Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Dethroning Ransomware: Prominent Attacks Stopped by Morphisec

Posted by Jay Kurup on October 15, 2024

Ransomware has become one of the most prevalent and damaging forms of cybercrime in recent years, affecting businesses, governments and individuals worldwide. The 2024 Verizon Data Breach Investigations Report highlights ransomware as one of the most common methods involved in reported breaches.  

Dethroning Ransomware

Research from Onapsis found that 83% of organizations experienced at least one ransomware attack in the last year, while as many as 46% of respondents reported four or more. The velocity of attacks is driving record profits; in its State of Ransomware 2024 report, Sophos notes a 500% ransom payment increase, with the average ransom costing organizations $2 million. 

 

Ransomware attack technique trends 

Several prominent ransomware gangs are behind this year’s attacks, using a mix of old techniques and new attack strategies to successfully drive ransomware campaigns.  

Powered by Automated Moving Target Defense, Morphisec’s Anti-Ransomware Assurance Suite offers capabilities that prevent ransomware attacks at multiple stages. The following graphic shows prominent ransomware attacks globally from the period of July through September 2024. AMTD mechanisms implemented by Morphisec have effectively prevented in-production ransomware attacks from well-known groups like Ransomhub (BlackCat), Cicada, Lockbit etc., thus validating anti-ransomware assurance capabilities.

 Ransomware attacks from 7/1 to 9/30

See the interactive chart here. 

 

Morphisec Threat Labs has observed several popular tactics across these attacks including: 

 

Trends

Rust-based Malware

A notable trend that we have observed is the adoption of Rust programming languages. 

Rust offers several benefits to adversaries. Since it’s a memory safe language it’s prone to less crashes and provides better performance capabilities, which allow it to encrypt large amounts of data quickly. Additionally, Rust-based code is difficult to reverse as it generates complex code requiring more efforts from researchers. Another factor for consideration is incumbent security products mainly rely on static analysis to detect malware - they are optimized to detect codes which are widely used. A new code will need security solutions to recalibrate themselves which improves the chances of evading detection during the static analysis stage.  

Rust offers more evasive capabilities during run-time and thus decreases the likelihood of detection by security products. 

BlackCat and Cicada are some of the prominent EDR-evading groups that we see adopting Rust successfully to evade the leading EDR/NGAV solutions. A repository of Rust-based malware can be found here.

 

Targeted Attacks

Another trend that we see in 2024 is that ransomware operators are focusing on targeted attacks. Attackers first identify victims and spend time and resources to prepare for the attack. Next, coordinated attacks are launched, usually through exploitation of vulnerabilities of security and network devices for initial access or to gain persistence in organization.

This ultimately impacts critical operations, and forces victims to pay ransoms quickly to restore business continuity. Targeted attacks offer a better chance of rewards as can be seen in the recent DarkAngel attacks where it is claimed that they received record-breaking ransom payments from victims. Morphisec’s AMTD based anti-ransomware mechanisms have been successful in preventing prominent Rust-based ransomware. 

 

DLL Hijack  

Adversaries are adopting the DLL Hijack method to gain infiltration into targeted organizations. DLL Hijack is a method of injecting a malicious DLL into applications by exploiting the way Windows applications load DLLs. Execution of this malicious code provides the adversary group backdoor access to the organizations which would allow later stages of ransomware attack to come into effect.  

As the adversary groups are targeting legitimate signed executables, the static analysis of the security solutions is bypassed in most cases. A recent article highlighted Nitrogen malware, which targeted a well-known IP Scanner to side-load a malicious DLL and execute code leading to deployment of Sliver or CobaltStrike backdoors. Ultimately the attack chain led to the deployment of BlackCat ransomware. 

Morphisec AMTD mechanisms prevent this attack in multiple stages - the earliest is during the deployment of malicious backdoors thus disabling the framework of the attack itself. 


Techniques

Ransomware-as-a-Service (RaaS) 

Ransomware-as-a-Service (RaaS) platforms have allowed cybercriminals to rent out ransomware tools and infrastructure to affiliates. The affiliates don’t require sophisticated skillsets, and multiple options are provided for generating revenue both as a provider or an affiliate. This allows less sophisticated groups to carry out destructive attacks and target a wider, less appealing target base. 

This has contributed to a surge in ransomware incidents. RaaS also enhances the resilience of these operators; despite law enforcement's efforts to dismantle their networks, these criminals quickly re-emerge with advanced tactics and new iterations of their attacks — the high volume of Lockbit3 attacks are an example of the success of ransomware reinvention. 

LockBit3.0, also known as “LockBit Black”, is a highly advanced and dangerous variant of the LockBit ransomware family. LockBit has been one of the most active and successful ransomware groups in recent years, and LockBit 3.0 introduced several improvements and new features to increase its effectiveness and evasion tactics, including its RaaS model. 

