Threat Awareness – Ransomware Compendium

Created: Tuesday, November 10, 2020 - 13:43
Categories:
Cybersecurity

It has been a bit of a whirlwind in ransomware this past week. Bits have been circulating about Ryuk reaping the rewards from its wreckage, a new strain detonating within an hour after gaining access to the network, and an indiscriminate sample with a version to infect Linux. BleepingComputer has those details and much more in its recent “The Week in Ransomware” series for November 6, 2020.

Ryuk Rakes in $34 Million from One Victim

Ryuk’s recent rash of high-revenue attacks seems to be resulting in a respectable return. There is no doubt that Ryuk is a reckoning – or a wreck-ing – in the ransomware world. Going after high-value victims using open source and widely available system tools, Ryuk boldly demands ransom payments of around $750,000. According to Vitali Kremez of Advanced Intelligence, this Russian-speaking threat actor is tough during negotiations and rarely shows any leniency. The largest confirmed payment it has received was 2,200 bitcoins, which is currently close to $34 million. However, according to Vitali, Ryuk seems to be using more ordinary tactics lately, including phishing lures tuned to current events or to common themes that fit any time of the year, such as payroll and employment notifications.

Pay2Key Encrypts within One Hour

While many ransomware families delay detonation after infection, a new strain appears to be executing within one hour of obtaining access to victim networks, potentially through publicly exposed RDP (Remote Desktop Protocol). According to Check Point, the newly observed Pay2Key ransomware has so far only been detected targeting organizations in Israel and Brazil, but it does have some noteworthy behavior to be mindful of in future targeting campaigns.

It’s not Fancy, but it’s Effective – RansomExx has Linux-impacting Version

RansomExx is another reminder that no operating system is beyond compromise, including Linux. According to Kaspersky, the RansomExx operators have created a no-frills Linux version of the malware. Unlike the Windows version, the Linux version does not terminate processes, wipe free space, contain anti-analysis functionality, or communicate with command and control servers. Given that RansomExx has a penchant for targeting large organizations, which presumably maintain mixed environments of Windows and Linux, this is another strain to keep an eye on. RansomExx was previously reported on in the Security & Resilience Update for September 29, 2020, after reportedly impacting managed services provider Tyler Technologies.