Cybercrime Tactics & Techniques: Q2 2019 Ransomware Retrospective
Jarryd Boyd, Senior Engineer
Years of experience fighting cyber threats, from the network to the endpoint.
Deep-seated belief in multi-layered security approaches
Has worked with Fortune 500 companies and small businesses
Who Am I?
Jarryd Boyd, Senior Sales Engineer
Key Takeaways
» Ransomware shifts to business targets
» Consumer ransomware drops 12% YoY and 25% QoQ
» Business-focused ransomware increases 365% YoY
» Ryuk ransomware increases 88% QoQ
» GandCrab ransomware decreases 33% QoQ
» Ransomware against businesses is a better return on investment (ROI)
» Ransomware evolution will continue, making it more difficult to defend against
RANSOMWARE AIMS HIGHER
Why the shift?
Business attacks have surged in 2019
» At least double the number of public attacks seen in 2018
» Municipal networks have been identified as easy and valuable targets
» Schools, healthcare facilities and manufacturing firms are also big targets for these threats
Why the shift?
Return on Investment
» More valuable targets
» Greater ransom
» Easier to spread
» Payment is more likely
Why the shift?
New Technologies
» EternalBlue
» WannaCry & NotPetya
» Trickbot & Emotet
DETECTIONS
[Chart: Consumer Product Ransomware Detections 2018 – 2019]
[Chart: Business Product Ransomware Detections 2018 – 2019]
Ransomware shifts from consumer to business
REGIONAL BREAKDOWN
Region Breakdown by Ransomware Detection, Jun 2018 - Jun 2019 (Business + Consumer Products)
» North America: 48%
» Europe, Middle East, Africa: 35%
» Latin America: 10%
» Asia Pacific: 7%
[Chart: Top 5 Ransomware Family by Region, Jun 2018 - Jun 2019 (Business + Consumer Products). Regions: North America; Europe, Middle East, Africa; Latin America; Asia Pacific. Families appearing in the regional top fives: GandCrab, Ryuk, Troldesh, Rapid, Samas, Locky, Amnesia, Cerber, Spora.]
States Most Affected:
» Texas
» California
» New York
» Georgia
» North Carolina
[Chart: Top 5 Ransomware Family Detections by Top 5 U.S. States, Jun 2018 - Jun 2019 (Business & Consumer Products). States: Texas, California, New York, Georgia, North Carolina. Families in the legend: GandCrab, Ryuk, Rapid, Xorist, Troldesh, Cerber, BTCWare, Fantom, Arestocrat, Memz.]
RANSOMWARE FAMILIES
GandCrab Ransomware
» GandCrab Facts
» Ransomware as a Service
» Multiple evolutions
» Authors claim to have retired
» Methods of infection
  » Exploits
  » E-mails
[Chart: GandCrab Detections by Percentage Change, Jun 18 - Jun 19 (Consumer & Business Products), N=~4,000. Month-over-month percentage change, Jul-18 through Jun-19, with separate Consumer and Business series.]
Chart annotations:
» Fallout Exploit Kit spreads GandCrab using Flash and MS Excel exploits
» Windows exploit CVE-2018-8120 (a Win32k elevation-of-privilege flaw) incorporated into GandCrab
» Multiple campaigns identified spreading GandCrab ransomware via malicious Word macros
» Confluence vulnerability CVE-2019-3396 used to compromise servers and spread GandCrab
» Fake CDC flu e-mail used to spread GandCrab v5.2 via malicious Word macros
» GandCrab authors claim they are retiring
Ryuk Ransomware
» Ryuk Facts
» First observed in mid-2018
» Most commonly seen business ransomware in 2019
» Part of the "Triple Threat" (Emotet, Trickbot, Ryuk)
» Derived from the "Hermes" ransomware
» Utilizes RSA-2048 and AES-256 encryption
[Chart: Ryuk Detections by Percentage Change, 2019 (Consumer & Business Products). Month-over-month percentage change, Jan-19 through Jun-19, with separate Consumer and Business series.]
Chart annotations:
» Ryuk actively spread as a payload via Trickbot infections
» Ryuk breaks headlines with holiday ransomware attack against Tribune Publishing
» Campaigns against organizations continue with a decline in consumer-focused attacks
[Chart: Ryuk Detections, Dec 18 - Jun 19 (Consumer & Business Products). Monthly detection counts, Dec-18 through Jun-19.]
Ryuk spread stays relatively steady during Q2 2019
Rapid Ransomware
» Rapid Facts
» First discovered in 2017
» Spread through
  » Malicious e-mails
  » Manual infection
» Rapid infections went up 200% between May and June 2019
[Chart: Rapid Ransomware Detections by Percentage Change, Jun 18 - Jun 19 (Consumer & Business Products). Month-over-month percentage change, Jul-18 through Jun-19, with separate Consumer and Business series.]
Chart annotations:
» Rapid v3.0 campaign using fake IRS e-mails and malicious Word documents
» Rapid spread via manual infection through RDP exploits
» New variant of Rapid using the .GILLETTE extension
» New variant of Rapid using the .guesswho extension
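The "manual infection through RDP" route above is something a detection engineer can check for directly in Windows Security logs. The following is an added example, not code from this deck or from Malwarebytes: it reads constructed JSON-line logon events (the field names ts, EventID, LogonType, IpAddress and TargetUserName are assumed for illustration, not a vendor schema) and flags a source address whose burst of failed RDP logons (Event ID 4625, logon type 10) is followed by a successful RDP logon (4624, logon type 10) from the same address within a short window.

```python
"""
Detect the "manual infection over RDP" pattern: a burst of failed RDP
logons (Event ID 4625, LogonType 10) from one source address, followed
by a successful RDP logon (4624, LogonType 10) from that same address.
Added example; the sample events below are constructed, and the field
names are assumptions rather than any product's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample: JSON lines as a log forwarder might emit them.
# 203.0.113.7 guesses five accounts in ten seconds and then gets in;
# 192.0.2.44 is a user who typed the password wrong once.
SAMPLE_EVENTS = """\
{"ts":"2019-06-01T02:10:01","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"ts":"2019-06-01T02:10:03","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"admin"}
{"ts":"2019-06-01T02:10:04","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"backup"}
{"ts":"2019-06-01T02:10:06","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"sqladmin"}
{"ts":"2019-06-01T02:10:09","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"itadmin"}
{"ts":"2019-06-01T02:10:15","EventID":4624,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"itadmin"}
{"ts":"2019-06-01T08:30:00","EventID":4625,"LogonType":10,"IpAddress":"192.0.2.44","TargetUserName":"jsmith"}
{"ts":"2019-06-01T08:30:20","EventID":4624,"LogonType":10,"IpAddress":"192.0.2.44","TargetUserName":"jsmith"}
{"ts":"2019-06-01T09:00:00","EventID":4624,"LogonType":2,"IpAddress":"-","TargetUserName":"jsmith"}
"""

FAIL, SUCCESS, RDP = 4625, 4624, 10  # Windows event IDs and RemoteInteractive logon type


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per RDP success that was preceded, from the same
    source address and inside `window`, by at least `threshold` RDP failures."""
    recent_failures = defaultdict(deque)  # source IP -> timestamps of 4625/type-10
    alerts = []
    for e in events:
        if e.get("LogonType") != RDP:
            continue  # console, network and service logons are out of scope here
        ip, ts = e.get("IpAddress"), e["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if e["EventID"] == FAIL:
            q.append(ts)
        elif e["EventID"] == SUCCESS and len(q) >= threshold:
            alerts.append({
                "source_ip": ip,
                "account": e.get("TargetUserName"),
                "failures_before_success": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ts.isoformat(),
            })
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run as a script, this prints the single alert for the constructed 203.0.113.7 burst; the 192.0.2.44 address fails once and then succeeds, which is what ordinary users do, so it is not flagged. In production the events would come from Windows Event Forwarding or a SIEM rather than the embedded string, and the per-source counter should be paired with a first-seen-address check, because a slow spray that stays below the threshold on each host will not trip it.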
Troldesh Ransomware
» Troldesh Facts
» Also known as "Shade"
» Has been around for many years
» Spread through malicious e-mail
» Utilized compromised CMS platforms to host malware
» Historically focused on Russia until 2018
[Chart: Troldesh Detections by Percentage Change, Jun 18 - Jun 19 (Consumer & Business Products). Month-over-month percentage change, Jul-18 through Jun-19, with separate Consumer and Business series.]
Chart annotations:
» Russian-focused e-mail campaign pushing Troldesh/Shade via zipped Office documents
» Russian-focused e-mail campaign pushing Troldesh/Shade via malicious PDF documents
» Compromised CMS sites, such as WordPress, are used to download malware during a malicious e-mail campaign
» Troldesh/Shade spreads beyond Russia, to the U.S., Japan and other countries
» Reported malicious social media links redirect users to Troldesh/Shade infections
Locky Ransomware
» Locky Facts
» Offline since 2018
» First appeared in 2016
» Upgraded multiple times
» Functionality to hide malware and better encryption
[Chart: Locky Detections, Feb 16 - Jun 19. Monthly detection counts, Feb-16 through Jun-19, y-axis 0 to 35,000.]
Chart annotations:
» Locky is first spotted in the wild
» Necurs botnet, which spread Locky, goes down
» Locky returns with new anti-analysis tricks
» Two new Locky variants discovered, spreading via malicious spam using malicious Office or ZIP files
» Locky takes a break for 3 months to continue development
» Locky fails to recover after the cryptocurrency surge pushes ransomware to the background
Cerber Ransomware
» Cerber Facts
» First discovered March 2016
» One of the first widely used Ransomware as a Service families
» Most commonly seen ransomware of 2016
» Dec 2017, five Romanian nationals were arrested
» Cerber went down shortly after that
[Chart: Cerber Detections, Mar 16 - Jun 19. Monthly detection counts, Mar-16 through Jun-19, y-axis 0 to 70,000.]
Chart annotations:
» Cerber is first spotted in the wild
» Cerber teams up with the Dridex distribution botnet, using MS Office documents with malicious macro scripts
» Cerber distributed via malvertising with the RIG and Magnitude exploit kits
» New versions of Cerber distributed both through e-mail and exploit kits
» Magnitude exploit kit adds a feature to obscure Cerber detections
» Five Romanians behind the distribution of Cerber and CTB-Locker are arrested
» After the arrests, Cerber activity quickly vanishes; only cleanup detections from this point on
PREDICTIONS
The Ransomware of Tomorrow
Increased use of manual infections
» We've seen an increasing trend of manual attacks using ransomware
» Manually disable security tools
» Greater risk to the attacker if they leave behind clues
Additional ‘blended’ attacks
» We will see continued development of infection methods that work off each other.
» Automated + manual infection attacks are far more successful
Ransomware will continue to pair up with other malware
» Much like we’ve seen with Ryuk, Trickbot and Emotet
» We are near the end of the ‘single purpose’ malware era.
The Ransomware of Tomorrow
Additional development of infection venues
» As we've seen with new exploits and malicious scripts over the last year
» Infection venues will always be built upon to find a more effective way of attack
Consumer-facing ransomware will vanish
» Ransomware has shown it is far more powerful against organizations
» Ransomware focused on consumers is likely to be replaced by adware, spyware or crypto miners
Ransomware use will continue through the year
» The trend of using ransomware has become too popular to avoid
» We will continue to see ransom attacks throughout the year
» New approaches to security technology and/or proactive efforts by companies should slow this down.
Conclusion
Ransomware is here to stay, at least for a while
» Proactive protection is required
  » Detection based on behavior
  » Identification of valuable data so it can be better protected
  » Establishment of company-wide guidance on ransomware
» It's not about if, but when
  » There are many avenues for infection when it comes to organizational networks
  » Methods that have worked for decades continue to work (i.e. spear phishing)
  » Providing users with a way to report suspicious e-mails is a good first step
» Attacks are a case-by-case situation
  » A single method of protection from ransomware may not be viable for all organizations
  » Whether to pay the ransom depends on the overall cost to the organization
  » Getting back up and running is paramount
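"Detection based on behavior" is the recommendation above that is hardest to picture without seeing how it differs from matching file hashes. The following is an added example, not code from this deck or from any Malwarebytes product: it scores constructed per-process file events (the fields pid, image, path, new_path and data, and the thresholds, are assumptions chosen for illustration) and flags a process that, inside a short window, rewrites many files with high-entropy data and renames them to a new extension. The .guesswho extension in the sample is the one the Rapid section reports; no real ransomware is involved, the "ciphertext" is seeded pseudo-random bytes.

```python
"""
Behavior-based ransomware heuristic (added example). Instead of asking
"is this file known bad?", it asks "is this process behaving like an
encryptor?": many distinct files rewritten in a short window, written
data that looks like ciphertext (high Shannon entropy), and files
renamed to a new extension. Event fields and thresholds are assumptions
made for this illustration; the events are constructed.
"""
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pseudo_ciphertext(rng, size=4096):
    """Stand-in for encrypted output: seeded random bytes, so runs are reproducible."""
    return bytes(rng.getrandbits(8) for _ in range(size))


def build_sample_events():
    """Constructed file-event stream: one benign save, then one process
    rewriting a dozen spreadsheets and appending .guesswho to each."""
    rng = random.Random(2019)
    t0 = datetime(2019, 6, 3, 14, 0, 0)
    events = [{"ts": t0, "pid": 1201, "image": "WINWORD.EXE",
               "path": r"C:\Users\ann\Docs\q2.docx", "new_path": None,
               "data": b"Quarterly report for Q2 2019 " * 100}]
    for i in range(12):
        path = rf"C:\Users\ann\Docs\invoice_{i}.xlsx"
        events.append({"ts": t0 + timedelta(seconds=i), "pid": 4410,
                       "image": "update.exe", "path": path,
                       "new_path": path + ".guesswho",
                       "data": _pseudo_ciphertext(rng)})
    return events


def _ext(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def score_processes(events, window=timedelta(seconds=60), min_files=10,
                    min_entropy=7.0, min_rename_ratio=0.5):
    """Return {pid: verdict} for processes whose activity in some window
    meets all three conditions. One condition alone is not enough: a backup
    tool touches many files, a zip utility writes high-entropy data."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide a window over the process's events
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            files = {e["path"] for e in win}
            if len(files) < min_files:
                continue
            renamed = sum(1 for e in win
                          if e["new_path"] and _ext(e["new_path"]) != _ext(e["path"]))
            entropy = sum(shannon_entropy(e["data"]) for e in win) / len(win)
            ratio = renamed / len(win)
            if entropy >= min_entropy and ratio >= min_rename_ratio:
                verdicts[pid] = {"image": start["image"], "files": len(files),
                                 "mean_entropy": round(entropy, 2),
                                 "rename_ratio": round(ratio, 2)}
                break  # first window that trips is enough; stop scanning this pid
    return verdicts


if __name__ == "__main__":
    for pid, verdict in score_processes(build_sample_events()).items():
        print(pid, verdict)
```

Run as a script, only pid 4410 (update.exe) is reported; WINWORD.EXE touched one low-entropy file and never clears the file-count gate. A real endpoint agent sees these events through a file-system minifilter or ETW rather than a list, and would act on the verdict by suspending the process and restoring the touched files, but the scoring logic is the same, and a tuned version of it is what lets a product stop an encryptor it has never seen before.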
The Educational Threat Landscape
[Chart: Education Organization Overall Detections (June 2018 – Aug 2019). Data has been normalized to identify trends; y-axis 0 to 14,000, x-axis June 3, 2018 through Aug 27, 2019.]
Treasure Trove of Personal and Financial Data
» STUDENT AND STAFF PERSONALLY-IDENTIFIABLE INFORMATION
» EDUCATION TECHNOLOGY PROVIDERS, VENDORS, OR THIRD-PARTY SUPPLIERS
» FINANCIAL INFORMATION
» PUBLIC COMMUNICATION CHANNELS AND THE SCHOOL SYSTEM
Knowledge Share
Malwarebytes Prevention Layers
Anti-Exploit
Anti-Malware
Web Protection
Malwarebytes: Addressing Today's Threat Landscape
Malwarebytes: The Most Trusted Name in Security
INNOVATION
Including:
• Behavioral identification of ransomware
• Machine learning techniques
• Fileless attack detection
8 PATENTED TECHNOLOGIES + 10 PENDING
BY THE NUMBERS
500k Downloads
Per Day
3M Remediation Events Per Day
Tens of Thousands of Business Customers
~25% Growth YoY
35% R&D Spend
Run Rate Business, Cash Flow Positive
$150M -$200M
Global Research Team
ACCOLADES
Gartner positions Malwarebytes in the Visionary quadrant 2018 Magic Quadrant for Endpoint Protection Platforms
Effective Solution Components
PREVENT: Multiple Protection Layers
DETECT: Advanced Detection Techniques
RESPOND: Comprehensive Remediation
Malwarebytes Endpoint Protection and Response
#1 TRUSTED NAME IN REMEDIATION
UNMATCHED THREAT VISIBILITY
COMPREHENSIVE ATTACK CHAIN PROTECTION
EDR WITHOUT COMPLEXITY
We Don’t Just Find It. We Fix It.
Protection, Detection, and Response Layers
Granular Endpoint Isolation
• Isolates endpoints to stop the bleeding
• Prevents malware from connecting to C&C
• Locks remote attackers out
Thorough Remediation
• Cleans up primary payload
• Detects and removes all dynamic and related threat artifacts
• Minimizes end-user impact
Ransomware Rollback
• Performs just-in-time backups of file changes
• Logs/associates changes with specific processes
• Rolls back damage up to 72 hours
Try Now: malwarebytes.com/business/trial
Learn More: malwarebytes.com/business
See What Others Miss: malwarebytes.com/remediationmap
Let’s Take Your Questions
THANK YOU