Why ransomware might be your biggest threat
11 February 2020
Ransomware attacks have matured over the years, adopting more stealthy and sophisticated techniques, while at the same time fixing many of the implementation errors that earlier iterations had. Moreover, some attacks are now gaining a new data leak component, which exposes companies to more than the traditional data loss associated with ransomware.
The trends observed over the past year indicate that these attacks are not going away and are likely to increase in frequency.
Ransomware started out as a consumer threat, representing an aggressive evolution over the scareware attacks that used to trick people into paying fake fines or buying rogue software to fix non-existent issues. While the early campaigns proved profitable for cybercriminal gangs, the consumer ransomware landscape became crowded. As consumer antivirus firms improved their ransomware detection capabilities, casting a wide net to gain as many victims as possible became a less effective technique.
In a report released in August 2019 that looked at the ransomware evolution between Q2 2018 and Q2 2019, security firm Malwarebytes noted that “this once dangerous but recently dormant threat has come back to life in a big way, switching from mass consumer campaigns to highly targeted, artisanal attacks on businesses.”
Over the analysed period, the number of ransomware detections in business environments rose by 365%, while consumer detections declined. That trend continued for the rest of the year, according to Adam Kujawa, director of Malwarebytes Labs. “We’re seeing an overall focus on businesses and an increase in all kinds of infection methods,” he told CSO. “A big part of that is that it’s easier today to infect a business than it was a few years ago and the EternalBlue and other exploits certainly had something to do with that.”
EternalBlue is an exploit for a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol that was patched in March 2017 and affected all versions of Windows. It was the primary propagation method through corporate networks for the WannaCry, NotPetya and other ransomware worms that crippled many organisations worldwide during 2017.
“It might not be the sole reason why we see such an increase in business focus for these types of attacks, but I think that what happened with WannaCry and NotPetya revealed the underbelly of enterprise security,” Kujawa said. Before that, many people might have assumed that these are big companies with security teams and that it is hard for hackers to break in, but seeing how massive and damaging those attacks were — and not because of misconfigurations, but because of not patching in time — might have convinced more cybercriminals that it is worth going after businesses instead of consumers, he said.
Since private companies are not always required legally to disclose ransomware incidents, the impact of ransomware attacks on the business sector is hard to quantify, both in terms of cost and prevalence. It is also hard to say how often such victims decide to pay the ransom, but it is clearly enough for cybercriminals to keep investing in this threat.
In an alert issued in October 2019, the FBI’s Internet Crime Complaint Centre (IC3) warned that “since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
“Ransomware attacks are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent,” the organisation said.
Publicly traded companies sometimes release information about the impact of ransomware attacks in their Securities and Exchange Commission (SEC) filings as part of their obligations to disclose significant cyberattacks to their shareholders. Companies might be forced to disclose such incidents when they need to explain serious business disruptions to their customers and partners.
For example, as a result of the 2017 NotPetya attack, transport giant Maersk had to suspend operations at 17 port terminals causing huge waiting lines for cargo loading and a logistical nightmare that took months to sort out. The incident cost the company over $200 million, but it also had a serious impact on its customers’ business.
When ransomware hits public institutions such as municipalities, hospitals, schools or police departments, there is greater visibility into the impact — and the statistics are worrying. According to a report released by security firm Emsisoft in December, during 2019, ransomware attacks affected 113 government agencies, municipalities and state governments; 764 healthcare providers and 89 universities, colleges and school districts with up to 1,233 individual schools were potentially impacted.
An argument could be made that public institutions do not have the same level of security as large companies because of budget constraints and outdated IT infrastructure, which is why they are easier targets for attackers. In a report released in October 2019, the state auditor for Mississippi said that “several state agencies, boards, commissions, and universities are failing to adhere to state cybersecurity laws, leaving Mississippians’ personal data vulnerable to hackers” and concluded that “many state entities are operating like state and federal cyber security laws do not apply to them.” According to Emsisoft, Mississippi was one of the states least affected by ransomware in 2019 based on public reports.
An APT-level threat
Even if public institutions are easier targets, the risk of ransomware infections is not lower for private companies. Over the past couple of years, ransomware gangs have adopted sophisticated techniques including targeted delivery mechanisms, manual hacking using administrative tools and utilities already available on systems (a tactic known as living off the land), stealthy network reconnaissance, and other attack procedures that used to be primarily associated with cyberespionage groups and nation-state actors. This is part of a larger trend of traditional cybercriminals adopting advanced persistent threat (APT) techniques.
“We’ve seen an increase in what I like to call manual infections,” Kujawa said. These are attacks where there is a vulnerability in an internet-facing server or protocol, or some other way in which attackers can get access to a system terminal and use it as a backdoor. This allows cybercriminals to disable security software, perform various tasks and deploy ransomware on very specific targets, instead of just relying on an automated malware program that’s otherwise limited in functionality, he said.
SamSam, a ransomware program that dates back to 2016, is known for being exclusively deployed in that way, but the same tactic has been adopted by newer groups observed over the past year like Ryuk, RobinHood and Sodinokibi.
Moreover, there are signs that ransomware is evolving into a new type of threat where cybercriminals are not just encrypting data but are also stealing it and threatening to release it on the internet. This exposes organisations to damaging public data breaches and the associated regulatory, financial and reputational implications.
In December 2019, a hacker group called Maze threatened to release data that was stolen from organisations the group infected with ransomware if those organisations refused to pay the ransom. The victims included the city of Pensacola, Florida, which was hit on 7 December in an attack that disrupted its phones, municipal hotline, email servers and bill payment systems.
Other hacker groups have used data leaks as an extortion technique. In 2015, a ransomware program called Chimera that targeted consumers also threatened to release private information stolen from victims. However, in the case of Chimera, it was just a scare tactic and the attackers did not actually steal any data from infected systems.
Many of the threats made over the years by cybercriminals to release stolen information turned out to be bogus because exfiltrating large quantities of data has historically been hard to scale. To do that for a large number of victims, hackers need infrastructure capable of receiving and storing hundreds of terabytes of data. That adds significant overhead to their campaigns. However, the rise of cloud infrastructure, which provides easier maintenance and lower cost for storage and data traffic, is beginning to make those attacks much more viable.
In late December 2019, the Maze group published parts of data they claim to have stolen to prove that they really were in possession of potentially sensitive information exfiltrated from victims. Their first website, hosted at an ISP in Ireland, was taken down, but they were soon back online with a different website hosted in Singapore.
“That’s an unexpected evolution of this threat,” Kujawa said. “It does expose the criminals more, for sure, but it’s also an effective method of putting pressure on. It’s utilising the media and awareness of a threat.”
Kujawa believes ransomware gangs might increasingly resort to such tactics because as more organisations learn how to deal with ransomware and put solid data recovery plans in place, criminals might find it harder to extract money from them by simply locking their files. “If companies believe their data, which they feel is valuable and important to hold on to, may be released if they don’t pay this ransom, regardless of whether or not the attackers can do it, the threat itself may inspire some victims to pay,” he said.
New attack methods
The primary methods of distributing ransomware remain spear-phishing and insecure Remote Desktop Protocol (RDP) connections. However, attackers also buy access to systems already infected with other malware. Online marketplaces sell access to hacked computers and servers, and botnets deploy additional malware for those willing to pay. For example, the relationship among the Emotet spam botnet, the TrickBot credential-stealing Trojan and Ryuk ransomware is well known in the security community.
The initial compromise in Ryuk ransomware incidents almost always comes through commodity malware, Chris Yule, a security researcher at managed security services provider Secureworks, said in a presentation at the DefCamp conference in November. His talk provided insights from real-world ransomware infections at large corporations.
“We see Emotet leading to TrickBot infections and then, over time, we see some of those TrickBot infections lead to Ryuk compromises,” Yule said. “We don’t know for sure why that is, but the logical assumption seems to be that the group behind Ryuk is paying for access.”
TrickBot is doing its normal activity of automated credential theft, but once the Ryuk operators take over, everything changes, according to Yule. The activity becomes more hands-on and involves using system administration tools, network scans, the use of public attack frameworks like PowerShell Empire to disable endpoint malware detection, and more. The attackers spend time learning the environment, identifying domain controllers and other important targets, and preparing the terrain for the big ransomware hit while trying to remain undetected, a tactic common to APT groups.
The good news is that between the initial Emotet infection and the Ryuk deployment there is usually a significant window of time when companies can detect and deal with the infection. In the case presented by Yule, that window was 48 days.
The bad news is that detecting this type of manual hacking and lateral movement based on “living off the land” tactics is not easy without more advanced network and system monitoring tools. This means that organisations that have not built up their capabilities to defend against APTs because it is not in their threat model could now also miss ransomware and other sophisticated cybercriminal attacks.
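As an added example, not code from the article or from Secureworks: a small correlation check over constructed log lines that flags hosts where a commodity-malware detection (Emotet, TrickBot) is followed, within the kind of window Yule described, by hands-on use of administration tooling on the same host. The log format, host names, user names and tool list are assumptions; the point is that a PowerShell or net.exe execution alone is ordinary admin activity, while the same activity on a host with a recent commodity infection is worth an investigation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

COMMODITY_MALWARE = ("emotet", "trickbot")   # families named in the article
ADMIN_TOOLS = ("powershell.exe", "net.exe")  # "system administration tools"
WINDOW_DAYS = 60                              # article's case: 48 days to Ryuk

# Constructed sample log: "<ISO timestamp> <host> <source> <message>".
# This layout is an assumption for the example, not a real product format.
SAMPLE_LOG = """\
2019-10-01T09:12:00 WS-FIN-07 av Emotet detected and quarantined
2019-10-01T09:40:00 WS-FIN-07 av TrickBot detected and quarantined
2019-10-03T11:02:00 WS-FIN-07 proc process=outlook.exe user=jsmith
2019-11-18T10:00:00 WS-FIN-07 proc process=powershell.exe user=jsmith
2019-11-18T10:07:00 WS-FIN-07 proc process=net.exe user=jsmith
2019-10-02T10:00:00 WS-HR-02 av Emotet detected and quarantined
2019-10-02T10:30:00 WS-HR-02 proc process=excel.exe user=mlee
2019-10-05T14:00:00 SRV-ADM-01 proc process=powershell.exe user=admin
"""


def parse(line):
    """Split one log line into (timestamp, host, source, message)."""
    ts, host, source, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, source, msg


def process_name(msg):
    """Extract the process=... field from a proc event, lower-cased."""
    for field in msg.split():
        if field.startswith("process="):
            return field[len("process="):].lower()
    return None


def correlate(log_text, window_days=WINDOW_DAYS):
    """Return hosts where admin tooling ran within window_days after the
    host's first commodity-malware detection, with the gap in days."""
    first_detection = {}
    tools = defaultdict(list)
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, host, source, msg in events:
        if source == "av" and any(f in msg.lower() for f in COMMODITY_MALWARE):
            first_detection.setdefault(host, ts)   # keep the earliest hit
        elif source == "proc" and host in first_detection:
            name = process_name(msg)
            gap = ts - first_detection[host]
            if name in ADMIN_TOOLS and gap <= timedelta(days=window_days):
                tools[host].append((ts, name))
    return {host: {"first_detection": first_detection[host],
                   "days_to_hands_on": (tools[host][0][0] - first_detection[host]).days,
                   "tools": sorted({n for _, n in tools[host]})}
            for host in tools}


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_LOG).items():
        print(host, finding)
```

Only WS-FIN-07 is flagged: WS-HR-02 had a detection but no follow-on tooling, and SRV-ADM-01 ran PowerShell without any prior commodity infection.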
Another interesting infection vector that some ransomware groups have adopted over the past year is to compromise managed services providers (MSPs), which have privileged access into the networks and systems of many businesses by virtue of the services they provide. This poses a problem because smaller and medium-sized organisations are outsourcing their network and security management to specialised vendors, so it is important to take steps to limit the damage that can happen when trusted third parties or the tools they use become an insider threat.
Malwarebytes has also observed a resurgence in the use of web-based exploit kits to target businesses and deploy ransomware, particularly the RIG exploit kit. These are attacks launched through compromised websites that attackers know are of interest to certain business sectors or are visited by their targets’ employees.
“Our theory as to why that is, is because there have been a lot of vulnerabilities discovered over the last couple of years,” Kujawa said. “There’s an expected focus on the Chromium engine that’s used to run Chrome and will eventually run Microsoft’s new browser. So, trying to exploit that browser will be very important to cybercriminals and exploit kits because a lot of people use that platform.”
Security companies are always trying to find vulnerabilities in the file encryption implementation of ransomware programs to help victims recover their files without paying money. The decryption tools created as a result of those efforts are typically released for free and made available on the NoMoreRansom.org website maintained by Europol.
However, the ransomware programs used by the more sophisticated groups are quite mature. Attackers have learned from their past mistakes or the mistakes of other ransomware developers and have corrected implementation errors.
The code of some ransomware programs has been leaked online and is available to copy and improve. Operating systems also provide cryptography APIs, and there are well-scrutinised open-source crypto frameworks and libraries. All this means that the most popular ransomware programs are also the most dangerous, because they use strong encryption algorithms and no free decryption solution exists for them.
It’s critical for organisations to have backup plans in place and a data restoration plan that is tested periodically. Backups should also be kept offsite or off network to prevent attackers from deleting or encrypting them as well. In some documented cases, organisations decided or were forced to pay the ransom because their backups were corrupted, or the restoration process would have taken too long compared to just buying the decryptor.
First and foremost, organisations should take themselves off the easy target list by performing internal and external penetration tests and identifying any potentially vulnerable systems or servers exposed to the internet. Remote connections into the network such as VPN or RDP should have strong and unique credentials, as well as two-factor authentication (2FA).
Inside the network, companies should ensure that endpoints and servers are up to date with patches for their operating systems and the software they run. The networks should be segmented based on the principle of least privilege so that a compromise of a workstation in one department can’t easily lead to a full network takeover. On Windows networks, domain controllers should be carefully monitored for unusual access.
Organisations that rely on MSPs or managed security services providers (MSSPs) should make sure the connections from those third parties are monitored and logged and that the software they use also has 2FA turned on. The network and systems access provided to third parties should be restricted to only what is needed to perform their job.
Organisations should have a clear inventory of the data that is critical for their business operations. The systems storing it should be strictly controlled.
Since many ransomware infections start with an infected workstation, the use of endpoint anti-malware software is important. So is removing unneeded plug-ins and extensions from browsers, keeping the software up to date and making sure employee accounts have limited privileges.
Train employees on how to spot phishing emails and question unsolicited messages that ask them to open files or click on links. Create a special email address monitored by the security team where employees can forward emails they believe are suspicious.
Finally, draft an incident response plan and make sure everyone involved knows their role and what they need to do if a compromise does happen, including communicating with your security vendor or MSSP and law enforcement. Do not treat commodity malware infections lightly; investigate them thoroughly, as they could be, and often are, an intrusion vector for more serious threats.
The IC3 and US Cybersecurity and Infrastructure Security Agency (CISA) both have recommendations for preventing or responding to ransomware attacks. In February 2020, the National Institute of Standards and Technology (NIST) released two draft practice guidelines for best practices on dealing with ransomware. The draft guidelines are Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. NIST is accepting comments on them until February 26 and expects to issue final guidance later in 2020.
IDG News Service