An overview of bitcoin ransomware attack campaigns

According to a research study conducted by Cybersecurity Ventures in 2017, a business is compromised by a ransomware attack every 40 seconds, and this rate was estimated to rise to one attack every 14 seconds in 2019. Some businesses have been forced to pay cybercriminals up to $1 million in a single ransomware attack, while others suffered losses totalling tens of millions of US dollars. Obviously, ransomware attacks have become a cyberthreat that can no longer be overlooked.

A recently published paper presents a thorough analysis of the ransomware epidemic, detailing its technical and economic effects. The authors developed an attack model that can be applied to the network infrastructures commonly found in current business systems, highlighting potential ransomware entry portals. They evaluated how the integration of symmetric and asymmetric encryption in modern hybrid cryptographic systems, together with worm-like features in advanced ransomware, has enabled devastating ransomware attack campaigns including Erebus, WannaCry, and SamSam. This article summarizes that paper, which is the most detailed academic work on ransomware attacks to date.

Ransomware attack process on enterprise information systems (EISs):

The traditional network framework of an EIS features several entry points for ransomware infection vectors, unlike individual internet users, who are usually infected via spam emails. Figure (1) illustrates the potential ransomware entry points within an EIS.

Figure (1): Ransomware entry points in an EIS

Most current network frameworks follow the Purdue Model, in which the enterprise network is isolated from the physical and control networks by means of a cascaded design. Enterprise networks have three main entry points that lead to the EIS. The first and most vulnerable is the organization’s network, which is connected directly to the internet through a router or a firewall. Any vulnerability or bug in the internet-facing interface serves as a potential entry point for ransomware or other forms of malware; this is the weakness exploited by the SamSam ransomware. The same applies to any internet-facing interface within the physical subsystem or the control network, which represent the other two entry points. Such exposed interfaces can be found through search engines for internet-connected devices, e.g. Shodan.

Whenever the organization outsources ICT solutions of one form or another, the trust relationships with vendors or third parties can facilitate ransomware infection, as the third party serves as a conduit through which the ransomware penetrates the network. Third parties may be cloud service providers or technical service providers who are granted access to the three segments of the network framework. Beyond all of the aforementioned infection vectors, there is another that exploits the inexperience of non-tech-savvy users via phishing, spam emails, and watering hole attacks.

Once the attacker pinpoints a potential infection vector, they deliver the ransomware to its intended target, which triggers a denial of resource (DoR), a special form of DoS attack. The ransomware will interact with its command and control (C2) server at one point or another during the attack. Figure (2) illustrates the process of a typical ransomware attack.

Figure (2): The typical process of a ransomware attack

Depending on the ransomware family, it will either contact the C2 to report a successful infection or, if the payload is programmed without encryption keys, connect to the C2 server to download them during the beaconing stage, as CryptoWall did. In other forms, where the ransomware is delivered together with its encryption keys, it starts encrypting the victim’s files immediately and then displays a ransom demand message. This scenario is uncommon today, as it was rather simple to defeat: a key that travels with the payload is as visible to the security analyst inspecting the sample as it is to the attacker who deployed it.

Most recent forms of ransomware, such as WannaCry, are delivered with an RSA public key (Kp) that is used to encrypt a unique symmetric key (KSecret) generated on the host. In this case, the ransomware creates KSecret with a robust cipher such as AES, using the CryptoAPI functions of the victim’s operating system. A second attack form generates an RSA subkey pair (KS and KP) before generating the symmetric key (KSecret). The private subkey KS is then encrypted with the ransomware’s implanted public key Kp, whereas the matching public subkey KP is used to encrypt the AES key KSecret after the victim’s files have been encrypted. At that point, a ransom demand message is displayed on the victim’s screen.
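To make the three key layouts concrete, here is an added illustration (not code from the paper or from any ransomware sample) that models them with a toy RSA built from small Mersenne primes and a SHA-256 keystream standing in for AES; both primitives, the prime values, the constructed plaintext and all function names are assumptions of this example. It answers the question a responder actually faces: given what can be pulled from the host and the sample, are the files recoverable without the attacker’s private key? Layout A is the key-in-payload case from the previous paragraph; B and C are the two hybrid forms described here.

```python
import hashlib
import secrets

# Toy RSA parameters, constructed for this illustration: two Mersenne primes
# give a modulus large enough to hold 8-byte chunks, nothing like a real
# 2048-bit key. Real samples use the OS crypto library; this is only a model.
CAMPAIGN_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)   # attacker's long-lived pair (Kp)
SUBKEY_PRIMES = ((1 << 31) - 1, (1 << 107) - 1)    # per-victim pair (KS, KP)
E = 65537
PLAINTEXT = b"constructed document content standing in for a victim file"


def toy_rsa_keypair(primes):
    p, q = primes
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))    # E is coprime to phi here
    return (n, E), (n, d)                          # (public, private)


def rsa_wrap(pub, data):
    """Encrypt data whose length is a multiple of 8, one 8-byte chunk at a time."""
    n, e = pub
    return [pow(int.from_bytes(data[i:i + 8], "big"), e, n)
            for i in range(0, len(data), 8)]


def rsa_unwrap(priv, chunks):
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(8, "big") for c in chunks)


def stream_xor(key, data):
    """Toy stand-in for AES: XOR with a SHA-256 counter keystream (not secure)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def model_layout(layout, campaign_pub, plaintext=PLAINTEXT):
    """Return (artefacts recoverable from the host/sample, ciphertext) for one layout."""
    k_secret = secrets.token_bytes(32)             # KSecret, generated on the host
    blob = stream_xor(k_secret, plaintext)
    if layout == "A":                              # key travels with the payload
        return {"k_secret": k_secret}, blob
    if layout == "B":                              # KSecret wrapped under implanted Kp
        return {"kp": campaign_pub,
                "wrapped_k_secret": rsa_wrap(campaign_pub, k_secret)}, blob
    # Layout C: subkey pair generated first; its private half KS is wrapped
    # under Kp, and the public half KP wraps KSecret.
    sub_pub, (_, sub_d) = toy_rsa_keypair(SUBKEY_PRIMES)
    return {"kp": campaign_pub,
            "sub_pub": sub_pub,
            "wrapped_sub_d": rsa_wrap(campaign_pub, sub_d.to_bytes(24, "big")),
            "wrapped_k_secret": rsa_wrap(sub_pub, k_secret)}, blob


def analyst_recovery(artefacts, blob):
    """Decrypt with only what is present on the victim: possible for layout A alone."""
    if "k_secret" in artefacts:
        return stream_xor(artefacts["k_secret"], blob)
    return None            # only public keys and RSA-wrapped material are present


def attacker_recovery(artefacts, blob, campaign_priv):
    """Walk the key chain from the attacker's private key down to KSecret."""
    if "k_secret" in artefacts:
        k_secret = artefacts["k_secret"]
    elif "sub_pub" in artefacts:
        sub_d = int.from_bytes(rsa_unwrap(campaign_priv, artefacts["wrapped_sub_d"]), "big")
        k_secret = rsa_unwrap((artefacts["sub_pub"][0], sub_d), artefacts["wrapped_k_secret"])
    else:
        k_secret = rsa_unwrap(campaign_priv, artefacts["wrapped_k_secret"])
    return stream_xor(k_secret, blob)


def compare_layouts():
    """For each layout: (analyst can recover?, attacker can recover?)."""
    pub, priv = toy_rsa_keypair(CAMPAIGN_PRIMES)
    results = {}
    for layout in "ABC":
        artefacts, blob = model_layout(layout, pub)
        results[layout] = (analyst_recovery(artefacts, blob) == PLAINTEXT,
                           attacker_recovery(artefacts, blob, priv) == PLAINTEXT)
    return results


if __name__ == "__main__":
    print(compare_layouts())   # {'A': (True, True), 'B': (False, True), 'C': (False, True)}
```

Only layout A is recoverable from host artefacts alone; for B and C the sample carries nothing but public keys and wrapped material, which is why the practical defence against the later campaigns is tested backups rather than analysis of the payload.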

New ransomware forms attack not only a single host on a network but also scan the whole network to identify potentially vulnerable hosts. This worm-like feature was identified in the WannaCry family, which propagates throughout the network via port 445, where the SMBv1 file-sharing service runs. As a result, any online backups would also be encrypted. The ransomware also scans neighboring networks for vulnerable hosts.

What is a ransomware attack campaign?

A ransomware attack campaign is a meticulously planned attack activity initiated by hackers in order to infect victims and extort cryptocurrency ransoms from them. A ransomware campaign is characterized by three main features:

– An efficient encryption technique, which is pivotal to holding the victim’s files hostage

– An efficient infection vector that guarantees successful delivery of the ransomware payload to the victim

– A resilient C2 framework, which is the central server from which the attack campaign is launched

SamSam ransomware campaign:

SamSam ransomware was first observed in 2015 and has since grown to target healthcare, SMEs, and government and educational institutions. By the end of 2018, the campaign had reportedly collected more than $850,000 worth of bitcoin in ransoms. Initially, the campaign targeted vulnerabilities in JBoss servers, but it has since shifted to exploiting external access applications including Virtual Network Computing (VNC), Remote Desktop Protocol (RDP), Microsoft IIS, virtual private network (VPN), and FTP platforms.

Due to the great swings in bitcoin price in late 2017, the ransom demanded by the SamSam campaign fluctuated between 0.7 and 1.7 BTC.

WannaCry ransomware campaign:

The WannaCry campaign is by far the most publicized ransomware campaign, having compromised more than 300,000 victims globally in a matter of three days. The aggressiveness of WannaCry is attributed to its worm-like features, which enable it to propagate across multiple networks on its own.

WannaCry’s main target is the Windows OS; it exploits a vulnerability in the SMB file-sharing service in order to spread via port 445. The ransomware uses multiple encryption layers, combined with persistence establishment and context switching, which made WannaCry an enormous challenge to deal with. WannaCry affected almost every sector of global society, including healthcare, transport, telecommunications, education, and finance.
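The port 445 fan-out described in this paragraph and in the attack process section above is visible in flow or firewall logs. The following is an added detection example, not the paper’s code: the flow records are constructed, and the 60-second window, the threshold of ten distinct hosts and the /24 boundary used to spot the jump into a neighbouring subnet are assumed tuning values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records ("timestamp src dst dport"), not real logs.
# 10.0.1.30/.31 are ordinary clients of the file server 10.0.1.20;
# 10.0.1.15 fans out to ten hosts on its own /24 and then to a neighbouring
# subnet, the pattern described for WannaCry; 10.0.1.40 uses tcp/443 and is ignored.
FLOWS = """\
2017-05-12T10:00:00 10.0.1.30 10.0.1.20 445
2017-05-12T10:00:05 10.0.1.31 10.0.1.20 445
2017-05-12T10:00:06 10.0.1.40 10.0.1.20 443
2017-05-12T10:00:07 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:07 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:08 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:09 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:10 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:11 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:12 10.0.1.15 10.0.1.26 445
2017-05-12T10:00:13 10.0.1.15 10.0.1.27 445
2017-05-12T10:00:14 10.0.1.15 10.0.1.28 445
2017-05-12T10:00:15 10.0.1.15 10.0.1.29 445
2017-05-12T10:00:17 10.0.1.15 10.0.2.5 445
2017-05-12T10:00:18 10.0.1.15 10.0.2.6 445
"""

WINDOW = timedelta(seconds=60)   # assumed tuning values; adjust per environment
THRESHOLD = 10


def parse_flows(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout_alerts(text, threshold=THRESHOLD, window=WINDOW):
    """Map each source that reaches >= threshold distinct hosts on tcp/445 within
    one window to (max distinct targets, whether any target lies outside its /24)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        home = ipaddress.ip_network(f"{src}/24", strict=False)
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold and len(targets) > alerts.get(src, (0, False))[0]:
                crossed = any(ipaddress.ip_address(d) not in home for d in targets)
                alerts[src] = (len(targets), crossed)
    return alerts


if __name__ == "__main__":
    for src, (count, crossed) in smb_fanout_alerts(FLOWS).items():
        print(f"{src}: {count} distinct tcp/445 targets, other subnet: {crossed}")
```

A file server receiving many inbound 445 connections is normal; a workstation opening 445 to many distinct hosts in under a minute is not, and the jump across the /24 boundary is the signal that the scan has moved to neighbouring networks.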

The ransom demand of WannaCry was $300. Three months following the launch of the WannaCry campaign, in August 2017, cybercriminals withdrew around $140,000 from the bitcoin wallets they used for the campaign.

Locky ransomware campaign:

Locky was first reported in 2016 and was delivered to victims via email as a Word document attachment. The content of the document was gibberish, and the victim was asked to enable macros in order to view the contents properly. Once the user enables macros, the ransomware payload is downloaded. Locky relies on a hybrid encryption system of AES-128 and RSA-2048. In addition to encrypting the victim’s files, Locky encrypts their bitcoin wallets as well.
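A mail gateway check for the delivery vector Locky used: the following is an added example, not code from the paper, that inspects an Office attachment for an embedded VBA project instead of trusting its extension. The sample attachments are constructed in memory, and the function names and verdict strings are this example’s own. Legacy binary .doc files are OLE containers rather than zips and are only flagged for a separate OLE-aware check here.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy .doc/.xls containers


def build_office_zip(with_macro):
    """Construct a minimal OOXML-style zip standing in for an e-mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # the real part is an OLE container holding VBA streams; placeholder bytes here
            z.writestr("word/vbaProject.bin", b"placeholder vba project")
    return buf.getvalue()


def classify_attachment(data):
    """Return 'vba' or 'clean' for OOXML attachments (docx, docm, xlsm, pptm, ...),
    judged by the presence of a vbaProject.bin part rather than by extension;
    'ole-needs-parser' for legacy OLE documents; 'not-office' otherwise."""
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "not-office"
        has_vba = any(name.lower().endswith("vbaproject.bin") for name in names)
        return "vba" if has_vba else "clean"
    if data.startswith(OLE_MAGIC):
        return "ole-needs-parser"
    return "not-office"


def triage(attachments):
    """Names of attachments to quarantine or hold for manual review."""
    return [name for name, data in attachments.items()
            if classify_attachment(data) in ("vba", "ole-needs-parser")]


if __name__ == "__main__":
    samples = {"invoice.docm": build_office_zip(True),
               "report.docx": build_office_zip(False),
               "old.doc": OLE_MAGIC + b"\x00" * 8,
               "notes.pdf": b"%PDF-1.4"}
    print(triage(samples))
```

Checking the zip contents catches a macro-carrying file regardless of what it is named; the OLE case is deliberately not silently passed, since the .doc form is exactly what this campaign relied on.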

Locky was reported to successfully compromise healthcare institutions. The Hollywood Presbyterian Medical Center had to pay a bitcoin ransom of $17,000 in order to decrypt patients’ data.

DMA Locker ransomware campaign:

The DMA Locker ransomware campaign was identified in 2015. It was initially based entirely on a symmetric encryption system, but it then evolved to deploy a hybrid encryption system based on RSA-2048 and AES-256.

The ransom amount varied between 1 and 8 BTC. The ransomware used a watering hole attack as its attack vector: the attackers hosted the ransomware on a compromised server, and victims were then redirected to that server through links in spam emails.

CryptoWall ransomware campaign:

CryptoWall has reportedly extorted over $325 million via its third version, CryptoWall v3.0. This ransomware was first reported in 2014 and was found to use multiple infection vectors, including phishing, spam emails, malvertising, and exploit kits. CryptoWall must maintain communication with its C2 server in order to download its encryption keys, so it cannot compromise victims without an active internet connection. The ransom demand varied between $200 and $700 worth of bitcoin.

CryptoLocker ransomware campaign:

CryptoLocker was first reported in late 2013, and its main target was the Windows OS. The ransomware relies on a hybrid encryption system in which the RSA public key is downloaded directly from the C2 server following successful infection.

Initially, the ransom demand was $300, which equaled around 2 bitcoins in 2013. As the bitcoin price swung, the attackers adjusted the bitcoin ransom to match the changing rate. The CryptoLocker campaign also accepted other anonymous payment methods such as Ukash and MoneyPak.

Final thoughts:

Ransomware attacks have led to disastrous economic losses over the past few years. Given that spam emails represent the most common attack vector, training users and raising their awareness can definitely reduce the number of successful ransomware attacks in the future. Moreover, adopting effective backup strategies can reduce the aftermath of successful attacks.
