Targeted ransomware attacks surging

A growing number of cybercriminals are adopting attack techniques involving targeted ransomware, with the number of organisations falling victim to the attacks having surged over the past two years according to Symantec.

New research from the security company indicates that the number of organisations being attacked by targeted ransomware grew from less than five per month before 2018 to more than 50 per month by May 2019.

Cybercrime groups have taken note of the success of the SamSam group, which has been attacking a string of mostly US-based organisations, the research shows.

Since the start of the year the number of dedicated targeted ransomware groups has been multiplying. A number of ransomware groups have also been embracing targeted attacks in addition to their typical indiscriminate attacks.

Attackers developing targeted ransomware are typically skilled and knowledgeable enough to penetrate an organisation’s network, deploy a range of tools to move across it while avoiding detection and simultaneously encrypt as many machines as possible.

One example highlighted by Symantec is GoGalocker, which makes use of many of the tools and techniques used by espionage groups, including publicly available hacking tools and “living off the land” tactics.

These tactics involve making use of tools already installed on targeted computers or directly running simple scripts and shellcode in memory to create fewer if any new files on the hard disk.

Once inside a victim’s network, the attackers run PowerShell commands to run shellcode that enables them to connect to the attacker’s command and control server.

The attackers then use a variety of tools to traverse the network and steal credentials, including tools capable of changing system privileges and recovering Windows passwords in plaintext.

GoGalocker also uses a number of detection evasion techniques, such as digitally signing the ransomware with legitimate certificates and attempting to use stolen administrative passwords to disable any security software before the ransomware is installed.

Symantec’s research also found indications of a connection between GoGalocker and and another targeted ransomware gang, MegaCortex, including similar processes for encrypting files and the mutual use of Cobalt Strike malware in their attacks.

“While it may be possible that both MegaCortex and GoGalocker are operated by the same group, the activity during the pre-infection process points towards distinct groups,” Symantec said in a post detailing the research.

“A more likely explanation for the link is that both ransomware families were developed by the same third-party developer for two separate groups of attackers.”

Image credit: ©stock.adobe.com/au/Brian Jackson