When the ransomware was first tested, it deleted every file in a folder except for one. Because the ransomware was still under development, this was at first assumed to be a bug in the encryption routine. It has since been confirmed that the deletion was intentional: the ransomware was deleting duplicate files. This is the first ransomware the researchers have seen that performs this behaviour.
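A defender who has a pre-incident backup or snapshot can test the same hypothesis the researchers reached: were the missing files content-duplicates of files that survived, or was data actually lost? The script below is an added example written for this page, not the researchers' tooling or any code from the ransomware; the snapshot contents, paths and the two "after" listings are constructed sample data.

```python
import hashlib
from typing import Dict, List, Set


def sha256(data: bytes) -> str:
    """Content hash used to decide whether two files are duplicates."""
    return hashlib.sha256(data).hexdigest()


def explain_deletions(before: Dict[str, bytes], after_paths: Set[str]) -> Dict[str, object]:
    """Reconcile a pre-incident snapshot (path -> bytes) with the set of paths
    that still exist afterwards.

    Each deleted file is classified as either a content duplicate of a file
    that survived (consistent with a deliberate de-duplication step) or as
    unexplained (a genuine loss that a backup must cover)."""
    paths_by_hash: Dict[str, List[str]] = {}
    for path, data in before.items():
        paths_by_hash.setdefault(sha256(data), []).append(path)

    deleted = sorted(set(before) - after_paths)
    duplicate_of_survivor: Dict[str, str] = {}
    unexplained: List[str] = []
    for path in deleted:
        survivors = [p for p in paths_by_hash[sha256(before[path])] if p in after_paths]
        if survivors:
            duplicate_of_survivor[path] = survivors[0]
        else:
            unexplained.append(path)

    return {
        "deleted": deleted,
        "duplicate_of_survivor": duplicate_of_survivor,
        "unexplained": unexplained,
        # True only when something was deleted and every deletion has a surviving twin
        "consistent_with_dedup": bool(deleted) and not unexplained,
    }


# Constructed snapshot: three byte-identical copies of one report plus two unique files.
SNAPSHOT: Dict[str, bytes] = {
    "docs/report.docx": b"quarterly report v1",
    "docs/report copy.docx": b"quarterly report v1",
    "docs/old/report.docx": b"quarterly report v1",
    "docs/budget.xlsx": b"budget 2019",
    "docs/notes.txt": b"meeting notes",
}

# Constructed "after" listings: one matching the behaviour described above
# (only duplicates removed), one where a unique file also vanished.
AFTER_DEDUP: Set[str] = {"docs/report.docx", "docs/budget.xlsx", "docs/notes.txt"}
AFTER_DATA_LOSS: Set[str] = {"docs/report.docx", "docs/budget.xlsx"}


if __name__ == "__main__":
    for label, after in (("dedup", AFTER_DEDUP), ("data loss", AFTER_DATA_LOSS)):
        result = explain_deletions(SNAPSHOT, after)
        print(label, "->", result)
```

Running the script against the first listing reports both deleted copies as duplicates of `docs/report.docx` and flags the deletion pattern as consistent with de-duplication; against the second it lists `docs/notes.txt` as unexplained, which is the case where only a backup restores the data.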
Experts' comments below:
Colin Little, Senior Threat Analyst at Centripetal:
“Ransomware is a perfect example of how an unskilled operator can cause massive amounts of damage to an organization, all in an effort to monetize their criminal efforts. The good news is that since ransomware is an established malware family, there’s a lot of threat intelligence available to identify and combat it. The files involved, the locations on the endpoint those files are written to, the email or website used to deliver the malicious payload, the server it uses for command and control, all are typically re-used infrastructure. This means that if an organization is proactively using threat intelligence, they can stop an attack like this before it starts even if their conventional security tools miss it.”
Pravin Kothari, CEO at CipherCloud:
“Malware continues to grow in sophistication and the newer forms of ransomware are particularly deadly to most businesses.
SamSam, a custom infection ransomware, has been used in targeted attacks going back to 2016, and has wreaked havoc on city networks from Georgia, Indiana and Colorado. It has been increasing the cost of their ransom as well. It spreads using a range of exploits or brute-force tactics. In 2018, SamSam was enhanced to exploit vulnerabilities in remote desktop protocols (RDP), Java web servers, or FTP servers to gain access to victims’ networks. The ability to perform brute-force attacks against weak passwords was also added.
Given the focus of SamSam on cities, Albany’s ransomware seems to be SamSam or one of its variants.
To better combat malware, enterprise organizations have been improving their awareness training and security processes with real-time monitoring, backups, cloud security brokers, email security, strong passwords, and rights management to protect their data. This ensures that ransomware can be tackled in real-time or near real-time, so that the data cannot be stolen during a cyber attack or an attempt to compromise data by ransomware-wielding cyber thieves. Encryption and rights management are necessary to be certain that a ransomware attack has not compromised regulated data as required by regulatory requirements of HIPAA, PCI, GDPR, etc.
Progress to address these threats has been OK but the attackers still move faster than the defenders in this cat-and-mouse game. Enterprise security operations centers (SOCs) now usually budget for specific ransomware detection and remediation software. This software protects against the most common ransomware attack vectors, but of course, won’t immediately meet the rapid evolution of ransomware advancements, especially with AI. Once again, small and medium organizations are more vulnerable and poorly equipped to deal with nation-state-sponsored or organized-crime-sponsored ransomware attacks.”
Roy Rashti, Cybersecurity Expert at BitDam:
“Decryption can take time when it comes to large quantities of data. By encrypting solely unique files, the vxCrypter ransomware can speed up this process. In addition, the prospect of losing files that hold valuable information could intimidate the affected end user into paying the ransom.
To prevent this from happening, users should stay alert and make sure they have proper security solutions in place. Keeping a backup of any important files in a trusted location is also a good habit to get into.
Ransomware is a major source of income for cybercriminals. This means they are constantly innovating and investing in new attack methods to overcome target organisations’ security solutions. Rather than reacting once an attack has taken place, organisations must always be on guard and be prepared for any possible scenario.”