud, a new ransomware variant, supports Ukraine; its ransom note says Russian troops should leave Ukraine. “The choice of words and how the note is written suggest that it is written by a native Russian speaker,” says the report.

There have been consequences for taking sides. Pro-Ukraine hacker groups have emerged, such as Anonymous, IT Army of Ukraine and Belarusian Cyber Partisans. In February a Ukrainian researcher released messages from the backend of a Jabber server used by Conti members.

Kaspersky offers this advice to CISOs and IT leaders:
  • always keep software updated on all devices to prevent attackers from infiltrating IT networks by exploiting vulnerabilities;
  • focus defence strategy on detecting lateral movements and data exfiltration to the internet;
  • pay special attention to the outgoing traffic to detect cybercriminals’ connections;
  • set up offline backups that intruders cannot tamper with. Make sure responders can quickly access them in an emergency when needed;
  • enable ransomware and EDR protection for all endpoints;
  • provide your security operations centre (SOC) team with access to the latest threat intelligence and regularly upskill them with professional training.
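Two of the recommendations above, watching outgoing traffic and detecting exfiltration to the internet, are easy to state and less obvious to operationalize. The Python below is an added example and not from Kaspersky's report: it aggregates outbound bytes per (source, destination) pair from a handful of constructed NetFlow-style records, ignores internal-to-internal flows and an allowlisted sanctioned destination, and flags pairs that exceed a volume threshold or move a meaningful amount of data outside business hours. The network ranges, the allowlist, the threshold and the business-hours window are all assumptions a team would replace with its own.

```python
"""Flag outbound flows that look like bulk data exfiltration.

Added example, not part of the Kaspersky report: it turns the advice to watch
outgoing traffic into a small detection over constructed flow records.
Every address, threshold and policy value below is an assumption for the demo.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp, src, dst, dst_port, bytes_out
FLOW_LOG = """\
2022-05-10T02:14:03Z 10.0.5.23 203.0.113.7 443 52000000
2022-05-10T02:15:11Z 10.0.5.23 203.0.113.7 443 61000000
2022-05-10T02:16:40Z 10.0.5.23 203.0.113.7 443 58000000
2022-05-10T09:01:02Z 10.0.8.14 198.51.100.20 443 120000
2022-05-10T09:05:30Z 10.0.8.14 10.0.9.3 445 9000000
2022-05-10T09:07:12Z 10.0.2.77 192.0.2.55 22 310000000
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]                 # assumed corporate range
KNOWN_GOOD_DESTS = {ip_address("198.51.100.20")}           # assumed sanctioned backup/SaaS endpoint
VOLUME_THRESHOLD = 100 * 1024 * 1024                       # 100 MiB per src/dst pair (assumed)
BUSINESS_HOURS = range(7, 20)                              # 07:00-19:59 UTC (assumed policy)


def parse_flows(text: str):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def exfil_candidates(flows):
    """Aggregate outbound bytes per (src, dst) and return the suspicious pairs with reasons."""
    totals = defaultdict(int)
    off_hours = defaultdict(bool)
    for f in flows:
        # Only internal -> external traffic counts as outbound to the internet.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        if f["dst"] in KNOWN_GOOD_DESTS:
            continue
        key = (str(f["src"]), str(f["dst"]))
        totals[key] += f["bytes"]
        if f["ts"].hour not in BUSINESS_HOURS:
            off_hours[key] = True

    findings = []
    for key, total in sorted(totals.items()):
        reasons = []
        if total >= VOLUME_THRESHOLD:
            reasons.append("volume")
        # A tenth of the threshold is enough to flag when it happens off hours.
        if off_hours[key] and total >= VOLUME_THRESHOLD // 10:
            reasons.append("off_hours")
        if reasons:
            findings.append({"src": key[0], "dst": key[1], "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in exfil_candidates(parse_flows(FLOW_LOG)):
        print(f"{finding['src']} -> {finding['dst']}: {finding['bytes']} bytes ({', '.join(finding['reasons'])})")
```

The internal SMB transfer on port 445 is deliberately not reported here: it belongs to the lateral-movement side of the same recommendation and needs a different baseline (which hosts normally talk over SMB) rather than an internet-egress threshold. Tuning the allowlist is what keeps this from paging on the nightly backup job.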
The post Ransomware trends: Cross-platform execution, improving infrastructure and taking sides in war first appeared on IT World Canada.
Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.