Not all gangs are run like a business.
N2K, Dec 6, 2022

Some cybercriminals have been observed becoming increasingly professionalized and organized in their activity. Others have not. Here, we discuss adversary activity that is more disorganized in nature.

Not all gangs are run like a business.

Yesterday, the CyberWire discussed recent developments in ransomware, highlighting the increasing professionalization of ransomware gangs. Not all threat actors are moving toward businesslike operations, however; some remain disorganized, and poor quality control causes the hoods as many problems as it would a legitimate business.

KmsdBot’s downfall: a typo.

Cryptomining botnet KmsdBot, which could also be used for DDoS attacks, has been described as a “complex malware with no easy fix,” according to Ars Technica. Akamai researchers, however, observed the botnet's operator accidentally send a malformed command: the space between the target IP address and the port was omitted, and the bot crashed with a panic that read “index out of range.” Because the bot installs no persistence mechanism, the crash is terminal. Ars Technica says, “Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions.” Akamai principal security intelligence response engineer Larry Cashdollar says that almost all of the KmsdBot activity being tracked by the company has stopped. Akamai describes the situation as "a strong example of the fickle nature of technology."
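The class of bug is worth seeing in code. Akamai's analysis describes KmsdBot as written in Go, and “index out of range” is the Go runtime's panic message for indexing a slice past its length. The example below is added here for illustration and is not KmsdBot's code: the command format (`attack <ip> <port>`), the `Target` type and the function names are assumptions. `parseNaive` splits a command on whitespace and indexes the pieces without checking how many there are, so a command missing the space between IP and port has one field too few and the process panics; `parseChecked` is the same parser with the length check the operator's bot evidently lacked. `handle` uses `recover` only so the crash can be observed in a test; a bot without that guard and without persistence simply exits and stays down.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Target is the parsed destination of a hypothetical "attack <ip> <port>"
// command (an assumed command format, not KmsdBot's real protocol).
type Target struct {
	IP   string
	Port int
}

// parseNaive reproduces the bug class: it splits the command on whitespace
// and indexes the fields without checking how many there are.
// "attack 203.0.113.5 80" yields three fields and works; the typo
// "attack 203.0.113.580" (space omitted) yields only two, so parts[2]
// panics with "index out of range [2] with length 2".
func parseNaive(cmd string) Target {
	parts := strings.Fields(cmd)
	port, _ := strconv.Atoi(parts[2]) // no bounds check: panics on short input
	return Target{IP: parts[1], Port: port}
}

// parseChecked is the guarded version: it validates the field count and the
// port range before touching anything and returns an error instead of panicking.
func parseChecked(cmd string) (Target, error) {
	parts := strings.Fields(cmd)
	if len(parts) != 3 || parts[0] != "attack" {
		return Target{}, fmt.Errorf("malformed command %q: want \"attack <ip> <port>\"", cmd)
	}
	port, err := strconv.Atoi(parts[2])
	if err != nil || port < 1 || port > 65535 {
		return Target{}, fmt.Errorf("bad port %q in %q", parts[2], cmd)
	}
	return Target{IP: parts[1], Port: port}, nil
}

// handle runs the naive parser and reports whether it panicked. The recover
// exists only so the crash can be observed; without it (and without a
// persistence mechanism to restart the process) one bad command ends the bot.
func handle(cmd string) (t Target, crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	return parseNaive(cmd), false
}

func main() {
	// Constructed sample commands: one well-formed, one with the missing space.
	for _, cmd := range []string{"attack 203.0.113.5 80", "attack 203.0.113.580"} {
		t, crashed := handle(cmd)
		fmt.Printf("naive   %-24q -> %+v crashed=%v\n", cmd, t, crashed)
		t2, err := parseChecked(cmd)
		fmt.Printf("checked %-24q -> %+v err=%v\n", cmd, t2, err)
	}
}
```

Running it shows the well-formed command parsing identically under both functions, while the malformed one crashes the naive parser and is rejected with an error by the checked one. The defender's takeaway matches Akamai's: a bot that neither validates operator input nor re-establishes itself after a crash is one typo away from going quiet.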

Accidental wiper malware, born from ransomware.

A sample of the open-source ransomware toolkit Cryptonite has been found to act as a wiper, Fortinet reports. The sample never presents the decryption window, so victims are left with encrypted files and no path to recovery. The researchers believe this was unintentional:

“[T]he ransomware was not intentionally turned into a wiper. Instead, the lack of quality assurance led to a sample that did not work correctly. The problem with this flaw is that due to the design simplicity of the ransomware, if the program crashes—or is even closed—there is no way to recover the encrypted files.

“This sample demonstrates how a ransomware's weak architecture and programming can quickly turn it into a wiper that does not allow data recovery. Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems. On the positive side, however, this simplicity, combined with a lack of self-protection features, allows every anti-virus program to easily spot this malware.”

Thus, a wiper in spite of itself, and another reason not to pay the ransom: the extortionists may not be able to give the files back even if they want to.