The ransomware landscape has evolved into a massive problem in the past few years. The modus operandi and TTPs are more mature, threat actors are targeting big public and private organizations, and the average ransom payment has increased significantly as well. We have already looked at the ransomware landscape earlier this year on this blog, but the rapidly increasing use of this type of malware is reason enough for us to have a closer look at its evolution.
We’ll cover a number of topics in this three-part blog series:
How ransomware has emerged as the biggest cyberthreat in terms of both data loss and direct and indirect costs for its victims.
How US local government is being targeted: Ransomware threat actors are finding bigger monetizing opportunities targeting cities and counties.
The GandCrab and Sodinokibi connection: Clues emerge that the operators behind these two RaaS might be the same.
The social engineering response to a RaaS operator: International law enforcement agencies might have socially engineered the GandCrab operator and scammed the scammer.
The ‘Triple Threat’: Emotet, TrickBot, Ryuk. The use of multiple malware families in ‘Big Game Hunting’ ransomware attacks.
The Rise of Ransomware
Different types of ransomware - a type of malware that encrypts files on a target computer and asks for a ransom to be paid - have been around for a long time, but the last decade saw a massive increase in the level and sophistication of ransomware attacks. Ransomware is now the most damaging cyberattack in terms of both data loss and the direct and indirect costs to its victims.
The arrival of Bitcoin and alternative cryptocurrencies gave a real boost to the viability – and profitability – of ransomware. Threat actors could now rely on a permission-less payment system to execute the transaction.
The New Age of Ransomware emerged in 2013. Threat actors began employing a vast, shadowy infrastructure to execute attacks and process payments. Cryptolocker was the first large-scale ransomware operation, targeting around half a million computers and collecting a total of $27 million in ransoms.
The use of ransomware as a way to monetize cyberattacks escalated, reaching its peak with WannaCry in 2017. This ransomware affected about 200,000 networks in 150 countries. WannaCry weaponized advanced zero-day exploits that had been developed by the US National Security Agency and leaked earlier that year by the Shadow Brokers threat actor.
The threat actors behind Cryptolocker and WannaCry followed the classic modus operandi (MO) of developing the malware and executing the cyberattack themselves. While they were extremely successful, the ability to weaponize exploits and deliver the ransomware was beyond the reach of many threat actors.
That was soon to change, as 2016 saw the emergence of Ransomware-as-a-Service (RaaS), a new model for ransomware activities that bridged the gap between ransomware developers and threat actors.
RaaS is a fee-based model. The RaaS operator does not execute the cyberattacks: it develops and rents out the ransomware and its underlying infrastructure. The sale takes place on hacking sites on the clear web and the dark web. By paying a monthly fee, anyone can buy ransomware, along with associated patches, enhancements and support. In addition to paying for the license, the malicious actor will also have to share a percentage of the ransom money with the RaaS operator.
This new model allows malicious groups lacking technical know-how to execute fairly advanced attacks without having to worry about coding the malware and setting up the command and control infrastructure.
The RaaS model became widespread in 2018 with the arrival of GandCrab, which affected more than 1.5 million victims and, according to the GandCrab operators, generated more than $2 billion in ransom revenue. The operators of GandCrab allegedly retired in May 2019, and the most aggressive and popular ransomware strains are now Sodinokibi and Ryuk.
Previous ransomware attacks used a ‘spray-and-pray’ approach, attacking as many machines as possible in massive phishing campaigns, hoping many would be compromised. They asked for ransoms of a few hundred dollars’ worth of cryptocurrency. This has changed. Campaigns now are more targeted, and the ransom amounts have increased sharply. The average ransom paid is now $36,295 and for the public sector the average sum is $338,700.
This trend shows no sign of abating. The extremely high return on investment for threat actors (and aspiring threat actors) is too good to resist.
Ransomware Targeting US Local Governments
The targeting of local governments is a new trend for ransomware operations in 2019. Many municipalities and counties, particularly in the US, suffered ransomware attacks that brought their operations to a complete halt, with the exception of emergency operations, such as police and firefighters, which normally operate on separate networks.
In March 2018 a ransomware attack targeted the city of Atlanta. The ransomware operators asked for a ransom of $58,000 in Bitcoin, which the city refused to pay. Multiple municipal systems were affected. Among the files encrypted was police footage. The loss of this data potentially jeopardized court cases. Atlanta’s recovery took months, with a total cost to the taxpayer of about $17 million.
In March 2019 Jackson County, Georgia, was targeted by a ransomware attack. The attack forced most of the local government's systems offline with the exception of 911 emergency services. The county decided to pay the $400,000 ransom, stating that the alternative would have been months of downtime at a much higher price.
Also in March 2019, Orange County suffered a ransomware attack which shut down most IT systems. County officials did not disclose the ransom requested but said they refused to pay.
In April 2019, the city of Greenville, North Carolina, was attacked using the RobbinHood ransomware. The result was an almost complete shutdown of the city's network infrastructure. The ransom requested was approximately $24,000 per system. It took weeks for the city to resume normal operations. Officials claimed the restore was done without paying the ransom.
In May 2019 the city of Baltimore was targeted, crippling the city's government operations for over a month. The ransom requested was $76,000 in Bitcoin, which city officials refused to pay. Estimates for the recovery costs to the city of Baltimore IT systems put the final bill at around $18 million.
In June 2019, the city of Riviera Beach, Florida, was also targeted. City services were all but shut down. Only the emergency 911 service continued to function, albeit with limited operations. City officials voted unanimously to authorize the ransom payment after they realized some high-value data could not be recovered via backups. The ransom paid was Bitcoin worth $600,000.
In June 2019 another Florida city, Lake City, got hit by ransomware. The infection pushed all the city’s non-emergency IT systems out of operation. In an emergency meeting, Lake City officials voted to pay the ransom of $500,000 in Bitcoin.
In July 2019, La Porte County was hit by the Ryuk ransomware. A forensic investigation firm, together with the FBI, tried to recover the encrypted data but with no success. Without access to back-up data, La Porte County had no chance of recovery. The council therefore decided to proceed with the payment of about $130,000 in Bitcoin, taking advantage of a cybersecurity insurance policy signed last year that covered $100,000.
As we can see, attacks against local governments are becoming more common. This MO is called ‘Big Game Hunting’. Rather than executing massive, untargeted spam campaigns that hope to maximize the number of victims, Big Game Hunting is highly focused. The threat actor meticulously selects its target, studies it to understand if it is able to pay the ransom and if it can restore operations without having to pay. If it looks promising, the threat actor executes the attack.
As we can see from looking at these cases, recovery costs can outweigh ransom costs by orders of magnitude, often making paying the ransom the preferred option. This is the case for many local governments whose disaster recovery processes may be lacking. In many cases, these organizations have taken out insurance covering cyber incidents. Such insurance makes payment of the ransom a highly likely and preferable option. Therefore, for Advanced Persistent Threat groups, Big Game Hunting provides the highest payouts possible in a ransomware attack.
The targeting of local governments is just one of the new trends for ransomware operations to have emerged this year. In the second part of this blog series we will look at more recent developments in the ransomware landscape and the most common pieces of malware used in ransomware attacks, such as GandCrab and Sodinokibi.