3 things you might not know about modern ransomware and how Nefilim makes money

Trend Micro case study explains how the new business model works and how the multistep attacks unfold.

Abstract Malware Ransomware virus encrypted files with keypad on binary bit red background. Vector illustration cybercrime and cyber security concept.

Image: iStockphoto/nicescene

Ransomware attacks are now a team effort that include professional pen testers with malicious intent, access-as-a-service brokers and the ransomware owners who do the negotiation. Bad actors have modernized the business model to design attacks based on a specific company and a ransom fee based on how successful the target is, according to new research from Trend Micro.

More about cybersecurity

The company’s new report, “Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them,” explains the modern ransomware attack and Nefilim, a type of malware that illustrates this evolution. Nefilim attacks multibillion-dollar companies and leaked 1,752 gigabytes of data in January, according to the report. Trend Micro Research published the report, which was written by Mayra Fuentes, Feike Hacquebord, Stephen Hilt, Ian Kenefick, Vladimir Kropotov, Robert McArdle, Fernando Mercês and David Sancho.

SEE: Identity theft protection policy (TechRepublic Premium)

According to the report, ransomware monetization schemes have changed for two reasons. First, organizations are getting better at cyber defense, which lowers the number of easy targets and requires attackers to use a more targeted approach. Second, criminals are using new technologies to create more powerful and sophisticated attacks, including:

  • The increased computing power of machines, which provides cybercriminals the ability to deeply automate processing and collect additional information about victims.
  • The availability of public and private databases and automation tools that help perform precise categorization of victims based on their location, industry, company name, size and revenue.
  • The capability to initiate anonymized high-volume cross-border money transfers using cryptocurrencies and cryptocurrency mixers.
  • The extensive use of communication platforms that allow secure, interactive, and anonymized interactions and increased collaboration between various cybercriminal groups.

Here are three characteristics of modern ransomware attacks from the report as well as a recap of Trend Micro’s analysis of Nefilim, a malware family that has all of those characteristics. 

It’s all about personalization now

Now that the “spraying and praying” tactic is less useful, bad actors are personalizing attacks. This means deep victim profiling and victim-specific ransom pricing. Criminals now have the ability to infiltrate a network and spend as much time as necessary to search for and identify the highest value assets. The attacker now knows much more about the target, including the number of employees, revenue numbers and the industry. This personalization also allows the attackers to estimate possible ransom amounts for each victim.

The modern ransomware process has several additional steps that allow for these personalized attacks. The process starts with an asset takeover and proceeds to asset categorization and then infrastructure takeover. According to Trend Micro’s research, ransomware gangs use these steps to personalize the attack:

  1. Organize alternative access to the network
  2. Determine the most valuable assets and processes
  3. Take control of valuable assets, recovery procedures and backups
  4. Exfiltrate data

“Pre-modern ransomware” attacks, as the report describes them, would then encrypt the data and extort companies based on the encryption. The modern ransomware process adds two new steps: Extorting companies based on exposing the data and then actually exposing the data.

The negotiator gets a smaller cut than the infiltrator

Trend Micro researchers found that modern ransomware attacks are not a job for one hacker group alone; collaboration is the new trend. The whole attack chain often involves two or more groups that are responsible for the different attack stages.  

According to the report, one group owns the ransomware and another controls the compromised infrastructure and distributes the malware. The two groups usually agree to a 20/80 or 30/70 split of the profit:

“…..the smaller cut goes to the group that provides the ransomware and negotiates with a victim while the majority of the profit goes to the group that handles network access and implements the active phase of the attack. Most of the profits go to the affiliate actor responsible for obtaining network access and deploying the ransomware payload.”

Sometimes there are even sub-contractors involved in the process who specialize in “privilege escalation, lateral movement, and complete takeover of the victim infrastructure.” These access specialists charge fees based on how much access an attacker wants ranging from “tens of dollars for a random victim asset, to several hundreds or even thousands of dollars for a categorized asset; access to the infrastructure of a large organization can cost five to six figures.”

The report authors also note that the affiliate groups are not investigated as meticulously as their ransomware partners, which helps these collaborations survive.

The ransom is one of many monetization opportunities

Another element of this team approach to cybercrime is that there are often “parallel monetization life cycles” in a single attack, according to Trend Micro. This makes it even harder to spot the trouble and recover from an attack. It’s another reason to understand criminal business models clearly to be able to “attribute TTPs to separate simultaneous attacks or a signal attack performed with close collaboration between actors who share access and join forces.” 

Before closing a ticket on an attack, Trend Micro researchers recommend that security teams consider the entire kill chain to make sure all malware is gone. Varonis describes the eight steps in the cyber kill chain:

  1. Reconnaissance
  2. Intrusion
  3. Exploitation
  4. Privilege escalation
  5. Lateral movement
  6. Obfuscation/anti-forensics
  7. Denial of service
  8. Exfiltration

Trend Micro recommends that security teams read security research to see where a particular piece of malware fits in the kill chain. If it is often used early in the chain, defenders should assume that later stages may have been deployed and must be investigated.

How Nefilim ransomware attacks unfold

The Trend Micro report describes this ransomware family as an example of modern ransomware. Attackers first establish a foothold in the network, then identify the most valuable data and then trigger the ransomware payload. Trend Micro first identified Nefilim in March 2020. 

Nefilim has attacked companies in North and South America, Europe, Asia and Oceania, according to Trend Micro’s research, and appears to target multibillion-dollar companies more often than other ransomware groups.

The group seems to have better control over its website and is “particularly vicious” about leaking sensitive data over long periods of time. Trend Micro researchers found that Nefilim uses exposed RDP services and a vulnerability in the Cigrix Application Delivery Controller to gain initial access. At that point, the attackers use a variety of tools to establish a presence in the compromised network, including:

  • A Cobalt Strike beacon
  • The Process hacker tool
  • Mimikatz
  • PsExec
  • Windows PowerShell
  • BloodHound

Once the attackers have found the data they want, they use three kinds of bulletproof hosting services and fast flux hosting to upload and leak stolen information, according to the report.

Also see