Neu Cyber Threats – 11th March 2021
Over the past 12 months, incidents of mobile adware nearly tripled as businesses had to implement emergency working-from-home measures. The same research found that while mobile threats overall dipped slightly over the past year, criminals focused on the quality of mobile attacks rather than on mass infections.
2020’s leading mobile threat type was adware, accounting for 57% of attacks. Fortunately for users, adware is more of a nuisance to the user experience, placing adverts across the user’s screen, as opposed to ransomware, which is able to steal credentials and company data. Risk tools came second with 21% of attacks, while trojan droppers and mobile trojans each represented 4.5% of attacks, and SMS-based trojans saw the least usage at 4% of mobile criminal activity. Risk tools are potentially dangerous or unwanted programmes that are not inherently malicious but are used to hide files or terminate applications, and could be used with malicious intent. Interestingly, adware was the only attack type whose usage rose in 2020.
Businesses should not take mobile cyber attacks lightly. Some employees use mobile devices to carry out work duties, and so have access to business hard drives, cloud operations and information that would be of interest to cyber criminals. The Ewind adware is thought to be the origin of nearly 2 million Ewind.kp Android installer packages, embedded within the files of legitimate applications, such as icons and resource files. These seemingly safe downloads are readily available on trustworthy third-party Android application sites. This isn’t the case for Apple users, as the platform’s closed hardware and software ecosystem poses unique challenges for criminals.
Even though they weren’t the top attack of choice for cyber criminals, over 150,000 installation packages for mobile banking trojans were found in 2020. This suggests criminals placed a larger emphasis on targeting users’ banking information, as more people had to switch to online or mobile banking when the COVID-19 pandemic restricted in-person banking options. Researchers are concerned about whether there is a link between the large rise in adware and malware. Adware can obstruct the removal of malware from a mobile device and gain elevated access privileges on the device, placing itself in the system area so that the user is unable to remove it without outside help.
Mobile device users are encouraged to check their devices for any errant applications or programmes. If they are experiencing adware, it may be an appropriate time to restore their device. This could help remove the adware, which may have been delivered along with a downloaded application.
Once launched, the new Ryuk variant spreads itself to every reachable machine on which Windows Remote Procedure Call (RPC) access is possible. It also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP and MAC addresses of the network devices the system has communicated with. It then sends a “Wake-On-LAN” packet to each host in order to wake up powered-off computers. The ransomware then attempts to mount any reachable network shares using the Windows SMB protocol, which allows the sharing, opening or editing of files on remote computers and servers.
Once all of the available network shares have been identified or created, the payload is installed on the new targets and executes itself via a scheduled task, allowing Ryuk to encrypt the targeted content and delete any copies that would otherwise allow file recovery. The files are encrypted before they are exfiltrated to the cyber criminals. The malware also interrupts multiple programmes, with a list of 41 processes to kill (task kill) and a list of 64 services to stop.
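The spreading sequence above leaves a recognisable pair of traces on each newly hit host: an administrative share being opened from a remote machine, followed within minutes by a scheduled task being created. The script below is an added example (not code from the original article or from any vendor) that correlates those two Windows Security events, IDs 5140 (network share accessed) and 4698 (scheduled task created), and also counts how many hosts a single source touched admin shares on, since that fan-out is the lateral-movement tell. The log lines and their “timestamp host event_id key=value” layout are constructed for the example and are an assumption, not a real event export.

```python
"""
Correlate the two Windows Security events the Ryuk chain above produces on a
target host: an administrative share opened from a remote machine (event ID
5140) followed within minutes by a scheduled task being created (event ID
4698). Added illustration; the log lines and the
"<timestamp> <host> <event_id> key=value ..." layout are constructed for this
example, not a real event export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: two hosts show the mount-then-task pattern from
# one source, plus one ordinary file-share access and one unrelated task.
SAMPLE_LOG = r"""
2021-03-09T02:14:03 WS-17 5140 src=10.0.8.22 share=\\*\ADMIN$ user=CORP\svc-backup
2021-03-09T02:14:41 WS-17 4698 task=\Update\sync user=CORP\svc-backup
2021-03-09T02:15:10 WS-23 5140 src=10.0.8.22 share=\\*\C$ user=CORP\svc-backup
2021-03-09T02:15:52 WS-23 4698 task=\Update\sync user=CORP\svc-backup
2021-03-09T09:05:00 FS-01 5140 src=10.0.3.5 share=\\*\Finance user=CORP\alice
2021-03-09T11:40:12 WS-09 4698 task=\Adobe\Updater user=CORP\bob
"""

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # hidden admin shares used for remote installs
WINDOW = timedelta(minutes=5)              # how close the two events must be


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, event_id, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), **fields}


def share_name(path):
    r"""'\\*\ADMIN$' -> 'ADMIN$' (last path component, upper-cased)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(text, window=WINDOW):
    """One alert per 4698 that follows an admin-share access on the same host within `window`."""
    recent_mounts = defaultdict(list)   # host -> admin-share 5140 events seen so far
    alerts = []
    for e in parse_log(text):
        if e["event_id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES:
            recent_mounts[e["host"]].append(e)
        elif e["event_id"] == 4698:
            for m in recent_mounts[e["host"]]:
                gap = e["ts"] - m["ts"]
                if timedelta(0) <= gap <= window:
                    alerts.append({"host": e["host"], "src": m["src"],
                                   "task": e["task"],
                                   "seconds": int(gap.total_seconds())})
    return alerts


def admin_share_fanout(text):
    """Number of distinct hosts whose admin shares each source IP touched."""
    hosts = defaultdict(set)
    for e in parse_log(text):
        if e["event_id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES:
            hosts[e["src"]].add(e["host"])
    return {src: len(h) for src, h in hosts.items()}


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"ALERT {a['host']}: task {a['task']} created {a['seconds']}s after "
              f"admin share opened from {a['src']}")
    print("admin-share fan-out by source:", admin_share_fanout(SAMPLE_LOG))
```

On the constructed input this raises two alerts (WS-17 and WS-23, both seeded from 10.0.8.22) and reports that source as having touched admin shares on two hosts; the Finance share access and the unrelated Adobe task on WS-09 are left alone. In a real deployment the same logic would run over events forwarded from the hosts’ Security logs, with the five-minute window tuned to the environment.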
Ryuk ransomware is usually deployed via an initial “dropper” malware that acts as the tip of the spear, such as Emotet, TrickBot, Qakbot or Zloader, among others. From there, attackers look to escalate privileges in order to set up lateral movement.
Businesses should look at preventing ransomware such as Ryuk from breaching their systems. Multi-factor authentication (MFA) works as part of a multi-layered business continuity and disaster recovery plan to give companies an extra outer layer of protection. Once users have enrolled, they are prompted to enter a code that is generated and sent to their second device, such as a phone or tablet, which proves that the person signing in is who they claim to be. MFA is most effective when teamed with a strong awareness of the phishing campaigns that are currently thriving. By ensuring your entire business is aware of the latest developments in the cyber security world, you are protecting your business in the best way possible, as your staff will be the ones who have to deal with the scams the company receives from cyber criminals.
Researchers believe that Ryuk is commonly sold as a toolkit on the Dark Web, and it’s believed that the ransomware has brought in at least $150 million for cyber criminals over its lifetime of use. Don’t be the next victim!