This researcher just beat ransomware gangs at their own game

A security researcher has discovered key flaws in several popular ransomware families, a finding that could force their creators to rethink how their code operates once it is running on a victim's machine.

Currently, among the most active ransomware groups are the likes of Conti, REvil, Black Basta, LockBit, and AvosLocker. However, as reported by Bleeping Computer, the malware developed by these cyber gangs has been found to contain exploitable security vulnerabilities of its own.


These defects are a damaging revelation for the groups involved: the holes can be exploited to prevent the one thing most ransomware exists to do, encrypting the files on a compromised system.

A security researcher, hyp3rlinx, who specializes in malware vulnerability research, examined the malware strains belonging to the leading ransomware groups. Interestingly, he said the samples were vulnerable to dynamic link library (DLL) hijacking, a technique traditionally used by attackers themselves to get a program to load and run their malicious code.

“DLL hijacking works on Windows systems only and exploits the way applications search for and load in memory the Dynamic Link Library (DLL) files they need,” Bleeping Computer explains. “A program with insufficient checks can load a DLL from a path outside its directory, elevating privileges or executing unwanted code.”

The exploits for the ransomware samples hyp3rlinx inspected, which come from Conti, REvil, LockBit, Black Basta, LockiLocker, and AvosLocker, allow a defender's code to, in his words, “control and terminate the malware pre-encryption.”

Using these flaws, hyp3rlinx built exploit code compiled into a DLL. The DLL is given the name of a library the ransomware expects to load, so the malware mistakes it for one of its own dependencies. When the ransomware loads it, the planted code runs first and terminates the process before encryption begins.

Conveniently, the researcher also uploaded a video showing a DLL hijacking vulnerability in REvil's ransomware being used to stop the attack before it can even begin.

The significance of the discovery of these exploits

As Bleeping Computer highlights, ransomware typically goes after network locations that house sensitive data. hyp3rlinx therefore suggests placing the exploit DLL in those folders: when the ransomware runs there and loads the DLL, the process should in theory be terminated before it can inflict damage.
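The search-order mechanics behind this placement, as an added example that is not part of the original article or of hyp3rlinx's tooling: a Python model of the order in which the Windows loader probes directories for a library requested by bare name, applied to a constructed filesystem. The paths (a Downloads folder as the malware's directory, a \\fileserver\finance share as its working directory, C:\Tools on PATH), the `payload.exe` name and the `missing_helper.dll` library name are all hypothetical; `version.dll` and the KnownDLLs are real System32 libraries used only to illustrate which ones can be shadowed. It shows which directories a planted DLL would be loaded from, why a library that already exists in System32 can only be shadowed from the application directory under the default SafeDllSearchMode, and why KnownDLLs cannot be hijacked this way at all.

```python
"""Simplified model of the Windows DLL search order for a library requested by
bare name (an implicit import or LoadLibrary("x.dll") with no path and no
LOAD_LIBRARY_SEARCH_* flags). Added, constructed example: every path and file
name in the scenario below is made up, except the real System32 library names
used to illustrate which libraries are hijackable."""
import ntpath

# Fixed system directories, in the order the loader probes them:
# System32, the 16-bit System directory, then the Windows directory.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")

# A handful of KnownDLLs. The loader maps these straight from System32 and
# never walks the search path for them, so planting a copy elsewhere does nothing.
KNOWN_DLLS = frozenset({"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"})


def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories probed for a bare DLL name. With SafeDllSearchMode on (the
    default) the current directory is probed after the system directories;
    with it off, the current directory comes right after the application dir."""
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve_dll(name, filesystem, app_dir, cwd, path_dirs=(), safe_search=True):
    """Full path the loader would load for `name`, or None if nothing is found.
    `filesystem` is the set of existing full paths; matching is case-insensitive."""
    lname = name.lower()
    if lname in KNOWN_DLLS:
        return ntpath.join(SYSTEM_DIRS[0], lname)
    existing = {p.lower() for p in filesystem}
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = ntpath.join(directory, lname)
        if candidate.lower() in existing:
            return candidate
    return None


def hijackable_dirs(name, filesystem, app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories where a planted copy of `name` would be loaded in preference
    to whatever resolves today: every directory probed before the first real hit.
    A library that exists nowhere (a "phantom" DLL) is hijackable from all of
    them; a KnownDLL from none."""
    lname = name.lower()
    if lname in KNOWN_DLLS:
        return []
    existing = {p.lower() for p in filesystem}
    winners = []
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        if ntpath.join(directory, lname).lower() in existing:
            break
        winners.append(directory)
    return winners


# Constructed scenario (hypothetical paths): the malware executable sits in a
# Downloads folder, its working directory is a file share full of sensitive data,
# and version.dll is a real System32 library it might import.
APP_DIR = r"C:\Users\victim\Downloads"
SHARE_DIR = r"\\fileserver\finance"
PATH_DIRS = (r"C:\Tools",)
FILESYSTEM = frozenset({
    ntpath.join(APP_DIR, "payload.exe"),
    ntpath.join(SYSTEM_DIRS[0], "kernel32.dll"),
    ntpath.join(SYSTEM_DIRS[0], "version.dll"),
})
# The same filesystem after a defender drops a DLL named after a library the
# malware expects but which does not exist on this machine (a phantom DLL).
PLANTED = FILESYSTEM | {ntpath.join(SHARE_DIR, "missing_helper.dll")}

if __name__ == "__main__":
    for dll in ("kernel32.dll", "version.dll", "missing_helper.dll"):
        print(dll, "->", resolve_dll(dll, FILESYSTEM, APP_DIR, SHARE_DIR, PATH_DIRS))
        print("  plant in:", hijackable_dirs(dll, FILESYSTEM, APP_DIR, SHARE_DIR, PATH_DIRS))
    print("after planting:", resolve_dll("missing_helper.dll", PLANTED, APP_DIR, SHARE_DIR, PATH_DIRS))
    print("version.dll, SafeDllSearchMode off, plant in:",
          hijackable_dirs("version.dll", FILESYSTEM, APP_DIR, SHARE_DIR, PATH_DIRS, safe_search=False))
```

The model deliberately leaves out manifest redirection, SetDllDirectory, DLL redirection files and the LOAD_LIBRARY_SEARCH_* flags, any of which changes the order on a real system; it is enough to show the two cases that matter here. A library the malware asks for but that exists nowhere on the machine can be supplied from any probed directory, including the share it is working in, whereas a library already present in System32 can only be shadowed from the malware's own directory under the default search mode. That is also the caveat for a defender: a planted DLL is only loaded if the ransomware requests a name the loader cannot satisfy earlier in the order.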

Malware is often able to disable security software before it acts, but hyp3rlinx stresses that it has no defense against a DLL that it loads itself.

That said, whether the researcher’s investigation results in long-lasting changes in preventing or at least reducing the impact of ransomware and malware attacks is another question entirely.

“If the samples are new, it is likely that the exploit will work only for a short time because ransomware gangs are quick to fix bugs, especially when they hit the public space,” Bleeping Computer said. “Even if these findings prove to be viable for a while longer, companies targeted by ransomware gangs still run the risk of having important files stolen and leaked, as exfiltration to pressure the victim into paying a ransom is part of this threat actor’s modus operandi.”

Still, the cybersecurity website added that hyp3rlinx’s exploits “could prove useful at least to prevent operational disruption, which can cause significant damage.”

As such, although ransomware groups are likely to patch these flaws soon, finding them is an encouraging first step toward disrupting the development and distribution of dangerous code, and it may lead to more advanced methods of preventing attacks.

Ransomware groups do not consist of your average hackers. Creating and spreading effective malware is a sophisticated task in and of itself, and the financial windfall from a successful attack can generate hundreds of millions of dollars for the perpetrators. A considerable portion of those ill-gotten gains is extracted from innocent individuals.

Repost: Original Source and Author Link

Ransomware gangs are evolving in new and dangerous ways

With digital technology growing at a rapid pace, ransomware gangs and their methods continue to advance at an aggressive rate as well.

This observation was detailed by cybersecurity and antivirus giant Kaspersky via a new report, highlighting fresh ransomware trends that have materialized throughout 2022.


Although some leading cyber gangs have been shut down, groups are still finding ways to develop dangerous strains of malware and ransomware. And their efforts are bearing fruit, Kaspersky stresses.

In particular, the company singled out brand new “cross-platform capabilities”, in addition to “updated business processes” and more.

Before delving into those aspects, it is worth defining ransomware. Simply put, it is malicious software that encrypts files, folders, or the entire operating system of a PC so that the owner can no longer use them.

Once it has taken hold, the group behind it demands money from the victim in exchange for restoring access to the computer.

“Ransomware operations have come a long way — from clandestine and amateur beginnings to fully-fledged businesses with distinctive brands and styles that rival each other on the dark web. They find unusual ways to attack their victims or resort to newsjacking to make their attacks more relevant,” Kaspersky said.

The rise of cross-platform programming languages

As for the “prolific use” of cross-platform capabilities, Kaspersky points out that this method is particularly effective in damaging “as many systems as possible with the same malware by writing code that can be executed on several operating systems at once.”

Cross-platform programming languages such as Rust and Golang started picking up steam among the ransomware community during the latter stages of 2021.

For example, a leading group that is an ever-present name in the ransomware space, Conti, has managed to design a variant that is spread via certain affiliates in order to target Linux-based systems.

BlackCat, labeled as a “next-generation” malware gang, was mentioned as another group — one that has apparently attacked more than 60 organizations since December 2021. Rust was its language of choice for developing malware strains.

Elsewhere, a group known as DeadBolt relied on Golang instead for its ransomware. This cyber gang is notorious for its attacks on network-attached storage (NAS) devices made by QNAP, a Taiwanese vendor.

Ransomware groups are starting to evolve

Another trend that Kaspersky detailed is the fact that ransomware groups have not only been relying on more advanced tactics for their overall operations, but throughout late 2021 and the opening stages of 2022, they’ve also “continued activities to facilitate their business processes, including regular rebranding to divert the attention of the authorities, as well as updating exfiltration tools.”

Certain groups have developed and started to use entire toolkits that “resembled ones from benign software companies.”

“Lockbit stands out as a remarkable example of a ransomware gang’s evolution. The organization boasts an array of improvements compared to its rivals, including regular updates and repairs to its infrastructure. It also first introduced StealBIT, a custom ransomware exfiltration tool that enables data exfiltration at the highest speeds ever – a sign of the group’s hard work put towards malware acceleration processes.”

Dmitry Galov, a senior security researcher at Kaspersky’s Global Research and Analysis Team, commented on the state of affairs with a summary:

“If last year we said ransomware is flourishing, this year it’s in full bloom. Although major ransomware groups from last year were forced to quit, new actors have popped up with never before seen techniques. Nevertheless, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, which helps us to better detect and defend against them.”

Google, meanwhile, made a similar point when it analyzed the record number of zero-day exploits seen in 2021.

“Zero-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the zero-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit “shapes” previously seen in public research.”

Still, that’s not to say that malware and ransomware don’t pose a dangerous threat in today’s digitally-driven world. In fact, ransomware in particular is an extremely lucrative business for cybercriminals. In 2021 alone, this crime type saw $49.2 million in losses for innocent individuals.

The growing prevalence of malware is not going unnoticed among the leading technology giants.

Microsoft recently confirmed a new initiative where businesses can use the company’s in-house security services and experts to combat cybercrime and strengthen their digital security measures.

Repost: Original Source and Author Link