As we have seen in this blog series so far, the ransomware ecosystem is quickly evolving (if you missed the previous parts, check out ‘The Rise of the Biggest Cyberthreat’ and ‘GandCrab, Sodinokibi and How to Scam a RaaS Operator’).
The ease of executing ransomware attacks has attracted multiple threat actors, who can now launch a ransomware attack simply by renting the malware and the infrastructure. With this approach, the threat actor does not need to be very technical and does not have to worry about coding or setting up the infrastructure, as they can easily lease it. Instead, the threat actor can now focus on properly selecting the target based on how desperate it will be to resolve the situation, its vulnerability and its ability to pay the ransom.
The New Age of Ransomware, combined with Big Game Hunting, is shifting the pattern of attacks away from generic spray-and-pray non-targeted ransomware campaigns and towards carefully tailored operations. Rather than relying on a massive spam campaign and hoping for a high number of victims willing to pay small ransom amounts, these operations select a high-value target and employ a high degree of stealthy reconnaissance before executing the encryption process.
Triple Threat
The new modus operandi (MO) is very different: The target is selected based on the perceived capability of paying a large ransom. Reconnaissance is performed to carefully study the target and locate the most valuable information assets. Exfiltration is performed on valuable data in order to sell it on the black market or leverage it to blackmail the target, threatening a public data dump of confidential documents at a later stage. Network enumeration is performed, and critical elements are compromised before encryption.
One example is the discovery and compromise of backup servers. Once the backup servers are compromised, the encryption process will target them as well, thereby making data recovery impossible. The loss of high-value data, combined with the impossibility of recovery by normal means and the financial capability to pay the ransom, increases the chance that the target will agree to pay a large ransom.
Emotet, TrickBot and Ryuk, with their Downloader/RAT/Ransomware capabilities, have been combined in multiple operations to allow for a high degree of modularity to perform the steps mentioned above. The use of these three malware families together has been named the ‘Triple Threat’.
Protective Measures
Ransomware families and the operators behind them have evolved rapidly in the last few years.
From massive spam campaigns targeting random victims and seeking small ransoms, these operations now target high-value targets and demand ransom in the tens or hundreds of thousands of dollars. The success of these operations has brought many big organizations to their knees, causing massive embarrassment and financial damage in addition to the actual data loss.
While the FBI and other international law enforcement agencies keep asking victims not to pay the ransom, without a spotless and fully tested disaster recovery process in place, recovery costs for those who don’t pay are almost always orders of magnitude higher than the actual ransom sum. In these cases, paying the ransom is the most convenient, efficient and cost-effective approach to recover the lost data and bring the organization back online.
The ease of monetization and the high return on investment, combined with the exploitation of new MOs and tactics, techniques and procedures (TTPs) such as RaaS, are likely to increase the number of threat actors wanting to get a piece of the pie and attempt a ransomware operation.
Organizations need to be prepared for this type of attack. It is a matter of when, not if. The best approach is to have a solid and robust disaster recovery process in place, with strict and tested backup procedures and a backup environment fully separated from the operational network environment.
Executing regular drills to simulate a ransomware attack and the consequent data disaster recovery process is of utmost importance. Such drills allow organizations to find any possible weaknesses in their preparations. If weaknesses in the disaster recovery process are only discovered during an attempt to restore after a ransomware attack, it will be too late.
This is what happened in many of the incidents mentioned in this series. Victims ended up paying large amounts of money either in ransom or by having to engage external personnel to deal with the incident. Depending on the value and importance of the data stored, an insurance policy might also be a helpful option in a worst-case scenario.
EclecticIQ Fusion Center analysts will continue to monitor current and new ransomware operations observed in the wild and advise on the best course of action.