Greg Foss at VMware Carbon Black investigates the ransomware groups who are raising the stakes and running double-extortion rackets in today’s cybercrime ecosystem.
Ransomware has come a long way since the first recorded attack was initiated via a floppy disk posted out to attendees of the World Health Organisation’s international AIDS conference in 1989. As the world navigates a different global health crisis more than thirty years on, ransomware has proved to be an infection that has not only survived in the intervening period, but has grown exponentially as ransomware groups have evolved in tactical expertise and sophistication.
As 2020 dawned, organised ransomware groups were already engaging in targeted hands-on campaigns designed to generate maximum revenue from victims. However, in the spring the ransomware market opportunity got even bigger as the rapid switch to mass home-working necessitated by COVID-19 work-from-home orders created the perfect, disrupted environment for ransomware attacks. Consequently, attack volumes are up 900% year on year.
At the same time, penalties for falling victim to ransomware are rising. On top of the downtime and lost revenue caused by the attack itself, there are also punitive fines issued for data loss resulting from attacks. Additionally, authorities are ratcheting up pressure on organisations not to pay ransoms, in a bid to try and cut off the attackers’ incentive. The U.S. Department of Treasury recently issued an advisory notice that firms who engage with ransomware victims to facilitate ransom payments may be liable for prosecution if they pay groups that are subject to US sanctions.
Ransomware groups are running rampant
Ransomware groups are running rampant in today’s disrupted digital environment and they are constantly adapting their tactics to amplify the pressures faced by businesses. So, who are some of the key groups in play, how are they evolving, and what can organisations do about it?
VMware Carbon Black’s Threat Analysis Unit researchers closely track ransomware groups to stay up to date with new strategies and approaches. At one end of the scale the availability of Ransomware-as-a-Service (RaaS) is opening the market to less skilled attackers. But what is more concerning is that we are now seeing a notable shift away from unsophisticated tactics in favour of a longer-term approach designed to deliver a far more substantial pay-off.
Attackers are identifying lucrative targets – those with minimal tolerance for downtime or a lot of valuable IP such as manufacturers and research companies. They are devoting considerable effort to gaining undetected access to the network, exfiltrating data, and – crucially - gaining persistence sometimes months before they encrypt the organisation’s systems and demand a ransom.
This approach gives attackers several lucrative bites at the cherry and ramps up pressure on the unfortunate victim. First, and most obvious, they can demand a ransom in return for unencrypting systems. Second, if victims resist, the attacker threatens to publish the data they have stolen as proof of the attack and to cause major reputation and regulatory damage, as well as exposing trade secrets. Some groups even pitch their ransom demands based on the likely fines that businesses would face if a breach becomes public. Third, if the victim still resists paying the ransom, the stolen data can still be sold on the dark web, offering another revenue stream.
One of the most prominent ransomware groups, Maze Cartel, has refined this extortion tactic. Data stolen from companies that refuse to yield to its ransom demands is published on the Maze News website, showing just how brazen such groups have become.
Groups such as Maze Cartel and fellow ransomware specialists Ragnar Locker, who have now joined forces, make much of their “principles”. They frame their actions as whistleblowing on companies that are trying to cover up breaches and who are – to quote their website - “exposing themselves and their customers, partners to even greater risk” by not paying “bug-hunting bounties” or, in reality, ransoms.
These two groups have recently announced a partnership meaning they are sharing infrastructure and intelligence to make their operations more wide-ranging and effective. This is also making attribution of attacks more complicated, as groups are sharing code and infrastructure and pivoting through systems, so what bears the hallmarks of an attack from one particular group may actually be masking the actions of another.
Another group that purports to show honour among thieves is C10p, which lists its ethical policy stating it will not attack medical facilities or charities, though they exclude pharmaceutical companies from their no-attack list as “they are the only ones who benefit from the current pandemic”. Rest assured, these nods to morality in no way disguise that these groups are not to be trusted! It’s important to note that this is not a universal view that is held across the myriad of double-extortion ransomware groups, as we recently saw with Ryuk and their latest attack against Universal Health Services (UHS).
The extent of extortion and stolen data exposure
Tracking the data published by ransomware groups on their extortion sites also shows the level of penetration and time these attackers are spending in the systems. The REvil Happy Blog often details how long they have spent in an environment and what level of analysis they’ve conducted before launching the attack and exposing the data they’ve stolen. Frequently, attackers have spent months in the network, evading detection, bypassing controls and exfiltrating data.
Groups such as Sekhmet, who run their website on the Clearnet, give an indication as to how much interest there is in stolen data, as they track the number of views each data dump post has. When there are tens of thousands of people lined up to view your breached data, the groups hope that you’ll be persuaded to pay their ransom rather than lose your data so publicly.
In the face of persistent, sophisticated and targeted attacks combating ransomware and extortion needs to encompass prevention, mitigation, and post-event incident response and remediation. Prevention in terms of endpoint protection, plus mitigation in the form of network segmentation to make it harder for adversaries that get into the network to move laterally through it and gain persistence while exfiltrating data. Visibility is critical, to spot incidents where software is not behaving as expected.
We’re also seeing an increase in attackers compromising email, slack, and related inter-office communication channels at an organisation’s trusted partners. Rekindling old conversations and eventually culminating in a transferral of a macro-enabled document or related malicious payload – ostensibly from someone you trust, that will allow the attacker access to your network.
When attacks do take place., they need to be viewed not as a short-term incident, but as evidence of long-term infiltration that should be subjected to a full incident response investigation to root out any remaining access and make sure attackers are completely closed out.
It may be thirty years old, but ransomware is showing no signs of slowing down. As penalties grow and pressure on victims increases, attackers will continue to evolve their tactics to gain the maximum pay-off. Staying up to date with threat intelligence on the tactics of different ransomware groups and how they are evolving their strategies is of paramount importance for security operations teams to stay ahead of these adversaries and their continued expansion of adversarial capabilities.
Greg Foss is Senior Cyber Security Strategist at VMware Carbon Black