Keep your response up to speed as attackers get faster
Like history, ransomware repeats itself. Researchers recently encountered a new variant of a ransomware campaign and observed that it has been improving itself by reusing code from publicly available sources. Let’s take a closer look at this variant, as well as what organizations need to do to remain secure in light of the current threat recycling landscape.
Ransomware’s recycling campaign
Nokoyawa is a new ransomware for Windows that first appeared at the beginning of this year. The first samples found by FortiGuard researchers were gathered in February 2022 and contain significant coding similarities with Karma, a ransomware that can be traced back to Nemty via a long series of variants. The Nemty ransomware family was first reported on by these researchers in 2019.
The security researchers recently discovered a new variation of this ransomware campaign and noted that the variant has been improving itself by reusing code from publicly available sources. The April 2022 samples include three new features that increase the number of files that Nokoyawa can encrypt. These features already existed in recent ransomware families, and their addition just indicates that Nokoyawa developers are trying to match pace with other operators in terms of technological capability.
The majority of the additional code was copied exactly from sources that were publicly available, including the source of the now-defunct Babuk ransomware leaked in September 2021. For example, criminals included functions to stop processes and services that lower the number of files locked by other programs so the encryption code can encrypt those files. The code – including a list of processes and service names – is identical to Babuk’s implementation.
Nokoyawa also includes code to enumerate and mount volumes in order to encrypt the files on these volumes, which is based again on the same code that was leaked from the Babuk source. It deletes volume snapshots by resizing the allocated space for snapshots of volume shadow copies to 1 byte – and because this size is insufficient for storing snapshots, Windows will delete them. The code looks to be plagiarized from a publicly available proof-of-concept.
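Both behaviours described above (shrinking the shadow-copy storage so Windows discards the snapshots, and stopping services so their files can be encrypted) leave telemetry a defender can watch for. The script below is an added example, not code from the article or from FortiGuard: it runs two simple detectors over constructed process-creation and Service Control Manager style records (the event shapes, service names, paths and timestamps are all made up for the example). The vssadmin `resize shadowstorage /maxsize=` syntax is real Windows syntax; the size threshold and the burst window are assumptions to tune per environment.

```python
"""Detection helpers for two behaviours attributed above to recycled Babuk
code: capping shadow-copy storage so snapshots are discarded, and stopping
many services at once. All sample events are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# vssadmin accepts /maxsize in bytes or with a unit suffix (KB, MB, GB, TB).
_UNITS = {"": 1, "B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30, "TB": 1 << 40}
_RESIZE_RE = re.compile(r"resize\s+shadowstorage.*?/maxsize=(\d+)\s*([A-Za-z%]*)",
                        re.IGNORECASE)


def maxsize_bytes(cmdline):
    """Return the requested shadow-storage cap in bytes, or None when the command
    line is not a shadowstorage resize or uses a form we do not convert (a
    percentage, or UNBOUNDED), which is left for a human to look at."""
    m = _RESIZE_RE.search(cmdline)
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2).upper()
    if unit not in _UNITS:
        return None
    return value * _UNITS[unit]


def shadow_storage_alerts(process_events, threshold=1 << 30):
    """Flag process-creation events that cap shadow storage below `threshold`
    bytes (assumed default: 1 GiB). A cap too small to hold a snapshot is
    exactly the effect the ransomware relies on to make Windows delete them."""
    alerts = []
    for ev in process_events:
        size = maxsize_bytes(ev["cmdline"])
        if size is not None and size < threshold:
            alerts.append({"pid": ev["pid"], "parent": ev["parent"], "maxsize_bytes": size})
    return alerts


def service_stop_bursts(service_events, window_seconds=60, min_stops=5):
    """Report every `window_seconds` interval in which at least `min_stops`
    distinct services entered the stopped state (System log event 7036).
    Ransomware stops many services back to back; routine administration rarely does."""
    stops = sorted((datetime.fromisoformat(e["time"]), e["service"])
                   for e in service_events
                   if e["event_id"] == 7036 and e["state"] == "stopped")
    bursts, i = [], 0
    for j, (t_end, _) in enumerate(stops):
        # Slide the window start forward until it fits within window_seconds.
        while t_end - stops[i][0] > timedelta(seconds=window_seconds):
            i += 1
        names = {name for _, name in stops[i:j + 1]}
        if len(names) >= min_stops:
            bursts.append({"start": stops[i][0].isoformat(),
                           "end": t_end.isoformat(), "services": sorted(names)})
            i = j + 1  # start a fresh window so one burst is reported once
    return bursts


# Constructed process-creation records (Sysmon-like shape; paths are made up).
PROCESS_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\System32\cmd.exe",       # admin tuning, benign
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20GB"},
    {"pid": 5512, "parent": r"C:\Users\Public\sample.exe",        # constructed suspect
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"pid": 5513, "parent": r"C:\Users\Public\sample.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=1"},
    {"pid": 5530, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin resize shadowstorage /for=D: /on=D: /maxsize=10%"},
    {"pid": 5600, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
]

# Constructed System-log style records; service names are illustrative only.
SERVICE_EVENTS = [
    {"time": "2022-04-12T08:00:00", "event_id": 7036, "service": "Print Spooler", "state": "stopped"},
    {"time": "2022-04-12T09:15:00", "event_id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"time": "2022-04-12T09:15:01", "event_id": 7036, "service": "SQLWriter", "state": "stopped"},
    {"time": "2022-04-12T09:15:01", "event_id": 7036, "service": "BackupAgent", "state": "stopped"},
    {"time": "2022-04-12T09:15:02", "event_id": 7036, "service": "MailStore", "state": "stopped"},
    {"time": "2022-04-12T09:15:03", "event_id": 7036, "service": "VSS", "state": "stopped"},
    {"time": "2022-04-12T09:15:03", "event_id": 7036, "service": "MSSQLSERVER", "state": "running"},
]

if __name__ == "__main__":
    for alert in shadow_storage_alerts(PROCESS_EVENTS):
        print("shadow storage cap too small:", alert)
    for burst in service_stop_bursts(SERVICE_EVENTS):
        print("service-stop burst:", burst)
```

Run on the constructed data, the first detector flags the 401 MB and 1-byte resizes and leaves the 20 GB and percentage forms alone; the second reports a single burst of five services stopped within a few seconds. In production the same logic sits on Sysmon event 1 and System event 7036 feeds, and the parent process of vssadmin.exe is usually the more useful pivot than the command line itself.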
Unsafe at any speed – and getting faster
Nokoyawa is just another indication that bad actors can move faster than ever – in this case by modifying existing malware with minimal effort using recycled code.
It’s not the only such example we’ve seen. Last year, we saw this happen with Log4j. The critical vulnerability in the Apache Log4j Java-based logging framework was so simple to exploit that it allowed attackers to take total control of affected systems. In just a matter of days, Log4j became the most common IPS detection in the second half of 2021. We also saw that criminals have used a rebranding of DarkSide called BlackMatter on several attacks on U.S. infrastructure.
While recycling of this kind isn’t exactly new, it’s definitely becoming a more popular tactic for bad actors – with the rise of Ransomware-as-a-Service making it even easier.
Two strategies for stronger security
First, organizations need a deeper understanding of attack techniques. Our researchers analyzed the functionality of malware they’d detected and created a list of the specific tactics, techniques and procedures (TTPs) that the malware would have carried out if the attacks had occurred. This information demonstrates that stopping an attacker early is more important than ever, and that focusing on a few of the detected TTPs can effectively stop a malware’s assault capabilities in some instances.
The top three strategies for the “execution” phase, for instance, represent 82% of the activity. Nearly 95% of the measured functionality is represented by the top two approaches for gaining a foothold in the “persistence” phase. Using this research to prioritize security strategies can have a significant impact on how businesses maximize their protection.
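The prioritization the two paragraphs above describe is a cumulative-share cutoff: rank the observed techniques in each phase by how often they appear and keep taking the next most common one until a target share of the activity is covered. The script below is an added example, not FortiGuard's analysis; the per-phase counts are constructed for illustration and are not the figures quoted in the article, and the 80% target is an assumption.

```python
"""Turn per-phase TTP observation counts into a short priority list: the fewest
techniques that together account for a target share of what the analysed
malware would have done. Counts are constructed for this example."""

# Constructed sample: phase -> technique -> number of samples exhibiting it.
OBSERVED = {
    "execution": {
        "command and scripting interpreter": 410,
        "user execution": 230,
        "scheduled task/job": 170,
        "native API": 130,
        "system services": 60,
    },
    "persistence": {
        "boot or logon autostart execution": 520,
        "create or modify system process": 330,
        "scheduled task/job": 40,
        "create account": 10,
    },
}


def prioritise(counts, target=0.8):
    """Return (techniques, share): the most frequent techniques, taken in order,
    until their combined share of the phase's activity reaches `target`."""
    total = sum(counts.values())
    chosen, covered = [], 0
    # Sort by count descending, then by name so ties are deterministic.
    for technique, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(technique)
        covered += n
        if covered / total >= target:
            break
    return chosen, round(covered / total, 3)


def priority_plan(observed, target=0.8):
    """Apply prioritise() to every phase; the result is the short list a
    detection team would build or tune controls for first."""
    return {phase: prioritise(counts, target) for phase, counts in observed.items()}


if __name__ == "__main__":
    for phase, (techniques, share) in priority_plan(OBSERVED).items():
        print(f"{phase}: {len(techniques)} technique(s) cover {share:.0%}")
        for technique in techniques:
            print(f"  - {technique}")
```

With the constructed counts, three execution techniques and two persistence techniques clear the 80% target, which is the shape of result the article draws on: a handful of well-covered techniques per phase, rather than the whole matrix, is where detection effort pays off first.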
Second, cyber hygiene training is a necessity for everyone in the organization, with home workers, not just organizations, being targets of cyberattacks. Toward this end, there are now many free cybersecurity courses available, including more advanced programs for cybersecurity professionals. Learning the fundamentals of cyberwarfare can help everyone defend their organizations against attacks. Multi-factor authentication and password protection can help protect remote workers’ personal information, and knowing how to spot phishing emails and malvertising schemes will help employees avoid falling for these social engineering ploys.
Staying ahead of the adversary
Everything old is new again in the world of ransomware development. Bad actors are highly efficient; they find out what’s worked before and incorporate it into their new variants. It’s a kind of malware best-of-the-best that no one but criminals want to see. Ransomware-as-a-Service only exacerbates the destructive potential of these new variants. But organizations can strengthen their security posture by getting detailed information on current attack techniques and keeping their employees’ cyber hygiene training up to date.

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.