Ransomware IOCs and Trends in Late 2015 and Early 2016

Ransomware continues to evolve, and there are many articles online that detail its continual changes. For that reason I won't rehash every evolutionary change in ransomware. Instead, this post points out some of the key trends of 2015 and 2016 and gives analysts extra resources that will hopefully help them find and properly identify the more prevalent variants. To begin, I'll start with a very brief rundown of recent trends.

One notable event in 2015 was the discovery of the ransomware known as Linux.Encoder.1, which is considered the first ransomware to target Linux based systems. Furthermore, while the first OS X ransomware was discovered in 2014 (FileCoder), there was a new OS X ransomware in 2016 called KeRanger. It might be too early to call this a trend but obviously threat actors are looking to expand their reach.

The next noticeable change was a shift in whom threat actors are targeting. For instance, SamSam (also known as Samas) was first introduced in February 2016 and made headlines for targeting enterprise networks, mainly hospitals. Instead of employing user-focused attack vectors like exploit kits and phishing, which cast a wide net, SamSam uses a targeted approach. Specifically, the attackers behind SamSam used open source tools like JexBoss to identify vulnerable JBoss application servers. Once they had a foothold in the network, they moved laterally to compromise machines and hold them for ransom. A full write-up on SamSam can be found here.

Below is a link to a comprehensive list of ransomware. This list is helpful for SOC analysts and the public, as it contains plenty of IOCs.

https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
