In 2021, attacks became highly effective and impactful. At the same time, high-volume indiscriminate ransomware threats remained omnipresent throughout the year.
In this post, the Varonis Threat Labs team shares what they observed in the wild while working on ransomware investigations.
Overall, the team identified these five ransomware trends that shaped 2021:
- Ransomware-as-a-Service became the go-to model for attackers. 2021 saw a shift toward the Ransomware-as-a-Service (RaaS) business model, where groups recruit affiliates or partners to conduct specific parts of their operation.
- Attackers crafted bespoke ransomware. In 2021, threat actors bullied targeted organizations with victim-specific ransomware designed to avoid detection and ensure the efficacy of the attack within the victim's environment.
- Attackers went "big game hunting." Sophisticated 'big game hunter' ransomware groups, both old and new, honed their ability to access victims' networks worldwide. Cybercriminal groups adopted the now widespread 'double extortion' tactic to steal—and threaten to leak—sensitive data.
- Ransomware sent shockwaves through the software supply chain. Numerous high-profile incidents targeting high-worth organizations via software supply chains during 2021 demonstrate the impact that ransomware can have on an organization—and, in some cases, led to 'real-world' outcomes sending shockwaves across the broader economy.
- Attackers bought and sold off-the-shelf commodity malware. Commodity malware continued to be widely adopted by threat actors of varying sophistication—from organized cybercriminal gangs delivering payloads to gain initial access to high-value targets to script kiddies using simple off-the-shelf threats to steal credentials for resale on the dark web.
Ransomware-as-a-Service
The entry barrier for many would-be attackers has been lowered thanks to a myriad of ransomware-as-a-service (RaaS) offerings—which offer access to impactful malware and malicious toolkits. RaaS provides an opportunity for less-sophisticated threat actors to get involved in this lucrative form of cybercrime.
And money talks. Cryptocurrencies such as Bitcoin and Monero appear to remain the favored illicit payment methods for those trading on the underground economy and for receiving payments from victims. And crypto is a desirable target for theft, too.
Some RaaS offerings utilize a subscription model and charge for access to encrypting malware. Others appear to favor profit-sharing arrangements that effectively support a broader underground market for both individual affiliates and sub-groups specializing in specific areas of attack.
One example is the rise in 'initial access brokers' (IAB), which, while not a new phenomenon, typically utilize mass-scanning techniques to identify and exploit vulnerable hosts to gain initial access.
Traditionally, IABs sell access to victim networks via underground forums and marketplaces. Prices are commensurate with the perceived value. For example, gaining access to a large well-known enterprise would carry a higher price than a small business.
The IAB approach allows ransomware groups to cherry-pick and purchase access to potentially lucrative victims. Many IABs are becoming affiliates or partnering with ransomware groups, becoming subcontractors. They gain a share of the ransom in exchange, which is likely a far greater reward than their old sales model.
As expected, offering an increased share of the profits also carries increased risk. Specifically, as these affiliates and partners conduct much of the 'hands-on' work, they are likely subject to more scrutiny by defenders and investigators. Any operational security (OPSEC) failure could easily leads back to them.
Those 'at the top' of the RaaS organization are far less exposed, especially if all dealings with affiliates and partners are conducted via secure means. As such, these operators can 'skim the cream' off the top of any ransom payment and—should too much law enforcement interest come their way—shut down operations and/or rebrand.
Meanwhile, those 'at the top' of the RaaS organization are far less exposed, especially if all dealings with affiliates and partners are conducted via secure means. As such, these operators can 'skim the cream' off the top of any ransom payment and—should too much law enforcement interest come their way—shut down operations and/or rebrand.
From a defender's perspective, while it is easy to identify ransomware during the encryption phase, attacks thwarted before this phase would appear consistent with any other attack, regardless of motivation.
Additionally, the job of law enforcement becomes complicated as ransomware groups compartmentalize their operations and maintain high levels of OPSEC. Some may go so far as to hide their identities from affiliates. As such, those caught may be lower-level operators and affiliates with little knowledge of the group’s leadership or overall structure.
Bespoke Ransomware
Many groups will build victim-specific ransomware to avoid detection based on previously observed samples and to ensure that the threat is effective within the environment where it will be deployed.
Most ransomware threats are executable files targeting Windows and in many cases are delivered by other threats such as botnets. An increased understanding of today's enterprise environment has also led to some groups introducing threats that can target Linux-based hosts, including those used for file storage and virtualization (such as VMware ESX).
Typically, those responsible for initial access to a network will have some preferred vulnerability, often identified through mass-scanning activity, with observed incidents suggesting that those affecting RDP and VPN hosts are still favored.
Further, as new high-profile vulnerabilities are reported, specifically those that can be exploited remotely and allow code execution and/or privilege escalation, threat actors are often quick to re-tool and add these exploits to their arsenal.Many groups are consistent in using common attack tools, such as Cobalt Strike and Mimikatz, alongside PowerShell automation and the installation of other malicious payloads, including remote access trojans (RAT), to maintain access.
