Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/7/2019
02:00 PM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

The Big E-Crime Pivot

Criminals have begun to recognize that enterprise ransomware offers tremendous financial advantage over the more traditional tactics of wire fraud and account takeover.

The concept of "the pivot" is well-understood by entrepreneurs, who often set out to build a business or technology and realize they need to shift their strategies. Visually, one foot remains firmly in place while the other turns to reorient the rest of the body. Typically, they don't throw everything out the window and start over. Rather, they reimagine the way they can use the tools at their disposal.

The same can be said about today's sophisticated e-criminals, who are increasingly pivoting and reusing their existing technology for new ways to generate revenue.

For example, malware-as-a-service has been a prominent component of the e-crime ecosystem for the past decade. Criminals built specialized platforms for large-scale credential theft. Malware distributed this way — with names like Dridex, Trickbot, and BokBot — has long been optimized to steal account information using webinjects. That is how it inserts itself into a browser, downloads and installs other malware/tools, captures screens or memory buffers filled with sensitive information, and, in recent years, even steals cryptocurrency wallets.  

The e-criminals behind these malware platforms also built relationships with other e-criminals who specialize in spam, pay-per-install, and exploit kit development to optimize distribution. When your bread and butter is to steal credentials, the name of the game is to get your malware out as far and wide as effectively as possible. Pushdo, Smoke, and Emotet have emerged as some of the malware families/actors that specialize in getting payloads delivered to the would-be victim machines. CrowdStrike has observed the symbiotic relationships between these e-criminals for quite some time, and it has shaped our model of the e-crime ecosystem.

But in recent months, e-criminals have begun to recognize that enterprise ransomware – what we call "big-game hunting" – offers tremendous financial advantage over the more traditional e-crime tactics of wire fraud and account takeover. (We touch on this trend in the "2019 CrowdStrike Global Threat Report.")

This realization is, in part, due to the evolving cat-and-mouse game between the adversary and security practitioner; as new countermeasures are deployed to mitigate wire fraud or account takeover the cost/benefit calculus changes. Another factor is that the competitive landscape for e-criminals conducting these types of attacks has become more crowded. In general, adversaries across the entire spectrum of threat actors prefer to take the path of least resistance, rather than work harder and work smarter.

In short, margins for threat actors conducting wire fraud and account takeover have become tighter. In need of a new way to increase revenue, they are pivoting.

The first indication of the shift to ransomware can be traced back to summer 2017, when INDRIK SPIDER, the adversary CrowdStrike associates with Dridex development, began to deploy BitPaymer in enterprisewide ransomware directed against the healthcare sector. (CrowdStrike Intelligence uses the naming scheme SPIDER to describe e-crime actors.) Approximately one year later, GRIM SPIDER emerged deploying the Ryuk ransomware, a derivative of the Hermes ransomware against a variety of verticals, including financial, government, healthcare, hospitality, legal, and retail.

In March of this year, we reported on a change of tactics by PINCHY SPIDER, the actor behind the GandCrab ransomware that emerged in early 2018 with a partnership program offering a split of the profits to actors who utilized its ransomware to conduct extortion. Also this year, LockerGoga emerged as another enterprise ransomware that was employed against manufacturing and industrial companies, demanding high-dollar ransom amounts.  

Big-game hunting attacks typically begin with deployment of banking Trojans or through a compromise of an external-facing system. Adversaries seeking to deploy ransomware across the enterprise move laterally, escalate privileges, and deploy their payloads. CrowdStrike's 1-10-60 rule is one organizations should strive to achieve: It means aiming to detect an intrusion in under a minute, performing a full investigation in under 10 minutes, and eradicating the adversary from the environment in under an hour.  

The writing is on the wall for e-criminals: There is big money in big-game hunting, and it is disrupting businesses across the globe. Paying the ransom doesn't necessarily resolve the problem either. It is more important than ever that organizations and agencies have the right people, processes, technology, and intelligence to stay ahead of these threats.

Related Articles:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11019
PUBLISHED: 2020-05-29
In FreeRDP less than or equal to 2.0.0, when running with logger set to "WLOG_TRACE", a possible crash of application could occur due to a read of an invalid array index. Data could be printed as string to local terminal. This has been fixed in 2.1.0.
CVE-2020-11038
PUBLISHED: 2020-05-29
In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer Overflow exists. When using /video redirection, a manipulated server can instruct the client to allocate a buffer with a smaller size than requested due to an integer overflow in size calculation. With later messages, the server c...
CVE-2020-11039
PUBLISHED: 2020-05-29
In FreeRDP less than or equal to 2.0.0, when using a manipulated server with USB redirection enabled (nearly) arbitrary memory can be read and written due to integer overflows in length checks. This has been patched in 2.1.0.
CVE-2020-11041
PUBLISHED: 2020-05-29
In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot ...
CVE-2020-1798
PUBLISHED: 2020-05-29
HUAWEI P30 smartphones with versions earlier than 10.1.0.135(C00E135R2P11) have an improper authentication vulnerability. A logic error occurs when handling NFC work, an attacker should establish a NFC connection to the target phone, and then do a series of operations on the target phone. Successful...