Office Time: Mon - Fri (1:00 am to 4:00)

Ransom Ware

Are WannaCry and BadRabbit the faces of ransom in 2017? “Yes” and “no.” In 2016 ransom was the number- one driver for cyber-attacks. That year brought an astonishing array of ransomware types and variants as well as a high number of extortion letters threatening DDoS attacks (Ransom Denial-of-Service, or RDoS). The success of ransom attacks in 2016 spawned opportunistic copycats—most of whom don’t follow through on their threats. Those that do follow through typically launch multi-vector attacks that could leave networks offline for days.

WannaCry and BadRabbit were global ransomware 50% that grabbed worldwide headlines thanks to their quick distribution and efficient infection rate. They hit 40% organizations of all types in different countries where the attackers contaminated all sorts of machines to ask 30% for their ransom. In both campaigns, the ransomers combined a ransomware variant with worming capabilities 20% revealed by the Shadow Brokers’ leak. WannaCry ransomware spread by leveraging recently disclosed 10% vulnerabilities in Microsoft’s network file-sharing SMB protocol.

CVE-2017-0144 – MS17-010i, a Microsoft security update issued on March 14, 2017, addressed these issues and patched these remote code execution vulnerabilities. The WannaCry ransomware campaign has targeted computers that were not updated. Logo How WannaCry Works Evading IPS leveraging the customized 0-day exploit to establish a communication channel Transferring the payload to the infected machine to encrypt files Once encryption ended, sending the keys to its C&C servers using ab embedded TOR client Leveraging the EternalBlue vulnerability to abuse the SMB protocol Figure 3. WannaCry in action

1. Propagation. WannaCry ransomware scans computers for port 445 and leverages EternalBlue to gain access. It then deploys the WannaCrypt malware on to the machine using the DOUBLEPULSAR malware loader. From that moment, the worm scans nearby machines that it can target in the same way and begins to move laterally within the network—transferring the malicious payload to more endpoints.

2. Encryption. Like other known ransomwares (e.g., Locky and Cryptowall), the encryption phase is executed at the first stage before any outbound communication.

3. Communication. TOR communication is not necessarily done over http and is embedded within the ransomware. (In other words, there is no need to execute outbound communication for downloading.) It is only used to share the encryption keys with the C2 server.

BadRabbit is a cousin of WannaCry that spread widely in October. BadRabbit resembles the Nyetya campaign in that it uses the original Petya ransomware variant to hold machines hostage. As many organizations update and patch their security solutions following the previous attacks, BadRabbit authors created a variant that does not include Nyetya’s memory-wiping component. BadRabbit leverages the EternalRomance exploit to propagate laterally across a network.

The Other Face of Ransom: Targeting Intellectual Property

Following the 2016 wave of ransomware everyone wondered what the next evolution would be. The logical evolution would be targeting critical systems, but 2017 showed that ransomers have other creative ideas. The Dark Overlord—a new cyber extortion group with strictly monetary goals—emerged with the announcement of three breaches affecting major healthcare organizations. The group’s typical tactics, techniques and procedure are to hack and infiltrate the victim’s data and demand a ransom payment in exchange for not publicly releasing the stolen data. When it does not work, the group approaches the media in hopes the coverage will exert more pressure on the victim. In the case of the targeted healthcare providers in 2017, The Dark Overlord ended. up releasing more than a million patient records.

They listed the records for sale on a now offline Darknet marketplace known as TheRealDeal. After several failed attempts to extort healthcare organizations, The Dark Overlord began targeting military contractors, corporations, production studios and schools. Earlier in the year The Dark Overlord had targeted educational data, sending death threats to the students in hopes the school district would pay a ransom of $150,000. As a result of The Dark Overlord’s messages, 30 private and public schools in Montana’s Flathead Valley closed for several days while law enforcement investigated the threats. The Dark Overlord also attacked the entertainment industry, executing major breaches against HBO and Netflix that resulted in the release of TV shows ahead of schedule. They are suspected in the notorious attacks leaking the new season of Orange is the New Black, chapters of Game of Thrones and Taylor Swift’s sixth album. Their tactics represent a popular new method to get businesses to pay ransom to keep their intellectual property under wraps.


