Emerging Trends in Malware

Charlene O’Hanlon and Thomas Brittain from Kroll discuss emerging trends in the malware space in light of the recent surge of reported attacks, including threats to watch out for, predictions for how the government will focus on cybersecurity going forward and how companies can mitigate risk. The video is below, followed by a transcript of the conversation.


Announcer: This is Digital Anarchist.

Charlene O’Hanlon: Everybody, welcome back to Tech Strong TV. I’m Charlene O’Hanlon, and I’m here now with Thomas Brittain, who is the Associate Managing Director at Kroll. Thomas, thank you so much for being here—we really appreciate it.

Thomas Brittain: Yeah, absolutely. Glad to be here. I think we’ll have a big discussion.

Charlene O’Hanlon: Alright. Well, I know I’ve had some of your cohorts from Kroll on Tech Strong TV before, talking about some cyber security issues. And thank you for being on the broadcast today to talk about what’s happening in the malware space. I mean, everybody knows that it’s happening, that there’s a ton of stuff going on, but there seems to have been just a surge of attacks lately.

And while I’m sure that these attacks have been going on for a very long time, I think the increase in press and the level of intensity at which these attacks are happening and the fact that there are so many now, especially in the ransomware sector, that are really kind of crippling organizations and hitting everyday consumers, if you will, really in the pocketbooks. I think that’s what’s getting a lot of people’s attention.

So, let’s kinda talk about the malware space in general. What are you guys kinda seeing as far as some malware trends that are out there right now?

Thomas Brittain: Yeah, absolutely. I think one of the biggest things that we’re still seeing trending is phishing e-mails being one of the top vectors. Unfortunately, it continues to be successful to be able to not only get access to user credentials through business e-mail compromises, but to also then potentially drop a Trojan on an end user system and then gain access into that network. And that ultimately ends up leading to ransomware in their environment. And ransomware actually ends up being the number one trend that we’re seeing in about 93 percent of our investigations on the incident response side, and it’s leading the charge, unfortunately.

Charlene O’Hanlon: Yeah, yeah. So, ransomware is—God, it’s such a nefarious malware right now, and I know that there are a lot of different ways, besides phishing, that organizations can actually get hit by ransomware. But obviously, there are certain strands or certain variants of ransomware that are becoming more prevalent than others. So, are there particular ones that you guys are seeing in this space right now that seem to be leading the charge? What makes them—what kinda sets them apart from the other ones that are out there?

Thomas Brittain: Yeah, absolutely. I think the number one variant that we’re seeing in about 28 percent of our investigations is Conti. They’re loosely tied to the Ryuk threat actor group, but they do focus on data exfiltration, taking a page from the likes of Maze and Sodinokibi. We’re seeing them followed closely by Sodinokibi at 19 percent, and you know, when you think about data exfiltration, the old adage of, you know, if you have backups, it doesn’t matter if you get impacted by ransomware, you can recover.

Charlene O’Hanlon: Mm-hmm.

Thomas Brittain: How do you recover data that’s now been exfiltrated from your network? That becomes a more difficult proposition when you think about the risks to the business, the clientele, and maybe even their users.

Charlene O’Hanlon: Alright, so, you know, another thing—I know I keep hearing about different strands or different variants of malware out there. But they all seem to, or at least the majority of them, kinda seem to follow the same methodology, if you will, of infiltrating data networks. But I kinda feel like maybe there’s other stuff out there, maybe, that aren’t getting the same amount of attention in the way that they’re being, actually, the way that they’re getting into networks, if you will, beyond the phishing.

So, I don’t know if you heard, but we actually, MediaOps, our organization, actually got hit with a DDoS attack last week, and it almost took us down. We were kinda hobbling along for a couple days and finally got it right. But one of the things we were talking about as we’re getting through this is the possibility that this could’ve actually been a ransomware incident, that DDoS attacks are now kinda being used to foment ransomware. And I’m wondering if that’s something you guys know about and are there other kind of maybe different methodologies, if you will, that cyber attackers are now using to insert ransomware?

Thomas Brittain: Yeah, so, I don’t typically see a DDoS attack as a method for inserting ransomware, only because that actually degrades the network capability and can potentially prevent or inhibit the actor’s ability to get access to the network.

Charlene O’Hanlon: Mm-hmm.

Thomas Brittain: However, we are seeing them in conjunction with the threat actor negotiations after the fact, after a client’s been ransomed. So, the—I shouldn’t say client, really, it’s a victim. The victim is impacted by ransomware, and they don’t negotiate, or the negotiations stall the threat actor, they may then attempt to get them to move the DDoS attack to try and essentially introduce further impact to the business while they’re still trying to recover. And really, the biggest goal there is to get them back to the table and hopefully drive a ransom payment, you know, through subsequently getting the DDoS attack to stop, and then potentially getting a decrypter, or prevent subsequent release of the data itself.

