Over the last few weeks, Darktrace has confidently identified traces of the resurgence of a stealthy attack targeting Latin American companies. This targeted campaign was first observed between March and June this year. Arbor Networks initially labelled the malware used in the campaign ‘Matrix Banker’. The name used by Proofpoint is ‘Win32/RediModiUpd’. The malware used by the attackers appeared to be still under development when the last report came out in June 2017.
Darktrace has observed an attack wave targeting Mexican companies in August and September 2017. Some of the TTPs (tactics, techniques and procedures) observed bear close resemblance to those seen in the ‘Matrix Banker’ attacks earlier this year. The campaign is crafted to be particularly stealthy and to blend into certain networks in Latin America, confirming the suspicion of its targeted nature. Darktrace’s machine learning and AI algorithms were able to identify the infected devices almost instantaneously, despite apparent efforts by the malware author to be covert and stealthy.
Between August and October 2017, Darktrace detected highly anomalous behavior on five seemingly unrelated networks in Mexico. Unlike the original strain of this attack, which was believed to target financial institutions almost exclusively, this latest variant affected customers across a number of industry verticals, suggesting that the threat actors are diversifying their targets. Darktrace has seen the attack hit companies in the healthcare, telecommunications, food and retail sectors.
Over 200,000 organisations and private individuals were victims of Friday’s global cyber-attack. This number is likely to increase over the coming weeks, as copy-cat criminals develop variants of the same ransomware and new methods of delivering similar attacks.
Some background on the WannaCry campaign
The WannaCry outbreak does not appear to have targeted specific countries or industries. Instead, it targeted outdated computer systems, using exploits leaked earlier this year to infect devices and drop the initial ransomware file. Once inside a network, WannaCry will attempt to locate other vulnerable computers by conducting internal and external SMB scanning. Having established itself, the malware encrypts files and demands a ransom of around $300 to unlock them, payable in Bitcoin. However, dealing with criminals means that there is no guarantee of the files being released if that money is paid out. Strong security measures and effective response mechanisms are the only reliable ways to prevent extensive damage.
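The internal and external SMB scanning described above is the kind of behaviour a network monitor can pick out without any signature for the malware itself: one host suddenly opening TCP/445 connections to many distinct addresses in a short window. The following is an added illustration, not Darktrace's code or any part of its product; it runs a simple sliding-window detector over a constructed connection log (timestamp, source, destination, destination port) and reports, per source, how many distinct SMB targets it touched and how many of those were internal (RFC 1918) versus external. The log lines, hosts and thresholds are all made up for the example.

```python
"""Flag hosts that sweep TCP/445 across many destinations in a short window.

Added example (not Darktrace code). Input is a constructed connection log with
one line per connection: "<ISO timestamp> <src ip> <dst ip> <dst port>".
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORT = 445
# Assumed definition of "internal": the RFC 1918 private ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse "ts src dst dport" lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)})
    return events


def find_smb_scanners(events: list, window_seconds: int = 60, threshold: int = 10) -> dict:
    """Return {src: {distinct_targets, internal, external}} for sources whose peak
    number of distinct port-445 destinations inside any window reaches threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == SMB_PORT:
            by_src[e["src"]].append(e)

    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()          # events currently inside the sliding window
        seen = Counter()          # distinct destinations in the window, with counts
        peak, peak_dsts = 0, set()
        for e in evs:
            window.append(e)
            seen[e["dst"]] += 1
            # Expire events older than the window relative to the newest event.
            while e["ts"] - window[0]["ts"] > timedelta(seconds=window_seconds):
                old = window.popleft()
                seen[old["dst"]] -= 1
                if seen[old["dst"]] == 0:
                    del seen[old["dst"]]
            if len(seen) > peak:
                peak, peak_dsts = len(seen), set(seen)
        if peak >= threshold:
            internal = sum(1 for d in peak_dsts if is_internal(d))
            scanners[src] = {"distinct_targets": peak, "internal": internal, "external": peak - internal}
    return scanners


def constructed_log() -> str:
    """Constructed sample traffic (not a real capture): one ordinary file-server
    user and one host that sweeps its subnet and a few external addresses on 445."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.1.50: a couple of servers, minutes apart, which is normal SMB use.
    for minutes, dst in ((0, "10.0.1.5"), (5, "10.0.1.5"), (10, "10.0.1.5"), (12, "10.0.1.7")):
        lines.append(f"{(base + timedelta(minutes=minutes)).isoformat()} 10.0.1.50 {dst} 445")
    # 10.0.1.23: twelve internal hosts then three external ones within 15 seconds.
    scan_start = base + timedelta(minutes=30)
    targets = [f"10.0.1.{i}" for i in range(1, 13)] + ["203.0.113.10", "203.0.113.11", "198.51.100.5"]
    for i, dst in enumerate(targets):
        lines.append(f"{(scan_start + timedelta(seconds=i)).isoformat()} 10.0.1.23 {dst} 445")
    # An unrelated HTTPS connection from the same host; not port 445, so ignored.
    lines.append(f"{(scan_start + timedelta(minutes=1)).isoformat()} 10.0.1.23 10.0.1.5 443")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in find_smb_scanners(parse_log(constructed_log())).items():
        print(f"{src}: {info['distinct_targets']} distinct SMB targets "
              f"({info['internal']} internal, {info['external']} external)")
```

The legitimate user never exceeds one distinct destination per minute, so it stays below the threshold, while the sweeping host is reported with its internal/external split. In practice the window and threshold would be tuned per network, and a baseline of each host's usual SMB peers (rather than a fixed count) is what separates a file server's busy morning from lateral movement.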
In 2016 alone, cyber-criminals launched 638 million ransomware attacks. That’s 20 ransomware attempts every second.
The cyber security industry has tried to stem the tide by stopping ransomware at the network border, which can help detect some known ransomware threats. The problem is that ransomware is constantly evolving and mutating, with new strains popping up every day.
At Darktrace, our technology detects ransomware without prior knowledge, a vital capability since no matter how strong the network border is, these types of threats inevitably find a way inside. Let’s take a look at how Darktrace’s unsupervised machine learning detected and responded to a real ransomware attack at a large financial services organization. As with most ransomware, it all started with a phishing email.
Ransomware attacks are both indiscriminate and effective. They target everyone from Wall Street corporations to small-town hospitals; from CEOs to union leaders. In 2016 alone, ransomware attacks spiked by 6,000 percent, raking in over $1 billion from unsuspecting victims. For attackers, ransomware is as tried-and-true as they come.
But as the threat landscape continues to grow and evolve, so too does ransomware. Attackers have started to realize that targeting trust can be just as lucrative as targeting data. Reputation has become one of a company’s most valuable assets and is now under assault.
Traditional ransomware can often be dealt with behind the scenes. Whether the organization mitigates the ransomware on their own, recovers the files through a backup system, or even if they pay the ransom, the situation can be resolved without involving customers or press.
But the newest strain of ransomware – dubbed ‘Doxware’ – is not so discreet. Doxware packages a company’s data and threatens to release it to the public. This might include confidential documents like patient records and proprietary blueprints, or personal information like passwords and credit card numbers – the more sensitive the better.
Imagine a middle-aged middle manager at a multinational corporation. Joe is the kind of employee who’s always done just enough to get by, cutting corners when he can and flying under the radar. One day, Joe’s boss decides that enough is enough. She fires Joe.
Furious, Joe storms back to his desk to pack up his belongings. Halfway through cleaning out his filing cabinet, he remembers that he doesn’t have to go quietly into the night. He still has administrative access to edit the company website, he has valuable client information, and he’s on an email thread with compromising photos of his boss at the last holiday party.
Disgruntled employees like Joe may be in the minority, but their potential to do serious damage can’t be ignored. Posting those photos of his boss on the company website would be trivial, causing embarrassment at best and impacting financial performance and market confidence at worst. Another option at Joe’s disposal would be to make some money out of his trauma by selling client intelligence to a competitor.