Skip to content

Key Takeaways from VirusTotal’s Ransomware Activity Report with Actionable Suggestions!

VirusTotal, the cybersecurity arm of Google, released a comprehensive report on Ransomware activity. The report collected and analyzed 80 million potential ransomware-related samples submitted over the last year and a half from 140 different countries. With ransomware attackers threatening to publicize a company’s business secrets, patents, and IP rights, the stakes are rising. This report’s visibility on how ransomware attacks spread and evolve will be vital to building our cyber defenses. As such, let’s take a look at a few key takeaways from VirusTotal’s Ransomware Activity Report and what they mean to your business.

Challenges, Actions, and Key Takeaways from VirusTotal’s Ransomware Activity Report

The reports relied on crowd-sourced, vendor-independent data to give a comprehensive perspective on how various Ransomware attacks spread and evolved. Below we have mentioned three challenges from the report and a few possible plans of action.

Challenge 1:

Cyclical Nature

The study identified about 130 ransomware families, and the activity of each ransomware family occurs in cycles. Due to this, there seems to spike in overall ransomware activity when a new family of RaaS turns out to be effective. For example, the Gandcrab ransomware family was the most prevalent, with about 78.5% ransomware varieties, in Q1 of 2020. A sharp decline followed it.

That being said, there is also linear and constant activity by about 100 RaaS families as well. These Ransomware keep re-inventing the vectors they use to deliver the malware program, making them harder to detect.

Our team thinks there are two main reasons for this:

  1. Once Ransomware becomes effective, either the group behind the Ransomware is compromised, or the Remote Access Trojans or RATs (which are the reason for exfiltration of the data before the actual encryption happened) are detected using the Manage Detect and Respond (MDR) and User Behaviour (UBA) / Process behavior (PBA) tools. Both will lead to the decreased activity of that RaaS group.
  2. Ransomware was created to exploit one or more vulnerabilities in a given system. Once a security patch fixes those vulnerabilities, the activity slows down (potentially until another vulnerability or a new Zero-Day Vulnerability is found).

Possible Actions

The cyber team or Managed Security Service Provider (MSSP) should be vigilant in spotting or becoming aware of the trends in ransomware cycles. The Manage, Detect, and Respond tools should be updated regularly, keeping in mind newer generations of Ransomware. The more informed and aware the team is, the better the chance to prevent attacks. For example, MDR tools have a Yet Another Recursive/Ridiculous Acronym (YARA) tool that identifies and classifies malware samples. The YARA tools should be updated immediately whenever such threats are found.

Also, the IT department should monitor and prioritize security updates, especially those that fix Microsoft’s privilege escalations vulnerabilities. These are vulnerabilities that give a local system administrator privileges to make registry-level changes to a system.

Challenge 2:

Ransomware Distribution and Remote Access Trojans (RATs)

The report also states that attackers don’t just rely on one method to launch their piece of malicious software. Their vector arsenal includes, but is not limited to, well-known botnet malware and other RATs.

Understanding RATs

Remote access Trojan (RAT), to put it simply, is a vector program that delivers the Ransomware for infection. The following are a few traits inherent to RATs:

  1. A RAT creates a back door for administrative control over the target computer, i.e., it exploits the OS / installed application vulnerabilities such that it receives administrative privileges.
  2. RAT downloads are usually invisible to the users and happen with user-requested software. Drive-by downloads occur when a user unknowingly visits an infected website or sends an email attachment in a phishing attempt.
  3. RATs are hard to detect with simple anti-virus programs and need intrusion detection systems for identification. Additionally, RATs, when targeted at a corporate network, do not infect the initial host computer. Ransomware uses RAT’s administrative privileges to spread among other systems in a network.

 Possible Actions

MDR tools should be constantly updated to detect all well-known distribution malware, RATs, and other botnets. Intrusion detection tools should strengthen internal monitoring. They must look for indicators of RAT ingression, including the following:

  1. Detecting lateral movements (techniques that provide remote access and control of systems on a network to an attacker); and
  2. Looking for the presence of scripting languages that can make registry level changes in a windows system.

Challenge 3:

Infection Spread

Once ingression happens, Ransomware primarily uses various privilege escalation and lateral movement techniques to spread across the network to various systems. Remote Server Administration Tools are commonly used by IT teams to fix IT issues in employee systems remotely. These tools remotely give IT teams administrative privileges for a system. This facility saves time and resources for an organization and allows Manage Service Providers (MSPs) to manage software resources remotely. However, the malware infection programs exploit this facility to gain and offer administrative privileges to the attackers. It enables attackers to identify critical assets and data using lateral movement.

Possible Actions

The IT team should limit third-party Remote Server Administration Tools that may leave a system vulnerable.

In the long run, moving the current infrastructure to Zero Trust security architecture will address this challenge. As the name suggests, Zero Trust does not give access to any entity (user, system, or software) even if it is from the same network. The system provides access only after identifying and authenticating the entity.

Conclusion

The VirusTotal’s Ransomware Activity Report shares several actionable insights, especially if you use the Windows operating system (about 75% of users worldwide). Many show that businesses need to have a well-informed, proactive, and experienced security team or MSSP with threat detection and validation capabilities. An IT team or a standard MSP does not typically have these capabilities.

The report also reveals the limitations of standard tools to detect and prevent a cyberattack. It is clear that having a proactive approach to prevent cyberattacks goes a long way in defending your network. Book a free demonstration of Alliant Cybersecurity’s Blue Sentinel platform that offers your dedicated SoC, MDR tools, intrusion-detection tools, and more.

A side note

The report also reveals some remarkable data on the geographical distribution of ransomware-related submissions (that indirectly shows the amount of Ransomware directed towards that particular nation). With nearly a 600 percent increase in the number of submissions compared to its baseline, Israel tops the list, followed by South Korea with around 180 percent submissions. It can be concluded that a country’s geopolitical presence has a lot to do with such attacks and that rival governments also weaponize cyber attacks. The world of Cybercrime runs far more profound than our general knowledge, hidden behind the screens.