by Maria Patricia Revilla Dacuno, Researcher, Tactical Defense Unit
Several developments in 2020 will shape the evolution of ransomware attacks in 2021.
This year, Ragnar Locker and Maze ransomware were observed deploying their payloads from inside Oracle VirtualBox virtual machines to evade endpoint protection (EPP). EPP inspects the processes running on the host, not the code executing inside a guest image the host has spawned, so the ransomware process itself stays invisible to it; from the host's point of view, only VirtualBox is running. The technique is not free of host-side traces, however: the VM has to be installed and started on the victim, and it can only encrypt files the guest can reach, so unexpected VirtualBox installations or launches are worth alerting on. It is reasonable to assume that other ransomware families will adopt the same technique, and that other threat actors will develop new evasion techniques to avoid being blocked by different types of EPP technologies.
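The following hunt is an added example and not code from the original article or from any vendor. It scans constructed process-creation events (fields loosely modelled on Sysmon Event ID 1) for the host-side traces a VM-based deployment leaves behind: VirtualBox binaries launched from a directory other than the normal install location, and VBoxManage mapping a host drive root into the guest as a shared folder. The shared-folder mapping is an assumption about how the guest reaches host files, since the article only states that the payload runs inside a VM that EPP does not inspect; the event dictionaries, paths, VM name and user names are all constructed for the example.

```python
"""Hunt for ransomware staged inside a VirtualBox guest (added example).

Assumptions, not facts from the article: the guest reaches host files via
'VBoxManage sharedfolder add ... --hostpath <drive>:\\', and a legitimate
install lives under C:\\Program Files\\Oracle\\VirtualBox\\.
"""
import re
from dataclasses import dataclass

# Process images that belong to VirtualBox (lower-cased file names).
VBOX_BINARIES = {"vboxmanage.exe", "vboxheadless.exe", "virtualbox.exe", "vboxsvc.exe"}
# Where a normal VirtualBox installation puts its binaries.
EXPECTED_DIR = re.compile(r"^[a-z]:\\program files\\oracle\\virtualbox\\", re.I)
# 'sharedfolder add' with a host path that is a bare drive root (e.g. C:\).
SHARED_FOLDER = re.compile(r"sharedfolder\s+add", re.I)
DRIVE_ROOT = re.compile(r'--hostpath\s+"?([a-z]:\\)"?', re.I)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def analyse(events):
    """Return a Finding per suspicious VirtualBox-related process event."""
    findings = []
    for ev in events:
        image = ev["Image"]
        name = image.rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if name not in VBOX_BINARIES:
            continue
        # A VirtualBox binary running from Temp, a user profile, etc. is the
        # signature of an attacker-dropped hypervisor rather than an install.
        if not EXPECTED_DIR.match(image):
            findings.append(Finding("vbox_unexpected_path", image, image))
        # Exposing a whole host drive to the guest is what lets a guest-side
        # encryptor touch the victim's files.
        if name == "vboxmanage.exe" and SHARED_FOLDER.search(cmd):
            roots = DRIVE_ROOT.findall(cmd)
            if roots:
                findings.append(Finding("vbox_host_drive_shared", image, ", ".join(roots)))
    return findings


# Constructed sample events: one legitimate launch, one dropped-in-Temp chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "CommandLine": r'"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"',
     "User": r"CORP\dev01"},
    {"Image": r"C:\Windows\Temp\vbox\VBoxManage.exe",
     "CommandLine": r'VBoxManage.exe sharedfolder add "micro" --name "C_DRIVE" --hostpath "C:\" --automount',
     "User": r"CORP\svc_backup"},
    {"Image": r"C:\Windows\Temp\vbox\VBoxHeadless.exe",
     "CommandLine": r"VBoxHeadless.exe --startvm micro",
     "User": r"CORP\svc_backup"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image}  ({f.detail})")
```

The first event produces nothing because a user launching the installed VirtualBox GUI is normal; the Temp-based VBoxManage and VBoxHeadless events each trip the path rule, and the shared-folder command additionally trips the drive-root rule. In a real deployment the rules would be fed from the EDR or SIEM rather than from the inline list.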
Emotet, a malware family that gained notoriety for delivering Trickbot (which in turn delivers Ryuk ransomware), refined the social engineering in its spam campaigns in 2020. Researchers also saw it using a new module that steals email attachments in addition to email content. The stolen attachments were then used for "email thread hijacking": the spoofed email reuses the readable content of a stolen document in a malicious document, so the lure looks like a legitimate continuation of a real exchange. Given Emotet's content-stealing capabilities, attackers can be expected to find more ways to customize attacks based on the information they gather. Furthermore, Emotet spam campaigns started delivering malicious documents inside password-protected archives, which security products cannot open and therefore cannot scan. All these developments show the effort Emotet's operators put into making their attacks more effective. Defenders must prepare for further developments from this threat.
Another significant development was the discovery of Buer and BazarLoader, two new loaders used to deploy Ryuk ransomware. One can speculate that Emotet's notoriety motivated attackers to try out new "loader-as-a-service" offerings. Both loaders deliver their payloads from cloud services such as Google Docs, whereas Emotet relies on compromised websites; hosting on a widely trusted domain blends the download into ordinary traffic that reputation-based filtering is unlikely to block. Attackers may be trying new loaders with new techniques to avoid detection, or the switch may be driven by more competitive pricing from operators. Whatever the reason, we will likely see more players offering new services to ransomware threat actors.