Interview: Rafe Pilling, Senior Security Researcher, Secureworks


The death of ransomware may have been prematurely predicted. While various cybersecurity experts have told Infosecurity that detections have dropped, the problem is in fact far from gone.

One noted ransomware was the GandCrab variant, whose operators announced in May 2019 that they were retiring, having collected some $2bn in their almost 18 months of operation.

However, that disappearance was short-lived: a new variant named REvil was detected in April, and according to Secureworks' detections it has expanded its delivery methods to include malicious spam campaigns and RDP attacks.

According to analysis by Secureworks, numerous characteristics indicate that the same developers were involved in producing GandCrab and REvil, with even the earliest identified REvil sample (REvil Beta) including elements that appear to refer to GandCrab.

Its research stated: “Characteristics of REvil that appear to be operational security mistakes by the malware authors enabled CTU researchers to technically link the REvil and GandCrab ransomware families.”

A spokesperson for Secureworks told Infosecurity that “REvil has appeared and it is a different type of ransomware.” They said that this “proves the theory that e-crime actors are organized groups and not huddles of guys,” who are constantly looking for ways to get a better return on their investments.

This shifts the issue to a new concept, which Secureworks calls “post intrusion ransomware.” The company explained that this is a much more targeted attack, in which an attacker accesses your network, spends a few days working out how to deploy malware across it, and then either deploys the malware on the way out or sells access to the network to the highest bidder.

Speaking to Infosecurity, Rafe Pilling, senior security researcher at Secureworks, said that there were examples of ransomware where a similar code base was used. He said that before NotPetya in July 2017 “there were other ransomware-related attacks using a similar code base, and that a watering hole network was used for Bad Rabbit.”

Pilling acknowledged that there are geographical differences in malicious infections, and that Secureworks’ focus on western Europe, APAC and the USA meant it did not see banking Trojans, “but for us it feels like the heyday of 2010-2014 of banking Trojans and exploit kits has really moved on, and it is much more about post-intrusion ransomware and cryptomining for big money.”

Asked what the company’s message behind post-intrusion ransomware was, Pilling said that this was previously known as “targeted ransomware,” but the reality is that a victim is not targeted directly and an intrusion has already occurred, so the term “post intrusion” makes more sense.

He added that previously, the person who carried out the initial intrusion was usually the same person who distributed the ransomware. These days, however, the malware is more likely to be deployed via the Emotet or Trickbot Trojans. “Maybe they vet some of the targets, but from an infection you get coverage across the network and later someone may deploy a toolkit,” he said.

Pilling said that the Emotet controller may sell access to someone wanting to carry out upwards of 10,000 infections, and the ransomware distributors will want hosts in high-value environments.

“Anyone could potentially be a victim, but you’re more likely to be a victim if you’re in government, healthcare, service or manufacturing where continuity of operations is a big deal,” he said.

Pilling acknowledged that attackers are not setting out to hit a particular organization or sector; more often the infections land on already compromised organizations. “These can be through cracked RDP sessions or via a password; they will sell those on.”

The talk of the death of ransomware seems to have been premature, as it was more a matter of attackers shifting tactics. Can this form of destructive and cash-hungry malware really be so much more dangerous? Perhaps it comes back to the problem of controlling network access and detecting attackers inside the network, to better understand who is doing what before everything goes truly bad. Either way, this new variant could prove that attackers just shift tactics and don’t stay away forever.
