The arsenal of tools used by ransomware hackers is constantly expanding. Understanding the tools they use is one of the first steps for building effective ransomware defenses.
In a previous post, we looked at Mimikatz and why it’s so popular with ransomware gangs. This post will take a look at RapperBot; what it is, how it works, and how you can protect your network against it.
The Origin of RapperBot
RapperBot was first discovered in June of 2022 when cyber security researchers detected a new variety of malware that had infected over 5,000 IoT (internet of things) devices. Early versions of the bot’s code contained a link to a YouTube rap music video; hence the name.
The malware had segments of code from Mirai Bot, a piece of malware known for taking down websites with DDoS attacks. A Mirai bot attack rendered Twitter (now X), GitHub, Netflix, Reddit and AirBnB inaccessible to millions over a period of hours.
RapperBot expanded Mirai bot’s functionality by adding a brute force function. This allows RapperBot to crack SSH keys and infect even more devices than Mirai. It can also modify the list of authorized keys on a device, so that the infected device stays connected to the RapperBot botnet even after the malware itself is removed from it.
Finally, RapperBot also features obfuscation which changes the appearance of its code and makes it more difficult for anti-malware software to detect it. A true cybersecurity nightmare.
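The authorized-keys persistence described above is easy to check for on the defending side: every key listed in a device's authorized_keys file should match a fingerprint you already know. The following script is an added example, not code from the original post or from the malware; the sample file, the key blobs and the allowlist are all constructed for illustration, and the fingerprint format mirrors what ssh-keygen -lf prints.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of trusted key fingerprints.

Added defensive example, not code from the original post; the sample file and the
allowlist below are constructed for illustration.
"""
import base64
import binascii
import hashlib
import sys

# Tokens beginning with one of these are key types (ssh-ed25519, ssh-rsa, ecdsa-sha2-*, sk-*).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints, without base64 padding."""
    raw = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text into one dict per key line; blanks and comments are skipped.

    The optional options field (e.g. command="...",no-pty) is everything before the
    key-type token, so a quoted command with spaces is kept as a single string.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or len(tokens) < idx + 2:
            entries.append({"line": lineno, "malformed": True, "raw": stripped})
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except (binascii.Error, ValueError):
            entries.append({"line": lineno, "malformed": True, "raw": stripped})
            continue
        entries.append({
            "line": lineno,
            "malformed": False,
            "options": " ".join(tokens[:idx]),
            "key_type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text: str, trusted_fingerprints: set) -> list:
    """Return one finding per entry that is malformed or whose fingerprint is not allowlisted."""
    findings = []
    for entry in parse_authorized_keys(text):
        if entry["malformed"]:
            findings.append({"line": entry["line"], "reason": "malformed entry", "detail": entry["raw"]})
        elif entry["fingerprint"] not in trusted_fingerprints:
            detail = f'{entry["key_type"]} {entry["fingerprint"]} {entry["comment"]}'.strip()
            findings.append({"line": entry["line"], "reason": "unknown key", "detail": detail})
    return findings


# Constructed key blobs: the fingerprint is just a hash of the decoded bytes, these are not real keys.
TRUSTED_BLOB = base64.b64encode(b"constructed-trusted-key-blob").decode("ascii")
UNKNOWN_BLOB = base64.b64encode(b"constructed-unknown-key-blob").decode("ascii")
TRUSTED_FINGERPRINTS = {fingerprint(TRUSTED_BLOB)}

SAMPLE_FILE = f"""# constructed sample authorized_keys, not taken from a real host
ssh-ed25519 {TRUSTED_BLOB} admin@workstation
command="/usr/bin/backup",no-pty ssh-ed25519 {TRUSTED_BLOB} backup@host
ssh-rsa {UNKNOWN_BLOB} root@unknown-origin
"""

if __name__ == "__main__":
    # Usage: python audit_keys.py [/root/.ssh/authorized_keys]; with no path the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE
    for f in audit_authorized_keys(text, TRUSTED_FINGERPRINTS):
        print(f'line {f["line"]}: {f["reason"]}: {f["detail"]}')
```

Run it against the authorized_keys files of every account that can log in (root's included), and treat any "unknown key" hit on a device you did not provision yourself as a sign the device has been enrolled by someone else; the allowlist should be built from fingerprints recorded when keys were issued, not from whatever is currently on the device.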
How does RapperBot Work?
In a nutshell, RapperBot works by deploying brute force attacks on devices with Linux SSH servers. It tries a large number of username and password combinations until it finds a match.
Once it infiltrates a device, it gains root access and then begins spreading to other devices. After infecting enough devices, it forms a botnet.
Even though each device may have limited resources, once there are tens of thousands of infected devices in a botnet, the collective resources are massive.
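The brute force stage leaves a distinctive trail in sshd's log: a burst of "Failed password" lines from one source, often against several usernames, sometimes followed by an "Accepted" line from the same source. The script below is an added example, not code from the original post; the log lines are constructed (using documentation IP ranges), and the threshold of five failures within sixty seconds is an assumed tuning value.

```python
"""Flag SSH password-guessing bursts in sshd auth log lines.

Added defensive example, not code from the original post; the log lines below are
constructed, and threshold/window_seconds are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog-style prefix written by OpenSSH: "Jun 14 10:00:01 host sshd[1201]: message"
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_sshd_line(line: str):
    """Return (timestamp, kind, user, ip) for failed/accepted logins, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The syslog timestamp carries no year; ordering within the log is all we need here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    msg = m.group("msg")
    f = FAIL_RE.search(msg)
    if f:
        return ts, "failed", f.group("user"), f.group("ip")
    a = OK_RE.search(msg)
    if a:
        return ts, "accepted", a.group("user"), a.group("ip")
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: summary} for sources with >= threshold failures inside any window_seconds span.

    Severity is 'critical' when the same source gets an Accepted login at or after its
    first failure, which is the pattern of a credential guess that worked.
    """
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for line in lines:
        parsed = parse_sshd_line(line)
        if parsed is None:
            continue
        ts, kind, user, ip = parsed
        (failures if kind == "failed" else accepted)[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over the sorted failure times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        success_after = any(t >= times[0] for t, _ in accepted.get(ip, []))
        alerts[ip] = {
            "failures": len(events),
            "peak_in_window": peak,
            "usernames": sorted({u for _, u in events}),
            "severity": "critical" if success_after else "high",
        }
    return alerts


# Constructed log excerpt: one guessing burst that succeeds, one user who mistyped once.
SAMPLE_LOG = """\
Jun 14 10:00:01 iot-gw sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun 14 10:00:04 iot-gw sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun 14 10:00:08 iot-gw sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 14 10:00:12 iot-gw sshd[1204]: Failed password for invalid user pi from 203.0.113.7 port 51003 ssh2
Jun 14 10:00:15 iot-gw sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 14 10:00:19 iot-gw sshd[1206]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jun 14 10:00:23 iot-gw sshd[1207]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Jun 14 10:05:40 iot-gw sshd[1300]: Failed password for alice from 198.51.100.2 port 60010 ssh2
Jun 14 10:05:52 iot-gw sshd[1301]: Accepted publickey for alice from 198.51.100.2 port 60011 ssh2
Jun 14 10:06:00 iot-gw cron[400]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{info['severity'].upper()} {ip}: {info['failures']} failures, "
              f"peak {info['peak_in_window']} in window, users {info['usernames']}")
```

The "critical" case is the one worth paging on: a burst of failures that ends in a success means a default or weak password has just been guessed, and the device should be treated as compromised until its credentials and authorized_keys have been checked.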
Why do ransomware hackers use botnets?
With tens or hundreds of thousands of devices under their control, hackers have both computing power and bandwidth at their disposal. This can be used for all kinds of evil purposes; most commonly distributed denial-of-service (DDoS) attacks. DDoS attacks can flood a website with traffic, causing it to crash.
A growing number of ransomware gangs are turning to triple extortion attacks: in addition to encrypting files, stealing data and threatening to release it, they use DDoS attacks to increase the pressure.
Hackers can do all kinds of other things with botnets too. Some botnets hijack computing resources to mine cryptocurrency. Others are used to search for vulnerable networks and break in. In some cases, they distribute spam emails that may contain ransomware links.
Data centers don’t allow illegal activity, so hackers can turn to botnets to get the computing resources they need. Botnets also help them to hide their actual location or identity.
What do more potent botnets mean for ransomware?
Bigger and badder botnets mean more resources in the hands of hackers, which could mean more ransomware attacks. The ransomware ecosystem relies heavily on specialization. Many services, from ransomware software itself, to breaking into networks, to DDoS attacks, are contracted out by specialists.
That means the attacker who breaks into a network may be paying multiple service providers for the tools used to extort money from a company. More botnets mean more services, more competition on the black market, and lower prices for hackers. In short, more innovation in botnets means a more dangerous threat landscape.
What can you do to protect yourself?
We need to start viewing cybersecurity not only as a way to protect ourselves, but also as a kind of community service. Leaving devices unsecured not only puts us at risk, but also helps hackers to victimize others.
In the same way that we don’t throw trash on the ground in public out of consideration for others, we also need to stop being apathetic about leaving devices on their default username and password combinations, not keeping up to date with patches, and other lax security practices.
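For an SSH server, the configuration that decides whether a password-guessing bot has anything to hit is sshd_config. The script below is an added example, not code from the original post; it parses sshd_config the way sshd does (first value of a directive wins, Match blocks apply only conditionally) and reports the directives that leave password guessing and root login open. Both sample configurations are constructed, the OpenSSH defaults come from sshd_config(5), and the MaxAuthTries limit of 3 is an assumed policy value.

```python
"""Check an sshd_config for settings that leave an SSH server open to password guessing.

Added defensive example, not code from the original post; the two sample configs are
constructed, and the defaults listed are those documented in sshd_config(5).
"""
import sys

# Values sshd uses when a directive is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lower: value} for the global section of an sshd_config.

    sshd keeps the first value it sees for a directive, so later duplicates are ignored;
    parsing stops at the first Match block, whose settings apply only to matching logins.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str, max_auth_tries: int = 3) -> list:
    """Return (directive, effective_value, recommendation) for each weak setting found."""
    cfg = parse_sshd_config(text)
    effective = {k: cfg.get(k, default).lower() for k, default in DEFAULTS.items()}
    findings = []
    if effective["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append(("PermitRootLogin", effective["permitrootlogin"], "set to no (or prohibit-password)"))
    if effective["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", effective["passwordauthentication"], "set to no and use keys"))
    if effective["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", effective["pubkeyauthentication"], "set to yes"))
    try:
        tries = int(effective["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > max_auth_tries:
        findings.append(("MaxAuthTries", effective["maxauthtries"], f"set to {max_auth_tries} or lower"))
    return findings


WEAK_CONFIG = """# constructed: the kind of config a shipped IoT image might carry
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# constructed: password guessing has nothing to hit
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

if __name__ == "__main__":
    # Usage: python audit_sshd.py [/etc/ssh/sshd_config]; with no path both samples are audited.
    samples = {"given file": open(sys.argv[1]).read()} if len(sys.argv) > 1 else \
              {"weak sample": WEAK_CONFIG, "hardened sample": HARDENED_CONFIG}
    for name, text in samples.items():
        findings = audit_sshd_config(text)
        print(f"{name}: {'ok' if not findings else ''}")
        for directive, value, advice in findings:
            print(f"  {directive} is {value!r}: {advice}")
```

The weak sample is what a freshly unboxed device often looks like: root may log in, passwords are accepted, and the default MaxAuthTries allows six guesses per connection. Note that the audit deliberately stops at the first Match block; if a device re-enables PasswordAuthentication inside a Match, that needs a separate review.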
At the same time, it’s important to be aware of how botnets are used and to put appropriate countermeasures in place. All the usual cybersecurity advice applies, but anti-DDoS software can be an especially useful addition to a cybersecurity suite.
Protection from DDoS attacks removes one more tool that ransomware hackers can use to pressure you, which can help tip the balance in your favor.