In a world where everything is an “as-a-service,” it’s no surprise that ransomware-as-a-service (RaaS) is a hot ticket on the Dark Web. FortiGuard Labs has observed at least two significant ransomware families – Sodinokibi and Nemty – now being deployed as RaaS solutions.
Meanwhile, cybercriminals are also refining existing malware to evade detection and deliver increasingly sophisticated and malicious payloads, such as we’ve seen in the evolution of the Emotet malware, a popular and successful banking trojan.
Let’s explore the recent discoveries made by the FortiGuard Labs teams on the transformation of these malware families, and ways to safeguard networks against them.
With significant financial incentives to spur them on, cybercriminals continually invent more sophisticated forms of ransomware – and ways of distributing it. For instance, the cybercriminals behind the prolific GandCrab ransomware strain reportedly made more than $2 billion in less than two years before saying that they were “retiring” recently (a claim that some researchers refute). Many of those illegitimate gains came from their use of a RaaS model to distribute the malware. By establishing a network of affiliate partners, GandCrab’s authors were able to spread their ransomware widely and scale earnings dramatically in the process.
We noticed last quarter that Sodinokibi and Nemty, two other significant ransomware families, were being deployed in a similar manner, suggesting the RaaS model is gaining ground. Sodinokibi (a.k.a. Sodin, REvil) surfaced shortly before GandCrab’s authors supposedly retired; it quickly became one of the biggest ransomware threats in Q3. It was used in multiple targeted attacks on major organizations, including nearly two dozen local governments in one state.
Cybercriminals distributed Sodinokibi in a number of ways, including exploit kits, phishing and the exploitation of software vulnerabilities. We believe it is unique among ransomware strains in exploiting a remote code-execution vulnerability to infect systems.
These examples demonstrate that ransomware continues to be a clear and present danger to enterprise organizations. Many threat actors have eschewed mass-volume, spray-and-pray consumer attacks for more carefully planned, targeted ones aimed at maximizing disruption for companies. By using a RaaS model, the authors of malware such as Sodinokibi and Nemty are significantly lowering the bar for launching such attacks. That lowered bar makes this particular form of cybercrime accessible and profitable for a larger pool of bad actors.
How can you protect your organization from increasingly sophisticated ransomware? Here are 10 practical steps to implement now.
As cybercriminals continue launching new malware services to expand their earning potential, enterprises have to stay on their toes. The latest threat data reveals that bad actors are focusing their attacks for maximum impact and profit using increasingly stealthy and unexpected methods. Use the steps listed above to protect your organization from the new crop of ransomware threats.
Derek Manky is chief of security insights and global threat alliances, Fortinet.