Excuse my French, but Holy S#!+, some ransomware developers have found a new way to monetize their operations by adding a DDoS component to their malicious payload. Security researchers from Invincea reported this a few days ago after analyzing a new malware sample.
Instead of "just" encrypting data files on the workstation (plus any network drive it can find) and locking the machine, this variant of the Cerber ransomware also drops a DDoS bot that quietly blasts spoofed network traffic at other hosts. According to Invincea, this is the first reported case of DDoS malware being bundled with a ransomware infection.
Invincea said: "The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."
This means that while the victim is locked out of their endpoint, that same endpoint is being used to deny service to someone else. Two attacks for the price of one. You don't pay the ransom? No problemo, the criminals still get value out of the machine, because it is already part of their botnet.
Visual Basic File-less Attack
The attackers use Visual Basic to launch a file-less first stage: the malicious macro runs as VBScript inside Office rather than as an executable on disk, and most antivirus and "next-gen" antivirus products have little or no visibility into that stage. What this means is that they cannot see the attack until the downloaded payload has been written to disk. At that point scanners can find it, and many do, but by then the damage is often already done.
Infection Vector: Phishing With Weaponized RTF documents
The sample that Invincea analyzed is detected by 37 of the 57 antivirus engines on VirusTotal, but the next repacked sample will likely go undetected for a few days, so do not count 100% on your endpoint anti-malware layer; that is a false sense of security. The attachment relies on social engineering the employee into enabling macros in Office; the macro then executes a malicious VBScript that downloads and runs the malware.
The ransomware is executed first: it encrypts the user's data and then blocks access to the computer by locking the screen. After this sequence, a second binary called 3311.tmp is launched and starts sending a large amount of network traffic out of the infected computer.
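The behaviour Invincea describes, a local host spraying UDP packets at port 6892 across its own subnet with a spoofed (non-local) source address so that the replies hit a third-party target, leaves two detectable fingerprints on the LAN: a frame whose IP source is outside the local prefix, and one sender fanning out to an unusual number of destinations on one UDP port. The following is an added example written for this post, not code from Invincea or from the malware; the flow records, the 10.0.5.0/24 subnet, the MAC addresses, the victim address 203.0.113.7 and the thresholds are all constructed assumptions, and only the port number comes from the report.

```python
"""Flag a host behaving like the Cerber UDP/6892 flood bot in LAN flow records.

Added example for this post. The records are constructed (a SPAN-port sensor
that exports src MAC, src IP, dst IP, protocol, dst port and packet count);
the subnet, addresses and thresholds are assumptions, not data from the
Invincea write-up. Only FLOOD_PORT (6892) is taken from the report.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.5.0/24")  # assumed local prefix
FLOOD_PORT = 6892        # UDP port named in the Invincea write-up
MIN_DISTINCT_DST = 20    # assumed thresholds; tune per environment
MIN_PACKETS = 500


def make_sample_flows():
    """Constructed records: (src_mac, src_ip, dst_ip, proto, dst_port, pkts).

    The host with MAC ...:23 plays the infected machine: it sends UDP/6892 to
    every other address in the /24 while claiming a non-local source address
    (the real DDoS target, so that every reply from the subnet lands there).
    Two clean hosts contribute ordinary DNS and HTTPS traffic.
    """
    flows = []
    bot_mac = "aa:bb:cc:00:00:23"
    spoofed_src = "203.0.113.7"   # assumed third-party victim
    for last in range(1, 255):
        if last == 23:
            continue
        flows.append((bot_mac, spoofed_src, f"10.0.5.{last}", "udp", FLOOD_PORT, 40))
    flows.append(("aa:bb:cc:00:00:10", "10.0.5.10", "10.0.5.1", "udp", 53, 12))
    flows.append(("aa:bb:cc:00:00:11", "10.0.5.11", "198.51.100.20", "tcp", 443, 300))
    flows.append(("aa:bb:cc:00:00:11", "10.0.5.11", "10.0.5.1", "udp", 53, 5))
    return flows


def analyze(flows, local_net=LOCAL_NET):
    """Return per-MAC findings with a verdict of ddos-bot, flood, spoof or clean."""
    stats = defaultdict(lambda: {"spoofed": set(), "flood_dsts": set(), "flood_pkts": 0})
    for src_mac, src_ip, dst_ip, proto, dport, pkts in flows:
        s = stats[src_mac]
        # Check 1 (BCP 38 style): a frame from a LAN MAC whose IP source lies
        # outside the local prefix is either misconfiguration or spoofing.
        if ipaddress.ip_address(src_ip) not in local_net:
            s["spoofed"].add(src_ip)
        # Check 2: fan-out on the flood port across many distinct destinations.
        if proto == "udp" and dport == FLOOD_PORT:
            s["flood_dsts"].add(dst_ip)
            s["flood_pkts"] += pkts

    findings = {}
    for mac, s in stats.items():
        flooding = (len(s["flood_dsts"]) >= MIN_DISTINCT_DST
                    and s["flood_pkts"] >= MIN_PACKETS)
        spoofing = bool(s["spoofed"])
        if flooding and spoofing:
            verdict = "ddos-bot"      # both fingerprints: the Cerber pattern
        elif flooding:
            verdict = "flood"
        elif spoofing:
            verdict = "spoof"
        else:
            verdict = "clean"
        findings[mac] = {
            "spoofed_sources": sorted(s["spoofed"]),
            "flood_targets": len(s["flood_dsts"]),
            "flood_packets": s["flood_pkts"],
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for mac, f in analyze(make_sample_flows()).items():
        print(mac, f["verdict"], f["flood_targets"], f["flood_packets"], f["spoofed_sources"])
```

Two points worth noting. Attribution is keyed on the MAC address rather than the IP source, because the IP source is exactly what the bot lies about; a sensor that only sees layer 3 would attribute the flood to the victim. And the same spoof check, applied as an egress filter at the gateway (drop anything leaving with a source address outside your own ranges), stops the reflected replies from ever reaching the target, which is why egress filtering appears in the recommendations below.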
This is likely becoming a trend :-(
Adding DDoS capabilities to ransomware is one of those "evil genius" ideas. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. This looks like the first case where a cybermafia bundles ransomware with a DDoS bot, but you can expect it to become a fast-growing trend.
A lot of people get infected with ransomware, but many of them simply restore from backup and never pay. By adding a DDoS bot to the ransomware payload, these cybercriminals create a two-for-one: they can still squeeze bandwidth out of non-paying victims and sell it as another criminal revenue stream.
Here Are 8 Things To Do About It (apart from having weapons-grade backup)
- From here on out with any ransomware infection, wipe the machine and re-image from bare metal
- If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly
- Make sure your endpoints are patched religiously, OS and 3rd Party Apps
- Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers
- Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
- Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
- Check your firewall configuration and make sure no criminal network traffic is allowed out: block outbound ports and protocols you do not need, and drop outbound packets whose source address is not one of your own (egress filtering), since a spoofed flood like this one depends on those packets leaving your network
- Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email
Since phishing has become the #1 malware infection vector, and attacks are getting through your filters too often, giving your users effective security awareness training that includes frequent simulated phishing attacks is a must.
KnowBe4's integrated training and phishing platform allows you to send attachments with Word Docs with macros in them, so you can see which users open the attachments and then enable macros!
See it for yourself and get a live, one-on-one demo.