At a glance.
- Ransomware actors are double-encrypting data.
- DarkSide ransomware operators have received $90 million.
- Releasing exploits before patches gives attackers an advantage.
Ransomware actors are double-encrypting data.
Emsisoft warns that some ransomware actors are now "using multiple strains of ransomware to double-encrypt data, in order to further complicate the recovery process and increase their chances of a payout."
"No longer content with double extortion, some affiliates are now choosing to double encrypt data: in other words, deploy more than one type of ransomware on the same network. For example, we have seen cases of affiliates encrypting data using both REvil and Netwalker, and other cases where MedusaLocker and GlobeImposter have been used in tandem. In some cases, to prove that double encrypted files can be recovered when the demand is paid, affiliates have provided sample decrypted files via one group’s web portal when the encrypted files had been submitted to them via another group’s web portal. Obviously, the affiliates in these cases had a working relationship with both groups – something which is not at all uncommon and was previously discussed by Chainalysis."
The researchers say that the criminals are either encrypting the same data twice with separate strains of ransomware, or encrypting different parts of the network with different strains. Emsisoft offers several possible motivations. Layering two strains reduces the likelihood that the victim can recover on their own, since obtaining or buying a single decryptor only strips one layer. It also potentially doubles the payout, if the victim decides to pay the second ransom as well. And the tactic could let the affiliates compare the effectiveness of different strains through something like A/B testing.
DarkSide ransomware operators have received $90 million.
Researchers at blockchain analysis company Elliptic say that the DarkSide ransomware-as-a-service offering has raked in a total of $90 million worth of Bitcoin from 47 victims. DarkSide is most notable for its recent attack on Colonial Pipeline in the US. Elliptic says the proprietors of the malware have made $15.5 million, while their affiliates have received $74.7 million:
"Any ransom payment made by a victim is then split between the affiliate and the developer. In the case of DarkSide, the developer reportedly takes 25% for ransoms less than $500,000, but this decreases to 10% for ransoms greater than $5 million. This split of the ransom payment is very clear to see on the blockchain, with the different shares going to separate Bitcoin wallets controlled by the affiliate and developer. In total, the DarkSide developer has received bitcoins worth $15.5 million (17%), with the remaining $74.7 million (83%) going to the various affiliates."
Intel 471 reports that DarkSide's proprietors announced on May 13th that they were shutting down their operations, stating that some of their infrastructure and cryptocurrency had been seized by law enforcement. The researchers suspect that the criminals are more likely trying to lie low after the Colonial Pipeline attack, and that they may get back into the game under new names:
"Intel 471 believes that all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week. However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants."
And Fortinet has an overview of another DarkSide variant (one that wasn't used against Colonial) that uses new techniques to find hidden partitions containing backup files. The researchers conclude, "Due to the sophistication of its attacks and code, it is also unlikely the mastermind of one person. The level of detail, effort, planning and time that the group has undertaken, not only creating the ransomware itself, but taking the time to note what data was stolen, the amount of data, what it contained (as well as how much data in GB), and the [effort] taken to organize and shame victims all highlight that this is the work of an organization with considerable resources and time."
Releasing exploits before patches gives attackers an advantage.
Kenna Security has published research suggesting that publishing exploits before patches are released puts defenders at a significant disadvantage:
"The research found that when exploit code precedes a patch, attackers gain a 98-day advantage over defenders - that is, attackers deploy the exploit against more assets than defenders can mitigate for more than three months. The release of exploit code also drives a massive volume of exploits. Just 1.3 percent of vulnerabilities have been exploited in the wild AND have publicly available exploit code. But vulnerabilities that fall into that tiny category are exploited, on average, 15 times more frequently than those that don’t, and they are used against six times as many companies."