In a detailed blog post about two ransomware families — Ragnar Locker, whom the company described as a veteran operation, and the more recent entrant Egregor — researchers Dmitry Bestuzhev and Fedor Sinitsyn said the data loss was not the main item either, with the publication of stolen data on the Internet being the culmination of an attack.
The duo said there were several main initial vectors: commercial VPN software, RDP-enabled machines which were exposed to the Internet, and also vulnerable router firmware.
"Sometimes ransomware threat actors may rely on traditional malware like botnet implants previously dropped by other cyber-criminal groups," Bestuzhev and Sinitsyn said.
They said Ragnar Locker was highly targeted, to the extent that each sample was tailored for the organisation that was being attacked.
Screenshot of the Wall of Shame where stolen data is exposed. Courtesy Kaspersky
The group had three .onion domains and one Internet domain, with the latter registered on 16 June; if victims refused to pay, then their stolen data was published on a so-called Wall of Shame section on the websites.
However, Ragnar Locker did not see itself as an extortionist. "Curiously, this group is positioning itself as a bug bounty hunting group," the researchers wrote.
"They claim the payment is their bounty for discovering vulnerabilities that were exploited and to provide decryption for the files and OpSec training for the victim; and, finally, for not publishing the stolen data.
"Of course, if the victim refuses to pay, the data goes public. Besides that, if the victim chats with the Ragnar Locker threat actor and fails to pay, then the chat is exposed along with the stolen data."
Bestuzhev and Sinitsyn provided a detailed breakdown of a sample of the Ragnar Locker malware that they had discovered, pointing out that it avoided infecting systems within certain locales – Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russian, Uzbekistan, Ukraine and Georgia.
On any systems outside these locales, the malware stopped certain services on a system that it had gained access to and then proceeded to do it job.
Example of a chat negotiating to pay the ransom. Courtesy Kaspersky
The Kaspersky duo said Egregor had been discovered only in September and its code had many similarities with another strain known as Sekhmet and also Maze, which recently shut down its operations.
Egregor had one .onion domain and two Internet domains, the two researchers said. The two surface Web domains appeared to be constantly under attack and hence the Egregor actors had a disclaimer posted on the main page of the .onion domain.
When Egregor gained access to a system, a check was done to see what languages had been installed. If any of Armenian (Armenia) Azerbaijani (Cyrillic, Azerbaijan), Azerbaijani (Latin, Azerbaijan), Belarusian (Belarus), Georgian (Georgia), Kazakh (Kazakhstan), Kyrgyz (Kyrgyzstan), Romanian (Moldova), Russian (Moldova), Russian (Russia), Tajik (Cyrillic, Tajikistan), Tatar (Russia)
Turkmen (Turkmenistan), Ukrainian (Ukraine) or Uzbek (Latin, Uzbekistan) were present, then the attack went no further.
If other languages were used on the system, then the process of halting running services, exfiltration of data and encryption proceeded.
"Unfortunately, Ransomware 2.0 is here to stay," Bestuzhev and Sinitsyn said. "When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the Internet and only then about decryption.
"Why is it so important for the victims that their data is not published? Because possible lawsuits and fines due to violations of regulations like HIPAA, PIC or GDPR can result in immense financial losses, reputational damage and potential bankruptcy.
"As long as companies see ransomware threat actors as typical malware threats, they will also fail. It is not about just endpoint protection; it is about red teaming, business analysts working with exfiltrated documents evaluating the ransom to pay. It is also about data theft, of course, and public shaming, leading to all sorts of problems in the end."