Criminal developers have created a new evil way to monetise their operations by adding a DDoS component to ransomware payloads.
The malicious new double-barrelled ransomware was discovered by security firm Invincea. Instead of 'just' encrypting data files on a workstation (plus any network drive it can find) and locking the machine, a new variant of the Cerber ransomware is now adding a DDoS bot that can quietly blast spoofed network traffic at various IPs.
This is the first time DDoS malware has been bundled within a ransomware infection. It means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim: two attacks for the price of one (and two ways cybercriminals can make money off victims).
Many people get infected with ransomware but some are able to restore from backup. By adding a DDoS bot to the ransomware payload, these cybercriminals create a two-for-one and can squeeze network traffic out of non-paying victims and use it as another criminal revenue stream.
'Adding DDoS capabilities to ransomware is one of those 'evil genius' ideas,' said Stu Sjouwerman, CEO of security awareness firm KnowBe4. 'Renting out DDoS botnets on the dark web is a very lucrative business, even if prices have gone down in recent years. It looks like this is the first case where a cybermafia has bundled ransomware with a DDoS bot, but you can expect it to become a fast-growing trend.'
The attackers use Visual Basic to launch a file-less attack which most antivirus products are completely unable to spot. Visual Basic is one of the most commonly used programming languages on the Windows platform, and Visual Basic files are often embedded in text documents to allow users to generate reports and conduct other legitimate business related tasks.
This same tactic, however, is also used by the black hats to craft weaponised documents that can drop and run malicious executables on the host. Scanners can often only pick it up when it's been dropped on the disk, by which time it's too late.
As Invincea explains in its blog post, the ransomware is executied first, which encrypts the user's data and then blocks their access to the computer by locking the screen. After this sequence, a second attack starts sending a large amount of network traffic out of the infected computer.
The attachment relies on social engineering the employee to activate the Macro feature in Office, which then executes a malicious VBScript that downloads and runs the malware.
KnowBe4 offers up some ways to address this kind of attack, in addition to weapons-grade backup, a complete wipe and re-imaging from bare metal should you be infected.
If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly, says the company.
Make sure your endpoints are patched 'religiously,' and ensure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers.
On the policy side, it's important to dentify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA), and review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud.
To combat the initial phishing attack that could result in an infection, deploy new-school security awareness training, which includes social engineering via multiple channels, not just email.
Since phishing has risen to become the number in malware infection vector, and attacks are getting through company filters too often, getting users effective security awareness training which includes frequent simulated phishing attacks is a must.