I think, from a business perspective, one of the things they can do is contact their ISP if they’re getting hit with a DDoS attack and see if there are any mitigations their ISP can put in place, at least temporarily to try and block that traffic.

Charlene O’Hanlon: Okay. Alright, great, great. So, yeah, luckily, we were able to get everything back online and work, and in some cases, better than ever. [Laughter] Which is, I don’t know if there’s the silver lining there, but yeah, it was kind of interesting to deal with that for more than 24 hours. But I’m glad that’s in the rearview mirror now, but just kind of an interesting situation.

So, what about other variants that you guys are seeing out there? What are the things that, one of the variants that I’ve been hearing a little bit about is the ephemeral lock picker. What do you guys know about that?

Thomas Brittain: Yeah, absolutely. So, in 2021, our investigators here responded to a series of interconnected network intrusions, ransomware events, and cyber incidents. Which, as we dove deeper into it, we realized that they possessed overlapping tactics, techniques, and procedures, and similar indicators of compromise.

The industries that were impacted by it varied across multiple industry sectors, but what we noticed is that there was a novel attack pattern that was occurring with little to no open source reporting. But ultimately, this attack pattern led to LuckyDay ransomware.

So, what we were identifying, there were four distinct features associated with this ephemeral lock picker. The first was novel techniques designed to appear benign. So, essentially, the actor is living off the land, leveraging things like PowerShell to come in and run their tool set. Their tools themselves actually remain resident in memory, so they’re not dropping files on the disk—which essentially inoculates most anti-virus, because it needs to be able to detect a file on disk, in most cases.

Charlene O’Hanlon: Mm-hmm.

Thomas Brittain: They had customized the data collection utilities. So, essentially, what they were doing is hard coding a tool or a program that they could then put on the system to actually go and exfiltrate data off a shared drive.

Charlene O’Hanlon: Wow.

Thomas Brittain: And then ultimately, they were dropping locker_64.exe, or essentially LuckyDay ransomware to encrypt the victim’s network. Now, but again, the really unique aspect was the way that they leveraged PowerShell, living off the land to maintain persistence, gain access, conduct their network reconnaissance, and then ultimately drop the ransomware payload in itself.

Charlene O’Hanlon: Wow, wow. So, is that something that you’re seeing a lot more of these days, or is it still kind of a lesser known variant that’s out there, or lesser used?

Thomas Brittain: I would say it’s lesser known. We have about a handful of engagements over the last few months that we’ve seen this specific tactic occurring. But usually, you’ll see it a few times and then it proliferates, and I’ll be surprised if we don’t see other threat actors start to leverage something very similar. Because not a lot of tool sets or capabilities are actively blocking PowerShell natively without some additional configuration or tuning. So, it becomes a very easy way to gain access to your recon and then ultimately drop your end game payload, whether that’s ransomware, a coin miner, or some other suspicious or malicious software.

Charlene O’Hanlon: Huh. Okay, alright. Thanks. So, what do you think about the recent Executive Order that President Biden and the White House put forth regarding cyber security and the government’s response and how organizations, especially within the government, organizations need to kind of step up their cyber security efforts?

What do you think about that? I mean, do you think that that has teeth, or do you think that that’s kind of a Band-Aid on a very large wound right now?

Thomas Brittain: Yeah, so, first, I absolutely think that it’s critical and it’s needed. But the biggest key, whenever you drive any type of legislation that’s mandating implementation of tools and services that maybe those government agencies aren’t already procuring—where is the funding gonna come from, right? So, how are these agencies gonna find the funding to pay for the tooling, the infrastructure changes, and potentially the services to implement the changes within that Executive Order?

So, for me, I think that’s the biggest concern is, how will this get funded. But ultimately, I think the needs that are highlighted within that Executive Report, if implemented properly, that will definitely drive significant change. Some of the key things in there they talk about was implementing better end point security, better validation of the security efforts within each network as well.

Charlene O’Hanlon: Well, I certainly, you know, agree with you that it can’t hurt and it can only help. And I think that, in this case, cost is—you know, you kinda have to weigh the risk with the cost, the cost with the risk, and I think at the end of the day, it’s one of those things that we just have to do, regardless of what the cost is. Unfortunately, it’s a sign of the times, it’s what we’re living with today. As is malware in general and ransomware, and businesses just really need to be aware that there are a lot of threats out there that can really impact them negatively.

What you guys are doing over at Kroll is really, really good stuff. So, thank you so much for taking a couple minutes and kinda walking me through the malware landscape as we know it today, and keep up the good work with identifying the variants and letting us know about them. We really do appreciate that.

Thomas Brittain: Absolutely. I really appreciate it, as well.

Charlene O’Hanlon: Alright. Alright, everybody, please stick around. We’ve got lots more Tech Strong TV coming up, so stay tuned.

[End of Audio]

Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
