Creaky Old WannaCry, GandCrab Top the Ransomware Scene

Nothing like zombie campaigns: WannaCry’s old as dirt, and GandCrab threw in the towel years ago. They’re on auto-pilot at this point, researchers say.

What’s old in ransomware is new again. Or, more accurately, never really went away.

New analysis shows that for a years-old malware, WannaCry is still a viciously active pest. The self-propagating ransomware cryptoworm that’s been parasitizing victims since 2017 was the top most detected ransomware family by far in January 2022, researchers found.

Webinar Promo

Click to Register for FREE

Out of 10.5 million malware detections from Jan. 1 – 30, WannaCry showed up in 43 percent, as shown in the chart below.

The runner-up at No. 2 was GandCrab, which showed up in 13 percent of detections, in spite of the ransomware-as-a-service (RaaS) gang having hung up its spurs way back in 2019 (though the gang resurfaced with REvil malware months later).

What’s up with zombie ransomwares, still pumping out infection attempts years after they (supposedly) said sayonara? It’s attributable to “automatic campaigns that were never turned off,” Bitdefender said.

Martin Zugec, technical solutions director at Bitdefender, told Threatpost that there are multiple reasons why these old ransomware families are still visible in the company’s telemetry. “While the first inclination would be to attribute detections to false positives – for example, detections from malware collectors or testing systems of security researchers – we extensively process our data to exclude such false detections,” he noted.

That leaves one possible explanation being “malicious websites that are still automatically spreading malicious samples,” or what he called “abandoware.”

Another common reason is ransomware that similar code as one of the older ransomware families that’s triggering detections, Zugec suggested: “For example, code sold to another ransomware group.”

Alternatively, it could  be a competing group trying to “hijack” the ransomware operation and collect the ransom, he added. Or, then again, it could be attributed to ransomware operators faking their business shutdowns, then coming back under a new name “but often using the same (or very similar) code,” he said, with a relatively recent example of a resurrected group being Cerber.

The newest numbers that show WannaCry and GandCrab refer to ransomware detections, mind you, as opposed to infections. As well, the number of detected ransomware families varies by month, “depending on the current ransomware campaigns in different countries” according to Bitdefender’s monthly Threat Debrief, published Wednesday. In that report, the company said that researchers had identified 202 ransomware families in January.

Top 10 ransomware families detected in January 2022. Source: Bitdefender.

Who/What Felt the January Malware Chill

Bitdefender researchers spotted ransomware streaming in from 149 countries in January. The plague continues to spread around the world, but the United States is the malware’s favorite haunt, accounting for 24 percent of detections: the most of any country. Canada was next up, at 15 percent.

“Many ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections,” according to the company’s threat report.

With regards to most-targeted industries, at the top of the list was government, accounting for 26 percent of detections, followed by telecommunications at 24 percent, education and research at 24 percent, and technology, which trailed at 9 percent.

New FluBot & TeaBot Campaigns

January also brought two new mobile banking malware campaigns serving up the banking trojans FluBot and TeaBot. Last month, Bitdefender researchers discovered a raft of active campaigns that were flooding Android devices with the trojans through smishing and malicious Google Play apps that targeted victims with fly-by attacks.

As Bitdefender Labs said last month, researchers intercepted more than 100,000 malicious SMS messages trying to distribute Flubot malware since the beginning of December.

Cybercrooks’ zest for mobile malware makes sense, given that “access to cryptocurrency trading and banking on devices makes mobile platforms an attractive target for cybercriminals,” according to the report.

A separate report on mobile malware, published by Kaspersky on Tuesday, documented a downward trend in the number of attacks on mobile users year over year from 2021 to 2021. However, the attacks, though less numerous, are “more sophisticated in terms of both malware functionality and vectors,” according to Kaspersky.

