CTI Roundup: Ransomware Profits Drop as Attacks Remain High
Reporting reveals declining ransomware profits in 2022, a new backdoor based on the CIA's Hive malware is discovered, and a new wave of BackdoorDiplomacy attacks is targeting Iranian government entities
Up first in this week’s roundup is a breakdown of the latest ransomware-related insights from 2022, gathered by blockchain analytics firm Chainalysis. Next, CTI takes a deep dive into a new backdoor that borrows features from the Central Intelligence Agency’s (CIA) Hive project. Finally, we wrap things up with a look into a recent wave of attacks by the Chinese threat actor BackdoorDiplomacy, and a report from Unit42, which claims to have observed systems belonging to Iranian government domains attempting to connect to malware infrastructure previously identified as associated with the threat actor.
1. Ransomware profits drop 40% in 2022 as victims refuse to pay
Year-end reporting from blockchain analytics company Chainalysis reveals that ransomware gangs successfully extorted roughly $456.8 million from victims in 2022 — a drop of about 40% compared to the record-setting $756 million pilfered from ransomware victims in the previous two years.
Before we break out the champagne, Chainalysis reminds us that the true totals are likely to be much higher, as there will always be cryptocurrency addresses controlled by ransomware gangs that have yet to be identified and incorporated into the firm’s data.
According to Chainalysis, the downward trend in profits is not due to a decrease in the frequency of ransomware attacks, but rather an increase in the number of victims refusing to submit to their extortionists’ demands.
General ransomware trends in 2022
Ransomware remains highly active
Despite the drop in ransomware profits, 2022 was reportedly one of the most active years in terms of overall ransomware activity. Thousands of different file-encrypting malware strains targeted organizations of all sizes across nearly all verticals, and 2022 saw several top-tier extortion syndicates retire, splinter into new operations, or simply rebrand, making way for the emergence of a wide range of new ransomware operations.
Explosion in unique ransomware strains
2022 saw a huge increase in the number of unique ransomware variants in operation. Cybersecurity firm Fortinet reports that over 10,000 unique strains were active in the first half of 2022 alone. Chainalysis confirms this assessment, stating that the number of active strains has grown dramatically in recent years.
That said, the bulk of ransomware revenue appears to be consistently gobbled up by a small group of highly effective ransomware operations. This is not to say that this group of “industry leaders” is comprised of the same operations year in and year out; Chainalysis reportedly observed a significant amount of turnover throughout the year among the top-grossing strains.
Little change in money laundering tactics
Chainalysis’ data suggests that most ransomware actors continue to send their illicit profits to mainstream, centralized exchanges – a trend that, aside from a few outliers, appears to have changed little since at least 2018. With regards to the money laundering methods of choice for ransomware actors in 2022, extortionist gangs relied upon the following resources and tactics:
- Less high-risk exchanges: Ransomware profits sent to high-risk exchanges fell from 10.9% to 6.7% in 2022.
- Less illicit services: Profits laundered through illicit services such as darknet markets also decreased by a few percentage points in 2022.
- More mainstream exchanges: 2022 saw ransomware gangs increase reliance upon mainstream exchanges for purposes of money laundering, from 39.3% in 2021 to 48.3% last year.
- More diversification: Last year also saw an increase in the share of profits sent to a combination of services to be cleaned. This, along with the fact that more profits are being sent to reliable, mainstream exchanges, would seem to indicate that ransomware operations are maturing and handling finances in a manner reminiscent of legitimate corporate entities. Few are placing all their eggs in one basket, and fewer are relying upon illicit services (which are known for their volatility, are run by criminals, and are subject to law enforcement action at any time).
Victims aren’t paying
It may have taken many hard lessons, billions of dollars in losses, and countless warnings from law enforcement and cybersecurity agencies worldwide for ransomware best practices to start sticking, but it looks like in 2023, we may be turning a corner when it comes to the way organizations prevent, prepare for, and respond to ransomware/extortion attacks.
While the tactics, techniques, and procedures (TTPs) employed by top-tier ransomware actors have never been more advanced than they are right now, a growing number of defiant victims are refusing to give in to their demands. Cyber threat intelligence firm Coveware states that this first emerged as an identifiable trend in its statistical data in 2019, and that the rates of paying victims have been steadily dropping since.
In Coveware’s case, the firm largely attributes the decreasing number of payments to the use of what Coveware characterizes as “amateur” tactics by ransomware actors. Such tactics include one of our favorites – repeated attacks on a victim over a period of days or weeks by the same actor, many of which often leverage different malware strains in a futile attempt to disguise their methodology.
Low barrier to entry leads to explosion of amateur ransomware gangs
Coveware states that ransomware victims who’ve opted to pay a ransom have increasingly been observing a “decline in quality and reliability” when it comes to quickly restoring affected systems by following their attackers’ instructions and deploying their decryptors.
This is undoubtedly linked to a surge in the number of ransomware groups popping up like weeds with little or no experience and leveraging sloppy, amateur tactics. That situation results from a combination of factors: leaked source code from top ransomware-as-a-service (RaaS) operations, contracted ransomware employees leaving more professional RaaS operations in droves to strike out on their own in search of higher profits, and, last but certainly not least, the proliferation of extremely cheap ransomware offerings which typically come with non-functioning decryptors and no technical support to speak of for affiliates. Hey, you get what you pay for, right?
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“As CTI has mentioned previously, 2023 looks to be a turning point for the ransomware ecosystem for a variety of reasons. First and foremost, 2022 was the first year when the number of ransomware victims that decided not to pay was higher than those that decided to submit to their extortionists’ demands. As stated by BleepingComputer, this shift in behavior ‘highlights a change in the perception and approach toward handling ransomware attacks.’”
“This shift appears to owe a bit of debt to the same ransomware best practices CTI and other security professionals have always trotted out when covering ransomware-related issues. Victims have finally started to realize that paying a ransom in no way guarantees a recovery of their data — nor does it mean that the attackers will delete any stolen files. In some cases, it may even lead to legal repercussions – particularly in the event a payment is made to a group that happens to have been placed under sanctions by the US federal government.”
“Furthermore, the public seems to have altered the way it views ransomware attacks. This shift in thinking is likely the outcome of ransomware victims becoming increasingly forthcoming and honest in their dealings with the public in the wake of a ransomware incident. As such, customers, clients, partners, and the industry as a whole seem to have matured in the way they respond to the news. There is less judgment, less stone-throwing, and this has all resulted in a noticeable reduction in the negative impacts on brand reputation and erosion of consumer trust that used to be the foregone conclusion of high-profile ransomware attacks.”
“It also helps that organizations across the board have implemented better backup strategies (partly due to the more stringent requirements put in place by cyber/ransomware insurers), making independent infrastructure recovery a truly viable option in the face of an attack.”
“Of course, while the statistics and cultural evolutions discussed above are certainly encouraging, ransomware attacks remain a global threat to every industry and the organizations that comprise them, no matter how big or small. Small-to-medium-sized businesses remain at higher risk, as do organizations in possession of data that can aid in facilitating further attacks, and organizations which produce products that make up popular parts of the software supply chain.”
2. New backdoor created using the leaked CIA Hive malware discovered in the wild
In November 2017, source code and development logs belonging to Hive — a major tool used by the CIA to control its malware — were published and made accessible. Hive provides “a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.” Hive can support multiple operations simultaneously, by drawing information from – and sending information to – several implants on target computers.
In the saga’s latest worrying development, researchers at security firm 360Netlab have discovered a new backdoor that borrows features from the CIA’s Hive project.
About the Hive backdoor
360Netlab discovered a suspicious ELF file toward the end of 2022. The file spread via an F5 vulnerability and communicated via SSL with forged Kaspersky certificates.
Further research into the sample confirmed that this sample is adapted from the leaked Hive project server source code from the CIA. Researchers have named this backdoor — or variant — “xdr33.”
The main purpose of this backdoor is to gather information and provide a foothold for future exploitation. Its two main tasks are beacon and trigger.
- Beacon periodically reports information about the device to the hardcoded beacon command and control (C2) and executes commands from it.
- Trigger monitors the traffic for trigger C2, establishes communication with trigger C2, and waits for the execution of commands issued by it.
360Netlab researchers believe that xdr33 may have already had several rounds of iterative updates.
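The beacon task described above is a scheduled check-in to a hardcoded C2, and that regularity is something defenders can look for in their own connection logs. The script below is an added illustration, not code from the 360Netlab report: it scores the timing regularity of each source/destination pair over a constructed sample log (TEST-NET addresses, not real indicators) and flags pairs whose inter-arrival times are suspiciously uniform.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=\S+$")
# Constructed sample log (TEST-NET addresses, not indicators from the report): 10.0.0.5 contacts
# 203.0.113.7:443 every ~300 s with slight jitter; 10.0.0.9 browses 198.51.100.20:443 irregularly.
SAMPLE_LOG = """\
2022-12-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7:443 proto=tls
2022-12-01T10:02:13Z src=10.0.0.9 dst=198.51.100.20:443 proto=tls
2022-12-01T10:05:02Z src=10.0.0.5 dst=203.0.113.7:443 proto=tls
2022-12-01T10:09:58Z src=10.0.0.5 dst=203.0.113.7:443 proto=tls
2022-12-01T10:11:40Z src=10.0.0.9 dst=198.51.100.20:443 proto=tls
2022-12-01T10:15:01Z src=10.0.0.5 dst=203.0.113.7:443 proto=tls
2022-12-01T10:19:59Z src=10.0.0.5 dst=203.0.113.7:443 proto=tls
2022-12-01T10:25:03Z src=10.0.0.5 dst=203.0.113.7:443 proto=tls
2022-12-01T10:40:07Z src=10.0.0.9 dst=198.51.100.20:443 proto=tls
2022-12-01T10:41:00Z src=10.0.0.9 dst=198.51.100.20:443 proto=tls
2022-12-01T10:44:12Z src=10.0.0.9 dst=198.51.100.20:443 proto=tls
"""

def analyze_connections(log, min_events=5, max_cv=0.2):
    """Group connections by (src, dst) and score how regular their timing is.
    A pair is flagged when it has at least min_events connections and the
    coefficient of variation (stdev / mean) of the gaps between them is small."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        ts, src, dst = m.groups()
        times[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    results = {}
    for pair, stamps in times.items():
        stamps.sort()  # log order is not guaranteed to be chronological
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_events or len(gaps) < 2:
            results[pair] = {"count": len(stamps), "median_interval": None, "cv": None, "flagged": False}
            continue
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        results[pair] = {"count": len(stamps), "median_interval": statistics.median(gaps),
                         "cv": cv, "flagged": cv <= max_cv}
    return results

def beaconing_pairs(log, **kwargs):
    """Return the (src, dst) pairs whose timing looks like a scheduled beacon."""
    return sorted(p for p, r in analyze_connections(log, **kwargs).items() if r["flagged"])
```

Real implants add jitter and sleep-skew, so the threshold and minimum event count need tuning against a baseline of known-good traffic before this is used for alerting.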
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“For anyone interested, 360Netlab’s report contains in-depth technical details of xdr33. While the features of xdr33 are not necessarily novel, 360Netlab does state that this is the first time they have captured a variant of the CIA Hive attack kit in the wild.”
3. Iranian government entities under attack by new wave of BackdoorDiplomacy attacks
A recent report by Palo Alto’s Unit 42 details a new wave of attacks attributed to the Chinese threat actor known as BackdoorDiplomacy.
Unit 42 claims to have observed Iranian government domains attempting to connect to malware infrastructure previously associated with the threat actor.
BackdoorDiplomacy (also known as APT15, Vixen Panda, KeChang, NICKEL, and Playful Taurus) is a Chinese state-backed advanced persistent threat (APT) group that is known to conduct cyberespionage campaigns. The group is believed to have been active since at least 2010, historically targeting government and diplomatic entities of interest to Beijing in North and South America, Africa, and the Middle East.
In mid-2021, ESET dove into BackdoorDiplomacy and the APT’s upgraded toolkit, which at the time included a new backdoor, called Turian. Turian still appears to be under active development and Unit 42 believes it is used exclusively by the BackdoorDiplomacy threat actors. New variants of the backdoor have since been observed in addition to new command and control (C2) infrastructure.
The domain vpnkerio[.]com was previously identified as part of a BackdoorDiplomacy campaign that targeted diplomatic entities and telecommunications companies in Africa and the Middle East. This domain and its associated subdomains have since shifted hosting, adopting various new IP addresses with many of the subdomains resolving to a single IP address.
Analysis of one IP address revealed an expired X.509 certificate associated with Senegal’s Ministry of Foreign Affairs. Even though the certificate expired in April 2021, it is still associated with recent related infrastructure.
Unit 42 dug into all IP addresses associated with the certificate and believes the certificate was originally associated with legitimate Senegal government infrastructure. Following its expiration, the certificate has been associated with nine different (and decidedly non-Senegalese government) IP addresses – eight of which have hosted BackdoorDiplomacy domains at different points in time.
Unit 42 monitored connections to this malicious infrastructure and observed four Iranian organizations attempting to connect to one of the malicious IPs between July and December of 2022.
Inside the wire
Unit 42’s investigation also revealed an IP address that hosted what appears to be a legitimate domain belonging to the Foreign Ministry of Iran between May and November of 2019. This domain also resides on a netblock that hosts other Iranian government-associated domains, suggesting that it does indeed belong to the Iranian government.
The twist here is that since September 2021, this IP has also hosted the suspicious domain mfaantivirus[.]xyz. Given the legitimate nature of the other government sites hosted on this particular address space, .xyz seems like a strange TLD.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“BackdoorDiplomacy is clearly continuing to evolve its tactics and tooling as evidenced by the upgraded Turian backdoor and new C2 infrastructure.”
“As noted by Unit 42, the upgraded tooling and infrastructure may suggest that BackdoorDiplomacy is continuing to see success during its cyberespionage campaigns. Unit 42 also cautioned that although this campaign seems to be targeted against Iranian government entities, BackdoorDiplomacy has historically deployed the same TTPs against entities across North and South America, Africa, and the Middle East.”