A ransomware threat called GandCrab has emerged during the last week of January, which itself not that newsworthy. However, it's distribution method and ransom currency choice could be pointers to how ransomware will evolve during 2018.
GandCrab is distributed using two exploit kits, namely RIG EK and GrandSoft EK. Researchers at Malwarebytes Labs call this out as surprising, as other than the MAgnitude EK kit which is known to push one particular ransomware attack (Magniber) the typical kit payload has been anything but ransomware of late. Then there's the fact that GandCrab has opted not to ask for a ransom paid in Bitcoin, instead looking for payment using the Dash cryptocurrency.
So, just how unusual is it for an exploit kit, let alone two, to be distributing ransomware in 2018? Paolo Passeri, a solutions architect at Netskope, reckons the last examples of exploit kits pushing ransomware date back to the end of last year with Matrix and Princess. "It's interesting to notice that RIG is involved for both of these" he says "whereas GrandSoft is a blast from the past, first appearing in 2012 and it was thought that it had disappeared."
Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that while some exploit kits such as Terror or Magnitude are still being occasionally used to deliver ransomware, these campaigns are usually highly targeted at specific regions. "Booby-trapped email attachments and macros within documents have become the new norm in disseminating ransomware" Arsene concludes "as they can affect a significantly larger pool of victims." John Shier, senior security advisor at Sophos, agrees that while most of the more prolific exploit kits either disappeared or went private during the last 18 months, hence their less frequent usage in such attacks, is interesting. However, Shier reminds us that "regardless of the distribution method we should always be prepared to protect our systems from ransomware and any other payload." While Alex Hinchliffe, threat intelligence analyst with Unit 42 at Palo Alto Networks, told SC Media UK that he is seeing attackers turning to using exploit kits "to get cryptocurrency directly through coin mining malware" rather than ransomware.
Azeem Aleem, director of the advanced cyber defence practice EMEA at RSA Security, argues that seeing as exploit kits tend to be modular we should expect them to change and include previously unseen tactics. "Ransomware-as-a-Service has also been around for almost a year, and isn't showing signs of decreasing" warns Aleem "it makes an attractive earner for criminals to finance more development and more advanced malware." Aleem also reminds us that there is an increase in older malware and exploit kit code being sold on the Darknet "as newer more advanced code is developed to be sold for higher gain outside of the affordability of the larger masses."
And what of the fact that GandCrab asks for a ransom using Dash (formerly known as Darkcoin), does this herald the end of Bitcoin ransoms? Maybe so, although Bitcoin got popular really fast, the network wasn't ready to handle quite so many users and the network has become overwhelmed. This has led to "increased transaction fees and longer confirmation times" says Caleb Fenton, threat team lead at SentinelOne who continues "both of these increase the cost of using Bitcoin, and that's certainly pushing malware authors to adopt alternatives."
However, Fenton also thinks that a more important factor is the lack of proper anonymity. Something that Joseph Carson, chief security scientist at Thycotic, confirms when he points out that many law enforcement and security researchers are "spending tons of resources into analysing malicious activity so it seems clear that cybercriminals want to stay anonymous so moving to another lesser known cryptocurrency will increase the ability to get away with a cyber-crime."
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that Dash has recently "added anti money laundering checks and 'know your customer' controls to check for a criminal transaction history" so whether it becomes the cryptocurrency of choice for ransomware actors is highly debatable. Dr Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University, points out that GandCrab is also unusual in that it uses the Namecoin powered .BIT top level domain. "Namecoin is an experimental open-source technology" Dr Curran explains "which improves decentralisation, security, censorship resistance, privacy, and speed of certain components of the Internet infrastructure such as DNS and identities."