CyberWire Daily - Smaug: Ransomware-as-a-service drag(s)on. [Research Saturday]
Episode Date: October 3, 2020
Threat actors and cybercriminals that don't have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims. Joining us in this week's Research Saturday to discuss the research are Anomali's Joakim Kennedy and Rory Gould. The research can be found here: Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We constantly sort of keep an eye out for emergent threats, and ransomware is something
we see from time to time.
Our guests this week are Rory Gould and Joakim Kennedy.
They're members of the research team at Anomali.
Today we're discussing their research on the Smaug ransomware as a service.
When this one sort of was caught in our collection,
and it was sort of identified to be somewhat of a new ransomware as a service that we hadn't really seen much of an analysis about,
We sort of decided to sort of dig deeper into it.
That's Joakim Kennedy.
And what we found first was sort of a quick sort of report around the initial sort of panel that has been found as part of its announcement or advertisement on the dark web.
But we couldn't find anything around sort of the malware,
how it worked and things like that.
So now when we actually had a sample,
we could actually take the time and sort of dig into it and find how it operated, what it did,
and if it did something different compared to others
or the ransomware that's out there.
And then sort of wanted to go ahead and put the whole picture together
and do an analysis based on the threat actor that's behind it
and where it is announced on the dark web
and what they're telling potential customers, as you want to say,
what they can do with it.
Well, let's go through the research together.
First of all, in terms of the threat actor, who do you suppose is behind this?
No, that's a very loaded question. Sorry.
That's Rory Gould. Unfortunately, it's quite difficult to really pin down, you know,
who this person is or where perhaps they come from.
I mean, there are a few flags.
I mean, for instance, there was, or rather within the original post on the Russian dark web forum, it says that targeting any CIS,
as in Commonwealth of Independent States, is prohibited
and will result in an immediate ban.
So that might make one think, okay, maybe it's a Russian or it's a Russian speaking actor. But to be honest, whenever you sort of,
whenever you dig through the panel and you even look at the screenshots that they present you,
you can see that there's Mandarin characters hidden within some of the ransom notes.
So to be honest, can't really come off the fence on this one and can't really give it any sort of
attribution.
But, you know, there are certain things that might make you think.
Well, and you suspect that it's a small team behind this.
Yeah, we would be of the opinion it would be a very small team.
At least two people.
Can't really put a maximum on it,
but wouldn't imagine it would be a particularly large team
or a large effort behind it.
Well, let's go through it together.
I mean, the story sort of begins with some forum activity that you all tracked down.
Take us through the story here.
So essentially, after Joakim found sort of some public-facing stuff displaying the panel, displaying the ransomware as a service that it was for sale,
I looked through some forums that I would know would generally be used to sell these sorts of items, one forum in particular, a Russian-language one.
So I went through the forum, I searched for it, and it was rather easy to find, actually.
As you can see, anybody that looks at the blog, you can see the original posting. It's fairly generic. They give you a link to it.
They tell you all the things it does, how configurable it is. It gives you the price.
It gives you the service fee. So yeah, as a starting point, that was a good space to go with.
Yeah, it's interesting to me to see the post that you share here,
kind of the salesmanship that's on display here.
Also, a very good use of English.
Yes, a suspiciously good use of English
because obviously this is the initial offering of the ransomware.
But if you dig into the profile of the actor,
well, we'll just call him Corinda because that's what their username was.
If you dig into their user history within the forum, I think it was maybe about four or five months before the Smaug offering, there was a post looking for a front-end dev.
They wanted somebody who was fluent in English and they were willing to pay $2,000 in Bitcoin.
This post itself was written in rather broken English,
which would sort of contrast with the Smaug offering,
which was in perfect English, grammatically and always.
So the distinction between the two would lead us to believe
that there were in fact at least two different people,
an English-speaking front-end dev and then somebody else in the shadows as it were.
Well, let's dig into the ransomware offering itself. Can you walk us through
someone who would engage with them? What sort of thing would they find themselves able to use?