Once attackers gain initial access to a victim network, APT-style tactics, such as a 'low and slow' or 'drop feed' approach to data theft, are often deployed. These tactics allow them to remain undiscovered during the exfiltration phase.
Additionally, many ransomware groups carefully review a victim's financial records, sometimes going so far as to seek out details of any cyber insurance policy so that ransom demands can be pitched at a price that the threat actor knows the victim can pay.
Big-game Hunters Extort Victims
The success and widespread adoption of the double extortion tactic poses an interesting question: does a ransomware group need to encrypt any data to succeed?
In many cases, the answer is 'no'—assuming suitably confidential or sensitive data is stolen and sufficient pressure can be applied to convince the victim that non-disclosure will be less costly or damaging than publicly leaked data.
Putting this into context, the theft and exposure of personal identifiable information (PII) can result in both regulatory penalties and reputational loss. The theft and exposure of intellectual property (IP) could result in losing competitive advantage by allowing others to benefit from the victim's costly research and development.From the threat actor's perspective, dropping the encryption phase from an attack brings many advantages. Namely, it negates the need to develop and maintain the ransomware threat itself—and potentially being able to maintain persistent access to the victim network after making an extortion demand as the encryption phase alerts defenders to their presence.
Ransomware groups continue to evolve their extortion methods, from the early days of a simple ransom note to the 'steal, encrypt and leak tactics' to contacting customers, employees, and the press to alert them to the compromise. Further applying pressure, many groups refuse to work with third-party negotiators, advising victims to pay up without involving cybersecurity vendors and law enforcement or risk having an increased ransom demand, data leaked, or worse.
Some have gone so far as to utilize a ‘triple’ extortion tactic, threatening victims with distributed denial of service (DDoS) attacks alongside the release of stolen data.
While some law enforcement successes offer glimmers of hope, ransomware groups will continue to grow and evolve in 2022. The lucrative nature of these attacks means that when one threat actor falls, many are waiting to take their place—from newcomers to a 'competitor' learning from their mistakes to expand their criminal enterprise to some affiliate looking to get a bigger slice of the pie.
For every known victim, others have capitulated to ransom demands in an attempt to minimize the impact of an attack. Some victims will pay to regain access to their data to avoid damaging their reputation should confidential data be leaked.Software Supply Chain Attacks
One notable and highly effective tactic—typically used by nation-state threat actors—rose to prominence during 2021: ransomware groups attacking the software supply chain.
Unlike the traditional nation-state tactic of compromising a weaker supply chain entity as an entry point to a specific target network, ransomware groups have actively sought to compromise software suppliers to compromise all of their customers. Software supply chain attacks allow a single intrusion to blossom into a widespread problem that cascades to multiple victims.Commodity Malware
Commodity malware threats continue to be widely adopted by threat actors of varying sophistication—from organized cybercriminal gangs delivering payloads to gain initial access to high-value targets to 'script kiddies' using simple off-the-shelf threats to steal credentials for resale on the underground economy.
While these threats are numerous and varied, threat hunters observed the following popular malware families throughout 2021.
njRAT
First observed in late 2012 or early 2013, njRAT is a widely available remote access trojan (RAT) initially created by a cybercriminal threat actor named 'Sparclyheason.'
The source code for this RAT was reportedly leaked in May 2013, no doubt leading to its adoption among low-sophistication threat actors. Numerous guides and tutorials detailing its use became available on underground forums and YouTube.
Remaining widespread throughout 2021, njRAT targets Windows hosts and is typically delivered via indiscriminate malicious unsolicited email (malspam) campaigns> It is also found within trojanized versions of legitimate applications downloaded from suspicious sources and file-sharing websites.
Consistent with other popular RAT threats, njRAT provides typical remote control and viewing capabilities and the ability to transfer and execute files, manipulate the registry and access a remote shell. Further, the RAT can allow remote audio and video recording using connected microphones and webcams and keylogging and password-stealing features.
Formbook
First observed in early 2016 and later succeeded by the XLoader variant in 2020, Formbook is an information-stealing threat available for purchase on underground forums via a malware-as-a-service (MaaS) offering.
Widely used by low sophistication threat actors to steal credentials or other data from victims, the usage of Formbook continued to grow throughout 2021, likely due to its availability, low cost, and ease of use. Initially only targeting Windows, with XLoader introducing support for Apple macOS, Formbook includes some RAT-like features in addition to its credential-stealing capabilities, like the ability to transfer and execute payloads and forcing a reboot or system shutdown.
As such, this threat could easily be used as an initial entry point to deliver additional malicious payloads and fulfill an objective other than data theft.
While Formbook is no longer directly advertised on underground forums due to the introduction of XLoader, it remains a prevalent threat. It was observed in numerous campaigns throughout 2021 utilizing fake invoices and order-themed lures.
NanoCore
First observed in 2013, NanoCore was previously available for purchase for around $25—although 'cracked' versions are widely circulated on the cybercrime underground.
