De ataque con Malware a incidente de Ransomware 👺

El Ransomware hoy en día, es una de las ciberamenazas más importantes a nivel mundial ya que no solo compromete los activos digitales sino que también la información sensible y privada de las empresas que son víctima, sin embargo, el Ransomware es el payload final y muchos de estos ataques provienen de una infección previa con Malware de distinto tipo como por ejemplo loaders, RAT o troyanos bancarios.

La imagen a continuación, reúne las distintas familias de Malware que podrían derivar a un incidente de Ransomware, comprometiendo la red y la información corporativa.

A continuación, dejamos links de referencia que permiten relacionar cada una de estas amenazas e involucran además información como la descripción, IoCs, investigaciones, reportes, recursos, reglas de detección (Yara) y análisis de incidentes entre otros.

1.- Buer -> Ryuk

• https://news.sophos.com/nl-nl/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service-2 (28-10-2020)

• https://twitter.com/SophosLabs/status/1321844306970251265

• https://malpedia.caad.fkie.fraunhofer.de/details/win.buer

2.- Emotet -> Trickbot -> Ryuk

• https://intel471.com/blog/understanding-the-relationship-between-emotet-ryuk-and-trickbot/ (14-04-2020)

• https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware (02-04-2019)

• https://twitter.com/VK_Intel/status/1250468638634717184

• https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

3.- Trickbot -> Ryuk

• https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/ (22-06-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot

• https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk

4.- Trickbot -> Conti

• https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/

• https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-08-31-crime-ransom-conti-vk.yar

• https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

5.- Vatet -> PyXie -> Defray777 / RansomEXX

• https://unit42.paloaltonetworks.com/vatet-pyxie-defray777 (06-11-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie

6.- IcedID -> Vatet -> PyXie -> Defray777 / RansomEXX

• https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html (06-01-2021)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

7.- IcedID -> Egregor

• https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html (25-02-2021)

8.- Qakbot -> Egregor

• https://www.bleepingcomputer.com/news/security/qbot-partners-with-egregor-ransomware-in-bot-fueled-attacks/ (20-11-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

• https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor

9.- Qakbot -> ProLock

• https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/ (14-05-2020)

• https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf

• https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker

10.- Qakbot -> MegaCortex

• https://success.trendmicro.com/solution/1122802-megacortex-ransomware-information (30-12-2019)

• https://cyware.com/news/qbot-trojan-a-quick-analysis-of-a-decade-old-banking-trojan-bd6d0efd (02-09-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex

11.- Zloader -> Egregor

• https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader

• https://twitter.com/likethecoins/status/1327309590736883712

• https://twitter.com/VK_Intel/status/1324377307109347329

• https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor

12.- Zloader -> Ryuk

• https://lifars.com/wp-content/uploads/2020/10/The-Assassin-Squad-Zbot-and-RYUK-1.pdf (10-2020)

• https://twitter.com/ffforward/status/1324281530026524672

• https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader

13.- SDBBot -> Clop

• https://www.zdnet.com/article/australian-government-warns-of-possible-ransomware-attacks-on-health-sector/ (13-11-2020)

• https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time (16-11-2020)

• https://www.cronup.com/post/threat-alert-grupo-ta505-reinicia-ataques-en-latinoam%C3%A9rica

• https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector

• https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot

• https://malpedia.caad.fkie.fraunhofer.de/details/win.clop

14.- Dridex -> DoppelPaymer

• https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html (05-01-2021)

• https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ (12-07-2019)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer

15.- Dridex -> BitPaymer

• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf (17-07-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex

16.- Gootkit -> REvil / Sodinokibi

• https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/ (30-11-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit

• https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

17.- Phorpiex -> Avaddon

• https://blog.checkpoint.com/2020/12/09/november-2020s-most-wanted-malware-notorious-phorpiex-botnet-returns-as-most-impactful-infection/ (09-12-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

• https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon

18.- Phorpiex -> Nemty

• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet (04-11-2019)

• https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/ (18-02-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty

19.- BazarLoader / BazarBackdoor -> Ryuk

• https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ (18-10-2020)

• https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf

• https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor

20.- BazarLoader / BazarBackdoor -> Conti

• https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware (12-01-2021)

• https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ (16-09-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

21.- DanaBot -> NonRansomware

• https://research.checkpoint.com/2019/danabot-demands-a-ransom-payment/ (20-06-2019)

• https://www.zdnet.com/article/danabot-banking-trojan-jumps-from-australia-to-german-targets/ (15-08-2019)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

22.- SmokeLoader -> Crysis / Dharma

• https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/ (16-04-2020)

• https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma

• https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

BONUS

A continuación, dos de los frameworks más utilizados por los actores de amenaza y grupos afiliados de Ransomware para la comunicación con los C&C (servidores de comando y control) y el movimiento lateral en la red víctima.

Estos frameworks corresponden a herramientas para ejercicios de tests de penetración, sin embargo, son muy utilizadas en el flujo de ataques a objetivos de alto valor.

1.- Cobalt Strike -> Multiple Ransomware Families

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ (18-09-2020)

https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/ (31-08-2020)

https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

2.- Empire -> Multiple Ransomware Families

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ (23-11-2020)

https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader

NOTA: Un reporte similar a este se puede encontrar en https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ donde se confirman algunas de las amenazas aquí señaladas.

La información de este artículo se ira actualizando en la medida que se tengan nuevos antecedentes.

Conoce al enemígo, mantente seguro.

Threat Intelligence Team,

CronUp Ciberseguridad