Some examples of banking trojans new tricks, as pointed out by Kaspersy: In 2021, the Fakecalls banker, which targets Korean mobile users, was upgraded to drop outgoing calls to the victim’s bank and to play pre-recorded operator responses stored in the trojan’s body. As well, the Sova banker, which steals cookies, is now enabling attackers to access a target’s current session and personal mobile banking account without knowing the login credentials.

Most Detected Android Trojans

Meanwhile, there’s a growing laundry list of Android trojans with ever-more-creative ways to stick it to mobile users. Below is a chart of the Top 10 Android trojans Bitdefender detected in January, along with a list of what rudeness they can get up to.

Top 10 Android trojans. Source: Bitdefender.

  • Downloader.DN – Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
  • InfoStealer.XY – Obfuscated applications that masquerade as mobile antiviruses. When the malware app is first run, it checks if there is any AV solution installed and it tricks the user to uninstall it. It exfiltrates sensitive data, downloads and installs other malware and displays adware.
  • HiddenApp.AID – Aggressive adware that impersonates adblock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
  • SpyAgent.DW – Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
  • SpyAgent.DW, EA – Applications that exfiltrate sensitive data.
  • Dropper.AIF – Polymorphic applications that drop and install encrypted modules. After the first run, their icons are hidden from the launcher.
  • Banker.XX – Applications that impersonate Korean banking applications to record audio and video, collect sensitive information and upload it to a C&C server.
  • Banker.XJ, YM – Applications that drop and install encrypted modules. This trojan grants device admin privileges, and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive command and upload sensitive information. This detection includes variants of TeaBot and FluBot.
  • Banker.VF – Polymorphic applications that impersonate legit apps (Google, Facebook, Sagawa Express …). Once installed, it locates banking applications installed on the device and tries to download a trojanized version from the C&C server.

Chipping Away Protection in App Stores

Unfortunately for mobile users – the recipients of these newfangled trojans – it’s not looking good for the mobile app behemoths’ quests to secure their app stores, Bitdefender asserted.

“Tight control over application approval by app store owners is the primary protection provided for mobile devices, but it’s becoming insufficient and challenged by authorities in Europe and the U.S. who have introduced legislation to open up the ecosystem,” according to its report. Such regulation has been introduced in the United States, the European Union, the Republic of Korea, the Netherlands and elsewhere, as Microsoft noted in a Feb. 9 post titled Adapting ahead of regulation: a principled approach to app stores.

.In that post, Microsoft President Brad Smith announced a new set of Open App Store Principles for the Microsoft Store on Windows as well as to the “next-generation marketplaces” it plans to build for games.

Microsoft has spent a few decades dealing with antitrust rules, Smith pointed out. Change isn’t easy, but it’s not impossible to deal with countries’ adoption of new tech regulation “that promotes competition while also protecting fundamental values like privacy and national and cyber security,” he wrote.

App Stores: Too Big for Their Britches?

At this point, the big app stores are sprawling like Walmart on steroids, Bitdefender pointed out, making it ever tougher to police them for malware, adware or “riskware” – i.e., legitimate apps that can turn into threats due to security vulnerability, software incompatibility or legal violations.

“Apple’s App Store is approaching five million applications, and the Google Play Store has close to three million which makes it unwieldy to control,” Bitdefender researchers contended.

“While malicious applications are quickly removed after discovery by platform owners, they often have hundreds of thousands of downloads before they are flagged.” they continued.

A case in point is the Joker mobile malware: The malware, which zaps victims with premium SMS charges, popped up yet again on Google Play last year, in a mobile app called Color Message. From there, it snuck into a jaw-dropping number of devices: more than a half-million downloads before the store collared it.

Expect more of the same, Bitdefender predicted. “Whether an open or closed ecosystem – mobile malware will only increase and additional layers of protection on top of the gatekeeper-app-store model is recommended as part of basic mobile hygiene,” according to the report.

022322 12:33 UPDATE: Added input from Bitdefender’s Martin Zugec.

Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.

Suggested articles