As cybercriminals continue to explore new avenues for profit, the ransomware landscape has seen an influx of less experienced hackers attempting to capitalize on the lucrative malware market. However, with users becoming more reluctant to pay ransoms, these new entrants are adopting a “Frankenstein” approach by cobbling together pieces of code from previous ransomware strains, resulting in a new generation of unpredictable and dangerous malware.
Table of Contents
- The Decline of Ransom Payments
- Enter Frankenstein Malware
- Notable Frankenstein Ransomware Variants
- The Risks of Bad Code and Outdated Components
- Defensive Strategies Against Frankenstein Malware
- The YourCyanide Ransomware: A Deep Dive
- Impact and Mitigation of YourCyanide
- Indicators of Compromise (IoCs)
- The Importance of Proactive Cybersecurity
1. The Decline of Ransom Payments
Recent reports suggest that ransomware victims are becoming increasingly reluctant to pay ransoms. Cyber insurer Corvus reported that the percentage of its policyholders who paid a ransom dropped from 33% in 2021 to 28% in 2022. Ransomware incident response firm Coveware reported that for victims it assisted, 41% paid a ransom in 2022, compared to 79% in 2019.
This decline in ransom payments can be attributed to several factors, including growing public awareness of the risks associated with ransomware, the hardening of attitudes towards ransomware groups, and increased efforts from cyber defenders to combat these threats.
2. Enter Frankenstein Malware
Despite the shrinking ransomware market, new cybercriminals continue to enter the fray, seeking to make a quick profit. However, rather than developing their own ransomware strains, these inexperienced hackers are repurposing pieces of code from previous malware, creating a new type of threat known as “Frankenstein malware.”
In essence, Frankenstein malware consists of components taken from several different ransomware strains and combined into a new and unpredictable threat. This approach allows less sophisticated attackers to enter the market quickly without investing the time and resources needed to develop their own ransomware from scratch.
3. Notable Frankenstein Ransomware Variants
Several recently discovered ransomware variants showcase the Frankenstein approach:
- ESXiArgs: This ransomware targets VMware systems and utilizes a ransom note from one strain, an encryption scheme from another, and additional components from various sources.
- Rapture: Rapture borrows heavily from the leaked source code of the Paradise crypto-locker.
- GazProm: Named after the Russian gas giant, this ransomware uses leaked Conti source code and features a ransom note with ASCII art of Russia’s president.
- RA Group, Rorschach, and RTM Locker: These ransomware strains use the source code from Babuk, which leaked in September 2021.
4. The Risks of Bad Code and Outdated Components
While the Frankenstein approach allows new cybercriminals to enter the ransomware market quickly, it also presents significant risks for both the attackers and their victims. The repurposed code may contain bugs and vulnerabilities that can cause the malware to malfunction, potentially rendering victims’ files irrecoverable, even if they pay the ransom.
Additionally, many of the components used in Frankenstein malware may be outdated, making it more challenging for cyber defenders to predict and mitigate the threats effectively.
5. Defensive Strategies Against Frankenstein Malware
To better protect against Frankenstein ransomware, organizations should consider implementing the following defensive measures:
- Multifactor Authentication (MFA): As recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), MFA should be widely employed to secure access to critical systems and high-value targets such as system administrators and software-as-a-service staff.
- Regular Software Updates: Keeping software and systems up-to-date will help minimize the risk of exploitation through known vulnerabilities, which Frankenstein malware may still utilize.
- Proactive Threat Intelligence: Utilizing threat intelligence platforms can help organizations identify and mitigate potential threats before they become critical issues.
- Backup and Recovery: Regularly backing up critical data and implementing a robust recovery plan can minimize the impact of a ransomware attack.
- Network Security: Implementing robust security configurations on network infrastructure devices such as firewalls and routers can help protect against ransomware attacks.
6. The YourCyanide Ransomware: A Deep Dive
YourCyanide is a recent example of a Frankenstein ransomware variant. It is a CMD-based ransomware strain that uses Discord, Microsoft Office, and Pastebin as part of its payload delivery mechanism. Researchers traced its origins back to the GonnaCope ransomware family, which first surfaced in April 2022.
YourCyanide shares many similarities with other ransomware strains, such as using an obfuscated file to fetch a malicious executable (GetToken.exe), encrypting files and renaming them with a .cyn extension, and dropping a ransom note on the victim’s system. However, it also exhibits some unique behaviors, such as spreading via email and leveraging a Telegram bot for communication.
7. Impact and Mitigation of YourCyanide
The YourCyanide ransomware poses several risks to organizations:
- Stolen credentials could provide unauthorized access to the organization’s networks.
- Exposed Personally Identifiable Information (PII) could facilitate social engineering schemes, phishing attacks, and identity theft.
- Data breaches could reveal sensitive business practices and intellectual property.
To mitigate the impact of YourCyanide, organizations should consider the following measures:
- Audit and monitor logs of events and incidents to identify unusual patterns and behavior.
- Reset compromised login credentials and enforce strong password policies for user accounts.
- Implement MFA across logins.
- Ensure all vulnerable and exploitable endpoints are patched and secure.
- Monitor for anomalies that may indicate possible system takeovers.
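The two sections above describe YourCyanide's observable behaviour (an executable named GetToken.exe, files renamed with a .cyn extension) and recommend auditing logs for unusual patterns. The script below is an added example, not code from the article or from any vendor tool, showing what such a log check can look like: it parses file-event lines and flags a process that renames many files to .cyn inside a short window, as well as any event produced by an image named GetToken.exe. The log format, the sample events, the five-rename threshold and the 60-second window are all constructed assumptions for the illustration; only the .cyn extension and the GetToken.exe name come from the article.

```python
"""Flag YourCyanide-style file activity in a file-event log.

Added example for this article, not code from the original post or from
any product. The log format and sample events below are constructed;
real Sysmon, EDR or auditd records carry the same fields under other names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".cyn"             # extension YourCyanide appends (from the article)
DROPPER_NAME = "gettoken.exe"   # executable fetched by the obfuscated file (from the article)
RENAME_THRESHOLD = 5            # assumed: flag a process after this many .cyn renames ...
WINDOW = timedelta(seconds=60)  # assumed: ... that fall inside one window of this length

# Constructed sample events: <ISO 8601 timestamp> <process image> <action> <path>[ -> <new path>]
SAMPLE_LOG = r"""
2023-05-01T10:00:01Z winword.exe OPEN C:\Users\alice\Documents\q1.docx
2023-05-01T10:01:40Z explorer.exe RENAME C:\Users\alice\Desktop\old.txt -> C:\Users\alice\Desktop\new.txt
2023-05-01T10:02:15Z GetToken.exe CREATE C:\Users\alice\AppData\Local\Temp\payload.bat
2023-05-01T10:02:16Z cmd.exe RENAME C:\Users\alice\Documents\q1.docx -> C:\Users\alice\Documents\q1.docx.cyn
2023-05-01T10:02:16Z cmd.exe RENAME C:\Users\alice\Documents\q2.docx -> C:\Users\alice\Documents\q2.docx.cyn
2023-05-01T10:02:17Z cmd.exe RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.cyn
2023-05-01T10:02:17Z cmd.exe RENAME C:\Users\alice\Pictures\cat.jpg -> C:\Users\alice\Pictures\cat.jpg.cyn
2023-05-01T10:02:18Z cmd.exe RENAME C:\Users\alice\Pictures\dog.jpg -> C:\Users\alice\Pictures\dog.jpg.cyn
2023-05-01T10:02:18Z cmd.exe RENAME C:\Users\alice\Desktop\notes.txt -> C:\Users\alice\Desktop\notes.txt.cyn
"""


def parse_event(line):
    """Parse one constructed log line into a dict; 'dst' is None unless the action is a rename."""
    ts, image, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "image": image,
        "action": action,
        "src": src,
        "dst": dst or None,
    }


def has_burst(timestamps, threshold, window):
    """True if at least `threshold` timestamps fall inside some span no longer than `window`."""
    ts = sorted(timestamps)
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:   # slide the left edge until the span fits the window
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect(lines, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return dropper sightings and the processes that mass-renamed files to the ransom extension."""
    dropper_sightings = []           # (action, path) for every event by the known dropper name
    cyn_renames = defaultdict(list)  # process image -> timestamps of renames to RANSOM_EXT
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["image"].lower() == DROPPER_NAME:
            dropper_sightings.append((ev["action"], ev["src"]))
        if ev["action"] == "RENAME" and ev["dst"] and ev["dst"].lower().endswith(RANSOM_EXT):
            cyn_renames[ev["image"]].append(ev["ts"])
    mass_renames = {
        image: len(stamps)
        for image, stamps in cyn_renames.items()
        if has_burst(stamps, threshold, window)
    }
    return {"dropper_sightings": dropper_sightings, "mass_renames": mass_renames}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

The burst check matters more than the extension match on its own: a single user renaming one file is noise, while one process touching many files with the same new extension within seconds is the pattern that backup and containment playbooks should key on. The threshold and window are starting points to tune against a baseline of normal rename activity on the monitored hosts.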
8. Indicators of Compromise (IoCs)
Organizations should be aware of the following Indicators of Compromise (IoCs) associated with the YourCyanide ransomware:
- Listed in the reference article.
9. The Importance of Proactive Cybersecurity
As Frankenstein ransomware continues to emerge, organizations must prioritize proactive cybersecurity measures to stay ahead of these evolving threats. By employing robust security practices, such as MFA, software updates, threat intelligence, and backup and recovery strategies, organizations can reduce the likelihood and impact of ransomware attacks.
The rise of Frankenstein ransomware presents new challenges for organizations and cyber defenders. It highlights the need for organizations to be proactive in their cybersecurity measures and stay informed about the latest threats. By understanding the risks associated with these new ransomware variants and implementing effective defensive strategies, organizations can minimize the impact of ransomware attacks and safeguard their valuable data and systems.