Thursday, July 20, 2017

The purpose of ransomware


Ransomware, a phenomenon now very well known, serves one ultimate and obvious purpose:

  • Monetary gain for the cybercriminal(s).

However, multiple scenarios are, in fact, possible. Consider any and all of the following:

  • Deployed as ransomware, extortion;
  • Deployed to showcase skills, for fun or for testing purposes;
  • Deployed as smokescreen;
  • Deployed to cause frustration;
  • Deployed out of frustration;
  • Deployed as a cover-up;
  • Deployed as a penetration test or user awareness training;
  • Deployed as a means of disruption and/or destruction.


Let's go over all of these briefly:


Deployed as ransomware, extortion

This has been the traditional approach - ransomware is installed on the victim's machine, and its only purpose is to create income for the cybercriminal(s).

In fact, ransomware is simple extortion, but via digital means.

I could give hundreds, if not thousands, of links as examples, but this search query should suffice to show the current boom in the cybercriminal landscape:
https://www.bleepingcomputer.com/search/?q=ransomware

Note that while most ransomware attacks go for the classic extortion scheme - holding the data for ransom, and that's that - some criminals take it a step further by also threatening to publish the data online (whether the victim pays or not), as a follow-up extortion attempt. Publication may also have been the criminal's original intent, with the ransomware deployed as a smokescreen (see also below).


Deployed to showcase skills, for fun or for testing purposes

Some cybercriminals like to show off, and as such take up ransomware as a side business or, more particularly, as a way to showcase their coding skills: "Ransomware? I/We can do that too!", or simply "because".

An example of this may well be nRansomware (or "Nude Ransomware"), in which the author demanded nudes rather than a monetary payment:
https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin

Another example is sending ransomware 'as a joke' or for fun to your friends, giving them a bad time. Please don't.

Some cybercriminals may be testing the waters by deploying ransomware in an organisation, to stress-test its defenses, or to test their own programming skills, or the lack thereof.



Deployed as smokescreen

A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else; in theory, every scenario is possible... except the ransomware itself being the goal.

This may happen more often than you think, and begs the question: what is the real purpose here?

Ransomware is obvious: files are encrypted, warning or extortion messages are scattered everywhere, and users as well as companies are unable to continue working for days, depending on their backup and recovery strategy.

Once you're hit by ransomware, more than one alarm bell should start ringing - you are royally compromised and, as such, should take appropriate measures immediately. There may be more than meets the eye.

There's an article on Carnal0wnage, describing one of these events:
http://carnal0wnage.attackresearch.com/2016/03/apt-ransomware.html
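The "more than meets the eye" point above has a concrete consequence for triage: encryption alone does not need to move data out of the network, so a large outbound transfer shortly before the ransom note appeared is a sign that exfiltration, not extortion, may have been the real purpose. The script below is an added example (not code from the original post) that runs this check over a constructed proxy log; the log format, host names, the 203.0.113.9 destination, the detonation time and the size threshold are all assumptions for illustration.

```python
"""Triage helper: look for outbound data movement in the window before ransomware detonated.

Added example, not part of the original post. The proxy log lines below are
constructed; the field layout (timestamp, source host, destination, bytes sent),
the detonation time and the threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO timestamp> <src host> <dst host> <bytes out>"
SAMPLE_PROXY_LOG = """\
2017-07-18T22:41:03 ws-fin-07 cdn.example-update.net 18432
2017-07-18T23:02:17 ws-fin-07 203.0.113.9 734003200
2017-07-18T23:31:50 ws-fin-07 203.0.113.9 1258291200
2017-07-19T00:05:44 ws-hr-02 mail.example-corp.local 52100
2017-07-19T01:12:09 ws-fin-07 203.0.113.9 524288000
2017-07-19T07:58:30 ws-fin-07 www.example-news.com 91200
"""

# Assumed: the first ransom note on ws-fin-07 was written at this time.
RANSOM_NOTE_TIME = datetime(2017, 7, 19, 8, 0, 0)


def parse_proxy_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def suspicious_outbound(records, detonation, lookback=timedelta(hours=12),
                        threshold_bytes=100 * 1024 * 1024):
    """Sum outbound bytes per (src, dst) in the lookback window before detonation.

    Returns {(src, dst): total_bytes} for pairs at or above the threshold,
    largest first. Ransomware that merely encrypts has no reason to push
    gigabytes out of the network; a large transfer in the hours before the
    ransom note suggests the encryption is a smokescreen for exfiltration.
    """
    window_start = detonation - lookback
    totals = defaultdict(int)
    for ts, src, dst, nbytes in records:
        if window_start <= ts < detonation:
            totals[(src, dst)] += nbytes
    flagged = {k: v for k, v in totals.items() if v >= threshold_bytes}
    return dict(sorted(flagged.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    hits = suspicious_outbound(parse_proxy_log(SAMPLE_PROXY_LOG), RANSOM_NOTE_TIME)
    for (src, dst), total in hits.items():
        print(f"{src} -> {dst}: {total / 2**20:.0f} MiB in the 12h before the ransom note")
```

On the constructed log this flags ws-fin-07 sending roughly 2.4 GiB to 203.0.113.9 in the hours before detonation, while ordinary browsing and mail traffic stay well under the threshold. In a real incident the same aggregation would be run against the proxy, firewall or NetFlow records for every host that showed a ransom note, with the threshold tuned to the environment's normal outbound volume.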



Deployed to cause frustration

Another possible angle, which goes hand in hand with the classic extortion scheme: deploying ransomware with the intent of frustrating the victim. Basically, cyberbullying. While there may be a request for a monetary amount, that is not the purpose.

A notorious example of this is the Jigsaw ransomware:
https://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/

In a related example, a victim of a tech support scam tricked the scammer into installing ransomware:
https://nakedsecurity.sophos.com/2016/08/15/tech-support-scammer-tricked-into-installing-ransomware/



Deployed out of frustration

Sometimes an attacker gains initial access to a server or other machine, but subsequent attempts to, for example, exfiltrate data or attack other machines are unsuccessful. This may be due to a number of things, but often the access has been discovered and the entry point quickly patched. Alternatively, it may not have been discovered yet, but the attacker is still sitting with the same problem: the purpose is not fulfilled.

Then, out of frustration, or to get at least something out of the victim, the machine is trashed with ransomware.

Another possibility is a disgruntled employee leaving ransomware as a 'present' before leaving the company.

Darryl from Kahu Security has written an excellent article on the former scenario:



Deployed as a cover-up

This may sound ambiguous at first, but imagine a scenario where a company faces sanctions, is already compromised, or is the subject of a running investigation.

A company or organisation deploying ransomware on itself is a viable way of destroying data forever, and with it any evidence. This could be an attempt to mislead auditors, commit insurance fraud, ...

Another possibility: in order to cover up a much larger compromise, ransomware is installed and everything is formatted, hiding what actually happened.

Again, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'.

There are some statistics referring to this as well, in a report by SentinelOne:



Deployed as a penetration test or user awareness training

Ransomware is very effective in the sense that most people know what its purpose is and the damage it can cause. As such, it is an excellent tool for demonstration purposes, such as user awareness training. Another possibility is an external pentest with the same purpose.

An example is given by Malwarehunterteam, where KBC Group ran a phishing test followed by simulated 'ransomware', meant as user awareness training:

This is a very good idea for any organisation or business in general. Are your users aware of the dangers that lie in, and beyond, ransomware?



Deployed as a means of disruption and/or destruction

Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroying a company or organisation, or at least taking it offline for several days, or even weeks.

Again, there are several possibilities: a rival company in a similar line of business, once more a disgruntled employee, or a campaign to disrupt large organisations on a worldwide scale.

A recent and notorious example of such an attack is the latest Petya variant, also referred to as EternalPetya or NotPetya. A blog post from Kaspersky suggests its main purpose is that of a wiper:

In a way, this also falls back on the frustration and cover-up scenarios.



Closing thoughts

As we've seen, ransomware can serve a plethora of purposes; whether it is deployed by a nation-state actor, the more common cybercriminal, or your neighbor disgruntled at your tree hanging over their wall, one thing is for sure: you are, and have been, compromised!

In more recent years, targeted ransomware has become a common phenomenon. This means ransomware that is either tailored to your environment or manually installed, the latter often via hacked RDP or VNC services.

The most famous example is no doubt Samas, also known as SamSam:

Other examples include CrySiS and its derivatives, RSAutil and PetrWrap.

While targeted ransomware attacks have been occurring since as early as 2013, in recent years they have become more feared, due to the ransomware also encrypting files.
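The "hacked RDP" route mentioned above leaves a recognisable trail in the Windows Security log: a run of failed logons (event ID 4625) from one source address, followed by a successful RemoteInteractive logon (event ID 4624 with Logon Type 10) from that same address. The detection below is an added example, not code from the original post; the event records are constructed and heavily simplified, and the failure threshold and time window are assumptions. The event IDs and logon type are standard Windows values.

```python
"""Detection: RDP password guessing followed by a successful remote-interactive logon.

Added example, not part of the original post. The event records are constructed
and simplified to (timestamp, event_id, logon_type, account, source_ip); real
Security log events carry many more fields. Event ID 4625 (failed logon), 4624
(successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are standard
Windows values; min_failures and window are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Note that with Network Level Authentication enabled,
# failed RDP logons are commonly recorded with Logon Type 3, not 10, so the
# failure side of the detection keys on the source IP rather than the logon type.
SAMPLE_EVENTS = [
    ("2017-07-18T02:10:03", 4625, 3, "administrator", "198.51.100.23"),
    ("2017-07-18T02:10:09", 4625, 3, "admin", "198.51.100.23"),
    ("2017-07-18T02:10:15", 4625, 3, "backup", "198.51.100.23"),
    ("2017-07-18T02:10:21", 4625, 3, "svc_backup", "198.51.100.23"),
    ("2017-07-18T02:10:27", 4625, 3, "svc_backup", "198.51.100.23"),
    ("2017-07-18T02:10:33", 4625, 3, "svc_backup", "198.51.100.23"),
    ("2017-07-18T02:10:41", 4624, 10, "svc_backup", "198.51.100.23"),  # guess landed
    ("2017-07-18T03:15:00", 4625, 3, "administrator", "192.0.2.77"),   # noise, no success
    ("2017-07-18T03:15:07", 4625, 3, "administrator", "192.0.2.77"),
    ("2017-07-18T08:02:11", 4624, 10, "jdoe", "10.0.0.5"),            # legitimate admin RDP
]


def detect_rdp_bruteforce_success(events, min_failures=5, window=timedelta(minutes=30)):
    """Return [(source_ip, account, failures_in_window, success_timestamp)].

    One entry per successful RDP logon (4624, type 10) that was preceded, within
    `window`, by at least `min_failures` failed logons (4625) from the same
    source IP. A success with no preceding failures is treated as normal use.
    """
    failures = defaultdict(list)
    for ts, event_id, _logon_type, _account, ip in events:
        if event_id == 4625:
            failures[ip].append(datetime.fromisoformat(ts))

    hits = []
    for ts, event_id, logon_type, account, ip in sorted(events):
        if event_id != 4624 or logon_type != 10:
            continue
        success_time = datetime.fromisoformat(ts)
        recent = [t for t in failures[ip] if success_time - window <= t <= success_time]
        if len(recent) >= min_failures:
            hits.append((ip, account, len(recent), ts))
    return hits


if __name__ == "__main__":
    for ip, account, n_fail, when in detect_rdp_bruteforce_success(SAMPLE_EVENTS):
        print(f"{when}: {ip} logged on over RDP as {account} after {n_fail} failures")
```

On the constructed events, only 198.51.100.23 is reported: six failed attempts in under a minute, then a successful RDP session as svc_backup. The two stray failures from 192.0.2.77 never succeed, and the morning logon from 10.0.0.5 has no failures behind it. Any hit from this check on a real log should be treated as the start of a hands-on-keyboard intrusion, whether or not encryption has begun yet.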

Conclusion: ransomware is and will always be ransomware - but it may have a twist and an additional purpose.

For further reading, I gladly introduce a shameless plug by referring you to two of my blog posts:
Ransomware prevention

This list is also included in MISP's ransomware taxonomy:
https://github.com/MISP/misp-taxonomies/blob/master/ransomware/machinetag.json

This blog post also exists as a dedicated page here: the purpose of ransomware.

If you can think of any other targeted ransomware, or purposes for ransomware, do not hesitate to leave some feedback in the comment section, or contact me on Twitter.