The vexing immortality of the world’s top malware

Malware is here to stay. As soon as one malware gang is taken down, it seems like many more are on standby, ready to take its place. If we’re going to win the war against malware, especially in the midst of both real-world and cyber warfare between Russia and Ukraine, we need to know what we’re up against.

REvil – The king of ransomware

In mid-2021, US President Joe Biden personally called on his Russian counterpart Vladimir Putin to crack down on ransomware gangs after a series of large-scale cyber fiascos like the Colonial Pipeline and Kaseya VSA attacks.

It seemed like the request had been heeded when news broke in January that the Federal Security Service of the Russian Federation (FSB) had arrested suspected members of the REvil (a.k.a. Sodinokibi, Ransomware Evil – inspired by the Resident Evil movie/game series) ransomware gang. This concluded the yearlong joint chase dubbed Operation GoldDust, which involved law enforcement agencies in as many as 17 countries.

Prior to its takedown, REvil reigned over Ransomware-as-a-Service (RaaS) operations thanks to its double extortion tactics against several high-profile targets, including JBS (8.4 million GBP paid in BTC) and Kaseya. The group had steadily gained infamy since its GandCrab days.

Meanwhile, a spinoff ransom cartel debuted a couple of weeks after GoldDust, apparently mirroring Sodinokibi's digital signatures and mimicking its tools, techniques, and procedures. Whether former REvil members are part of the ransom cartel, or whether this was a deliberate move to regroup after the crackdown, remains unknown.

With REvil's high-profile big game hunting against both government and private institutions, it's just a matter of time before we see who goes down next – and we're obliged to make sure it won't be us.

Emotet – Revenge of the fallen

In an action-packed, multi-government effort that included Europol, the FBI, and the UK's National Crime Agency, among others, Emotet (a.k.a. Geodo) was "taken down" in January 2021. The simultaneous seizure of valuable equipment, along with the arrest of key Ukrainian members, was meant to disarm the most prolific threat of the decade.

Captured command and control (C&C) servers were then reconfigured to deploy a decoy update to infected devices, which forced Emotet uninstallations by 25 April 2021.

Since its inception, Emotet has caused an estimated £2 billion in damage. It usually arrives via an invoice, shipping, or COVID-19 information clickbait email, and it has evolved from a dropper into a pretext tool, ultimately paving the way for more credential-stealing malware.

Machines compromised by the polymorphic trojan become zombies in the Emotet botnet and backdoors for secondary waves of cyber attacks, ranging from ransomware such as Ryuk, DoppelPaymer, Egregor, and Conti to the banking trojans TrickBot and Qakbot. No wonder clean-up costs start at $1 million USD per incident (for example, Microsoft's incident response to an Emotet attack in Allentown City, Pennsylvania, USA).

Meanwhile, just a few months after the apparent takedown, new sightings in November 2021 were observed and confirmed by both security companies and independent researchers, clearly proving the resurgence of Emotet.

What took authorities years to plan was short-lived; the disruption of this dangerous malware botnet under Operation LadyBug needs to be revisited.

As Emotet regains the top spot in the 'Most Wanted Malware of 2022' (according to Check Point), our tenacity cannot be deterred – let's stick with the basics and continue to review our security policies.

Trickbot – The sophisticated malware that resurrected Emotet

Two years ago, after it had infected millions of computers, Trickbot's C&C servers and domains were seized. However, within days of the orchestrated takedown by a coalition of security companies, the infrastructure was replaced, and the havoc continued.

Based on Microsoft's Office 365 Advanced Threat Protection (ATP) data, Trickbot is the most prolific malware operation using COVID-19 themed lures. Before that, its lures were Black Lives Matter themed.

Aside from phishing emails, Trickbot has often been deployed as a secondary payload of other malware such as Emotet. Once launched, reconnaissance tools like Metasploit and Cobalt Strike are then installed.

Commonly attributed to the Russian-backed Wizard Spider and run on the Malware-as-a-Service (MaaS) business model, Trickbot was originally a financial trojan and a spinoff of Dyre – another banking malware whose operators disbanded earlier, aware of a series of consistent, successful law enforcement actions.

Last year, Trickbot launched Diavol, its own ransomware, which didn't gain much traction. Despite this, it remained the top malware throughout Emotet's hiatus. In late 2021, Trickbot started dropping Emotet samples, which marked Emotet's comeback.

Despite multiple takedown efforts by authorities, Trickbot survived and remained intact.

However, Trickbot has now formally dismantled its crimeware platform and ceased campaigns in 2022, with its core developers poached by the Conti ransomware crew. This marks the end of one of the most persistent malware skirmish series in recent history – or, more likely, it is the calm before a looming, massive storm as Conti only grows stronger.

Russia’s Ukraine invasion, and how it changed the threat landscape

Russia's continued attacks on Ukraine come not only by sea, air, and land, but also through round-the-clock cyber attacks targeting vital infrastructure. Most of this cyber warfare operates without direct orders from the Kremlin. To respond to this hybrid warfare, Ukraine has begun its counterstrike by building an IT army of its own.

HermeticWiper, a destructive data wiper that permanently destroys data, and Cyclops Blink, an info-beaconing botnet which blocks firewalls, have been spread throughout the country as part of the grand plan to fully destabilise Ukraine during the invasion.

A face-off between ransomware operators residing in Russia and Ukraine is something we anticipate, believing that their cyber prowess could further escalate each cyber front. We don't know what they're thinking, what their principles are as far as the real-world war is concerned, or whether they will discontinue their current ransomware operations in order to fight for their respective countries, but there must be some sense of patriotism beneath these financially driven actors.

For example, Conti has joined the battlefront. It initially waved the Russian flag, but eventually announced allegiance to no one, beyond the fact that it is anti-Western.

We are yet to see any action from Russian-attributed Advanced Persistent Threats (APTs), such as:

  • APT 28 (a.k.a. Tsar Team, Fancy Bear)
  • APT 29 (a.k.a. Nobelium, Cozy Bear)
  • Berserk (a.k.a. Dragonfly, Energetic Bear)
  • Turla (a.k.a. Uroboros, Venomous Bear)
  • Sandworm Team (a.k.a. Unit 74455)
  • APTs with strong Russian ties like Fin7 (a.k.a. Carbon Spider)

Meanwhile, hacktivist collective Anonymous rallied global supporters and launched concentrated attacks on key Russian government websites, sending waves of Distributed Denial of Service (DDoS) to knock down services.

It's a noble cause to rally behind the oppressed, but let's keep in mind that cyber crime laws are in force in our respective countries. It's a cliché, but the end will never justify the means.

Moreover, new malware that was blatantly authored as a weapon will find its way beyond the ground zero of the battlefield.

The cyber world is a vast, borderless space, and it's just a matter of time before households, offices, businesses, and government organisations outside the RUS-UKR region have to deal with the same threat strains.

Disrupting the established syndicate rings mentioned above is complex, as they are deeply interrelated with each other and with other active underground actors, whatever the state.

With this array of threats, let alone the range of their features and actions, it's necessary to have multidimensional detection and response in place. Adversaries come and go, and threat vectors will evolve, but attacks should always be anticipated.

Whilst we put our full trust in the capability and capacity of our endpoint security technologies to detect, we also need to trust the backend security specialists to respond, should matters get worse. We must also make sure that our risk mitigation plans can withstand a state-sponsored-grade offensive.

US law enforcement has now warned of an imminent threat from Russian state-backed actors. If you're worried about how increasing tensions and today's heightened cyber risk could affect your organisation, our team of Security Advisors is here to help and is happy to schedule a free security consultation with you to answer any questions you may have. Contact us here.