Ransomware attacks have matured over the years, adopting more stealthy and sophisticated techniques, while at the same time fixing many of the implementation errors that earlier iterations had. Moreover, some attacks are now gaining a new data leak component, which exposes companies to more than the traditional data loss associated with ransomware.
The trends observed over the past year indicate that these attacks are not going away and are likely to increase in frequency.
Ransomware started out as a consumer threat, representing an aggressive evolution over the scareware attacks that used to trick people into paying fake fines or buying rogue software to fix non-existent issues. While the early campaigns proved profitable for cybercriminal gangs, the consumer ransomware landscape became crowded. As consumer antivirus firms improved their ransomware detection capabilities, casting a wide net to gain as many victims as possible became a less effective technique.
In a report released in August 2019 that looked at the ransomware evolution between Q2 2018 and Q2 2019, security firm Malwarebytes noted that “this once dangerous but recently dormant threat has come back to life in a big way, switching from mass consumer campaigns to highly targeted, artisanal attacks on businesses.”
Over the analyzed period, the number of ransomware detections in business environments rose by 365%, while consumer detections declined. That trend continued for the rest of the year, according to Adam Kujawa, director of Malwarebytes Labs. “We’re seeing an overall focus on businesses and an increase in all kinds of infection methods,” he tells CSO. “A big part of that is that it’s easier today to infect a business than it was a few years ago and the EternalBlue and other exploits certainly had something to do with that.”
EternalBlue is an exploit for a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol that was patched in March 2017 and affected all versions of Windows. It was the primary propagation method through corporate networks for the WannaCry, NotPetya and other ransomware worms that crippled many organizations worldwide during 2017.
“It might not be the sole reason why we see such an increase in business focus for these types of attacks, but I think that what happened with WannaCry and NotPetya revealed the underbelly of enterprise security,” Kujawa says. Before that, many people might have assumed that these are big companies, with security teams and it’s hard for hackers to break in, but seeing how massive and damaging those attacks were — and not because of misconfigurations, but because of not patching in time — might have convinced more cybercriminals that it’s worth going after businesses instead of consumers, he says.
Since private companies are not always required legally to disclose ransomware incidents, the impact of ransomware attacks on the business sector is hard to quantify, both in terms of cost and prevalence. It’s also hard to say how often such victims decide to pay the ransom, but it’s clearly enough for cybercriminals to keep investing in this threat.
In an alert issued in October 2019, the FBI’s Internet Crime Complaint Center (IC3) warned that “since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
“Ransomware attacks are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent,” the organization said.
Publicly traded companies sometimes release information about the impact of ransomware attacks in their Securities and Exchange Commission (SEC) filings as part of their obligations to disclose significant cyberattacks to their shareholders. Companies might be forced to disclose such incidents when they need to explain serious business disruptions to their customers and partners.
For example, as a result of the 2017 NotPetya attack, transport giant Maersk had to suspend operations at 17 port terminals causing huge waiting lines for cargo loading and a logistical nightmare that took months to sort out. The incident cost the company over $200 million, but it also had a serious impact on its customers’ business.
When ransomware hits public institutions such as municipalities, hospitals, schools or police departments, there is greater visibility into the impact — and the statistics are worrying. According to a report released by security firm Emsisoft in December, during 2019, ransomware attacks affected 113 government agencies, municipalities and state governments; 764 healthcare providers and 89 universities, colleges and school districts with up to 1,233 individual schools were potentially impacted.
An argument could be made that public institutions don’t have the same level of security as large companies because of budget constraints and outdated IT infrastructure, which is why they’re easier targets for attackers. In a report released in October 2019, the state auditor for Mississippi said that “several state agencies, boards, commissions, and universities are failing to adhere to state cybersecurity laws, leaving Mississippians’ personal data vulnerable to hackers” and concluded that “many state entities are operating like state and federal cyber security laws do not apply to them.” According to Emsisoft, Mississippi was actually one of the states least affected by ransomware in 2019 based on public reports.
An APT-level threat
Even if public institutions are easier targets, the risk of ransomware infections is not lower for private companies. Over the past couple of years, ransomware gangs have adopted sophisticated techniques including targeted delivery mechanisms, manual hacking using administrative tools and utilities already available on systems (a tactic known as living off the land), stealthy network reconnaissance, and other attack procedures that used to be primarily associated with cyberespionage groups and nation-state actors. This is part of a larger trend of traditional cybercriminals adopting advanced persistent threat (APT) techniques.
“We’ve seen an increase in what I like to call manual infections,” Kujawa says. These are attacks where there’s a vulnerability in an internet-facing server or protocol, or some other way in which attackers can get access to a system terminal and use it as a backdoor. This allows cybercriminals to disable security software, perform various tasks and deploy ransomware on very specific targets, instead of just relying on an automated malware program that’s otherwise limited in functionality, he says.
SamSam, a ransomware program that dates back to 2016, is known for being exclusively deployed in that way, but the same tactic has been adopted by newer groups observed over the past year like Ryuk, RobinHood and Sodinokibi.
Moreover, there are signs that ransomware is evolving into a new type of threat where cybercriminals are not just encrypting data but are also stealing it and threatening to release it on the internet. This exposes organizations to damaging public data breaches and the associated regulatory, financial and reputational implications.
In December 2019, a hacker group called Maze threatened to release data that was stolen from organizations the group infected with ransomware if those organizations refused to pay the ransom. The victims included the city of Pensacola, Florida, which was hit on December 7 in an attack that disrupted its phones, municipal hotline, email servers and bill payment systems.
Other hacker groups have used data leaks as an extortion technique. In 2015, a ransomware program called Chimera that targeted consumers also threatened to release private information stolen from victims. However, in the case of Chimera, it was just a scare tactic and the attackers did not actually steal any data from infected systems.
Many of the threats made over the years by cybercriminals to release stolen information turned out to be bogus because exfiltrating large quantities of data has historically been hard to scale. To do that for a large number of victims, hackers need infrastructure capable of receiving and storing hundreds of terabytes of data. That adds significant overhead to their campaigns. However, the rise of cloud infrastructure, which provides easier maintenance and lower cost for storage and data traffic, is beginning to make those attacks much more viable.
In late December 2019, the Maze group published parts of data they claim to have stolen to prove that they really were in possession of potentially sensitive information exfiltrated from victims. Their first website, hosted at an ISP in Ireland, was taken down, but they were soon back online with a different website hosted in Singapore.
“That’s an unexpected evolution of this threat,” Kujawa says. “It does expose the criminals more, for sure, but it’s also an effective method of putting pressure on. It’s utilizing the media and awareness of a threat.”
Kujawa believes ransomware gangs might increasingly resort to such tactics because as more organizations learn how to deal with ransomware and put solid data recovery plans in place, criminals might find it harder to extract money from them by simply locking their files. “If companies believe their data, which they feel is valuable and important to hold on to, may be released if they don’t pay this ransom, regardless of whether or not the attackers can do it, the threat itself may inspire some victims to pay,” he says.
New attack methods
The primary methods of distributing ransomware remain spear-phishing and insecure Remote Desktop Protocol (RDP) connections. However, attackers also buy access to systems already infected with other malware. Online marketplaces sell access to hacked computers and servers, and botnets deploy additional malware for those willing to pay. For example, the relationship among the Emotet spam botnet, the TrickBot credential-stealing Trojan and Ryuk ransomware is well known in the security community.
The initial compromise in Ryuk ransomware incidents almost always comes through commodity malware, Chris Yule, a security researcher at managed security services provider Secureworks, said in a presentation at the DefCamp conference in November. His talk provided insights from real-world ransomware infections at large corporations.
“We see Emotet leading to TrickBot infections and then, over time, we see some of those TrickBot infections lead to Ryuk compromises,” Yule said. “We don’t know for sure why that is, but the logical assumption seems to be that the group behind Ryuk is paying for access.”
TrickBot is doing its normal activity of automated credential theft, but once the Ryuk operators take over, everything changes, according to Yule. The activity becomes more hands-on and involves using system administration tools, network scans, public attack frameworks like PowerShell Empire to disable endpoint malware detection and more. The attackers are spending time learning the environment, identifying domain controllers and other important targets and preparing the terrain for the big ransomware hit while trying to remain undetected, a tactic common to APT groups.
The good news is that between the initial Emotet infection and the Ryuk deployment there’s usually a significant window of time when companies can detect and deal with the infection. In the case presented by Yule, that window was 48 days.
The bad news is that detecting this type of manual hacking and lateral movement based on “living off the land” tactics is not easy without more advanced network and system monitoring tools. This means that organizations that have not built up their capabilities to defend against APTs because it’s not in their threat model could now also miss ransomware and other sophisticated cybercriminal attacks.
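The detection window described above can be made concrete with telemetry most organizations already collect. The following Python script is an added example written for this article, not code from CSO, Secureworks or Malwarebytes: it reads constructed Windows process-creation (event ID 4688) and antivirus alert records, flags the hands-on activity Yule describes (domain controller and privileged group discovery, tampering with endpoint protection) and reports, per host, how many days passed between the first commodity malware alert and the first operator activity. The JSON field names, hostnames, users and timestamps are hypothetical; the sample log is constructed so that the gap mirrors the 48-day window from the talk. The command-line patterns are illustrative detection signatures taken from the MITRE ATT&CK discovery and defense-evasion techniques, not an exhaustive rule set.

```python
"""Added example: measure the window between commodity malware and hands-on
operator activity on a host, from constructed log lines (hypothetical schema)."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Process-creation command lines that suggest an operator is working by hand:
# enumerating domain controllers / privileged groups, or switching off endpoint
# protection. Illustrative patterns (ATT&CK T1018, T1069.002, T1562.001).
HANDS_ON_PATTERNS = {
    "discovery:dc_enum": re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I),
    "discovery:priv_groups": re.compile(r"\bnet(\.exe)?\s+group\s+\"?domain admins\"?", re.I),
    "discovery:trusts": re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I),
    "evasion:defender_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring", re.I),
}

# Commodity families whose AV alerts mark the start of the window.
COMMODITY_FAMILIES = ("Emotet", "TrickBot")


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime in 'ts'; malformed lines are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError):
            continue  # collectors do emit junk lines; never let one stop the run
        out.append(ev)
    return sorted(out, key=lambda e: e["ts"])


def classify(ev):
    """Label an event as commodity malware, hands-on activity, or None (uninteresting)."""
    if ev.get("source") == "av_alert":
        family = ev.get("family", "")
        if any(f.lower() in family.lower() for f in COMMODITY_FAMILIES):
            return "commodity:" + family
        return None
    if ev.get("event_id") == 4688:  # Windows process creation (command-line auditing on)
        for label, pattern in HANDS_ON_PATTERNS.items():
            if pattern.search(ev.get("cmdline", "")):
                return label
    return None


def hands_on_window(lines):
    """Per host: first commodity alert, first hands-on event, gap in days, and findings."""
    per_host = defaultdict(lambda: {"first_commodity": None, "first_hands_on": None, "findings": []})
    for ev in parse_events(lines):
        label = classify(ev)
        if label is None:
            continue
        h = per_host[ev["host"]]
        h["findings"].append((ev["ts"].isoformat(), label))
        if label.startswith("commodity:"):
            if h["first_commodity"] is None:
                h["first_commodity"] = ev["ts"]
        elif h["first_hands_on"] is None:
            h["first_hands_on"] = ev["ts"]
    for h in per_host.values():
        if h["first_commodity"] and h["first_hands_on"]:
            h["window_days"] = (h["first_hands_on"] - h["first_commodity"]).days
        else:
            h["window_days"] = None
    return dict(per_host)


# Constructed sample log: hostnames, users, times and the schema are all made up.
SAMPLE_LOG = """
{"ts": "2019-09-01T08:12:00", "host": "WS-0042", "user": "jdoe", "source": "av_alert", "family": "Emotet"}
{"ts": "2019-09-03T09:40:00", "host": "WS-0042", "user": "jdoe", "source": "av_alert", "family": "TrickBot"}
{"ts": "2019-09-15T10:00:00", "host": "WS-0042", "user": "jdoe", "event_id": 4688, "cmdline": "outlook.exe"}
not json at all
{"ts": "2019-10-19T09:00:00", "host": "WS-0042", "user": "svc_backup", "event_id": 4688, "cmdline": "nltest.exe /dclist:corp.example"}
{"ts": "2019-10-19T09:01:30", "host": "WS-0042", "user": "svc_backup", "event_id": 4688, "cmdline": "net group \\"domain admins\\" /domain"}
{"ts": "2019-10-19T09:05:00", "host": "WS-0042", "user": "svc_backup", "event_id": 4688, "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": "2019-10-19T10:00:00", "host": "WS-0077", "user": "asmith", "event_id": 4688, "cmdline": "chrome.exe"}
"""

if __name__ == "__main__":
    for host, info in hands_on_window(SAMPLE_LOG.splitlines()).items():
        print(host, "window_days =", info["window_days"])
        for ts, label in info["findings"]:
            print("   ", ts, label)
```

The point of the per-host pairing is the operational one from the talk: a commodity alert that was closed as "cleaned" and then followed weeks later by discovery commands on the same machine is the signal that the infection was sold on, and the window between them is the time the defenders actually had.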
Another interesting infection vector that some ransomware groups have adopted over the past year is to compromise managed service providers (MSPs), which by virtue of the services they provide have privileged access into the networks and systems of many businesses. This poses a problem because small and medium-sized organizations are outsourcing their network and security management to specialized vendors, so it’s important to take steps to limit the damage that can happen when trusted third parties or the tools they use become an insider threat.