
Increasing Involvement of Nation-states in Ransomware Attacks

Business is Now the Primary Target for Ransomware, and Nation-States are Among the Attackers

The revenue gap between ransomware operations continues to widen. The successful campaigns are becoming more successful, while the number of unsuccessful campaigns keeps rising. Successful ransomware tends to be targeted, typified by SamSam through most of 2018. Spray-and-pray commodity ransomware, while still growing in number, is becoming less effective in practice.

In his latest analysis of ransomware trends, Recorded Future's threat intelligence analyst Allan Liska points out that the ransomware market is still growing, but the number of successful ransomware families is declining. He cites Cryptgh0st. "It was first discovered in May 2018 and by the end of August, virtually all mentions of the ransomware disappeared," he writes. The bitcoin wallet associated with this ransomware shows only two incoming transactions: one for around $370 and the other for $6.

Nevertheless, the market is growing in terms of numbers. In 2017, Recorded Future tracked 635 ransomware campaigns. By February 2018 the number had grown to 1,105, and by January 2019 it had reached 1,463. But, says Liska, there are dozens of campaigns similar to Cryptgh0st, where most of the noise comes from fake 'how to remove ransomware' websites rather than from actual infections.

At the other end of the financial spectrum, the successful end, are the targeted campaigns aimed at specific organizations rather than consumers. Compare SamSam's estimated profits of more than $5.9 million by mid-2018 to Cryptgh0st's $376. The more elite and successful criminals are migrating from consumer ransomware to corporate network ransomware, often using exposed Remote Desktop Protocol (RDP) services as the entry point.

The only exception to this rule is GandCrab. GandCrab still spreads primarily via phishing and exploit kits, but it is unique: it is ransomware-as-a-service focused on consumer delivery and backed by effective, efficient development. As anti-virus vendors get better at detecting and defending against it, the developers evolve their product and move on. For example, in October 2018 BitDefender released a decryptor for GandCrab versions 1, 4 and 5. Within 12 hours, a new version of the ransomware with no available decryptor was released.

At the same time as BitDefender released its decryptor, it blogged, "Considering the lowest ransom note is $600 and almost half of infected victims give in to ransomware, the developers might have made at least $300 million in the past couple of months alone." Liska thinks this estimate may be a little high. "I think their estimate is... optimistic," he told SecurityWeek, "but it wouldn't surprise me if they earned in the $100 million range."

Whichever figure is correct, GandCrab is an immensely successful ransomware, dwarfing even SamSam's income. "The team behind GandCrab doesn't appear to be slowing down at all," warns Liska, "so expect to see more from them in 2019."

Apart from GandCrab, the ransomware that thrived in 2018 was deployed in targeted attacks using families such as SamSam, BitPaymer and CrySiS. The most common entry point was an exposed RDP service. "Once the attackers have successfully gained access to the exposed system, they use it as a jumping off point into the core of the network, installing their ransomware onto target machines and often disabling backups and other protections."
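The RDP-to-ransomware chain described above (external RDP logon to an exposed host, then lateral movement and disabling of backups) is the kind of sequence a SOC can correlate from Windows Security logs. The following is an added example written for this page, not code from the article or from Recorded Future. It assumes a simplified dict form of Windows Security events (EventID 4624 logon with LogonType 10 for RDP, EventID 4688 process creation), an internal address plan given as a list of networks, and that "disabling backups" takes the commonly reported form of deleting Volume Shadow Copies or the backup catalog; the article itself names none of these specifics. The sample events are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Address ranges treated as "inside the network" for this example.  Anything
# else is considered external.  The list is the example's assumption; a real
# deployment would use the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Command lines that delete local recovery points.  The article only says
# attackers "disable backups"; these concrete commands are the example's
# assumption, drawn from commonly reported ransomware tradecraft.
BACKUP_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)

LOGON = 4624            # Windows Security: an account was successfully logged on
PROCESS_CREATED = 4688  # Windows Security: a new process has been created
RDP_LOGON_TYPE = 10     # RemoteInteractive (Terminal Services / RDP)


def is_external(ip: str) -> bool:
    """True if the address parses and lies outside every range in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:      # e.g. "-" or "", as Windows records for local logons
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(hours=48)):
    """
    Pair each RDP logon from an external address with later backup-deleting
    process creations that are on the same host OR run by the same account.
    The account join catches the case the article describes, where the
    exposed host is only a foothold and the damage is done elsewhere.
    Events must be in chronological order.
    """
    footholds = []   # (time, host, account, source_ip)
    alerts = []
    for ev in events:
        t = _ts(ev["time"])
        if (ev["EventID"] == LOGON and ev.get("LogonType") == RDP_LOGON_TYPE
                and is_external(ev.get("IpAddress", ""))):
            footholds.append((t, ev["Computer"], ev["TargetUserName"].lower(), ev["IpAddress"]))
        elif ev["EventID"] == PROCESS_CREATED and BACKUP_DELETE.search(ev.get("CommandLine", "")):
            for lt, host, account, src in footholds:
                in_window = lt <= t <= lt + window
                linked = host == ev["Computer"] or account == ev["SubjectUserName"].lower()
                if in_window and linked:
                    alerts.append({
                        "rdp_source": src,
                        "foothold": host,
                        "account": account,
                        "backup_delete_host": ev["Computer"],
                        "command": ev["CommandLine"],
                        "minutes_after_logon": int((t - lt).total_seconds() // 60),
                    })
    return alerts


# Constructed sample events (not real log data).  Timeline: a legitimate
# internal RDP session, then an external RDP logon to the exposed jump host,
# then shadow-copy deletion on that host and on a file server reached with
# the same account.
SAMPLE_EVENTS = [
    {"time": "2018-03-22 08:05:00", "EventID": 4624, "LogonType": 10,
     "Computer": "JUMP01", "TargetUserName": "helpdesk", "IpAddress": "10.20.1.15"},
    {"time": "2018-03-22 08:06:30", "EventID": 4688, "Computer": "JUMP01",
     "SubjectUserName": "helpdesk", "CommandLine": "notepad.exe C:\\tickets.txt"},
    {"time": "2018-03-22 23:41:10", "EventID": 4624, "LogonType": 10,
     "Computer": "JUMP01", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"time": "2018-03-23 01:12:45", "EventID": 4688, "Computer": "JUMP01",
     "SubjectUserName": "svc_backup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2018-03-23 01:20:02", "EventID": 4688, "Computer": "FILESRV02",
     "SubjectUserName": "svc_backup",
     "CommandLine": "wmic.exe shadowcopy delete"},
]


def sample_alerts():
    """Run the rule over the constructed timeline; returns two alerts."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The internal helpdesk session produces nothing; the external logon to JUMP01 is recorded as a foothold, and both later deletions fire, the second one only because of the account join (it runs on FILESRV02, not on the foothold). In practice the window and the internal-range list are the two knobs to tune, and the rule is a complement to, not a substitute for, not exposing RDP to the internet in the first place.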

The iconic SamSam attack is the one against the City of Atlanta in early 2018. Atlanta declined to pay a ransom believed to be set at around $50,000, but the disruption caused has been extensive: the city has estimated that incident response and security overhaul costs could hit $17 million. Cities are, to a certain extent, replacing healthcare as the target of choice. Liska told SecurityWeek that healthcare has had the budget to fix its security issues and has become a harder target. Cities, however, are notoriously bad at security, and politicians have been reluctant to spend taxpayer dollars on 'invisible' projects.

Two relatively new trends that Liska expects to expand are blended ransomware attacks and an increasing involvement of nation-states in ransomware attacks. He does not believe that nation-states will directly attack the utility side of critical infrastructure, for fear of cyber or even kinetic reprisals from the West. However, sanction-affected states such as North Korea will use ransomware as a way of generating funds. They are also likely to experiment with ransomware as a wiper; but they will be very careful about where, and even whether, such tools are used.

This makes WannaCry interesting. The WannaCry outbreak is believed -- Liska has no doubt of it -- to be the work of the North Korean Lazarus group. Lazarus, he suggests, is really the collective name for multiple North Korean government hacking groups. WannaCry appears to contradict his belief that nation-states will be careful in their use of destructive malware. "I suspect," he told SecurityWeek, "that it was effectively a proof of concept that got away from its developers." This would explain the existence of the kill switch (a check against an unregistered domain that halted the worm once that domain was registered) and the poor design of the ransom collection part of the initial WannaCry (a handful of hard-coded bitcoin wallets, with no way to tie a payment to a particular victim). It does, however, show the potential of ransomware used as a destructive weapon.

Despite sanctions against Iran, Liska does not believe that SamSam has any connection to the Iranian government. Notably, there have been no SamSam incidents since the U.S. government indicted two Iranian citizens. The indictment does not link the two to the Iranian state. Perhaps more tellingly, an earlier investigation by Recorded Future into Iranian hacker forums, the Iranian government's recruiting ground for its own hackers, showed no trace of this pair. "I don't believe SamSam or its developers were attached to the Iranian state apparatus," Liska told SecurityWeek; "but I think the two people concerned may well be in the future."

The second development is the growing use of targeted and blended ransomware attacks. Here ransomware is added to the mix of malware installed on a compromised network. Its primary purpose is not the ransom, but to create a distraction and possibly to destroy forensic evidence once the intrusion is discovered. Liska expects this use of ransomware to grow. Where the attacker is a nation-state group, he expects the developers to borrow code from the criminal world. "Nation-state actors may very well use cybercriminal code to build their ransomware variants," he writes.

The primary purpose of borrowing criminal code will be to obscure the source of the attack, and he cites the confusion over the origin of Ryuk as an example of how unreliable code overlap is as an attribution signal on its own. Ryuk shares code with Hermes, which has been used by Lazarus, so many people immediately assumed that Ryuk must also be linked to Lazarus. "However," writes Liska, "further research determined that the Ryuk actors are most likely located in Russia and they had built Ryuk ransomware using (most likely stolen) Hermes code."

The key takeaway from Recorded Future's analysis of ransomware trends is that it would be dangerous for business to assume the ransomware threat is diminishing just because it is becoming less effective against consumers. Ransomware is migrating from consumers to business. This is not a new observation; but Liska points out that it is not merely migrating, it is becoming more sophisticated and is attracting the attention of elite nation-state actors.

Related: SamSam and GandCrab Illustrate Evolution of Ransomware 

Related: The Evolution of Ransomware: Part 1 

Related: The Evolution of Ransomware: Part 2 

Related: The Rapid Evolution of Ransomware in the Enterprise 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.