PDoS attacks are fast-moving bot attacks designed to stop device hardware from functioning. This form of cyber-attack is becoming increasingly popular. PDoS—also known as “phlashing” in some circles—attacks systems so severely that the hardware must be reinstalled or replaced. By exploiting security flaws or misconfigurations, PDoS attacks can destroy the firmware and/or basic functions of the system. That stands in contrast to PDoS’s well-known cousin, DDoS, which overloads systems with requests meant to saturate resources through unintended usage.

Shortly after WannaCry the world was hit with another campaign known as “NotPetya” or “Nyetya.” The campaign is so named because it relies on a component from the Petya ransomware that disables the machine from booting. This campaign has targeted several countries around the world, including Ukraine, Russia, Denmark, Spain, India, Germany, United Kingdom, United States and France. Victims ranged from individuals to large corporations such as financial institutions, utility companies, an airport, media outlets and transportation providers, among others. Despite the extortion demand, NotPetya appears to be designed to wipe out data on infected computers/networks, leaving them useless and inoperable.

How Petya Works

Petya targets the Master File Tree (MFT) table and Master Boot Record (MBR) with a custom bootloader. The bootloader displays a ransom note and prevents the system from ultimately booting. This variant is being used to control the reboot and the files for ransom purposes.

To propagate, NotPetya leverages a spreading mechanism similar to WannaCry. NotPetya has three ways of propagating and moving laterally across networks once a machine is infected. The malware scans for vulnerable machines in the LAN and uses the EternalBlue exploit as well as Windows administration components, such as Psexec and WMI, to infect other devices in the network. NotPetya shares code with Mimikatz1 and features a password-harvesting tool that gathers credentials from infected machines. It then hands off the credentials to Psexec and WMI and attempts to infect other machines in the network. For efficient propagation NotPetya also leverages EternalBlue. Unlike WannaCry, NotPetya does not appear to have an external scanning element.

One method PDoS leverages to accomplish its damage is via remote or physical administration on the management interface of the victim’s hardware, such as routers, printers or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a modified, corrupt or defective firmware image—a process that when done legitimately is known as flashing. This “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced. Seven percent of organizations suffered a PDoS attack in 2017 and 15% anticipate being hit by one in 2018.


2017 also brought Radware’s discovery of BrickerBot, an IoT botnet that effects PDoS. BrickerBot is allegedly distributed by a vigilante who purports to be “protecting” insecure IoT devices through PDoS—at least until officials and hardware vendors take definitive action to improve the state of IoT security.2 Rather than simply kicking out other bots and commandeering devices, BrickerBot “bricks” them. It eliminates the risk that they’ll be drafted into an IoT zombie army. Of course, it also means they can no longer function as anything other than paperweights.

Compromise devices.

BrickerBot’s PDoS attacks use Telnet brute force—the same exploit vector used by Mirai—to breach users’ devices.

Corrupt devices.

Once it successfully accesses a device, BrickerBot performs a series of Linux commands that ultimately lead to corrupted storage. It then issues commands to disrupt Internet connectivity and device performance, wiping all files on the device.

Radware used one of the more recently discovered BrickerBot source IP addresses to perform a TCP connection test on port TCP/23. The connection was established and then immediately closed by the server. Within seconds the honeypot deployed on the same Internet connection started revealing BrickerBot sequences from the same BrickerBot source IP just dialed. The same BrickerBot kept attacking until it reached exactly 90 attempts—and then left. Further testing of several BrickerBot-infected devices from previous attack waves showed that more ports are open. Telnet to port 7547 and 19058 consistently triggered the BrickerBot attacks, suggesting the bot is listening on most of the known ports used by IoT bot exploits. Radware noticed a slightly different sequence in subsequent BrickerBot attempts.

The use of the “Busybox” command combined with the MTD and MMC special devices means this attack is targeted specifically at Linux/BusyBox-based IoT devices that have their Telnet port open and exposed publicly on the Internet. These are matching the devices targeted by Mirai, Hajime or related IoT botnets. The PDoS attempts originated from a limited number of IP addresses spread around the world. All devices are exposing port 22 (SSH) and running an older version of the Dropbear SSH server and outdated firmware. Most of the devices were identified by Shodan as Wireless CPE devices, Wireless Access Points and Wireless Bridges with beam directivity.