
Ransomware authors seeking new ways to avoid being spotted

Sector analysis from Sophos has revealed some insight into how malware authors are adapting to thwart cyber security controls

Ransomware authors are changing up their campaigns to evade existing security controls, obfuscating their origins, and some are even adapting to use vulnerabilities in monitoring and management tools against their owners, according to the SophosLabs 2020 threat report.

With ransomware now hitting huge numbers of targets every day, the potential for its authors to get rich quick has never been higher.

However, said Sophos, ransomware has one Achilles' heel: encrypting data is a time-consuming process limited by the processing power of the victim's CPU, which means ransomware authors must be awake to the importance of optimising their attacks and avoiding detection for as long as possible.

With this in mind, said Sophos, in recent months cyber criminals appear to be taking a keen interest in how network and endpoint security products detect and block malicious activity.

Many have also found that it is much easier to change a ransomware strain's appearance by obfuscating its code than to change its overall behaviour, as they seek ways to elude defences.

Well-observed trends such as compiling ransomware for a specific, targeted victim, protecting it with a unique password, or coding it to run in a defined timeframe, can indicate attempts to hinder both automated sandbox analysis and manual reverse engineering by human analysts.

Other attackers have been seen exploiting stolen credentials or vulnerabilities in remote monitoring and management products such as those from the likes of Kaseya, ScreenConnect or Bomgar.

Such solutions are typically breached through a managed service provider (MSP), and because they often run with elevated privileges, once they are compromised attackers can easily distribute ransomware onto multiple business networks at once.

Others have taken to code-signing their ransomware with an Authenticode certificate, which can throw defences off the scent as they are less likely to analyse the executable as rigorously as they otherwise would.

Sophos CTO Joe Levy said: "Every year, criminals adapt to the best defences from operators and suppliers in the industry. At the same time, defenders must protect systems and processes with new functionality constantly being introduced, and with an ever-increasing global interdependency on these systems' operation.

“But you can’t defend against what you can’t understand. It isn’t always easy to visualise complex attack scenarios, especially given that the resultant cat-and-mouse game between attackers and defenders helps shape future threats.

“Our report this year reflects both the broader range of the security domains we now observe and defend, and the wider reach of adversaries into new territory.”

The annual report has this year broadened in scope to explore areas beyond Sophos’ historic purview around malware and spam prevention. Sophos principal researcher Andrew Brandt picked over some other key trends observed by the firm in the past 12 months in a newly published blog post.

Brandt said 2019 had seen a rise in automated active attacks – human-directed compromise of internal networks, followed by the use of Windows network admin tools to distribute malware across an enterprise network very quickly, as happened in the SamSam ransomware attack.

Attacks against Microsoft's Remote Desktop Protocol (RDP) service and its client application have also been observed climbing, with a mix of brute-force login attacks and more targeted campaigns.

To measure this, Sophos left honeypot RDP servers exposed to the public internet and recorded three million attempts to log into them in a 30-day period.
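The RDP brute-force activity described above is visible to defenders in Windows Security log events: 4625 (failed logon) and 4624 (successful logon), with logon type 10 (RemoteInteractive) or 3 (Network, where NLA pre-authentication failures land). The following is an added illustration, not code from Sophos or the report. It runs two simple detections over constructed sample lines in a simplified pipe-delimited form (a real deployment would parse exported EVTX/XML events): a sliding-window count of failures per source address, and the more actionable case of a success that follows a run of failures from the same source. The thresholds and the log format are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp|event_id|logon_type|account|source_ip" form.
# These are not real Windows log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
2019-11-01T10:00:01|4625|10|administrator|203.0.113.7
2019-11-01T10:00:03|4625|10|admin|203.0.113.7
2019-11-01T10:00:04|4625|10|backup|203.0.113.7
2019-11-01T10:00:06|4625|10|administrator|203.0.113.7
2019-11-01T10:00:09|4625|10|root|203.0.113.7
2019-11-01T10:00:12|4625|10|administrator|203.0.113.7
2019-11-01T10:01:00|4625|10|j.smith|198.51.100.20
2019-11-01T10:02:30|4624|10|administrator|203.0.113.7
2019-11-01T10:30:00|4624|10|j.smith|198.51.100.20
2019-11-01T11:00:00|4625|10|a.jones|192.0.2.55
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
# 10 = RemoteInteractive (classic RDP); 3 = Network (NLA pre-auth failures show up here)
REMOTE_LOGON_TYPES = {"10", "3"}


def parse_lines(text):
    """Parse the simplified log format into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, logon_type, account, src = raw.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source address that accumulates >= threshold failed remote
    logons inside a sliding time window. The alert lists the accounts tried,
    which distinguishes password spraying (many accounts) from guessing one."""
    recent = defaultdict(deque)  # src -> deque of (ts, account) failures still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["account"]))
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "accounts": sorted({a for _, a in q}),
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts


def detect_success_after_failures(events, min_failures=3, window=timedelta(hours=1)):
    """Flag a successful remote logon from a source that produced at least
    min_failures failed logons within the preceding window: the signature of a
    brute-force run that eventually guessed a password and needs a response."""
    failures = defaultdict(list)  # src -> timestamps of failed remote logons
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src"]].append(ev["ts"])
        elif ev["event_id"] == SUCCESS_LOGON:
            prior = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(prior) >= min_failures:
                hits.append({
                    "src": ev["src"],
                    "account": ev["account"],
                    "prior_failures": len(prior),
                    "ts": ev["ts"],
                })
    return hits


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for a in detect_rdp_bruteforce(evs):
        print("brute-force:", a["src"], a["failures"], "failures, accounts", a["accounts"])
    for h in detect_success_after_failures(evs):
        print("success after failures:", h["src"], "as", h["account"], "after", h["prior_failures"])
```

On the sample, only 203.0.113.7 trips the sliding-window rule, and the same address is flagged again when its later logon as "administrator" succeeds; the single failure from 198.51.100.20 followed by a normal logon stays below the threshold. In practice the second detection is the one worth paging on, since it indicates the guessing worked; the first is useful for blocking sources at the perimeter or, better, as a prompt to take RDP off the public internet behind a VPN or gateway with multi-factor authentication.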
