A gang of hackers is responsible for numerous non-standard ransomware infections. These turn out to be carried out via a re-tooled version of the Bucbi ransomware, which has not been used this heavily since the year it first appeared, 2014.
According to the researchers from Palo Alto Networks, these ransomware infections are rather different due to the fact that they do not rely on social engineering tactics to trick victims into installing the ransomware. Instead, the group’s members are doing it themselves, after hacking into vulnerable enterprise networks.
These attacks have a direct connection to a series of incidents that Fox-IT researchers reported on last week. The experts said they have seen cyber-crime groups use brute-force attacks against corporate networks running Internet-facing Remote Desktop Protocol (RDP) servers.
Palo Alto is now reporting on who is behind these attacks, and why and how they are carried out. According to the experts, the exact origin of the cyber criminals is not yet clear. The company says that the group is identified as the “Ukrainian Right Sector,” but evidence in the ransomware code points to a Russian origin, in particular the use of the GOST algorithm, which was developed by the former USSR government and only made public in 1994.
Despite the code clues, the Ukrainian Right Sector is a real-world organization: an extremist Ukrainian nationalist political party with paramilitary operations that opposes Russia.
As for the Bucbi ransomware itself, the security experts say this version has been heavily modified. The three main differences are that the ransomware works without needing to connect to an online C&C server, uses a different installation routine, and drops a different ransom note.
The similarities between the 2014 and 2016 versions include many shared debug strings, similar file names, and the fact that both use the GOST block cipher.
The researchers from Palo Alto say that Bucbi’s installation method is what drew their attention to this specific threat. The Bucbi ransomware is considered unique because it relies on attackers brute-forcing their way into corporate networks via open RDP ports.
Palo Alto suspects the hackers to have used a tool called “RDP Brute (Coded by z668),” though this is hardly the most interesting detail.
“Many common usernames were used in attempted logins in this brute force attack, including a number of point of sale (PoS) specific usernames,” the Palo Alto experts noted.
“It is likely that this attack originally began with the attackers seeking out PoS devices, and after a successful compromise, changed their tactics once they discovered that the compromised device did not process financial transactions.”
The PoS-specific usernames include strings like FuturePoS, KahalaPoS, BPOS, POS, SALES, Staff, and HelpAssistant.
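As an added example (not from the article or from Palo Alto’s research), the following Python script shows how a defender could spot this pattern in failed-logon telemetry: it groups failed RDP-style logons (Windows Security event 4625, logon type 10) by source address and flags bursts that include the PoS-specific usernames listed above. The log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# PoS-specific account names quoted in the article (matched case-insensitively).
POS_USERNAMES = {"futurepos", "kahalapos", "bpos", "pos", "sales", "staff", "helpassistant"}

# Flattened, simplified rendering of Windows Security event lines.
# Constructed sample data, not real telemetry; the 10.0.0.0/8 addresses are placeholders.
SAMPLE_LOG = """\
2016-05-10T02:14:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=10.9.8.7
2016-05-10T02:14:02 EventID=4625 LogonType=10 TargetUserName=FuturePoS IpAddress=10.9.8.7
2016-05-10T02:14:02 EventID=4625 LogonType=10 TargetUserName=KahalaPoS IpAddress=10.9.8.7
2016-05-10T02:14:03 EventID=4625 LogonType=10 TargetUserName=POS IpAddress=10.9.8.7
2016-05-10T02:14:03 EventID=4625 LogonType=10 TargetUserName=SALES IpAddress=10.9.8.7
2016-05-10T02:14:04 EventID=4625 LogonType=10 TargetUserName=HelpAssistant IpAddress=10.9.8.7
2016-05-10T02:15:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.1.1.5
2016-05-10T02:15:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.1.1.5
"""

LINE_RE = re.compile(
    r"EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)"
)

def parse_failed_rdp_logons(log_text):
    """Return {source_ip: [usernames]} for failed (4625) logons of type 10 (RemoteInteractive)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["event"] == "4625" and m["ltype"] == "10":
            attempts[m["ip"]].append(m["user"])
    return attempts

def find_pos_bruteforce(log_text, threshold=5):
    """Flag sources with >= threshold failures that also tried PoS-specific usernames.
    Returns {ip: {"failures": count, "pos_usernames": sorted list of names tried}}."""
    findings = {}
    for ip, users in parse_failed_rdp_logons(log_text).items():
        pos_hits = sorted({u for u in users if u.lower() in POS_USERNAMES})
        if len(users) >= threshold and pos_hits:
            findings[ip] = {"failures": len(users), "pos_usernames": pos_hits}
    return findings

if __name__ == "__main__":
    for ip, info in find_pos_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed RDP logons, PoS accounts tried: {info['pos_usernames']}")
```

On hosts with Network Level Authentication enabled, failed RDP authentications are commonly recorded with logon type 3 rather than 10, so the type filter should be widened accordingly when running this against real event logs.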
In any case, all of the above shows that cyber-crime gangs often adjust their strategies to take advantage of the vulnerabilities they find at a given moment, adapting to the types of systems they encounter.