 

Endpoint Detection and Response (EDR) Evasion 

EDR evasion is well documented, and Ransomhub(BlackCat) has been particularly successful at evading EDR systems. Ransomhub is a prolific and highly successful ransomware group that has predominately targeted organizations operating in critical industries including utilities, government services and healthcare. In fact, Ransomhub was identified as the adversary behind this year’s Change Healthcare attack.  

More recently Morphisec Threat Labs observed EDR evasion in a customer environment. Cicada3301 ransomware, written in Rust, was first reported less than two months ago. Despite its recent emergence, Morphisec threat researchers have already identified striking similarities between Cicada3301 and the infamous BlackCat ransomware.   

Like its namesake, the Cicada puzzle, which has long been associated with complex, cyber-related problem-solving, the true identity of the Cicada3301 ransomware developers remains shrouded in mystery.  

However, it's crucial to note that Morphisec's anti-ransomware impact protection has already proven effective against Cicada3301 without requiring any updates, highlighting Morphisec’s robustness and adaptability in the face of emerging threats.  

During Morphisec’s investigation, additional tools were uncovered, such as EDRSandBlast, which is used to tamper with EDR systems. 

Adversaries are increasingly using specialized BYOVD (Bring your own vulnerable drivers) techniques to disable the protection of EDR/NGAV solutions. BYOVD techniques allow adversaries to deploy a legitimately signed driver on the target system, however the drivers have vulnerabilities which allow the attackers to execute malicious code granting them privileged rights. 

This allows them to disable security solutions and execute the malicious payload without any hindrance. Notable tools that we have seen is EDRkillshifter used by Ransomhub and Terminator tools sold as a service by Russian spyboy group. 

 

Double Extortion

Data exfiltration is a common tactic used by all notable ransomware groups today prior to impact stage, which is where the process of data destruction happens. Leakage of PII data can impact brands and introduce legal consequences. Bearing this in mind, adversary groups employ additional pressure tactics of holding companies to ransom by threatening leakage of this data into public domain. This tactic increases the likelihood of ransom payments, hence its growing popularity over the last few years. 

All leading ransomware groups today employ this technique effectively by leveraging deviations from best practices or taking advantage of excessive privileges to exfiltrate data from the organizations. 

 

Triple Extortion

In addition to double extortion tactics, adversaries also try to disrupt the critical services of the victims, pressurizing victims to pay ransoms by carrying out Denial of Service (DDoS) attacks on critical applications while also extorting business affiliates (the affected organization’s supply chain) by threatening to leak PII and confidential data.  

This is a pressure tactic to scare the organization into paying ransom. Ransomware operators have been observed to approach the SEC to report on attacks, thus creating additional pressure on organizations. SEC mandates that organizations must report ransomware attacks; failing to report incidents can have serious consequences if not done proactively. 

 

Pure Data Theft and Extortion

The Meow group and its ransomware first appeared as a strain of the well-known Conti ransomware, which in recent years gained notoriety for its high-profile government targets. In the past year the group operated a Ransomware-as-a-Service (RaaS) model, though more recently it appears that the Meow group has shifted tactics and is instead focused on data theft. Reports suggest that the group assigns two prices to stolen data – one price to access the data, and another larger fee for exclusive access to the data. 

 

Evolving Anti-Ransomware Defense 

Ransomware attacks will continue to increase in frequency. The sophisticated groups behind ransomware attacks are exposing the limitations of the current security solutions. 

Organizations should consider investing in a dedicated Defense-in-Depth approach to combat ransomware and harden their overall security posture. 

A combination of Zero Trust Architecture and Automated Moving Target Defense (AMTD) can offer ideal protection in multiple stages to prevent some of the sophisticated tactics and techniques employed by the adversary groups. Additionally, AMTD can alert the presence of ransomware group activity in an organization’s environment, facilitating quicker containment.  

AMTD works by dynamically altering the attack surface, confusing and hindering attackers by continuously shifting system targets, making it more challenging to compromise. 

Morphisec is leading the charge in ransomware defense as the industry’s first provider to seamlessly integrate crucial elements — ransomware protection, AMTD and Continuous Threat Exposure Management (CTEM) —into a single, powerful solution. 

The Morphisec Anti-Ransomware Assurance Suite with Adaptive Exposure Management is designed to help organizations pre-emptively reduce exposure to cyber risk, proactively prevent advance threats and ensure optimal anti-ransomware defense. Powered by Automated Moving Target Defense (AMTD), this solution helps organizations adapt, protect and defend with a multi-layered guard against ransomware threats.  

Built on Morphisec’s pioneering AMTD technology, the Anti-Ransomware Assurance Suite provides multiple distinct layers of anti-ransomware protection, pre-emptively reducing an organization’s exposure, and proactively preventing attacks at multiple phases. Additionally, it protects critical system resources and data when ransomware attempts to execute, reducing mean time to recovery.  

 

Download the Comprehensive Checklist for Anti-Ransomware Assurance  to learn more and access actionable tips you can apply to further evolve and harden your ransomware defense. 

New call-to-action