🐈 Ransomware statistics your CISO won't share

Read time: 5 minutesChuckles: 9

Hi again, it's meoward – your inbox's weekly dose of security. It's like DayQuil, it makes you feel better without the sleepiness.

On the stack this week:

• 💰 Median ransom payments drop 51%: but isn't the average ransom going up? Statistics are hard, we break the numbers down and make them simple.

• 🪦 Macros are dead, long live macros: Microsoft Office macros are now more difficult to run, so how are attackers pivoting?

• 💫 Living off Microsoft Defender: LockBit is using Microsoft Defender to side-load Cobalt Strike.

• ⛺️ Hacker Summer Camp: 5 pro tips on how to make the most out of your Vegas voyage to DEF CON and BlackHat.

Chop, chop. Look lively now.

Average cost of a ransom: a useless statistic without context

There's been some huge ransom payouts. Last year we saw Colonial Pipeline pay $5 million (they got some back!). And the largest yet, Insurance giant CNA Financial paid $40 million.

The most common statistic about ransomware is the average ransom payment. This is a bit misleading.

Coveware published a report last week with two interesting (and related) stats:

1. The median ransom (the amount most companies paid) dropped by 51% in Q2 2022.

2. Big companies aren't paying the ransom.

Large companies and governments are under a lot of pressure to not pay the ransom. It sets a bad precedent, and generally puts the victim in a bad light. So a lot of these big companies aren't paying.

As a result, ransomware operators have moved on. Smaller ransomware-as-a-service (RaaS) operations are spinning up and targeting smaller companies. Smaller ransom payments, sure, but at least they're paying.

Macros are out, here's what attackers are using instead

Back in February, Microsoft announced they would be making it a lot more difficult to enable Office Macros. Macros would be blocked by default for files downloaded from the Internet or received via email. The change was temporarily reversed in July after blowback from customers.

But on July 20th, Microsoft reversed their reversal. After decades of malware living their best life, Microsoft finally decided to take one for the team.

It only took 25+ years

So how does Office determine where a file came from? The Zone.Identifier data stream.

Quick file system lesson (sips coffee). Files on a filesystem have data attributes, the most obvious being the file data itself. This is called the primary data stream, sometimes referred to as $DATA. NTFS, the filesystem Windows uses, supports alternate data streams (ADS).

This file has two data streams: $DATA (the file itself) & Zone.Identifier

The Zone.Identifier data stream is added to files by most web browsers and email clients. It tells us where the file came from. When Word opens a DOC file with a Zone.Identifier, it checks if it came from an untrusted place (like the Internet). If it did, it will block any macros from running.

So now what?

This has led to the return of an old classic. That's right, it's the return of container files! You see, when you download a container file (ZIP, ISO, etc.), only the container gets the Zone.Identifier data stream. The files inside don't.

Malware like IcedID and Qakbot have already started using containers. Proofpoint is seeing a huge uptick in campaigns using containers, and a drop in macro usage.

Zip you up and keep you safe, my sweet malware

Microsoft Defender, now with Cobalt Strike!

LockBit, the ransomware group, is using a novel technique to avoid detection. It's using Microsoft Defender to side-load the Cobalt Strike DLL (a popular command and control tool).

It works like this (another sip of coffee):

1. Get initial access to a Windows computer.

2. Download and save the following files to C:\windows\help\windows:

   1. MpCmdRun.exe: a legit and Microsoft-signed Defender binary, mostly used for automating Defender tasks

   2. mpclient.dll: a Defender DLL with some added "extras"

   3. c0000015.log: an encrypted Cobalt Strike payload

3. Run the downloaded MpCmdRun.exe.

4. MpCmdRun.exe loads mpclient.dll, which (here's the "extras") decrypts and loads the Cobalt Strike payload.

5. Profit!

Why is this possible? MpCmdRun.exe can run from any directory. So when it's run from C:\windows\help\windows, it looks by default for mpclient.dll within that directory. To make matters worse, no checks are done to validate mpclient.dll. Load it and run it, baby!

How do we detect something like this? A quick win is to look for Defender binaries executing outside their normal directories.

Unfortunately, it looks like MpCmdRun.exe isn't the only option attackers have...

No, DEF CON isn't canceled

Hacker Summer Camp is almost upon us. Here's 5 hot steamy tips to make the most of your DEF CON and BlackHat experience:

1. 🔥 Las Vegas is hot and dry. Bring sunglasses and drink lots of water. Shower when you can.

2. 💃 Sign up for the parties ahead of time. Checkout the DEF CON party calendar.

3. 👟 Bring comfortable shoes. You're going to be walking and standing a lot.

4. 👋🏻 Find old friends, meet new people. Avoid line con and limit the number of talks you plan to attend. The talks all end up on YouTube anyway. The DEF CON villages are a great place to meet new people.

5. 🎟 Get your DEF CON ticket and swag as early as possible. If you didn't buy your ticket through BlackHat or the DEF CON online shop, it's cash only ($360) at the door. The lines are long and the swag always sells out.

6. 🚨 [BONUS] If you're looking at Google Maps and thinking a two mile walk looks totally reasonable. It's not. You'll die. I promise. Take the Monorail or a taxi.

Snacks

• 🪲 [exploit] A great write up on exploiting CVE-2022-20186, a vulnerability in the Pixel 6's Arm Mali GPU.

• 🔒 [tool] TLS Anvil, an automated TLS test suite to discover compliance and security issues.

• 📣 [solution] AWS now has a Customer Incident Response Team. It's a specialized 24/7 global support team for customers with active security events.

• 🧠 [blog] PPLdump is dead. What the heck was PPLdump and what change did Microsoft make in the July 2022 update to break it?