19
July 2022
Ransomware Payload Types Including Brickers and Wipers
Andy Harris
Brickers and Wipers are the latest form of ransomware attacks
In any ransomware attack, there are two key elements to consider: how the attack strikes and how it damages the IT environment before making its ransom demand.
Since early 2022 there has been an evolution in the ways ransomware of ransomware with two new significant payloads, "Brickers" and "Wipers".
Ransomware Delivery
Here's a breakdown of the significant types of current ransomware delivery mechanisms.
Mutator
Continuously change the layout of the code fragments to avoid signature detection.
Dropper
A small code fragment that when executed pulls together elements of the attack from many places.
Replicator
Code that moves the attack laterally across an organisation, generally working on file-shares and the like.
Listener
Keylogger functionality that listens for login activity to harvest credentials for use in exfiltration, bricking and wiping. This is where Osirium's PAM helps. With PAM, none of your users, SysAdmins, DevOps etc will be using the privileged credentials for systems, devices and applications. This means that this component of ransomware is effectively denied access to the credentials needed to jump to other devices.
Exfiltrator
Code that selects, fragments and temporarily encrypts data to be send back to the attackers.
Command Shell
Code that sends and receives commands. Typically it will listen to social media or other common locations for commands. It can use previously stored credentials to connect to other architectures (e.g. hypervisors). Once connected to those systems, commands can be issued to delete backups/configurations, encrypt data (such as virtual machine images) or destroy firmware. As mentioned above, this component can't deliver it's payload without privileged credentials.
Ransomware Payloads
Then there are the actual payloads, including "brick" and "wipe":
Encrypt
Encrypt the victim’s data in place, ransom for the keys to restore. Osirium's PEM helps here, in that local admin rights are needed to access encryption at the disk level.
Exfiltrate
Copy victim’s data, ransom to prevent publication.
Brick
Render victim’s hardware devices useless, by destroying sections of boot-loaders or in the case of secure boot devices corrupting key stores. Devices become uneconomic to repair.
The diagram depicts the internal EEPROM/flash/non-volatile memory layout of a typical embedded device. In general there is a low level bootloader in ROM which is used at the manufacturing stage to install the vendor's bootloader. It's the vendor's bootloader than handles the specifics of the device firmware and has enough infrastructure to handle firmware uploads and upgrades. To access the functions of the bootloader, an administrator account is needed.
If an attacker has access to an admin account through ransomware, they can use the command shell component to deliver commands to the device. In the case of simple systems either the vendor bootloader, or first instruction of the vendor firmware can be overwritten with a 'goto self' or 'reboot' command. This immediately renders the device useless since vendor firmware cannot be reloaded.
Many devices have a secure boot facility to ensure that users cannot not load their own firmware. Over the years this has become a popular practice where various communities have 'improved' vendor's firmware. This is done to either unlock performance or access functions available in more expensive versions. Only signed versions of firmware can be installed, the public keys are held in the vendor's bootloader. Given a privileged account (admin account) if these keys are corrupted then no firmware can be loaded - rendering the device useless.
Wipe
Render victim’s disk based data useless and beyond the reach of data recovery organisations.
Typically achieved by destroying partition tables, file allocation tables, file headers and the master boot record. This is actually a very small amount of data compared to the overall size of any disk. To get to these locations needs local admin rights. Osirium Privileged Endpoint Management (PEM) is the perfect protection since it allows organisations to safely remove local admin rights without stopping productivity.
Here's 50-second overview of ransomware payload types including Brickers and Wipers.
Protecting Against Ransomware Attacks
So there are the moving parts of ransomware, along with how Osirium's products help prevent elements of ransomware from delivering their payloads.
If you'd like to learn more, please get in touch.