What one ransomware-as-a-service (RaaS) can tell us about the increasingly commoditized state of malware.
Today marks the one-year anniversary of the NotPetya outbreak. Even more so than WannaCry (which hit just one month prior), it was a seminal event that signaled a major shift in attacks. Rather than relying on a heavy volume of spam email campaigns to indiscriminately infect otherwise unconnected individuals, NotPetya instead introduced a blueprint for infiltrating larger networks with malware designed to land and expand.
That shift in focus to lateral movement was possible thanks to the adoption of two self-spreading mechanisms in particular:
At the time, seeing these two mechanisms included in an attack was unprecedented, and the combination was unfortunately devastatingly effective in catching organizations unprepared. One year later, the damaging ripple effects of the attack are still being felt, particularly for companies like shipping giants FedEx and Maersk as they continue to pull themselves out of $400 million and $300 million holes, respectively.
But the real legacy of NotPetya extends far beyond the direct damage it caused. Both it and WannaCry are now considered sophisticated but isolated attacks, likely the work of shadowy nation-state-sponsored threat actors. Just one year later, however, attacks with similar capabilities are launched every day.
The key to the proliferation? Tools for creating and distributing malware like NotPetya and WannaCry have circulated downstream into the hands of common criminals, allowing them to launch their own attack campaigns regardless of technical skill or expertise.
Case in point: The Satan ransomware-as-a-service (RaaS) toolkit, which recently rebranded as "DBGer" and added a version of Mimikatz as one of its new "features." As a result, any would-be criminal can launch an attack that threatens to spread itself throughout compromised organizations just as NotPetya did.
In this post, we'll take a closer look at Satan (now DBGer) and explain how several key changes made to it in the past year are indicative of just how influential NotPetya's focus on lateral movement has been on the world of cyber crime and malware.
But before we dive in, a quick primer...
For those who haven't come across the term before or need a refresher, here's a quick primer on how ransomware-as-a-service works:
Satan ransomware was launched in January 2017. Visitors to the RaaS portal (accessible on the dark web) were invited to use the service to create their own custom ransomware "in less than a minute." Unlike other RaaS platforms that charged an initial access or registration fee, Satan was free to try, with the authors behind the ransomware collecting a 30% fee on any profits generated.
Customization options included the ability to set the ransom demand price and payment conditions, such as raising the price after a certain number of days pass without payment. The RaaS portal also provided code for creating PowerShell and Python scripts that encrypt ransomware samples and help them avoid detection.
Customers were walked through steps to help them create "droppers" like malicious Microsoft Word docs and other installers for use in distributing the ransomware. As part of its service, Satan handled the collection of the ransom and distribution of payments (via Bitcoin), as well as the decryption process for victims who paid up. It even provided an account dashboard that tracked the number of victims infected, the amount of ransom paid, and so on.
With its intuitive user interface, Satan stood out and quickly gained traction. But with more and more RaaS portals appearing, competition increased. At the same time, during the latter half of the year, the ransomware boom finally started to go bust. Awareness of the threat reached a tipping point, with many organizations officially declaring it their top IT security priority. That focus resulted in new investments in endpoint security and backup solutions, which have helped to reduce the profitability of ransomware campaigns. As a result, many criminal groups have switched to deploying cryptomining malware over ransomware, thanks to its promise as a stealthier, more effective revenue generator.
For the group behind Satan, this was a big problem. To stay relevant and keep customers interested they needed to offer more features. For inspiration, they turned to the attacks that were responsible for generating all this awareness and creating their problem to begin with — WannaCry and NotPetya.
In order to maximize the return on Satan campaigns, the authors behind the ransomware began to evolve their product to keep up with broader attack trends. Rather than designing the ransomware to infect individual victims, the group added capabilities to help it land and expand in corporate networks, maximizing its impact and raising the likelihood victims would pay.
First on the list was a version of the EternalBlue exploit that had powered the WannaCry and NotPetya outbreaks, which security researcher @bartblaze spotted being incorporated into Satan ransomware samples as early as November 2017.
Six months later, in May 2018, researchers at AlienVault discovered new versions of Satan that had added to their lateral movement repertoire with exploits targeting the following:
In each case, the authors appear to have used publicly-available implementations of the exploits, simply plugging the work of others into the RaaS offering.
Satan ransomware is now DBGer ransomware: https://t.co/BUg4btEhip
See on 2nd screenshots how files are renamed.
It still uses EternalBlue, but now Mimikatz too... @BleepinComputer @demonslay335
cc @bartblaze pic.twitter.com/WfZCeac0lc
— MalwareHunterTeam (@malwrhunterteam) June 14, 2018
On June 14, 2018, MalwareHunterTeam discovered Satan had been rebranded as "DBGer," and relaunched with new features that were once again focused on increasing the ransomware's lateral movement capabilities.
As @bartblaze pointed out, in addition to Mimikatz, the authors had also added:
Besides adding Mimikatz to its arsenal, the latest iteration of Satan ransomware (partly re-branded as DBGer) has also added curl and leverages netcat.
Netcat from 101.99.84[.]136: https://t.co/aTCK2swQkM
— Bart (@bartblaze) June 17, 2018
Because there are no patches to prevent the abuse of these components, their addition is arguably even more concerning than the previous addition of EternalBlue (although, even a year later, many systems remain unpatched).
The Satan/DBGer group hasn't been the only operation adding lateral movement capabilities. This is a growing trend, and, as a result, the types of attacks that we considered to be black swan events one year ago can now be launched every day. As Bleeping Computer's Catalin Cimpanu argues, "The development path we see taken by the Satan/DBGer crew is what we can expect in the coming months from most ransomware strains."
Thankfully, many organizations have already heeded the warning call and applied Microsoft's patch addressing EternalBlue. In addition, Microsoft researcher Jessica Payne offers some extremely helpful and pragmatic tips for how you can reduce the effectiveness of many of the most commonly abused lateral movement techniques with free and built-in tools:
At least once a week we encounter a case of lateral movement using off the shelf tools like psexec, command line utilities, or eternal blue. You can stop all of them from moving laterally by blocking SMB and RPC between endpoints using the Windows Firewall https://t.co/XtMh5toRmM — Jessica Payne (@jepayneMSFT) June 26, 2018
Every week we encounter at least one case of a domain admin level account being available on a web facing/easily compromised server because of doubt about where the account is used and what it might break to remove it. You can figure that out with https://t.co/vwkTaHPZCi — Jessica Payne (@jepayneMSFT) June 26, 2018
Every week we encounter at least one case of malware taking advantage of matching local admin passwords. You can fix that for free with https://t.co/OyH5aKAHsH — Jessica Payne (@jepayneMSFT) June 26, 2018
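The first of those tips, blocking SMB and RPC between endpoints with the built-in Windows Firewall, is easy to try on a single workstation before rolling it out by Group Policy. The script below is an added example written for this post; it is not code from Barkly, from Microsoft, or from the tweets above. It assumes that workstations live in two constructed address ranges (10.10.0.0/16 and 10.11.0.0/16) and that file servers, domain controllers and admin jump hosts sit outside those ranges; the rule-name prefix is hypothetical. Because Windows Firewall evaluates block rules ahead of allow rules, the block is scoped to the workstation ranges rather than relying on a separate allow rule for servers.

```powershell
# Added example (not the post's or Microsoft's code): inbound rules that deny
# SMB and RPC from other workstations, which is what PsExec-style tooling,
# EternalBlue and WMI/service-control lateral movement all depend on.
#Requires -RunAsAdministrator

# Constructed placeholder ranges; replace with your real workstation subnets.
$WorkstationRanges = @('10.10.0.0/16', '10.11.0.0/16')
$RulePrefix        = 'LM-Hardening-'   # hypothetical naming prefix for cleanup

# Ports involved in the techniques discussed above:
#   445 / 139     SMB (admin shares, PsExec, EternalBlue)
#   135           RPC endpoint mapper (WMI, DCOM, remote service control)
#   49152-65535   RPC dynamic port range handed out by the endpoint mapper
$Targets = @(
    @{ Name = 'SMB-445';     Port = '445' },
    @{ Name = 'SMB-139';     Port = '139' },
    @{ Name = 'RPC-EPM-135'; Port = '135' },
    @{ Name = 'RPC-Dynamic'; Port = '49152-65535' }
)

foreach ($t in $Targets) {
    $name = "$RulePrefix$($t.Name)-Block-From-Workstations"

    # Idempotent: drop any stale copy of the rule before re-creating it.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Block rules win over allow rules, so scoping the block to the
    # workstation ranges is what keeps server and jump-host access working.
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Action Block -Enabled True `
        -Protocol TCP -LocalPort $t.Port `
        -RemoteAddress $WorkstationRanges `
        -Profile 'Domain', 'Private' `
        -Description 'Deny peer-to-peer SMB/RPC to frustrate lateral movement' |
        Out-Null
}

# Verification: show each created rule with its port and address scope.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Enabled    = $_.Enabled
            Action     = $_.Action
            LocalPort  = $port.LocalPort
            RemoteAddr = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Outbound connections from the workstation to file servers are untouched, so users keep their mapped drives; what disappears is the ability of one compromised workstation to reach the SMB and RPC services of its neighbours. Pilot the rules on a handful of machines and watch the firewall log for dropped connections from legitimate helpdesk or patch-management hosts before adding those hosts to an exception range.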
And of course, whenever talking about ransomware, a reliable backup strategy is always an important part of the conversation, too.
In addition, the emergence of RaaS platforms has put considerable stress on traditional antivirus solutions, which have difficulty keeping up with new and modified ransomware samples. For that reason, more and more organizations are moving away from traditional AVs in favor of security products like Barkly.
Thanks to its machine-learning powered file analysis, Barkly's Endpoint Protection Platform has blocked Satan ransomware variants from the very beginning, and it blocks DBGer samples now.
And thanks to its real-time behavior analysis, Barkly also blocks malicious attempts to steal credentials and conduct lateral movement. As a result, Barkly provides organizations with defense-in-depth against threats like Satan/DBGer, and gives IT departments confidence knowing they're protected against the underlying techniques today's modern attacks rely on.
Learn more about how Barkly works and see what a customer has to say here.