Threats 101
Ryan Berg
Sep 2016

Multi-stage Ransomware Attacks: A Barkly Malware Research Chat

In this week’s chat, the malware research team looks at the emergence of multi-stage ransomware attacks that seek to steal information in addition to simply encrypting it.

The Team:

  • ryan (Chief Scientist)
  • jack (Co-Founder and Chief Technology Officer) 
  • rick (Principal Malware Researcher)
  • matt (Malware Research Co-Op)


What are multi-stage ransomware attacks and why are we seeing more of them?

ryan: It’s been awhile since we have had one of our fireside chats. Of course, lots has changed. And then again, not much has. Ransomware is still the big problem that isn’t going away anytime soon. But one thing that has changed is now we’re seeing ransomware becoming a one-size-fits-all combo tool with a little bit of everything thrown in.

Let's start by talking about what we're referring to when we say multi-stage or combo attacks, specially ones that leverage ransonware as a primary vehicle.

Example of a Multi-Stage Ransomware Attack

Step 1: User gets infected by opening a Word doc attachment in a phishing email. 

Step 2: In the first stage of the attack, a downloaded credential stealer like Pony grabs the user's passwords and other sensitive information and sends them back to the malware author. 

Step 3: The user's email password grants access to their email account and address book, which also gets sent back to the malware author.

Step 4: In the second stage of the attack, the ransomware payload is executed, encrypting the user's files and demanding payment in exchange for the decryption key.

Step 5: The malware author may or may not collect a ransom payment, but at the very least they have passwords and a contacts list they can either sell or utilize in subsequent campaigns. 

Basically, there are some variants of ransomware that are being packaged with other forms of malware in addition to their ransomware selves. For example, some versions of the ransomware RAA have also been seen dropping Pony (a credential stealer) in addition to its ransomware package. 

What that means for victims is that in addition to having your files encypted, you also have your information stolen and sent back to the attacker who launched the malware. That can include passwords, so not only do the criminals get Bitcoin, they also get access to all your accounts. 

ryan: Pony is also a full fledged downloader, so not only will it try and steal credentials, it also has the ability to remotely download more stuff. It's the kind of gift that keeps on giving.

So why are we seeing these multi-stage ransomware packages now? Is it just the natural next step in ransomware evolution, or are there specific factors driving the change?

rick: As we’ve seen, ransomware authors have a really low hit rate on who actually pays up (in the recent survey we ran with IT pros, only 5% of victims paid the ransom). 

So it would make sense that malware authors are finding more creative avenues to extract value from targets, regardless of whether they choose to pay the ransom or not. CryptXXX is another example of ransomware that's evolved to also steal passwords, which they can either try to sell or use directly.

Ex: Once malware has access to your email account it's common for it to steal your address book. In addition to your individual password, criminals can also either sell that or use it to send out more phishing emails with ransomware payloads to your contacts. 

ryan: It often does come down to economics. I mean, if you get someone to actually click your link or open your attachment it then really does become all about maximizing the earning potential of your now-claimed asset, right?


To encrypt then steal, or steal then encrypt?


"Attackers are conciously trying to get value before asking for the ransom."

jack: Heimdal did some interesting research showing a campaign that used Pony first (to harvest passwords), then infected users with CryptoWall by pushing them to a variety of Angler infection sites, afterwards. The attackers are conciously trying to get value before asking for the ransom. That way, even if the victims were able to recover from CryptoWall they would still be infected with the other payloads.

Diversify, diversify, diversify, I guess.

rick: Totally! Another interesting trend I’ve seen is how some ransomware will actually encrypt unmapped network sharesImagine going to Starbucks with your laptop sharing your mp3 collection. Someone next to you gets hit with Locky, now your mp3 files are encrypted.

There's also the case of "Shade" — malware that checks to see if you're involved with accounting or banking before it tries encrypting your files. If you are, it drops remote control tools, instead.

matt: What’s interesting about this trend, however, is that ransomware alerts the user/IT that the machine is compromised. Once that happens, there is a good chance the machine will be restored from a prior backup without the downloader, credential stealer, banking malware, etc. (assuming they don’t just pay the ransom, of course).

