Ransomware Variant Steals User Credentials

3 Mins read

Ransomware is now likely the most famous type of malware in existence. A series of high-profile attacks, including the 2017 WannaCry epidemic and recent ones against cities, have made it a very visible threat in the public eye.

Traditional ransomware variants are designed solely to make money by denying people access to their files. By encrypting user data, they can demand a ransom in exchange for the secret key needed to regain access to this data. However, ransomware has evolved to include new capabilities. One new capability that has appeared recently is the ability to steal credentials from compromised machines. Now, a strong data backup solution is no longer enough to mitigate the effects of ransomware.

Organizations must protect against potential incidents using stolen credentials by deploying Identity and Access Management (IAM) solutions.

Introduction to Ransomware

The theory behind ransomware is simple. People need to have access to their personal and business data in order to function in the modern world. By denying people access to this data, ransomware operators can potentially extract money from victims wanting to restore their data.

Technologically, ransomware is simple as well. Modern encryption algorithms are designed to transform data into gibberish in a way that cannot be reversed without access to the decryption key. Ransomware can use built-in encryption algorithms on victim computers to encrypt their files and only need to send a small amount of data (the decryption key) to their operator in order to deny victims access to their data in a reversible way.

The psychological impacts of ransomware (loss of access to important data) and its relative simplicity to create and operate making it a useful tool for modern cybercriminals. As a result, ransomware is one of the leading types of malware and drivers of cybercrime costs in recent years.

The Evolution of Ransomware

Ransomware has been around for over a decade. However, the recent ransomware craze was kicked off by the WannaCry outbreak of 2017, which took advantage of a recently leaked but widely unpatched NSA-developed vulnerability called EternalBlue to spread itself across the world.

The profit model of WannaCry focused on quantity over quality. The worming capabilities provided to it by EternalBlue ensured that WannaCry could infect a massive number of machines around the world. With such a large pool of victims to draw upon, WannaCry could demand a relatively small ransom amount from each person and still have the expectation of a large payoff. This small ransom demand also increased the probability that the victim would value the data higher than the ransom and pay the attacker.

However, this approach to ransomware has several issues. First, it relies upon the availability of a wide-reaching unpatched vulnerability like EternalBlue, which doesn’t come around every day. Second, ransomware payments are demanded in cryptocurrency like Bitcoin, meaning that cybercriminals often need to perform a lot of “customer service” explaining how cryptocurrency works to their victims in order to get their ransoms. Finally, these wide-scale attacks provide no guarantee that actually sensitive and valuable data will be encrypted.

For these reasons, recent ransomware attacks have evolved to a more targeted model. Instead of wide-scale attacks, ransomware operators choose a specific target, like the hundreds of cities, hospitals, and schools hit by ransomware in 2019. This more targeted technique enables the ransomware operator to personalize their attack (i.e. using a spear-phishing email) to increase the probability of infection and to demand a much higher ransom since they know that the target has the ability to pay it.

Ransomware Now Steals User Credentials

Some ransomware variants have also evolved to include additional capabilities beyond encrypting files and demanding payment. For FTCode, this new functionality includes credential theft. FTCode has been around since 2013, but it has recently made headlines due to new functionality unveiled in late 2019. In addition to encrypting user data, FTCode also steals user credentials from web browsers, including Chrome, Firefox, and Internet Explorer, and email clients, such as Mozilla Thunderbird and Microsoft Outlook. Once user credentials have been extracted from these programs, the malware sends them to its command and control (C2) server using an HTTP request, using Base64 encoding to make them more difficult to detect by network traffic analysis.

The potential impact of this new credential stealing functionality in ransomware is significant. Access to a user’s credentials enables access to online accounts and can enable data theft from organizations’ email and cloud-based resources. Access to user email accounts can also be used to increase the effectiveness of phishing and spear-phishing attacks as checking if an email is from a trusted sender is a major component of many organizations’ anti-phishing training.

Protecting Against Ransomware Attacks

Traditional ransomware attacks can significantly hurt an organization’s ability to operate and its bottom line. Even if an organization decides to pay the ransom in order to restore access to encrypted data, the process can be time-consuming and dramatically impact productivity. In many cases, the refusal to pay a ransom only increases the time and cost associated with remediation.

For this reason, detection and prevention of ransomware attacks early in the cycle is vital. By deploying file monitoring and behavioral detection solutions, an organization can detect and rapidly respond to indicators of ransomware-like activity, including bulk file access and encryption. However, this is no longer enough to protect against the potential impacts of a ransomware attack as an attacker may have access to stolen employee credentials. Reducing the risk associated with credential loss requires deploying IAM to strengthen user authentication and authorization protection across the organization.