Unfortunately for businesses and individuals out there it's
actually rather easy to do this. In the initial offering it gives you an onion
link to the website that Smaug is hosted on. Once you click through to that URL
and you go to it you're presented with a fairly generic registration. You know you
put your email in, you generate a password, you confirm your password and
you enter a security code. Once you do that, you get a
confirmation and it's sent to your email address pretty quickly.
From there, you're given a Bitcoin wallet address. You send your
0.2 Bitcoin to that address and once you're there,
your account's active. You're essentially good to go
from that point. You can immediately go into the dashboard that the developers created. If anybody looks at the
blog, they can see the photos of it. It's actually, I would argue, it's quite a nice UI.
It's pretty clean. It's rather sparse. You know, it does what it needs to do.
And honestly, from there, it's just, it's point and click. You don't need to program anything.
You really don't need to do anything at all.
You just come up with a campaign title.
Whatever company you're targeting, like the BBC or something,
you can call it BBC.
Set it to a business model,
so it'll infect all the computers within that network,
but it only needs one decryption code to release all of them. Or,
if you really want to be nasty, you could send it out under the regular mode, which means every
single computer needs its own decryption key. You can generate a ransom message saying, you know,
haha, you've been pwned, send money to this Bitcoin address. And there you go. You just
click the create button and that's it, you're away.
Now, in terms of the messages actually going out to infect people,
the email messages, I suppose a phishing campaign, something like that,
is that outside of what Smaug will do, that you're on your own for that part of it?
Yes, in terms of infection vectors or people you might want to target,
that's one of the places you will be on your own
and you have to figure that one out yourself.
Yeah, and I would say it's something
that we kind of see.
One of the things that the ransomware service provides
is they provide you with the actual ransomware.
They do handle sort of part and the money part of that for the users of the service.
And then it's up to the user to try to infect and target the specific victims that they want to target.
They just make it easier from sort of getting it to that point and then sort of cashing out.
Yes, they are. They're very generous.
They will manage the funds coming in
and take their 20% fee off it before you ever get to it.
So I suppose that's one drawback from it.
Well, let's dig into the ransomware itself. I mean, you all were able to take a look at the code here. What's going on under the hood?
So under the hood, it's actually a relatively simple ransomware.
In general, all ransomware have a very, very similar sort of functionality. They look for specific files on the machine,
they encrypt them, and then sort of inform the user that this has happened
and then how to sort of achieve a decryption key.
But then in addition to that, other sort of ransomware will do other things.
Some try to propagate through the network
and try to remove certain backups. If it's not targeting specific backup files,
something we see sort of in with Windows, it tries to disable the shadow copy and remove
any shadow copy files. So you can't do an easy sort of recovery.
And this sample, the current sort of generation of this ransomware, doesn't have any of this functionality.
The other sort of things, while sort of some programs are running, they may lock specific files to prevent them from being tampered with or removed.
So some ransomware will actually go through all the running processes on the machine and sort of turn off and stop all these processes
to release those files.
And it doesn't even have that sort of functionality.
So it's relatively simple.
But say, flipping on that side,
it is sort of a ransomware that is marketed
to function on multiple operating systems.
So it works on the panel they sell it for both Windows, for Mac, and for Linux.
What we've found is we've found samples for both Windows and Linux in the wild.
So far, none of the Mac one has come under our radar.
And the fact that it's sort of simple
allows sort of the same sort of code base to be used.
They don't have to write specific sort of codes
for certain operating system to do certain tasks.
And they can just compile different architectures
and different operating systems
directly from the same code base
without sort of part of it. So it's relatively easy from sort of the development standpoint.
Now, does that simplicity lead to being, I guess for lack of a better word, noisy?
Is it easy to detect?
Ransomware in general are relatively easy to detect.
They're pretty noisy when they do run.
Most sort of EDR systems would sort of pick this sort of activity up, as they are reading and writing a lot of files pretty quickly,
which is usually a very abnormal activity.
But in terms of that, it doesn't do anything else.
So there's no other sort of direct indicators.
It doesn't try to reach out to any
network servers or something like that to
pull something down, so you won't have any
network-based indicators
directly from this ransomware,
in addition to how it sort of landed on the machine.
So
I wouldn't say it's sort of harder
or easier than any
other kind of ransomware.
