Insights | Integrity360

Noteworthy Ransomware and Malware in 2020

Written by The Integrity360 Team | 18 January 2021 09:37:30 Z

According to Wired, ransomware is one of the fastest growing threats in cybersecurity, with global damages predicted to reach £15 billion by 2021.

One-third of all cyber attacks in 2020 can be attributed to three main ransomware groups: Ryuk, Maze and Sodinokibi. Other key trends for 2020 ransomware include threats of data exfiltration and publication.

We've outlined some of the most common ransomware and malware threats during 2020 so you can keep up to date on this continuously evolving threat:

Maze
Maze—by its own reports—came to a close in 2020, but whether or not that is true remains to be seen. Maze worked differently from other ransomware groups that infect victims with file-encrypting malware and then hold files for ransom. Maze captured headlines by being the first ransomware group to exfiltrate data and threaten to publish the data unless their ransom was paid. This became a popular tactic among other ransomware groups.

Maze started by using exploit kits and spam campaigns to gain access to enterprise networks, but then shifted to using vulnerable VPNs and remote desktop servers (RDSs) to launch targeted attacks. They demanded $6 million USD from one Georgia-based wire and cable manufacturer and $15 million from another unnamed organisation.

Ryuk
According to Check Point, the Ryuk ransomware variant was first discovered “in the wild” in August 2018. Since then, it has grown in visibility to become one of the best-known and costliest ransomware variants in existence.

Unlike early ransomware variants such as WannaCry, Ryuk is designed to be extremely targeted. The design of the malware means that each victim must receive the individual attention of the cybercriminals operating the malware. As a result, Ryuk is used in targeted campaigns with highly tailored infection vectors and high ransom demands.

REvil (a.k.a. Sodin and Sodinokibi)
In 2020, the criminal group behind the REvil ransomware attacks started auctioning off sensitive data they stole from companies that were infected by their software. This was a marked escalation in their attempts to get victims to pay a ransom, all while publicly shaming the companies that didn’t pay up.

This was also a very ominous moment in ransom malware, with ransomware purveyors finding new ways to profit from their attacks even as businesses struggled during the COVID-19 economic slowdown.

The first victim of REvil’s data auction was a Canadian agricultural production company that declined to meet REvil’s extortion demands. The starting price for this data? $50,000.

DoppelPaymer
The first victims of DoppelPaymer were targeted in June of 2019, with earlier testing or potential attacks that can be traced back to April of 2019. With eight distinct malware builds and three confirmed victims, DoppelPaymer asked for payment in Bitcoin, with ransom amounts for each victim varying between $25,000 and $1,200,000 USD.


The ransom note left by DoppelPaymer is very similar in nature to the BitPaymer ransomware seen in 2018, with a nearly identical payment portal as well. The payment portal offers a ransom amount, plus a countdown clock, and a Bitcoin address.

Dridex “2.0”
Early versions of Dridex were simple, using an old infection tactic of attaching a Word document that utilised a macro to install malware. With newer versions of Microsoft Office, however, this tactic was no longer effective and the threat subsided. Now, a newer version of the Dridex ransomware uses a code injection technique called AtomBombing to infect systems. The technique works on most versions of Windows, taking advantage of errors to inject and execute malicious code in legitimate applications and processes. This is the first known ransomware to use AtomBombing.

PureLocker
PureLocker ransomware showed up in late 2019 and continued into the new year. Written in the PureBasic programming language, the ransomware proved to be unique and challenging to uncover because it’s hard to spot detection signatures for PureBasic binaries.

Antivirus checks struggle to see PureLocker, and the ransom note generated by the virus is not like other ransom notes; it doesn’t ask for direct payment but instead asks the victim to contact the attacker via an anonymous and encrypted email service. It’s a rethinking of ransomware that uses Malware-as-a-Service and rests in waiting, looking for its chance to strike.

MegaCortex
We first saw MegaCortex ransomware in January of 2019, and it quickly became notable because of its reference to the film The Matrix and its MetaCortex. The malware author not only included a signed executable in the payload but also offered security consulting services from the author of the malware.

This ransomware used automated and manual components to infect as many vulnerable victims as possible, targeting corporations and leveraging previously compromised networks. With MegaCortex, victims are chosen in advance because of existing and known security holes, and with already-acquired passwords—which means it's vital to keep passwords and other data protected from misconfigurations that can leave this information open to attackers.

MegaCortex is capable of:
  • Information theft
  • File encryption
  • Disabling usage capability 

GandCrab
GandCrab is a type of malware that uses a Ransomware-as-a-Service business model to encrypt victims’ files and demand ransom payment to regain access, specifically targeting businesses and consumers with PCs that run Microsoft Windows.

Since GandCrab does not infect machines in Russia or the former Soviet Union, there’s an indication that the authors are based there, making it possible that GandCrab could even be a potential ploy to gain information about other nations.

Zeppelin
Zeppelin ransomware was prevalent in 2019 and made a comeback in August of this year. Like the initial attacks of late 2019, these attacks began with phishing emails that included Microsoft Word attachments, usually posing as “invoices”, containing malicious macros that started the infection process: the macros parse and extract scripts, then download ransomware onto the victim’s machine.

Like the first attack, this ransomware attack went after IT and healthcare organisations in Europe and the U.S., targeting poorly-secured, internet-facing remote desktop protocol (RDP) servers—so it’s no wonder the ransomware was able to make a resurgence in 2020.
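
A generic detection heuristic for the macro-document infection chain described above for Zeppelin (and for early Dridex), as an added example that is not from Integrity360 or any vendor tool: it walks process ancestry in constructed process-creation events and flags script interpreters descended from an Office application. The event field names, host names and process lists are assumptions, and this is not a signature for any specific ransomware family.

```python
import ntpath

# Assumed lists: Office applications and the script hosts a macro may launch.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"host": "ws-014", "pid": 880, "ppid": 612, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws-014", "pid": 4120, "ppid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws-014", "pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-014", "pid": 4460, "ppid": 4388,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # On ws-022 the parent of cmd.exe was never logged: the walk must stop cleanly.
    {"host": "ws-022", "pid": 2210, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-022", "pid": 3001, "ppid": 2210, "image": r"C:\Windows\System32\cscript.exe"},
]

def name(event):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(event["image"]).lower()

def office_script_chains(events, max_depth=8):
    """Return one alert per script interpreter that has an Office ancestor."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        if name(e) not in INTERPRETERS:
            continue
        chain, cur, seen = [name(e)], e, set()
        while len(chain) <= max_depth:
            key = (cur["host"], cur["ppid"])
            parent = by_pid.get(key)
            if parent is None or key in seen:  # missing parent or PID loop
                break
            seen.add(key)
            chain.append(name(parent))
            if name(parent) in OFFICE:
                alerts.append({"host": e["host"], "pid": e["pid"],
                               "chain": " > ".join(reversed(chain))})
                break
            cur = parent
    return alerts

if __name__ == "__main__":
    for alert in office_script_chains(EVENTS):
        print(alert)
```

Walking the full ancestry, rather than checking only the direct parent, catches the case where the document launches `cmd.exe` first and the script host one level below it.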

LockBit
LockBit ransomware is aptly named: it locks users out of their network until they pay a demanded ransom. The ransomware group first showed up in 2019, and through the use of third parties, LockBit gives threat actors the ability to breach a corporate network and affect hundreds of devices in only a few hours, exfiltrate the data, and then threaten to leak the data to coerce payment from the victims.

The ransomware also includes some chilling advancements, including a technique to work around Windows User Account Control. These files pose as originating from Microsoft and seem to be safe and legitimate. LockBit uses automation to select targets that have vulnerabilities that enable the spread of malware and crypto-locking technology throughout the enterprise.

If you have concerns around protecting your organisation from evolving malware and ransomware please contact us to arrange a meeting with some of our expert team to discuss further.