The most prolific ransomware strain these days is Troldesh, aka Crysis, which claims hundreds of sub-variants, according to analysis from Bitdefender.
In its latest report, based on trends in its global network of more than 500 million sensors and honeypots, Bitdefender found that during 2017 alone, the number of new major ransomware families surpassed 160, with dozens or even hundreds of variations per family.
GlobeImposter, another extremely prolific ransomware family, competes head-to-head with Troldesh in the number of released sub-variants.
“The commercial malware ecosystem is intensely focused on developing and planting ransomware,” Bitdefender said. “Our stats show that one in six spam email messages comes bundled with some form of ransomware (link to drive-by download sites, attachments rigged with ransomware or even JavaScript/VBS downloaders for ransomware).”
Ransomware specifically aimed at companies has also emerged.
“Since the re-emergence this March of the Troldesh ransomware family, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers,” the report noted. “Ransomware like Troldesh and GlobeImposter have lateral movement tools (such as Mimikatz) to infect the organization and log clean-up mechanisms to cover their tracks.”
There’s also a new wrinkle in the threat landscape: in the past few months, traditional threats, such as generic trojans, ransomware and spambots, have been joined on a massive scale by data destructors. According to Bitdefender, this amounts to a “dramatic reshaping” of the scene.
The firm noted that much of this shift has been powered by military-grade code allegedly leaked from the NSA.
“Both WannaCry and GoldenEye wrought havoc throughout Q2 and Q3, shutting down businesses and causing unprecedented operating losses,” the report noted. “Novel lateral movement vectors have complemented zero-day exploits such as EternalBlue and EternalRomance to take over the enterprise space. Other significant trends in 2017 are the increased focus on freeware or open-source tools, stitched together by custom-built code to weaponize them to support the attacker’s agenda.”
Meanwhile, the firm’s APT and targeted attack investigations in 2017 revealed that free tools such as password recovery utilities from Nirsoft and legitimate encryption utilities such as DiskCryptor are making detection and remediation increasingly difficult.
“These targeted attacks are reshaping the corporate and government security landscape, and causing fallout in the consumer space, as commercial cybercriminals rush to adopt leaked exploits and advanced lateral movement technologies into their own payloads,” Bitdefender said.
Another spectacular development in the 2017 threat landscape is the re-emergence of Qbot (also known as Brresmon or Emotet), a multi-purpose, network-aware worm with backdoor capabilities that has been around for years. It has re-emerged with a significantly redesigned command and control infrastructure and, more importantly, with a cloud-based polymorphic engine that allows it to take a virtually unlimited number of forms to avoid AV detection.
And finally, crypto-currency miners have taken multiple shapes and approaches in 2017. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, to infect computers in organizations and increase mining efforts. Bitdefender pointed out that representative of this category is the Monero miner Adylkuzz, which appeared in early May, roughly at the same time as WannaCry. Another notable development is attackers’ move to integrate mining code in compromised web sites to reach a broader audience and increase the mining yield.