Initially developed by an individual who was later arrested, NanoCore provides typical remote access trojan (RAT) capabilities supplemented by a modular architecture that allows the creation and use of plugins to extend functionality.
NanoCore continues to be widely used by typically low-sophistication threat actors today, thanks to the availability of cracked or leaked versions. Purchase order and payment receipt lures are common among trojanized versions of suspicious or copyright-infringing files.
Lokibot
Lokibot, also known as Loki and LokiPWS, is an information stealer first seen in mid-2015 that was initially sold for as much as $400 on cybercrime forums before its source code was subsequently leaked.
Lokibot is commonly used by low-sophistication threat actors and is now a widespread threat. It supports modules that provide additional functionality, including a keylogger and cryptocurrency wallet stealer.
As expected, attackers typically use Lokibot in indiscriminate campaigns and, in addition to previously using COVID-19 themed lures, recent campaigns masquerade as invoices and shipping notices.
Remcos
Marketed as a 'legitimate' commercial remote access tool, Remcos was first identified in 2016 and is regularly updated by its developers.
As one of the most prevalent remote access trojan (RAT) threats, Remcos, like other off-the-shelf tools, is an easily accessible threat for low-sophistication actors featured in numerous YouTube tutorials and guides.
Additionally, high-sophistication threat actors sometimes favor tools like Remcos, which negates the need to develop their own and allows them to refocus efforts on other phases of their attack.
In addition to standard RAT features, Remcos provides a 'remote scripting' capability, which allows code to be executed simultaneously across multiple hosts.
Further, would-be users of Remcos can purchase supplementary services from its developers, such as a mass mailer used for sending email lures and a dynamic DNS service. The latter would provide a single hostname that facilitates access to the command and control (C2) host while allowing the threat actor to update their IP address without updating the Remcos binary.
Remcos has been delivered in phishing emails disguised as invoices, shipping notifications, and tax lures, in addition to trojanized files related to copyright-infringing software.
AZORult
First identified in early 2016, AZORult is an information stealer often delivered via malspam campaigns utilizing topical themes or masquerading as legitimate business communications.
Typical AZORult malspam campaigns deliver a weaponized Microsoft Office document that utilizes a macro to exploit common vulnerabilities. It then downloads the malicious payload from the threat actor's command and control (C2) infrastructure.
Subsequently, AZORult is launched to steal confidential data, including credentials, payment card details, browsing data, and cryptocurrency wallets, before sending it to the C2 and terminating.
Likely in support of additional objectives, AZORult is often accompanied by other threats. In addition to masquerading as business communications, numerous samples have included trojanized 'cracks' or other questionable content frequently associated with copyright infringement.
Netwire
First discovered in 2012 and widely utilized by cybercriminals, Netwire is a remote access trojan (RAT) readily available for purchase from cybercrime forums. IT is often delivered in campaigns using common purchase orders and tracking notification lures.
In addition to standard RAT functionality, attackers updated Netwire in 2016 with a payment card scraper feature that targeted devices connected to Point-of-Sale (PoS) systems.
While used in widespread mass campaigns, NetWire has also been used in targeted campaigns, likely in an attempt to acquire payment card data from PoS hosts in bulk. Netwire uses custom encryption for its command and control (C2) traffic to evade detection and complicate investigations. It encrypts stolen data before transmission.
Danabot
First observed in 2018, Danabot is a modular banking trojan initially used by a single threat actor and subsequently sold to others as a malware-as-a-service (MaaS) offering.
Danabot's modular architecture has made it far more versatile. It initially focused on credential theft, cryptocurrency wallets, and banking credentials through web injects. For example, it can include remote access trojan (RAT) capabilities and a ransomware encryption capability.
Danabot is typically delivered through malspam campaigns. In October 2021, an NPM package was compromised for the popular JavaScript library 'UAParser.js,' and reportedly modified to download and execute Danabot alongside a cryptocurrency miner.
Since this legitimate package—used to read information from user-agent strings—has a reported weekly download volume between six and seven million, the potential reach of this incident could have led to a massive number of compromised hosts. This was detailed in an alert published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Emotet
First observed in 2014, Emotet started as a banking trojan. It was the target of an internationally coordinated takedown in January 2021.
Although it retained some core information-stealing capabilities, Emotet evolved over the years to act as a downloader for other malicious payloads. Threat actors offered their botnet 'as-a-service' to the cybercriminal community. They became a leading distributor of other common threats—including ransomware linked to the big-game hunter group 'Ryuk.'
While understandably quiet throughout much of 2021, Emotet has recently seen a resurgence in activity, albeit without their botnet, which was reportedly dismantled following law enforcement action.
Although the details of recent Emotet campaigns remain limited, 2022 could likely see its resurrection—especially if the same threat actor is behind this recent activity.
What's Ahead
As 2021 drew to a close, Varonis Threat Labs observed RaaS provider ALPHV (aka BlackCat ransomware) actively recruiting new affiliates and targeting organizations across multiple sectors worldwide.
The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater. Read our full write-up.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
