Rash of New Ransomware Variants Springs Up in the Wild
Enterprise security teams can add three more ransomware variants to the constantly growing list of ransomware threats for which they need to monitor.
The three variants — Vohuk, ScareCrow, and AESRT — like most ransomware tools, target Windows systems and appear to be proliferating relatively rapidly on systems belonging to users in multiple countries. Security researchers at Fortinet’s FortiGuard Labs who are tracking the threats this week described the ransomware samples as gaining traction within the company’s ransomware database.
Fortinet’s analysis of the three threats showed them to be standard ransomware tools of the sort that nevertheless have been very effective at encrypting data on compromised systems. Fortinet’s alert did not identify how the operators of the new ransomware samples are distributing their malware, but it noted that phishing email has typically been the most common vector for ransomware infections.
“If the growth of ransomware in 2022 indicates what the future holds, security teams everywhere should expect to see this attack vector become even more popular in 2023,” says Fred Gutierrez, senior security engineer at Fortinet’s FortiGuard Labs.
In just the first half of 2022, the number of new ransomware variants that FortiGuard Labs identified increased by nearly 100% compared with the previous six-month period, he says. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022, compared with just 5,400 in the second half of 2021.
“This growth in new ransomware variants is primarily thanks to more attackers taking advantage of ransomware-as-a-service (RaaS) on the Dark Web,” he says.
He adds: “In addition, perhaps the most disturbing aspect is that we are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023.”
The Vohuk ransomware variant that Fortinet researchers analyzed appeared to be in its third iteration, indicating that its authors are actively developing it.
The malware drops a ransom note, “README.txt,” on compromised systems that asks victims to contact the attacker via email with a unique ID, Fortinet said. The note informs the victim that the attacker is not politically motivated but is only interested in financial gain — presumably to reassure victims they would get their data back if they paid the demanded ransom.
Meanwhile, “ScareCrow is another typical ransomware that encrypts files on victims’ machines,” Fortinet said. “Its ransom note, also entitled ‘readme.txt,’ contains three Telegram channels that victims can use to speak with the attacker.”
Though the ransom note does not contain any specific financial demands, it’s safe to assume that victims will need to pay a ransom to recover files that were encrypted, Fortinet said.
The security vendor’s research also showed some overlap between ScareCrow and the infamous Conti ransomware variant, one of the most prolific ransomware tools ever. Both, for instance, use the same algorithm to encrypt files, and just like Conti, ScareCrow deletes shadow copies using the WMI command line utility (wmic) to make data irrecoverable on infected systems.
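Deleting Volume Shadow Copies with wmic, the step the article notes ScareCrow shares with Conti, is a noisy pre-encryption action that process-creation telemetry can catch. The following Python is an added example (not Fortinet's or the article's code) that runs a command-line rule over constructed Sysmon-style events; it also covers the equivalent vssadmin form, which the article does not mention but which the same class of tooling commonly uses.

```python
"""Flag process-creation events that delete Volume Shadow Copies."""
import re
from typing import Dict, Iterable, List

# Constructed sample events in a Sysmon Event ID 1 style (pid, image, command line).
# These are illustrative, not telemetry from the ransomware samples in the article.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4131, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe  SHADOWCOPY  DELETE /nointeractive"},   # casing/spacing varied
    {"pid": 4150, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                             # benign inventory query
    {"pid": 4160, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4170, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "wmic shadowcopy delete"'},            # wrapped in a shell
]

# Each rule: (name, pattern applied to the normalized command line).
RULES = [
    ("shadowcopy_delete_wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadowcopy_delete_vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
]


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so casing or spacing variation does not evade matching."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def detect_shadow_copy_deletion(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per event whose command line matches a shadow-copy deletion rule."""
    alerts = []
    for ev in events:
        norm = normalize(ev["cmdline"])
        for name, pattern in RULES:
            if pattern.search(norm):
                alerts.append({"pid": ev["pid"], "rule": name,
                               "image": ev.get("image", ""), "cmdline": ev["cmdline"]})
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} rule={a['rule']} cmdline={a['cmdline']!r}")
```

Legitimate backup software rarely issues these exact commands from an interactive shell, so an alert on them is a strong early signal worth pairing with a host isolation playbook.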
Submissions to VirusTotal suggest that ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.
And finally, AESRT, the third new ransomware family that Fortinet recently spotted in the wild, has functionality that’s similar to the other two threats. The main difference is that instead of leaving a ransom note, the malware delivers a popup window with the attacker’s email address, and a field that displays a key for decrypting encrypted files once the victim has paid up the demanded ransom.
The fresh variants add to the long — and constantly growing — list of ransomware threats that organizations now have to deal with on a daily basis, as ransomware operators keep relentlessly hammering away at enterprise organizations.
Data on ransomware attacks that LookingGlass analyzed earlier this year showed there were some 1,133 confirmed ransomware attacks in the first half of 2022 alone — more than half (52%) of which affected US companies. LookingGlass found the most active ransomware group was the one behind the LockBit variant, followed by the groups behind Conti, Black Basta, and ALPHV ransomware.
However, the rate of activity isn’t steady. Some security vendors reported observing a slight slowdown in ransomware activity during certain parts of the year.
In a midyear report, SecureWorks, for example, said its incident response engagements in May and June suggested the rate at which successful new ransomware attacks were happening had slowed down a bit.
SecureWorks identified the trend as likely having to do, at least in part, with the disruption of the Conti RaaS operation this year and other factors such as the disruptive effect of the war in Ukraine on ransomware gangs.
Another report, from the Identity Theft Resource Center (ITRC), reported a 20% decline in ransomware attacks that resulted in a breach during the second quarter of 2022 compared with the first quarter of the year. ITRC, like SecureWorks, attributed the decline to the war in Ukraine and, significantly, to the collapse of the cryptocurrencies that ransomware operators favor for payments.
Bryan Ware, CEO of LookingGlass, says he believes the crypto-collapse could hinder ransomware operators in 2023.
“The recent FTX scandal has cryptocurrencies tanking, and this affects the monetization of ransomware and essentially makes it unpredictable,” he says. “This does not bode well for ransomware operators as they are going to have to consider other forms of monetization over the long term.”
Ware says the trends around cryptocurrencies have some ransomware groups considering using their own cryptocurrencies: “We’re unsure that this will materialize, but overall, ransomware groups are worried about how they will monetize and maintain some level of anonymity going forward.”
Copyright © 2022 Informa PLC. Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.