By The Integrity360 Team on July 25, 2018

3 ransomware and malware attacks you need to know about

Ransomware, Breaches, Alerts & Advisories

If you laid the source code of all the malware strains in the world together, it would probably wrap around the world a few times over.

While no one knows for sure how many times it would cross the Atlantic, the underlying theme is that there are a lot of dangerous files out there. It’s impossible to know exactly how many different versions of trojans, worms and viruses are active at any given time, but that hasn’t stopped the AV-TEST IT Security Institute from trying.

The independent research agency adds around 350,000 new malware strains to its database every day. By the end of 2018, the cumulative total reached 850 million – over 800 million more than were registered in 2009.

Altering the code slightly allows hackers to create a modified variant, which may have more success getting past cyber security defences that rely on traditional signature-based detection. Despite that, there is still an overarching digital footprint behind every attack – here are the three ransomware and malware strains every business needs to know about.

1. GandCrab 

GandCrab is a ransomware that has drawn international attention since its emergence in early 2018. Its latest version, version 4, uses spam disguised as legitimate invoices, or a similar tactic, to get users to download the trojan. The program is then executed from a remote command and control server, encrypting everything on the computer and demanding a ransom.

The ransomware campaign has gained notoriety for its creators’ ability to quickly rewrite its source code to get around efforts to patch it. The strategy is a page out of the book of software developers, who use agile development methodologies to overcome bugs and glitches, or add new features in a timely manner.

GandCrab creators see patching in the same vein as an end user reporting a bug, and they hastily rewrite its source code to avoid detection or removal. Its amorphous nature is making it increasingly more difficult to identify until it’s too late – and even tougher to remove without paying the ransom.

Why GandCrab is important: 

Agile software development has been popular with commercial developers since the turn of the century; now the hacking community is adapting it. If this trend persists, expect ransomware to be vastly more difficult to detect unless a business is using behavioural analytics when evaluating event logs to spot deviations from the norm. With how quickly the code is changing, signature-based detection will be overmatched.
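To illustrate the point above, here is an added example (not code from Integrity360 or from any of the malware families discussed): a one-byte change between two constructed "builds" defeats an exact-hash signature, while a behavioural rule over a constructed endpoint file-event log (hypothetical format: epoch seconds, pid, process, action, path) still flags the process that mass-renames documents, whatever binary produced the events.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-ins for two builds of one malware family that differ by a
# single byte: a hash signature taken from build A does not match build B.
VARIANT_A = b"MZ\x90\x00constructed-stub\x00build4"
VARIANT_B = b"MZ\x90\x00constructed-stub\x00build5"
KNOWN_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

def signature_match(sample: bytes, known_hashes: set) -> bool:
    """Signature-style check: exact SHA-256 match against a blocklist."""
    return hashlib.sha256(sample).hexdigest() in known_hashes

# Constructed endpoint file-event log in a hypothetical format:
#   <epoch_seconds> <pid> <process> <action> <path>
SAMPLE_LOG = "\n".join(
    ["1532500000 412 winword.exe WRITE C:\\Users\\ann\\Documents\\q2.docx",
     "1532500030 412 winword.exe RENAME C:\\Users\\ann\\Documents\\~q2.tmp"]
    + [f"{1532500100 + 3 * i} 977 updater.exe RENAME "
       f"C:\\Users\\ann\\Documents\\file{i}.xlsx.locked" for i in range(8)]
)
LINE_RE = re.compile(r"^(\d+) (\d+) (\S+) (\S+) (.+)$")

def parse_events(log: str):
    """Parse log lines into (ts, pid, process, action, path) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, pid, proc, action, path = m.groups()
            events.append((int(ts), int(pid), proc, action, path))
    return events

def flag_mass_rename(events, threshold=5, window=60):
    """Behavioural rule: flag a process that renames >= threshold files within
    any window-second span, regardless of which binary produced the events."""
    rename_times = defaultdict(list)
    for ts, pid, proc, action, _ in events:
        if action == "RENAME":
            rename_times[(pid, proc)].append(ts)
    flagged = set()
    for key, times in rename_times.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged.add(key)
                break
    return flagged
```

Thresholds here are illustrative; in practice they would be tuned against a baseline of normal per-process rename rates for the environment.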

2. SamSam 

SamSam is a ransomware that has existed since 2016 in various forms. Recent attacks have given greater insight into its creators' tactics and strategies, and into how hackers have evolved to stay ahead of modern cyber security defences.

The threat campaign is in a league of its own when it comes to methodology and malicious features. First, it preys on public-facing organisations that can’t risk downtime – like healthcare companies or public transport – instead of enterprises that would provide a bigger payday, Dark Reading reported.

Then, rather than rely on one version of the software to launch a sustained attack, its creators release thousands of iterations of it within a digital infrastructure. Doing so allows them to charge businesses in a variety of ways to decrypt files, and to avoid being foiled by a single golden key.

Now, Malwarebytes researchers have revealed that SamSam is a five-component attack – and the most important is a final, manual action. Anyone in the world can download the malicious file, but the payload won’t be executed unless its creators enter a password to run it. This suggests that SamSam exists solely for targeted attacks.

Why SamSam is important: 

Most attacks are automated in that they spread like wildfire, and quickly inject malicious code once the program has infiltrated a system. SamSam takes an alternative approach by limiting its scope, requiring manual input to run and then deleting all traces of itself off the system. Campaigns like this will become more common over the years as threat actors manipulate their methodologies to stay ahead of middling cyber security defences. 

3. Roaming Mantis 

Roaming Mantis, also known as MoqHao and XLoader, is a smartphone malware designed primarily for Android, but has recently been reinvented for iOS devices. It’s uncertain exactly when the malicious program originated, but what its creators have accomplished lately is why it’s now setting off alarms. 

The malware leverages compromised routers to attempt DNS hijacking, which sends users to malicious websites disguised as legitimate ones. Targets are then prompted to download a Trojan disguised as a Chrome or Facebook update, which then proceeds to infect the device, ask for security credentials and potentially collect banking information, according to Kaspersky Labs.

Only one month after the cyber security researchers wrote about Roaming Mantis, they discovered that its creators had added 22 new languages to its interface. This expanded the malware's reach from Asia to Europe and the Middle East during that time span. Furthermore, Roaming Mantis also added features that allow it to cryptomine from infected laptops and computers.

In a similar fashion to GandCrab, the creators of Roaming Mantis are expanding its capabilities quickly. There is no clearly defined target for the campaign at the moment, apart from mobile users in general.

Why Roaming Mantis is important: 

It was only a matter of time until threat actors began to focus on smartphone users. Programs like Chrome and Facebook normally ask for a wide array of permissions, like being able to write to storage or read various files – Roaming Mantis feeds off the idea that users almost always accept, and asks for the privileges itself. These types of malware campaigns could spread like wildfire within enterprises, exposing sensitive data and financial information in the process.

Three threats and the evolving cyber threat landscape 

While malware like GandCrab and SamSam is becoming increasingly difficult to stop, much less detect, it is still valuable to understand how it operates. Knowing how these innovative cyber-attacks work, which vulnerabilities they exploit and what changes are being made to them is key to effective threat intelligence gathering and sharing.

Don’t worry about crawling the internet to find the latest threats – we’ve got you covered with our Integrity360 Risk Radar quarterly report. Catch up on all the latest trends and exploits that companies need to make informed decisions about their cyber security strategy.
