Cross-platform attacks could make ransomware even more deadly

Multiple recent breaches have highlighted the new threat

In which languages like Rust and Golang are used to spread cross-platform malware across Windows, OSX and Linux. The approach lets ransomware gangs deploy the same software across different environments – and can also make incursions harder to detect. So how do these attacks work, and how should your cyber strategy adapt? First, we need to look at what’s driving ransomware’s evolution. 

Ransomware is deadly – but the gangs haven’t always had their way 

Ransomware began in the late 1980s, when viruses spread by floppy disk and ransom payment was by cheque. But as networks grew more connected, data-stealing attacks spread further and faster. The Australian Cyber Security Centre considers ransomware “the most destructive cybercrime threat” not because of its frequency – Business Email Compromise (BEC) and simple fraud are far more common – but because the impact of a single incident can be seismic. In December, an attack on a New Zealand IT provider put several government systems offline. Australian health insurer Medibank, which was breached in October and refused to pay the ransom, could face data privacy compensation claims totalling $700 million; its share price dropped 20% in the aftermath of the attack. 

But, while trends such as the rise of remote working have opened up new attack surfaces for criminals to exploit, the gangs haven’t had it all their own way. Notable successes include the arrests of numerous members of the notorious REvil gang and the leaking of confidential messages from the Conti group by a disaffected former member, while the plummeting value of cryptocurrencies has hit earnings. These factors have put a dent in many types of cybercrime and discouraged more than a few casual cybercriminals. But cybercriminals are an innovative bunch, with other hackers ditching tried-and-true tactics and exploring cross-platform attacks.

Why cross-platform attacks are booming 

While it feels pretty good to see the largest gangs brought to justice, the criminals behind ransomware haven’t vanished overnight. Instead, they seem to be pivoting from working in larger, high-profile groups towards smaller, nimbler operations that have a smaller target on their back. Ransomware-as-a-Service (RaaS), in which experts hire out their malware and expertise, offering one-off deals, subscription models and direct collaboration to other criminals, is growing.  

Approaches such as extortionware (in which hackers threaten to expose valuable data unless a ransom is paid) and cross-platform attacks form part of this trend, as attackers use flexible tools and methods to maximise their returns while minimising the risk of discovery. But what are the factors driving the growth of cross-platform cyberattacks? 

1. Tools are evolving. Malware kits are making it easier for criminals to produce multiple iterations of the same malware on demand, while multi-platforms tools offer more bang for attackers’ buck. Code only needs to be written once, then retooled to attack multiple targets in different environments.
2. Command lines allow groups to focus on or exclude certain environments, such as client virtual machines, and tailor their attack to individual targets.
3. Cross-platform binaries can be harder for antivirus tools to detect. 

The biggest threats in cross-platform ransomware 

Criminals are nothing but opportunists, and recent months have seen numerous gangs develop multi-platform malware. Early adopters include: 

1. BlackCat malware, written in Rust, which emerged in late 2021. Microsoft notes that the RaaS group has mounted “successful attacks against Windows and Linux devices and VMWare instances''. Tools analysing Rust are not as sophisticated as those designed for C, making analysis harder.
2. Blackbasta, which may be linked to Conti or Russian group FIN7, is another RaaS group with multiple attacks under its belt; its malware has Windows and Linux versions.
3. Luna, which operates on Windows, Linux and ESXi, and is also written in Rust. Its operators claim only to work with Russian-speaking partners.
4. A new variant of RansomExx ransomware, RansomExx2, has been written in Rust, with a Linux version already operational and a Windows equivalent believed to be in development.
5. RedAlert, which emerged in mid 2022, strikes at both Windows and Linux VMWare ESXi servers.
6. Deadbolt attacks network-attached storage devices. It is written in Golang but uses an HTML ransom note and a Bash script for decryption.

Other examples are emerging all the time, with the usually Windows-focused Conti group releasing a Linux variant, and Agenda recently adopting Rust.  

How to keep cross-platform attacks at bay 

Cross-platform attacks are likely to be one of the big stories of 2023, with more criminals likely to jump on the bandwagon. So how can companies protect themselves? 

1. Patch software and keep security tools updated across all devices, including servers running Linux.
2. Share news about new threats to relevant teams: your security team should get the latest threat intelligence and training; general employees should be offered relevant, regular training and high-level information about threats such as phishing.
3. Focus on detecting lateral movements and outgoing data to nip incursions in the bud.
4. Assess your attack surface and ensure you have multi-layered security to protect your key resources.
5. Consider holistic approaches to cyber defence such as a security mesh or cloud-based solutions such as SSE and SASE.
6. Limit the damage users can do via the principle of least privilege (and its natural conclusion zero trust), and do not allow the enabling of macros from email attachments.
7. Be prepared for the worst, via regular offline backups and a comprehensive incident response plan. 
    

Protecting your data from cross-platform ransomware  

Cross-platform malware is increasingly common, especially as part of a Ransomware-as-a-Service (RaaS) model. And as government collaboration on ransomware puts the squeeze on the big gangs, this adaptable mode of attack may become even more popular. 
 
Even the best defences will be breached sometimes, but by understanding current threats, optimising your security and doing the basics well, you can manage your risk. A ransomware attack is any CISO’s worst nightmare, but forewarned is forearmed, whatever platform you’re defending.