Ransomware attacks have matured over the years, adopting more stealthy and sophisticated techniques, while at the same time fixing many of the implementation errors that earlier iterations had. Many attacks are now gaining a new data leak component, which exposes companies to more than the traditional data loss associated with ransomware. The trends observed by researchers over the past year indicate that these attacks are not going away and are likely to increase in frequency. With the advent of new laws protecting consumers’ personal private and financial information, the threat of class action lawsuits adds additional risk to organizations.
Ransomware was first introduced as a consumer threat, representing an aggressive evolution over the scareware attacks that used to trick people into paying fake fines or buying rogue software to fix non-existent issues. While the early campaigns proved profitable for cybercriminal gangs, the consumer ransomware landscape became crowded. As consumer antivirus software firms improved their ransomware detection capabilities, casting a wide net to gain as many victims as possible became a less effective technique.
Over the analyzed period, the number of ransomware detections in business environments rose by nearly 400 percent, while consumer detections declined. That trend continued for the rest of the year, according to industry experts. Analysts are noticing a focus on businesses and an increase in the infection methods used. EternalBlue, for example, is an exploit for a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol that was patched in March 2017 and affected all versions of Windows. It was the primary propagation method through corporate networks for WannaCry, NotPetya and other ransomware worms that Red Sky Alliance reported on.
WannaCry and NotPetya revealed the vulnerability of enterprise security. Most people had assumed that enterprise-sized companies, defended by security teams, would be (nearly) impossible for hackers to breach. Recent events show how massive and damaging those attacks were, and not because of misconfigurations, but because these firms were not applying software patches when required. The lack of timely software patch maintenance may have incited more cybercriminals to attack businesses instead of consumers.
Since privately held companies are not always legally required to disclose ransomware incidents, the impact of ransomware attacks on the business sector is hard to quantify, both in terms of cost and prevalence. It is also hard to say how often such victims decide to pay the ransom and move on. An alert issued in October 2019 by the FBI's Internet Crime Complaint Center (IC3) warned that "since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information." These are only the reported attacks; many firms decline to disclose them. "Ransomware attacks are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent," the report stated.
Publicly traded companies (are supposed to) release information about the impact of ransomware attacks in their Securities and Exchange Commission (SEC) filings as part of their obligations to disclose significant cyberattacks to their shareholders. Companies might be forced to disclose such incidents when they need to explain serious business disruptions to their customers and partners.
For example, as a result of the 2017 NotPetya attack, the global transportation company, Maersk had to suspend operations at 17 port terminals causing huge waiting lines for cargo loading and a logistical nightmare that resulted in months of remediation. The incident cost the company over $200 million, but it also had a serious impact on its customers' business.
When ransomware attacks are targeted at public institutions such as municipalities, hospitals, schools or police departments, there is greater visibility into the impact due to national media reporting. According to experts, it is estimated that during 2019 ransomware attacks affected 113 government agencies, municipalities and state governments; 764 healthcare providers; and 89 universities, colleges and school districts, with up to 1,233 individual schools potentially impacted.
Although public institutions may appear to be easier targets, the risk of ransomware infections is not lower for private companies. Over the past couple of years, ransomware gangs have adopted sophisticated techniques including targeted delivery mechanisms, manual hacking using administrative tools and utilities already available on systems, stealthy network reconnaissance, and other attack procedures that used to be primarily associated with cyberespionage groups and nation-state actors. This is part of a larger trend of traditional cybercriminals adopting advanced persistent threat (APT) techniques.
Cyber threat experts have observed an increase in manually placed infections. These are attacks where there is a vulnerability in an internet-facing server or protocol, or another way in which attackers can get access to a system terminal and use it as a backdoor. This allows cybercriminals to disable security software, perform various tasks and deploy ransomware on very specific targets, instead of only relying on an automated malware program.
SamSam, a ransomware program that was first seen in 2016, is known for being exclusively deployed in that manner, but the same tactic has been adopted by newer groups observed over the past year like Ryuk, RobinHood and Sodinokibi. There are signs that ransomware is evolving into a new type of threat where cybercriminals are not just encrypting data but are also stealing it and threatening to release it on the internet. This exposes organizations to damaging public data breaches and the associated regulatory, financial and reputational implications.
In December 2019, a hacker group called Maze threatened to release data that was stolen from organizations the group infected with ransomware if those organizations refused to pay the ransom. The victims included the city of Pensacola, Florida, which was hit on December 7 in an attack that disrupted its phones, municipal hotline, email servers and bill payment systems.
Hacker groups have used data leaks as an extortion technique. In 2015, a ransomware program called Chimera that targeted consumers also threatened to release private information stolen from victims. However, in the case of Chimera, it was just a scare tactic and the attackers did not actually steal any data from infected systems.
Many of the threats made over the years by cybercriminals to release stolen information turned out to be bogus, because exfiltrating large amounts of data has historically been hard to scale. To transfer large amounts of data for many victim organizations, hackers would need infrastructure capable of receiving and storing hundreds of terabytes of data. The rise of cloud infrastructure, which provides easier maintenance and lower cost for storage and data traffic, is beginning to make those attacks much more viable and less expensive.
In late December 2019, the Maze group published parts of data they claim to have stolen to prove that they really were in possession of potentially sensitive information exfiltrated from victims. Their first announcement website, hosted at an ISP in Ireland, was taken down, but they were soon back online with a different website hosted in Singapore.
The most popular methods of distributing ransomware remain spear-phishing and insecure Remote Desktop Protocol (RDP) connections. Attackers can also buy access to systems already infected with other malware. Online marketplaces sell access to hacked computers and servers, and botnets deploy additional malware for those willing to pay. For example, the relationship among the Emotet spam botnet, the TrickBot credential-stealing Trojan and Ryuk ransomware is well known in the security community.
The initial compromise in Ryuk ransomware incidents often comes through commodity malware. Cyber threat analysts have seen Emotet infections lead to TrickBot infections, and those same TrickBot infections lead to Ryuk compromises. TrickBot carries out its normal activity of automated credential theft, but once the Ryuk operators take over, it appears that human actors are directing the effort. The activity becomes more hands-on and involves system administration tools, network scans, the use of public attack frameworks like PowerShell Empire to disable endpoint malware detection, and more. The attackers spend time learning the environment, identifying domain controllers and other important targets, and preparing the terrain for the big ransomware hit while trying to remain undetected, a tactic common to APT groups.
The good news is that between the initial Emotet infection and the Ryuk deployment there's usually a significant window of time when companies can detect and deal with the infection, if they are diligent.
The bad news is that this type of manual hacking and lateral movement is not easy to detect without more advanced network and system monitoring tools. This means that organizations that have not built up their capabilities to defend against APTs, because APTs are not in their threat model, may now also be unable to detect these types of ransomware and other sophisticated cybercriminal attacks.
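The detection window described above can be measured from telemetry most organizations already collect. The following is an added example, not code from the original article or from Red Sky Alliance: it runs a few simple rules over a constructed set of endpoint AV alerts, process command lines and network connections (all sample data, not real telemetry), flags the hands-on indicators the article names (encoded PowerShell, tampering with endpoint protection, SMB-wide scanning, domain controller discovery), and reports how long the defenders had between the first commodity-malware alert on a host and the first hands-on indicator. The log format, rule names and thresholds are assumptions chosen for the example; `Set-MpPreference` is a real Windows Defender cmdlet, used here only as a tamper indicator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, host, kind, detail).
# kind is one of: av_alert (detection name), process (command line), netconn (dst ip:port).
SAMPLE_EVENTS = [
    ("2019-12-01T09:00:00", "WS-101", "av_alert", "Emotet"),
    ("2019-12-01T09:05:00", "WS-101", "av_alert", "TrickBot"),
    ("2019-12-01T10:00:00", "WS-202", "process", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    # Two days later, hands-on activity on the same host (base64 payload is a constructed placeholder).
    ("2019-12-03T22:10:00", "WS-101", "process", "powershell.exe -NoP -W Hidden -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ("2019-12-03T22:11:00", "WS-101", "process", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
] + [
    # 25 distinct SMB destinations within 25 seconds from one workstation.
    ("2019-12-03T22:12:%02d" % s, "WS-101", "netconn", "10.0.0.%d:445" % (10 + s)) for s in range(25)
] + [
    ("2019-12-03T22:20:00", "WS-101", "process", "nltest.exe /dclist:corp.example"),
]

# Single-event rules over process command lines (assumed rule names).
PROCESS_RULES = [
    ("encoded_powershell", re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("av_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("dc_recon", re.compile(r"nltest(\.exe)?\s+/dclist|Get-ADDomainController", re.I)),
]
SCAN_WINDOW = timedelta(minutes=5)   # assumed sliding window for SMB fan-out
SCAN_THRESHOLD = 20                  # assumed number of distinct SMB targets that counts as a scan


def parse(ts):
    return datetime.fromisoformat(ts)


def process_findings(events):
    """Yield (time, host, rule, detail) for every command line that matches a rule."""
    for ts, host, kind, detail in events:
        if kind != "process":
            continue
        for rule, pattern in PROCESS_RULES:
            if pattern.search(detail):
                yield (parse(ts), host, rule, detail)


def smb_scan_findings(events, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Flag a host that reaches many distinct SMB (tcp/445) destinations inside a short window."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "netconn" and detail.endswith(":445"):
            by_host[host].append((parse(ts), detail.rsplit(":", 1)[0]))
    for host, conns in by_host.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            targets = {ip for t, ip in conns[i:] if t - start <= window}
            if len(targets) >= threshold:
                yield (start, host, "smb_scan", "%d distinct SMB targets within %s" % (len(targets), window))
                break  # one finding per host is enough for triage


def analyze(events):
    """Group findings per host and measure the gap between the first commodity AV alert
    and the first hands-on indicator, i.e. the time defenders had to act on that host."""
    report = defaultdict(lambda: {"findings": [], "first_av_alert": None, "window": None})
    for ts, host, kind, detail in events:
        entry = report[host]  # make sure every observed host appears in the report
        if kind == "av_alert":
            t = parse(ts)
            if entry["first_av_alert"] is None or t < entry["first_av_alert"]:
                entry["first_av_alert"] = t
    for finding in list(process_findings(events)) + list(smb_scan_findings(events)):
        report[finding[1]]["findings"].append(finding)
    for entry in report.values():
        entry["findings"].sort()
        if entry["findings"] and entry["first_av_alert"] is not None:
            entry["window"] = entry["findings"][0][0] - entry["first_av_alert"]
    return dict(report)


if __name__ == "__main__":
    for host, entry in analyze(SAMPLE_EVENTS).items():
        print(host, "window before hands-on activity:", entry["window"])
        for when, _, rule, detail in entry["findings"]:
            print("  ", when.isoformat(), rule, "-", detail[:60])
```

On the constructed data, WS-101 shows all four indicators and a window of roughly two and a half days after the first Emotet alert, which is exactly the period the article says diligent teams can use; WS-202's ordinary scripted PowerShell produces no findings. The rules are deliberately simple; in practice the same logic would run over Sysmon or EDR process events and firewall or NetFlow records rather than an in-memory list.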
Another interesting infection vector that some ransomware groups have adopted over the past year is to compromise managed services providers (MSPs), which have privileged access into the networks and systems of many businesses by virtue of the services they provide. This poses a problem because smaller and medium-sized organizations are outsourcing their network and security management to specialized vendors, so it is important to take steps to limit the damage that can occur when trusted third parties, or the tools they use, become an insider threat.
Red Sky Alliance has been analyzing and documenting APT threats for 8 years and maintains a resource library of Fusion reports. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat training for all employees.
- Review and update your cyber threat and information security policies and procedures.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email firstname.lastname@example.org