The threat landscape is ever-changing. Over time, threat campaigns adopt newer and more sophisticated techniques than those seen before. Still, some reuse tried-and-tested methods while bolting on a few extra capabilities, as in the case of the FTCODE ransomware operators. The malware, first seen in 2013, suddenly disappeared.
Six years later, in 2019, FTCODE resurfaced but with a new and more frightening feature. The ransomware infection chain included the capability to steal victims’ login credentials from their web browsers and email clients. The data-stealing component poses more risks, thus leaving victims virtually no choice but to pay up.
Enterprises have one more option, though—enhancing their cyber defense with actionable threat intelligence. Threat intelligence obtained from the Threat Intelligence Platform (TIP) and its data feeds can be an effective defense against data-stealing ransomware. We explore these options in the following sections. But first, let’s discuss why the new FTCODE functionality is alarming.
Data-Stealing Ransomware: Leaving Victims with No Choice
The average ransomware payout in the third quarter of 2019 was US$41,000. The attackers’ ransom demand also increased from US$267,742 in the second quarter to US$377,026 in the third quarter.
In the first FTCODE ransomware campaign, attackers asked victims to pay the ransom in exchange for file decryption. That left some victims the choice not to pay and instead rely on stored backups. The more recent variants, however, have taken that option away. Victims now have much more to lose and are pressured to pay the ransom. If they refuse, the attackers could leak their sensitive data to the public or sell their credentials on the Dark Web. The problem then spirals into another predicament in the form of a data breach.
How Threat Intelligence Can Help Defend Against Ransomware Attacks
Data has become a crucial commodity, and this is true in the field of cybersecurity as well. But instead of being bombarded with disaggregated data, organizations can use reports from the Threat Intelligence Platform to better mitigate cyberattacks, including those that involve data-stealing ransomware. Here’s how the platform can help:
Malware Detection
We used reported indicators of compromise to show how a reliable threat intelligence solution can help fend off ransomware and other types of malware at the onset. Among the IoCs [1] [2] associated with the FTCODE ransomware campaign are the following domain names:
We ran these domains on the platform to create a report and found that they were all malware hosts. Below are the screenshots of the results.
Unveiling Connected Domains
Once a threat is detected, it’s essential to follow through and investigate each IoC further. Since attackers are more likely to use the same infrastructure, they tend to leave digital footprints. As such, looking at associated domains could also enhance your protection against data-stealing ransomware.
Threat Intelligence Platform also revealed other domains hosted on the same IP address as the IoCs. That is possible because it extracts data from an IP/DNS database. Such a database reveals the domains associated with an IoC, allowing organizations to gather more threat intelligence and, by doing so, prevent further attacks.
To demonstrate, let’s look at the Threat Intelligence Platform’s analysis of power[.]hagertyquote[.]com. It detected three other domains that resolve to the same IP address.
It’s essential to determine if these domains also figure in malicious activities. To do that, security experts can run them on the Threat Intelligence Platform by clicking the “Build Report” link. In this particular case, the platform warned us that verifikace[.]me and www[.]verifikace[.]me appear on Google Safe Browsing while the IP address itself is deemed “suspicious” on VirusTotal.
Given all that, any organization should also consider blocking these related domains, along with the original IoCs indicated in the report.
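The pivot described above (take a defanged IoC domain, find the other domains that resolve to the same IP address, check which of those already carry a bad reputation verdict, and add them to the blocklist) as an added example that is not part of the original article and does not use the Threat Intelligence Platform’s API. The resolution table and the reputation verdicts are constructed stand-ins for an IP/DNS database and for Google Safe Browsing/VirusTotal lookups; the IP is an RFC 5737 documentation address and the `.invalid` names are placeholders, not real findings.

```python
import re
from collections import defaultdict

# Constructed sample data standing in for an IP/DNS (passive DNS) database.
# The three defanged domains are the ones named in the article; the IP address is a
# documentation address and the ".invalid" entries are constructed placeholders.
RESOLUTIONS = {
    "power[.]hagertyquote[.]com": "203.0.113.10",
    "verifikace[.]me": "203.0.113.10",
    "www[.]verifikace[.]me": "203.0.113.10",
    "cohost-placeholder[.]invalid": "203.0.113.10",
    "unrelated-placeholder[.]invalid": "203.0.113.20",
}

# Constructed reputation verdicts standing in for Google Safe Browsing / VirusTotal.
FLAGGED = {"verifikace.me", "www.verifikace.me"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('power[.]hagertyquote[.]com', 'hxxp://') into a usable one."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator).replace("hxxp", "http")


def defang(domain: str) -> str:
    """Defang a domain again so it cannot be clicked when pasted into a report."""
    return domain.replace(".", "[.]")


def build_reverse_index(resolutions):
    """Map each IP address to the set of (refanged) domains that resolve to it."""
    index = defaultdict(set)
    for dom, addr in resolutions.items():
        index[addr].add(refang(dom))
    return index


def pivot(ioc: str, resolutions, flagged):
    """Return (ip, co-hosted domains, the subset of those with a bad reputation verdict)."""
    ioc = refang(ioc)
    forward = {refang(d): addr for d, addr in resolutions.items()}
    if ioc not in forward:
        raise ValueError(f"no resolution record for {defang(ioc)}")
    ip = forward[ioc]
    cohosted = build_reverse_index(resolutions)[ip] - {ioc}
    return ip, sorted(cohosted), sorted(cohosted & flagged)


def blocklist(ioc: str, resolutions, flagged):
    """The original IoC plus every co-hosted domain that a reputation source already flags."""
    _, _, bad = pivot(ioc, resolutions, flagged)
    return sorted({refang(ioc), *bad})


if __name__ == "__main__":
    ip, cohosted, bad = pivot("power[.]hagertyquote[.]com", RESOLUTIONS, FLAGGED)
    print(f"IP {ip}: co-hosted {[defang(d) for d in cohosted]}, flagged {[defang(d) for d in bad]}")
    print("block:", [defang(d) for d in blocklist("power[.]hagertyquote[.]com", RESOLUTIONS, FLAGGED)])
```

Co-hosted domains without a verdict (here the placeholder) are reported for analyst review rather than blocked outright, which matches the article’s “consider blocking” wording.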
Aside from this critical data, Threat Intelligence Platform also checks for vulnerabilities, inconsistencies, and misconfigurations in Secure Sockets Layer (SSL) certificates, open ports, mail server records, name server configurations, and WHOIS domain records, among others.
Most businesses can’t afford to suffer a data breach, so when data-stealing ransomware makes its way into their systems, the likely outcome is that they pay the attackers. After all, a data breach is far more detrimental, with 60% of small enterprises going out of business within six months of an incident. In a data breach, victims lose not only money but the trust of their clients as well. Paying the ransom would reduce the possibility of the attackers releasing the stolen data.
However, the decision to capitulate would create a never-ending cycle of ransomware attacks. It would even give the attacker more confidence in asking for more. And each year, the ransom amount increases. The most logical course of action, therefore, is to proactively defend systems against ransomware attacks with the aid of proven threat intelligence platforms.