Jump to content

Ransomware: Difference between revisions

From ICANNWiki
Jessica (talk | contribs)
Jessica (talk | contribs)
No edit summary
Line 30: Line 30:
===Microsoft Disrupts Trickbot===
===Microsoft Disrupts Trickbot===
On October 12, 2020, [[Microsoft]] announced that it had disrupted Trickbot following a court order from the United States District Court for the Eastern District of Virginia, which granted Microsoft's request to halt Trickbot’s operations. Microsoft identified and disabled the infrastructure Trickbot used to communicate with and control victim computers, how infected computers talked with each other, and how Trickbot evaded detection and disruption previously. The corporation also identified the servers' IP addresses of servers.<ref>[https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/ New action to combat ransomware ahead of U.S. elections, Microsoft]</ref>
On October 12, 2020, [[Microsoft]] announced that it had disrupted Trickbot following a court order from the United States District Court for the Eastern District of Virginia, which granted Microsoft's request to halt Trickbot’s operations. Microsoft identified and disabled the infrastructure Trickbot used to communicate with and control victim computers, how infected computers talked with each other, and how Trickbot evaded detection and disruption previously. The corporation also identified the servers' IP addresses of servers.<ref>[https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/ New action to combat ransomware ahead of U.S. elections, Microsoft]</ref>
==Ryuk==
From 2018 to 2020, Ryuk spread via malicious ([[phishing]]) emails with links and attachments, notoriously attacking EMCOR Group and Epiq Global.
==SamSam==
From 20-15 to 2018, SamSam infected the municipal/state services of Atlanta, Colorado, and San Diego and 200 public institutions/organizations.<ref>[https://gatefy.com/blog/real-and-famous-cases-ransomware-attacks/ Real and Famous Ransomware Cases, Gatefy]</ref> 


==References==
==References==

Revision as of 21:23, 2 August 2021

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

Darkside

Darkside is a group of hackers that carried out a significant ransomware attack in May 2021. In August 2020, Darkside introduced its Ransomware-as-a-Service (RaaS) in a press release. The group provides web chat support to victims, builds intricate data leak storage systems with redundancy, and performs financial analysis of victims prior to attacking. The group is suspected to be former IT security professionals and is known to have a code of conduct that includes not attacking hospitals, schools, non-profits, or governments, but rather big organizations. After the May 2021 Colonial Pipeline attack, Varonis’s reverse engineering revealed that Darkside’s malware checked device language settings to ensure that they don’t attack Russia-based organizations.[1] Darkside has Windows and Linux toolsets, is similar to NetWalker and REvil in that it has an affiliate program that offers anyone who helps spread their malware 10-25% of the payout.

Darkside

  • runs command and control over TOR,
  • avoids nodes where EDR is running,
  • uses waiting periods,
  • saves noisier actions for later stages,
  • customizes code and connection hosts for each victim,
  • obfuscates with encoding and dynamic library loading, and
  • performs anti-forensics techniques, such as deleting log files.

TrickBot

TrickBot is ransomware that was first identified in 2016. It is a trojan developed and operated by a group of hackers who initially made it as a banking trojan to steal financial data. TrickBot has become a highly modular, multi-stage suite of tools to conduct myriad illegal cyber activities.[2] TrickBot has been used

  • To exfiltrate data (email, credentials, point-of-sale info);
  • For crypto-mining; and
  • For host enumeration (reconnaissance of Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS) firmware)

Operators include:

Relies on:

  • Emotet and Bokbot
  • Spearphishing, spam campaigns, malvertising, and network vulnerabilities, such as Server Message Block, to gain initial access

Microsoft Disrupts Trickbot

On October 12, 2020, Microsoft announced that it had disrupted Trickbot following a court order from the United States District Court for the Eastern District of Virginia, which granted Microsoft's request to halt Trickbot’s operations. Microsoft identified and disabled the infrastructure Trickbot used to communicate with and control victim computers, how infected computers talked with each other, and how Trickbot evaded detection and disruption previously. The corporation also identified the servers' IP addresses of servers.[7]

Ryuk

From 2018 to 2020, Ryuk spread via malicious (phishing) emails with links and attachments, notoriously attacking EMCOR Group and Epiq Global.

SamSam

From 20-15 to 2018, SamSam infected the municipal/state services of Atlanta, Colorado, and San Diego and 200 public institutions/organizations.[8]

References