New Entrants to Ransomware Unleash Frankenstein Malware
Opportunistic, Less Sophisticated Hackers Test Limits of the Concept of Code Reuse
Ransomware hackers are stretching the concept of code reuse to the limit as they confront the specter of diminishing returns for extortionate malware.
Users are more reluctant to pay even as opportunistic entrants, perhaps less sophisticated than their predecessors, join the market and show less willingness to abide by the ransomware trade-off: money for system restoration.
At the beginning of the year, experts who work with victims and track the cybercrime ecosystem, including via cryptocurrency flows, reported seeing fewer ransoms being paid and less being paid on average when victims did pay.
Cyber insurer Corvus reported that the percentage of its policyholders who paid a ransom dropped from 33% in 2021 to 28% in 2022. Ransomware incident response firm Coveware reported that for victims it assisted, 41% shelled out in 2022 versus 79% in 2019.
That constricting market - the result of hardening attitudes toward mainly Russian extortion groups and cyber defender activity - isn't deterring new actors from attempting to cash in on the shrinking bonanza. In their haste to make money, some new players are picking over the discarded remnants of previous ransomware groups, cobbling together ransomware rather than going through the trouble of coding bespoke crypto-locking software.
Call it Frankenstein ransomware, said Allan Liska, principal intelligence analyst at Recorded Future. Victims are getting hit by malware built by attackers using bits of stolen or leaked code. Liska said that technically speaking, it should be Frankenstein's monster - he of the grave-robbed bits jelled together - but you get the drift.
The ESXiArgs malware being used to target VMware systems starting in February is one such monster, borrowing a "ransom note from one ransomware, the encryption scheme from another ransomware, kind of put together to make a new ransomware," Liska told me at the recent RSA Conference in San Francisco.
"A lot of what we're seeing in terms of new ransomware variants are really just stolen code that's being repurposed by another ransomware guy," he said.
Other newcomers embracing this approach include Rapture, which appears to have adapted Paradise crypto-locker source code that leaked in 2021. GazProm, named for the Russian gas giant and with a ransom note featuring ASCII art of Russia's president, uses leaked Conti source code. Newcomers RA Group, Rorschach and RTM Locker also use source code from Babuk that leaked in September 2021.
Unfortunately for attackers and their victims, mileage varies - not least based on criminals' technical chops.
Malware research site vx-underground has called on criminals to stop wielding the leaked Babuk source code unless they patch the many code-level problems - including an inability to decrypt large file types - that helped precipitate the group's implosion (see: Gouda Hacker: Charges Tie to Ransomware Hit Affecting Cheese).
"If you're going to be a criminal group, do it correctly. Your victims won't be able to recover files," vx-underground said to users of Babuk.
Big Risks: Bad Bugs, Old Code
As ransomware attacks continue, is there anything defenders should be doing more of to better blunt them? Verizon's latest annual data breach report includes a call from Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, to deploy multifactor authentication much more widely. MFA often blocks outright the use of credentials, which are easily stolen.
"In particular, it's critical that 'high-value targets' like system administrators and software-as-a-service staff use phishing-resistant MFA," Easterly wrote.