Modern crimeware campaigns – two bytes of the cherry

Mark Tibbs | 5 July 2016

To a Columbian drug lord, the most valuable commodity is probably cocaine. To many financially motivated cybercriminals, the most valuable commodity is probably data. They want data that is fresh, good quality and easily monetized. But how do cyber data lords seek to maximize their returns? Attackers are increasingly turning to a more considered blend of threats that provide multiple revenue streams.

Malware that targets sensitive financial data has been around for some time and has netted operators some serious money. Dridex operators were assessed to have been responsible for $100m in losses in October 2015 and the malware has continued to be used in attacks against online banking customers.

Slightly later to the party was ransomware – programs that seek to deny access to users’ files unless they pay a fee for unlocking them. Losses to US victims from ransomware were reported to be $1.6m, although it’s likely this hugely underestimates the full impact due to underreporting. While individual’s family photographs and address books were originally targeted, the bad guys soon realized there were bigger fish to fry; hospitals, local councils, small businesses and enterprises all became viable targets. With the increased prevalence of ransomware attacks, we have also seen wider and more distribution vectors – spam emails, downloaders, exploit kits and even targeted network intrusions to deploy these nasty programs.

Cybercriminals, as we know, can be quite ingenious. One of their most impressive aspects is their ability to innovate, to come up with new ideas, to discover new revenue streams and exploit new niches. Malware is no exception to this. In 2014, a banking Trojan called GameOver Zeus rose in infamy. It was reported that, if the malware could not locate any financial information on a computer, some strains of the malware would install Cryptolocker. Where the attackers could not find value in the data to commit fraud, they would turn to extortion. This kind of reuse of “waste product” demonstrates the sheer determination of the attackers to squeeze any possible profit from their victims.

But GameOver Zeus was just the start. Since 2014, we have observed other malware campaigns seeking to apply this dual revenue stream approach. For example, a recent ransomware variant dubbed “RAA” was identified being delivered with the Pony credential-harvesting malware. Other ransomware variants, such as CryptXXX and “Crysis”, reportedly possessed credential-stealing capabilities. The discoveries of malware like these are becoming more frequent and, if we know anything about cybercriminals, we know that if it makes money, it will continue.

decryption service 

Figure 1 - payment site for CryptXXX ransomware

 

Dual revenue attacks have become more common, allowing innovative cybercriminals two bites at the cherry. By developing greater awareness of the development of these ransomware variants and their delivery methods, you can reduce your uncertainty. Download our whitepaper, Ransomware and Other Extortion, to learn more about these variants and the best practices for preparing for and mitigating their effects.