The U.S. Department of Homeland Security’s Office of Intelligence and Analysis has released a new Intelligence Report detailing the risk ransomware poses to U.S. civilian and critical infrastructure networks. According to the report:
I&A assesses ransomware campaigns are spreading rapidly as a result of widely available access to ransomware or its source code in underground markets and media reports on ransomware profits, increasingly threatening US government and civilian systems, especially those that enable critical services and key resources, by denying legitimate users access to their data.
New ransomware variants display increasingly advanced functions and capabilities, such as targeted delivery techniques, obfuscation mechanisms, persistence capabilities, and backup system deletion tools that constitute a high threat to US networks.
Cybercriminals since at least the spring of 2016 have been using a variety of increasingly sophisticated mechanisms to distribute ransomware more effectively than they had in the past, such as advanced phishing campaigns using spoofed e-mail addresses and content, water-holing techniques, system vulnerability exploitation, and well-established botnet infrastructures.
Non-traditional ransomware users, such as criminal hackers or state-sponsored cyber actors, may use ransomware variants as a means to obtain and maintain persistent illicit access to targeted networks not only to facilitate denial and destruction of data, but also as a distraction to obfuscate other types of fraudulent activity and cyber espionage.
Ransomware Growth and Maturity Brings New Threats
The overall use of ransomware campaigns is spreading rapidly as a result of widely available access to ransomware in underground markets and media reports on ransomware profits, increasingly threatening US government and civilian systems, especially those that enable critical services and key resources, by denying legitimate users access to their data. Cyber actors since at least 2013 have deployed data-encrypting ransomware indiscriminately against US businesses, universities, maritime vessels, healthcare providers, emergency services providers, and SLTT governments to deny access to data until ransom demands have been met. These schemes in 2015 generated more than $24 million in illicit revenue, typically in bitcoin, according to a news article citing the FBI. Ransomware campaigns experienced significant growth and increasing maturity in the past year as a result of the release of multiple ransomware variants in underground cyber markets, increased media coverage of ransomware campaign profits, and strong supply and demand in underground cyber markets.
- The number of ransomware variants released on underground markets nearly doubled in mid-2015, according to open source reports and other data received by the National Computer Emergency Response Team in the United Kingdom, also known as CERT-UK. The surge in ransomware variants coincided with increased media coverage of ransomware profits, according to a CERT-UK assessment.
- Additionally, ransomware source code was released in the underground cyber market between late 2015 and early 2016, enabling the development of customization features and allowing cyber actors to modify and make improvements to the malware. For example, a cyber actor using the nickname “RADAMANT” in January 2016 advertised the sale of RADAMANT ransomware malware source code in the Russian underground criminal forum exploit.in, according to a collaborative FBI source with excellent access, some of whose reporting has been corroborated in the past year. The same actor initially advertised the RADAMANT kit for rent in December 2015 in the same forum, offered technical support, and secured hosting services, according to the same source.
New Variants Display Increasingly Advanced Functions and Capabilities
New ransomware variants display increasingly advanced functions and capabilities—such as targeted delivery techniques, obfuscation mechanisms, persistence capabilities, and backup system deletion tools—that constitute a high threat to US networks. For example, the ransomware Locky is deployed in a multi-stage, targeted fashion against vulnerable systems and can locate and delete backup systems, according to reports from DoD and DHS officials that we deem reliable based on their direct access and ability to analyze malware samples. These capabilities could enable some cyber actors to improve their targeting techniques to identify and compromise systems lacking data backups and redundancy measures.
- Cyber actors in March 2016 targeted DoD and US federal civilian government webmail users with a ransomware campaign that used spoofed e-mail addresses to deliver the Locky variant, indicating a more focused targeting pattern than earlier versions of the malware, according to DHS and DoD technical reporting. The malware employed a multi-stage payload delivery system that loads itself into a computer’s memory before establishing illicit and persistent access and encrypting files and documents, renaming file extensions, and deleting shadow snapshots, which can prevent legitimate users from recovering affected files. This campaign distinguishes itself from previous campaigns by displaying an enhanced targeting capability and sophisticated obfuscation and evasion techniques, according to the same source. Additionally, the malware featured functions that allowed cyber actors to conduct network reconnaissance, identify shared files and network drives, and locate and delete backup systems, indicating a significant progression in overall ransomware capabilities, according to the same source.
- A ransomware attack in March 2016 compromised a US-based hospital using an outdated server vulnerability, according to a state government official with direct access to the information. The cyber actors used administrator-level access to locate and encrypt more than 100,000 files on 4,000 systems, including 600 servers. This attack denied hospital personnel access to sensitive files for two days, according to the same reporting.
- Cybersecurity officials in April discovered two Massachusetts government desktop computers infected with Locky ransomware, which encrypted three agency shared drives, according to DHS information obtained from a public sector cybersecurity official with direct and indirect access to the information through official duties. Officials suggest this was a targeted campaign, as the commonwealth received 71 e-mails containing Locky-associated attachments over the course of a few hours, according to the same DHS information. Unlike previous ransomware attacks that sporadically and indiscriminately targeted victims, this attack was deployed against users within the same organization in a short period of time, indicating a more focused targeting campaign.
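The behaviours the report attributes to this Locky wave (deleting shadow snapshots, then renaming many files to a new extension in quick succession) are observable on the endpoint, so a defender can alert on them rather than on a specific sample. The following is an added example, not part of the report: it runs two behaviour checks over constructed process-creation and file-rename log lines. The log layout, host names, user names and the ".locked" extension are all assumptions made for the example.

```python
"""Behaviour-based detection of two ransomware actions described above: deletion of
volume shadow snapshots and bulk renaming of files to one new extension.
Added example; the log formats, host names and the ".locked" extension are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process-creation events: (timestamp, host, user, command line).  Constructed sample data.
PROCESS_EVENTS = [
    ("2016-03-04T09:15:02", "WS-0117", "jdoe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2016-03-04T09:15:03", "WS-0117", "jdoe", "wmic.exe shadowcopy delete"),
    ("2016-03-04T10:02:11", "WS-0042", "admin", "vssadmin.exe list shadows"),          # benign: only lists
    ("2016-03-04T10:30:00", "SRV-BK01", "backupsvc", "wbadmin.exe start backup -backupTarget:E:"),  # benign
]

# File rename events: (timestamp, host, old path, new path).  Constructed sample data.
FILE_EVENTS = [
    ("2016-03-04T09:15:10", "WS-0117", r"C:\Users\jdoe\Documents\budget.xlsx", r"C:\Users\jdoe\Documents\budget.locked"),
    ("2016-03-04T09:15:12", "WS-0117", r"C:\Users\jdoe\Documents\plan.docx", r"C:\Users\jdoe\Documents\plan.locked"),
    ("2016-03-04T09:15:14", "WS-0117", r"C:\Users\jdoe\Documents\q1.pdf", r"C:\Users\jdoe\Documents\q1.locked"),
    ("2016-03-04T09:15:16", "WS-0117", r"\\FS01\shared\minutes.docx", r"\\FS01\shared\minutes.locked"),
    ("2016-03-04T09:15:18", "WS-0117", r"\\FS01\shared\roster.xlsx", r"\\FS01\shared\roster.locked"),
    ("2016-03-04T09:15:20", "WS-0117", r"\\FS01\shared\photo.jpg", r"\\FS01\shared\photo.locked"),
    ("2016-03-04T09:15:21", "WS-0117", r"C:\Users\jdoe\notes.txt", r"C:\Users\jdoe\notes_old.txt"),  # extension unchanged
    ("2016-03-04T10:05:00", "WS-0042", r"C:\Users\admin\draft.tmp", r"C:\Users\admin\draft.docx"),     # ordinary save
    ("2016-03-04T10:40:00", "WS-0042", r"C:\Users\admin\report.tmp", r"C:\Users\admin\report.docx"),   # ordinary save
]

# Command-line shapes that remove snapshot-based recovery points.  Listing or creating
# backups is deliberately not matched, so routine administration does not alert.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]


def detect_shadow_deletion(events):
    """Return the process events whose command line deletes shadow snapshots."""
    return [e for e in events if any(p.search(e[3]) for p in SHADOW_DELETE_PATTERNS)]


def _extension(path):
    """Extension of the final path component, lower-cased; '' if there is none.
    Splits on both separators so UNC and drive paths are handled alike."""
    name = re.split(r"[\\/]", path)[-1]
    _, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot else ""


def detect_bulk_renames(events, threshold=5, window_seconds=60):
    """Alert when one host renames at least `threshold` files to the same new
    extension within `window_seconds`.  Renames that keep the extension are ignored."""
    by_key = defaultdict(list)
    for ts, host, old, new in events:
        old_ext, new_ext = _extension(old), _extension(new)
        if new_ext and new_ext != old_ext:
            by_key[(host, new_ext)].append(datetime.fromisoformat(ts))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, ext), times in by_key.items():
        times.sort()
        start = best = best_start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, start
        if best >= threshold:
            alerts.append({"host": host, "extension": ext, "count": best,
                           "first_seen": times[best_start].isoformat()})
    return alerts


if __name__ == "__main__":
    for hit in detect_shadow_deletion(PROCESS_EVENTS):
        print("shadow-copy deletion:", hit)
    for alert in detect_bulk_renames(FILE_EVENTS):
        print("bulk rename:", alert)
```

Both checks are independent of any sample hash, which is the point: the report's observation is that capabilities, not individual binaries, are what the newer variants have in common. The rename threshold and window are tuning knobs; set them from a baseline of normal rename volume on the hosts you monitor, since a single user saving many files through an application that writes temp files can look similar.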
Diversification of Distribution Mechanisms Increases Effective Deliveries
Cybercriminals since at least the spring of 2016 have been using a variety of increasingly sophisticated mechanisms to distribute ransomware more effectively than they had in the past, such as advanced phishing campaigns using spoofed e-mail addresses and content, water-holing techniques, system vulnerability exploitation, and well-established botnet infrastructures. Cyber actors traditionally leveraged e-mail spamming services and social engineering techniques to distribute ransomware sporadically and indiscriminately against an array of targets. Although these techniques are still being used, during the past two years we have observed a trend of more focused, refined campaigns that are likely to increase the successful infection and deployment against organizations that rely on computer systems to deliver critical services and key resources.
- Unknown cyber actors continue to use traditional social engineering tactics and phishing campaigns to deliver malicious attachments with embedded ransomware, although since spring 2016 we have observed increasingly focused, targeted campaigns. Once users clicked on the malicious attachment, the ransomware downloaded and executed, often along with legitimate processes, to compromise the targeted network. This technique was used to target private sector organizations as well as DoD and other US government e-mail users. For example, state and federal government employees in March 2016 received phishing e-mails that were spoofed to appear to originate from the user’s network and contained malicious attachments with embedded first-stage malware that communicated with command-and-control infrastructure to obtain second-stage malware, likely ransomware, according to defense reporting.
- Unknown cyber actors since at least July 2015 used this technique to infect several New Mexico city government systems with Cryptowall 3.0 malware. The attackers planted a JavaScript exploit on a US website to deliver Cryptowall to users visiting a watering hole, targeting only those that were running Internet Explorer web browsers, according to a government official with firsthand access to the information through the course of normal duties. Cryptolocker malware embedded on a legitimate site in April 2016 also was used to infect a computer server belonging to a US healthcare provider in Texas that resulted in the encryption of patient information, including medical history and insurance records, after a receptionist accessed the website for a nearby school district, according to an FBI source with excellent access.
- Unknown cyber actors since 2014 have used access to well-established botnets to propagate ransomware, enhancing the overall success of malware delivery through automation and scalability. For example, communication infrastructure analysis indicates unknown cyber actors have used malware to distribute Locky and Cryptowall variants, respectively, according to analysis by a well-known cybersecurity firm. Furthermore, Locky ransomware phishing e-mails strongly resembled those used in other campaigns, according to the same cybersecurity firm analysis.
- Unknown cyber actors in 2016 also exploited unpatched system vulnerabilities to deliver ransomware and gain access to targeted networks. For example, unknown cyber actors in April 2016 conducted a ransomware attack against a US utility company by exploiting an outdated JBoss server that was running as a domain administrator, resulting in the encryption of the company’s corporate file systems, according to FBI reporting obtained from an officer of another law enforcement agency. The same server vulnerability was exploited to compromise the aforementioned US-based hospital network in March 2016, according to DHS officials with excellent access.
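The phishing pattern in this section (messages spoofed to look as if they come from the recipient's own organization, arriving in a burst of dozens of copies within hours, as in the Massachusetts case) leaves two signals at the mail gateway: an internal sender domain that fails SPF, and one attachment hash fanning out to many mailboxes. The following is an added example, not part of the report, showing both heuristics over constructed gateway records. The record layout, the organization domain example.gov, the addresses and the attachment hashes are all assumptions made for the example.

```python
"""Mail-gateway heuristics for the delivery pattern described above: a burst of messages
carrying one attachment, sent from addresses spoofed to look internal.
Added example; the record layout, domain, addresses and hashes are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.gov"  # assumed organisation domain

# Gateway records: (timestamp, mail_from, rcpt_to, spf_result, attachment, sha256).  Constructed.
H_LURE = "a1" * 32  # placeholder hash standing in for the shared lure attachment
MAIL_LOG = [
    ("2016-04-12T08:01:10", "payroll@example.gov", "alice@example.gov", "fail", "invoice_0412.docm", H_LURE),
    ("2016-04-12T08:03:45", "payroll@example.gov", "bob@example.gov", "fail", "invoice_0412.docm", H_LURE),
    ("2016-04-12T08:05:40", "payroll@example.gov", "alice@example.gov", "fail", "invoice_0412.docm", H_LURE),  # repeat
    ("2016-04-12T08:12:02", "payroll@example.gov", "carol@example.gov", "fail", "invoice_0412.docm", H_LURE),
    ("2016-04-12T08:19:30", "payroll@example.gov", "dave@example.gov", "fail", "invoice_0412.docm", H_LURE),
    ("2016-04-12T08:22:15", "payroll@example.gov", "erin@example.gov", "fail", "invoice_0412.docm", H_LURE),
    ("2016-04-12T09:00:00", "vendor@supplier.example", "bob@example.gov", "pass", "contract.pdf", "b2" * 32),
    ("2016-04-12T11:30:00", "it@example.gov", "carol@example.gov", "pass", "policy.pdf", "c3" * 32),
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def spoofed_internal_senders(records, org_domain=ORG_DOMAIN):
    """Messages that claim an internal sender address but did not pass SPF.
    Mail that genuinely originates inside the organisation authenticates; an
    internal sender that fails is the shape of a spoofed phishing message."""
    return [r for r in records if _domain(r[1]) == org_domain and r[3] != "pass"]


def attachment_bursts(records, min_recipients=5, window=timedelta(hours=3)):
    """One attachment hash reaching at least `min_recipients` distinct mailboxes within
    `window`.  Distinct recipients are counted so repeats to one user do not inflate it."""
    by_hash = defaultdict(list)
    for ts, _, rcpt, _, name, sha in records:
        by_hash[sha].append((datetime.fromisoformat(ts), rcpt.lower(), name))
    alerts = []
    for sha, evs in by_hash.items():
        evs.sort()
        in_window = Counter()     # recipient -> messages inside the current window
        start = best = 0
        for end, (t, rcpt, _) in enumerate(evs):
            in_window[rcpt] += 1
            while t - evs[start][0] > window:   # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_recipients:
            alerts.append({"sha256": sha, "attachment": evs[0][2],
                           "distinct_recipients": best, "messages": len(evs),
                           "first_seen": evs[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    print(f"{len(spoofed_internal_senders(MAIL_LOG))} messages spoof an internal sender")
    for alert in attachment_bursts(MAIL_LOG):
        print("attachment burst:", alert)
```

The two checks reinforce each other: a burst alone may be a legitimate all-staff mailing, and an SPF failure alone may be a misconfigured third-party sender, but a failing internal sender fanning one attachment across many mailboxes within hours matches the campaign shape the report describes. In production the hash would come from the gateway's attachment scanner and the recipient threshold from the organisation's normal mailing volume.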
Outlook and Implications
Non-traditional ransomware users, such as state-sponsored cyber actors or criminal hackers, may use ransomware variants to obtain and maintain persistent illicit access to targeted networks not only as a means to facilitate denial and destruction of data, but also as a distraction to obfuscate other types of fraudulent activity. We expect ransomware attacks against US government and private sector networks to continue and likely increase as ransomware variants become even more stealthy, customizable, and accessible. Furthermore, recent advancements in ransomware functions and capabilities may provide an opportunity for non-traditional ransomware users to use in future computer network operations.
- Criminal hacker organizations such as the Syrian Electronic Army and Al-Qassam Cyber Fighters targeted Internet service providers and US financial sector entities in September 2012 and August 2013, respectively, with distributed denial-of-service attacks and website defacements in protest of political developments, according to open source reporting. Although we have not seen these groups use ransomware to conduct attacks, we assess that currently available ransomware has the capability to deny the use of data and achieve the same objectives.
- Additionally, we assess that financially motivated, organized cybercriminal syndicates may use ransomware as a diversion tactic to facilitate other malware activity, such as data deletion and cyber espionage. Financially motivated cyber actors since at least 2012 have used DDoS attacks to distract some US banks from identifying and preventing fraudulent cash transfers, according to analysis by a well-known cybersecurity firm. This technique was also used against other global targets. For example, the Blackenergy DDoS botnet in November 2012 was used to target a Brazilian bank to distract bank employees from identifying fraudulent activities, according to the same company. To date, we have not seen evidence of cyber actors using ransomware as a distraction mechanism to facilitate other types of activity; however, new ransomware variants display the functionality and capability that could be used to generate the same effect.