As Europol celebrated the fifth anniversary of its anti-ransomware initiative this week, menacing new ransomware threats made it clear that the fight against cyber threats is never-ending.
The EU law enforcement cooperation agency said its No More Ransom website has saved ransomware victims almost a billion Euros with free ransomware decryption tools.
Europol has launched a new, more user-friendly website. Site visitors are greeted with a simple yes/no question: “Need help unlocking your digital life without paying your attackers?” Users who click “Yes” are directed to Crypto Sheriff, a tool that matches available decryptors to the user’s encrypted files. The site also provides guidance on preventing ransomware attacks. The key advice, however, is straightforward: “Paying the ransom is never recommended.”
No More Ransom was founded in 2016 by the Dutch National Police, Europol, Intel Security and Kaspersky Lab. The project now boasts 16 associate partners, including Emsisoft, Trend Micro, Bitdefender, Avast, Bleeping Computer, Cisco, Check Point, Tesorion, McAfee, ESET, CERT_PL, Eleven Paths, KISA, the French Police, and F-Secure.
In total, 170 public and private sector partners have made 121 tools available for free on the site to decrypt 151 ransomware families. Over the past five years, according to Europol, those decryptors have enabled over six million people to recover their files, blocking criminals from earning as much as a billion euros.
“Digitalization … provides us with the space to store hundreds of thousands of different files: pictures of our kids and pets, electronic tickets, projects, important matrixes we have worked on for weeks, archives filled with decades of knowledge and memories,” Europol said in a statement. “Ransomware enables criminals to steal all this in an instant. That is why it is crucial to beware, be aware and protect your digital world.”
Despite Europol’s efforts, ransomware continues to thrive, with several new threats launching in the past few weeks alone.
Haron and Grief: Rebrands or Copycats?
Zscaler researchers recently examined the newly launched Grief malware, also known as Pay. Grief appears to be a rebranding of DoppelPaymer, which hasn’t targeted any new victims since early May. The first Grief sample, the researchers note, was found just 10 days after DoppelPaymer hit its last victim – and in that early sample, the Grief ransom note linked to the DoppelPaymer ransom portal.
The two threats share very similar malware code, and their leak sites are almost identical, though Grief demands ransom payment in Monero (XMR) instead of Bitcoin (BTC). “This switch in cryptocurrencies may be in response to the FBI recovering part of the Colonial Pipeline ransom payment,” the researchers suggest.
The researchers conclude that Grief appears to be the latest version of DoppelPaymer ransomware, with minor changes to the code. “The threat group has been very active since the release of Grief in the middle of May 2021,” they write. “However, they have been successful in maintaining a low profile so far.”
Separately, S2W Labs researchers published an analysis of the new Haron ransomware, which was first discovered earlier this month. Haron’s ransom note and negotiation site bear striking similarities to Avaddon ransomware, the key difference being that Haron requires an ID and password to log into the negotiation site.
Logos, icons and sample data of victims used by Avaddon appear on Haron’s server, and the last modified date of the files is the exact date (June 11) when Avaddon disappeared. To infect victims, Haron uses Thanos ransomware, a ransomware-as-a-service (RaaS) first launched in 2019.
Still, the researchers suggest Haron is more likely to be a copycat than a relaunch of Avaddon. “The Web interface of Haron’s leak site is almost identical to that of Avaddon ransomware, assuming that Haron mimicked Avaddon’s UI,” they write. “When ransomware gangs rebrand, they usually change many things such as the design of the leak site.”
Introducing BlackMatter
Researchers at Recorded Future’s threat research arm Inskit Group this week warned of a new RaaS, BlackMatter, which claims on its public blog to offer “the best features of DarkSide, REvil, and LockBit.”
Notably, the service promises not to attack hospitals, critical infrastructure (including nuclear power plants, power plants, or water treatment facilities), the oil and gas industry (pipelines or oil refineries), the defense industry, non-profit companies, or the government sector. “If your company is on that list, you can ask us for free decryption,” the hackers state. [Even with decryption tools, ransomware attacks can cause irreversible damage, McAfee researchers noted in a post on the Babuk ransomware gang this week.]
On the Exploit forum, BlackMatter is offering $3,000 to $100,000 for network access to companies in the U.S., U.K., Canada, or Australia with revenue of $100 million or more and 500 to 15,000 hosts. BlackMatter has a deposit of 4 BTC, currently valued at more than $150,000, on the forum.
Flashpoint analysts note that the timing of the BlackMatter announcement is striking, occurring two months after leading forums blocked the DarkSide ransomware group due to the Colonial Pipeline attack, and just days after the REvil ransomware gang shut down its blog following its attack on Kaseya.
Both REvil and BlackMatter, the analysts observe, use similar tactics and rules about targeting, and REvil’s Windows Registry key was previously labeled “BlackLivesMatter.” At the same time, the design of BlackMatter’s site is similar to DarkSide’s former site, and BlackMatter’s explicit promise not to target the oil and gas industry could reflect the fact that DarkSide’s demise followed the Colonial Pipeline attack.
Still, as Flashpoint observes, “two posts and a large escrow account do not make a ransomware group. It is possible that copycats are intentionally mimicking the behavior of REvil to gain immediate credibility for allegedly being the reincarnation of REvil.”
Lasting Damage from Attacks
Across every vertical, ransomware attacks continue to surge. Despite BlackMatter’s promises to the contrary, a recent Positive Technologies report found that the number of industrial malware attacks increased by 91 percent from 2019 to 2020, and in most cases, the attackers leveraged ransomware. Attacks against critical infrastructure led to power outages as well as attempts to disrupt water supply systems.
Medical institutions faced the most ransomware attacks in 2020, with some resulting in the disabling of medical systems and denial of emergency care to patients. The first known death of a patient linked to ransomware occurred in Germany in September 2020, when a woman had to be rerouted to a hospital more than 30 kilometers away after a closer hospital was disabled by a ransomware attack.
Regardless of the industry, ransomware attacks are often incapacitating. A recent Keeper Security survey of 2,000 U.S. employees found that 83 percent of companies performed major tech updates after an attack, and 71 percent said those updates made it harder to carry out daily tasks. Another 64 percent permanently lost login credentials or important documents following an attack.
And despite No More Ransom’s guidance, attackers are often successful in claiming a ransom. Forty-nine percent of companies targeted by a ransomware attack paid the ransom, and an additional 22 percent wouldn’t disclose whether or not they had done so. Ninety-three percent of organizations that paid ransoms had to tighten budgets as a result.
“Though highly controversial, paying the ransom is extremely common, and many of us can empathize with leadership teams who are doing their best to put out the fire,” Keeper Security CEO and co-founder Darren Guccione said in a statement. “But the aftereffects of this approach can be detrimental and long lasting.”
