Recently, it seems that every time you check the news there is mention of a new ransomware attack. For every attack that gets media attention, there are likely several others that happened but were not deemed newsworthy. Most of the time, these attacks were just as impactful, but their impact may have been localized. In many cases, these attacks go unreported. It is only when there are public-facing consequences that details are released.
Ransomware is not new. The first reported case of an attack happened in 1989 and targeted healthcare organizations. The actor behind the attack delivered the ransomware by sending out over 20,000 floppy disks, spanning 90 countries, to AIDS researchers. Even in the early days, social engineering was used to get the victims to run the malware; in this case the disks purported to contain a questionnaire that would assess a person's risk of acquiring AIDS. As time has progressed, we have seen an evolution in the quality of the ransomware code, the delivery mechanisms used, and the extortion methods.
One of the things that makes ransomware such a big problem is that there are multiple ways in which it can be delivered. For instance, it can be delivered in the later stages of an exploit kit where phishing is the initial infection vector, or by threat actors using leaked, purchased, or brute-forced credentials to gain access to an organization through a public-facing service. In other words, any initial attack vector can be used to distribute ransomware throughout an organization. Threat actors have also upped their game with their spear-phishing tactics. It is no longer the case that you can simply look for grammatical errors or emails coming from a random email address. The attackers have gone to great lengths to ensure their delivery is as realistic and enticing as possible.
The quality of ransomware code has also improved greatly over time. It is the typical cat-and-mouse game: ransomware code evolves, the blue teams catch up, and the attackers must evolve and pivot again. We have also seen the evolution of extortion tactics in ransomware attacks. Ransomware will now exfiltrate information before encrypting. Ransomware actors have also created public shaming sites where they list their victims in an effort to force payment in exchange for removal from these lists. From there, we saw a shift to double extortion, where the actors demand payment for the decryption keys and then also demand a second payment to ensure that the exfiltrated information is not leaked to the public or sold. We have even seen Distributed Denial of Service (DDoS) used as an extortion method, where attackers threaten a DDoS attack against the victim if they choose not to pay the ransom.
For all the technical advances made by ransomware authors, possibly the biggest advancement has been on the business side of ransomware. We have seen ransomware actor groups evolve into successful business models, including the distribution of work amongst multiple groups, each with a specific role in the attack chain. Quite possibly the biggest evolution we have seen is the shift to Ransomware-as-a-Service (RaaS). In these cases, the ransomware groups offer a framework for affiliate members to use. These affiliates have already gained access to the victim network and then use the RaaS software and infrastructure to conduct the actual ransomware part of the attack. The RaaS operators collect the ransom and then distribute a percentage to the affiliate. The RaaS actors can choose which affiliates they work with based on targets and risk posture. As another example of the business advances ransomware operators have made, when a takedown is performed on a particular piece of infrastructure, that same group (or at least portions of the original group) pops up elsewhere using different infrastructure and possibly modified TTPs.
Security vendors and private researchers also persevere in the fight against ransomware, oftentimes working together to find new ransomware strains and better ways to detect the pre-existing variants. As another tactic in the fight against ransomware, law enforcement organizations across the globe have worked together to issue warrants and occasionally make an arrest. This tactic has proven ineffective at stopping the attacks; the rewards still outweigh the risks. This approach treats cybercriminals the same way that organized crime is tackled, and in many ways, as already alluded to, there are vast similarities between the two.
Over the past month, we have seen that the ransomware groups are becoming more brazen in their attacks. First there was DarkSide targeting critical infrastructure provider Colonial Pipeline. Not long after, we saw REvil target the food processing industry with their attack on JBS. Just this week we heard of REvil also targeting Sol Oriens, a subcontractor that works with the National Nuclear Security Administration (NNSA) through the Department of Energy (DOE). All three of these attacks targeted businesses critical to the safety and security of the United States. The impact of the attacks on Colonial and JBS was felt by major segments of the US population. While the impact of the attack on Sol Oriens is not fully known, there is great potential for damage to the nuclear security of the United States. Although it is unclear whether REvil gained access to any classified nuclear secrets, they have threatened to leak the information to any nation-state or military they choose. This attack elevates ransomware to yet another level; in the past, this level of cyber-espionage and theft was limited to nation-state against nation-state.
Attacks such as these are forcing many of the agencies in the United States to re-evaluate how they will tackle the growing threat to the safety and security of critical infrastructure and national security brought about by these incidents. As a first step, the White House issued executive orders aimed at raising the security posture of .gov entities, including a push to the cloud as well as the adoption of zero trust architectures. After the Colonial Pipeline attack, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, issued a dire warning to private companies about the threat of ransomware attacks and offered suggestions to help protect against them. At about the same time, Christopher Wray, the director of the FBI, drew parallels between the complexity of the current ransomware investigations and that of the 9/11 attacks. The DOJ was also active at the same time: Lisa Monaco, Deputy Attorney General, released an internal memo directing US prosecutors to report all ransomware investigations they are involved with. The memo discussed the importance of tracking the complete ransomware infrastructure, from the cybercriminals themselves and their network infrastructure to the marketplaces where their services are offered and the cryptocurrency transactions involved in all phases of the business. This, too, makes the new tracking of ransomware similar to that of terrorism. As proof that this is the direction the United States government is heading, it was also reported that the FBI was able to recover $2.3M of the ransom that Colonial Pipeline paid. The DarkSide operators, in a public message, indicated that their servers were seized and that the money from their founders and advertisers was transferred to an unknown account.
Ransomware continues to evolve in both technology and business model. While security vendors continue the fight on the technology front, governments around the world need to step up and find ways to cripple the business model. As we have seen, indictments against some of the operators have limited effectiveness, especially where their hosting countries will not collaborate in the fight to bring down these organizations; if the operators will not or cannot be extradited, then the indictment is merely a paper tiger. Taking possession of the hosting infrastructure, not just the C2 servers but anything associated with the advertising of the services, RaaS affiliate infrastructure, and any other infrastructure used in the ransomware attack chain or by the ransomware operators, could go a long way towards reversing the risk-versus-reward ratio and force many out of the ransomware business. Taking control of this infrastructure may allow law enforcement and government agencies to take over the financial assets of these organizations and allow for further tracing of the transfer of funds to find other ransomware actors. Governments need to work together to ensure that there is no safe haven for ransomware operators and continue to apply pressure to those who still offer safe harbor. This may be the best solution to bring an end to the ransomware epidemic.
Blog post authored by Jim Gogolinski, VP of Research and Threat Intelligence at iboss.