The Heimdal example and Shade make sense. “Hey, look at this, I’m in a bank. I can do way more damage with a remote access trojan than with ransomware. I shouldn’t alert the user I compromised them."

rick: Right. Being silent does have it’s advantages. Stealing credentials on a system you’ve compromised, on the other hand, is more likely to cause the user to change their credentials, making the ones you stole worthless. Silently stealing them doesn't raise the alarm. 

matt: It seems like the best thing to do would be to launch the ransomware as a second stage after a certain amount of time. That way you can attempt to steal as many credentials, etc. as possible, before the machine gets wiped or restored once the ransomware launches.


Are multi-stage attacks the next step in ransomware evolution?


"The recent economics of malware have shifted towards ransomware, but it makes sense for malware authors to leverage other techniques to squeeze as much as possible out of their victims. Clickfraud, spamming, DDoS bot, credential theft, you name it."

ryan: This all makes me wonder — is this the new botnet? Establish a foothold and sell the access? Or is this the same threat actor just making as much of a land grab as possible?

rick: Different example, but it’s widely believed the same people behind Dridex are also behind Locky. Dridex is a credential stealer. Locky is ransomware. There’s some clear value in combining both sets of functionality.

ryan: But is it really that ransomware authors are conciously including Pony or is it a resurgence of Pony downloading ransomware? Or is it something in between?

(Sidenote: It certainly seems like everything that was old is new again. Pony is several years old — you would think this wouldn’t still be an issue.)

To put it another way: Is this really an evolution of ransomware or is this just another form of distribution where more middle men are getting into the game?

rick: Well, in some cases we're seeing ransomware evolving to do new things. In other cases, we see them just bring a group of old friends with them.

Recently we were playing around with the Nemucod downloader. We ran it a few times and every time we ran it, we received a different payload.

Running it on one machine yielded Locky, which proceeded to encrypt our filesystem.

Running it again yielded a spam bot that proceeded to send pharmacutical advertisement emails all over the place. 

The recent economics of malware have shifted towards ransomware, but it makes sense for malware authors to leverage other techniques to squeeze as much as possible out of their victims. Clickfraud, spamming, DDoS bot, credential theft, you name it.

Distributing malware isn’t free. Just like their legitimate software counterparts, malware authors need to find ways to maximize their revenue potential. 


Competition is driving ransomware changes


"Ransomware authors are becoming more brazen..."

 And just like their legitimate software counterparts, malware authors also have competitors to deal with. A
dding features is one way to differentiate yourself from the competition (at least until the competition gets caught).

matt: Right. If you’re the author of ransomware, advertising that your ransomware also steals credentials or drops a downloader, etc. is a good way to get more customers.

rick: Speaking of, ransomware authors are becoming more brazen about advertising their services, as well. In the recent case of Mischa, the ransomware authors freely advertised their new RAAS service. 

ryan: Ah, great. Ransomware as a multilevel marketing scheme — is that next?

rick: They even took it a step further and threw their Chimera ransomware counterparts under the bus by releasing some of the keys the ransomware used. 

ryan: Disparage and profit. One thing adding features and functionality to ransomware indicates is that, on the whole, detection of ransomware still isn’t all that great. If you're a criminal you're going to ride that pony before its legs get tired.

The fact that it's 2016 and ransomware is including Pony from several years ago — that's a scarlet letter. As an industry, we need to do better. That's certainly something that motivates me every day.

rick: Shameless vendor plug: Since Barkly stops malware at the first indication of malicious behavior, we render multi-stage attacks moot. Case in point, when we recently stopped macro-based malware Hancitor from launching an attack on one of our customer's machines we prevented it from downloading additional payloads. 

Other researchers had seen Hancitor dropping Pony and Vawtrack (another credential stealer), but we stopped it before it could even get those involved. 

ryan: Alright, it's been another great chat, but we need to get back to work. Until next time, Barkly out.

Note: As always, we take requests! If you have a topic you want to see us cover let us know in the comments below.


Catch Up with Our Previous Malware Chats

Ryan Berg

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.