And it's not actively going after your backups or anything like that, right?
It has a list of certain file extensions.
So it will actually crawl through and look for files.
So if it has a .backup or common file extensions that people might put on backup files,
it would decrypt them.
But it doesn't try to sort of connect to, say,
a network share, for example, and try to encrypt that.
And then also sort of if you have in Windows
the shadow copy enabled,
it currently doesn't remove those and disable that.
I see.
What is your sense for how successful this has been?
Has it caught on or are you seeing much usage of it?
I'd say since we started looking at it,
it started to, first initial sort of samples coming in
were more of like a test type system.
It seemed like maybe users were buying it and just sort of generating something and seeing how it worked and see potentially how it was detected by AV products.
And it's mainly based on sort of the ransomware notes that was put in. Some of them would have been sort of the generic, the default one, and some had tests in them and things like that.
We have picked up a couple of samples that are, appears to be, some decoy files.
So it was at the end of June, we started to see the first one, which was a self-extracting executable that was looking like a Word file, so it had an icon
of Microsoft Word, and it had a sort of a file name of "corporate detail June 2020", which could
intend that this might be some sort of a potential phishing lure that might have been used.
To be honest, if Joakim hadn't found those live samples,
I would have been incredibly skeptical about this Smaug ransomware completely.
There's no activity on any of the forums. People are not talking about it. Even on that initial
offering post, there were a few replies to it, maybe three or four. And it was people saying,
can anybody vouch for this? Is this real? There were no replies; there was no reputation for the author. Since then, I've seen
some more activity mentioning Smaug on other forums. But again, it is just people saying,
you know, has anybody used this? Is this legit? Does anybody have any, you know, info, any feedback,
anything? And nothing. None of those posts receive any replies whatsoever.
And I mean, it got to the point
where the moderators in the forum
locked the initial offering post after 10 days
and asked that the actor, Corinda,
would move $8,000 into an escrow account for the forum
because they were beginning to become convinced
that it was an exit scam
and didn't really believe that there was anything behind it.
So that cautioned me, I'll say that.
Yeah, that's interesting.
So I guess, I mean, that's an interesting component to this as well,
that it's possible that some of these offerings
may be scams themselves.
I mean, it's sort of layers upon layers.
It's entirely possible.
You know, the moderators for the forums, as silly as it sounds,
work very hard to try and combat any sort of exit scams
or any scams in general or phishing or whatever it might be.
Because, of course, these are all heavily reputation-based.
So they'll be a very active middleman in any sort of process which will involve large sums of money being moved about
between sellers and buyers or whatever the relationship may be.
So in general, I mean,
wrapping up on this one, is it more of an interesting one to take a look at from a
research point of view,
but probably something, at least at this point, that isn't a real active threat?
I think it's kind of taken in sort of both ways.
It's obviously one of the things is you don't really know what the next big threat is going to be.
And it's always good to be prepared of whatever is out there.
So sort of with regards to this one,
when sort of the panel first came up,
in sort of the,
because there were no samples,
anyone knew anything about it,
it was hard to sort of write
sort of detections for it.
Now when sort of it has been identified,
at least sort of like on the defender side,
we're actually aware of the threat
so we can sort of at least prepare for that, because in the end it doesn't really matter, you
know, which successful ransomware sort of service or sort of malware is actually infecting
you. Either way, it's like they do their job. They do, you know, encrypt and destroy people's data.
And even if it's successful or not,
it still hurts the people that actually get infected by it. Right.
So if we can at least prepare and help the community
protect against that, that's what we're all about.
Yes, I would agree with Joakim there.
Because it's a ransomware as a service, it may seem a little more amateurish
or not as serious of a threat.
And it'd be quite easy to be lulled into a false sense of security
thinking that no serious actor is going to use this
or it's not going to seriously damage you.
But it only takes that one person to
infect you with it, and it's a huge issue. And of course, there could be other concerns that
perhaps other more serious threat actors or threat groups could use something like
this to avoid attribution. You know, you really just don't know.
Our thanks to Rory Gould and Joakim Kennedy from Anomali for joining us.
We'll have a link to their research on the Smaug ransomware as a service in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.