Understanding Ransomware
Ransomware threats have become a relevant part of any organizations risk landscape awareness in the past few years as threat actors and their TTPs become more advanced and take on a more diverse range of targets. Understanding what ransomware is, what risk it presents for your organization, and how to build an effective response and recovery plan are all crucial for implementing a strong threat intelligence program and keeping your assets, infrastructure, and personnel secure.
In this article, we:
Ransomware uses data encryption to block organizations access to their own sensitive data, demanding a ransom is paid to unlock it safely. Personnel facing a ransomware attack are denied access to internal files and programs, and ransomware actors often design their malware to spread throughout an organizations infrastructure while targeting its entire database and file servers, more effectively forcing the company to pay the ransom.
As attacks evolve to become more severe, threat actors have also adopted tactics to add external pressures, such as threatening to release confidential information, doxx executives, or inform clients that the company is not willing to pay to protect their data, to increase the likelihood of payment.
Although its become increasingly discussed in the past decade, ransomware attacks have existed for almost 40 years. One of the first recorded ransomware attacks, taking place in 1989 and released via floppy disk, was the AIDS Trojanalso called the PC Cyborg Virus. This ransomware attack demanded that victims send $189 via post to a P.O. box in Panama to restore access, although the encryption strategy used would not be effective at locking organizations out of their own systems today.
Until the 2000s it was difficult to efficiently receive ransom payments, making ransomware attacks relatively rare compared to today. Threat actors usually collected payments through money transfer services like Western Union or MoneyGram, or would request users to send prepaid debit cards through services like MoneyPak. With the advent of cryptocurrency, it has become much easier for threat actors to receive payments and quickly profit, which has led to this type of attack becoming more widespread.
Ransomwares evolution has seen a shift in the way threat actors choose their targets and tailor their attacks. In the past, general ransomware attacks were more common, and would target wider groups of victims at once to take advantage of a larger volume of lower value payments. They were fairly random, and would prey upon whoever happened to download the malware that would force them to pay.
However, extortionist sites, like the one associated with the criminals behind Maze ransomware, have given threat actors the ability to effectively target specific entities that are willing to pay higher ransoms in a single attack. Victim-shaming sites prevent targeted organizations from keeping an attack private and taking their time to pay the ransom, which makes them more willing to pay and helps the perpetrators profit quickly and with a higher success rate.
As ransomware attacks become more advanced, many threat actors have also begun leveraging other tactics in addition to holding confidential data hostage to further encourage organizations to pay up quickly. One of the most common secondary threats is to release the private information theyve captured, either to the general public or to a companys board, further damaging an organizations reputation in the wake of an attack.
Flashpoint has observed up to four tactics used in a single attack, often progressing from the aforementioned data encryption and theft to DDoS attacks, which shut down the victims sites so customers cannot get service, and harassment, which involves the threat actors directly contacting customers, investors, and the media to publicize the attack.
As a result, ransomware attacks often disable organizations and leave them unable to move forward without giving into demands, which is why ransomware has become a growing issue for companies as more threat actors attempt to profit from this lucrative threat vector.
This cybercrime industry is expected to grow to over $265 billion by 2031, and has become a risk for organizations across categories that must be considered as organizations build their threat intelligence and risk remediation programs.
Essentially, ransomware is built to infiltrate an organizations system, encrypt the files so theyre inaccessible to other users, and send a ransom demand to the victim. There are several ways threat actors accomplish these steps, but they are most often broken into the following components:
In order to gain initial access to a system, threat actors leverage a variety of infiltration vectors to help them infect an organizations database. Some of the most common include:
Recommended: Where Do Cybercriminals Stand on Ransomware Now?
Ransomware attacks often make use of multiple tactics to achieve the required level of access necessary to execute a large-scale attack.
Once an organizations infrastructure has been compromised, ransomware actors must encrypt the data so it is inaccessible to others and can be used to leverage payment for its unlocking.
This part of an attack is often the most straightforward, since encryption functionality is built into an operating system. It involves accessing the fileswhich is possible with the previously-installed malwareand then encrypting them with a unique attacker-controlled key. These new files replace the old ones, and the organization is no longer able to access their data, leaving them paralyzed and vulnerable to further breaches.
After an organization is locked out of their systems, a ransom is demanded via the ransomware to make organizations pay as quickly as possible. This is normally communicated to the victim via a ransom note, which is either programmed to be set as the display background of the device victims are trying to access their files from, or is contained in each of the encrypted directories so it is found as victims attempt to open their files.
These notes inform the victim of the price they must pay to regain control of their infrastructure, which are often demanded in cryptocurrency. If and when the ransom is paid, the victim receives either the encryption key or a copy of the encryption key that can be entered into the decryptor program (also provided by the attacker), which restores organizational access to the files and data.
These three components make up the framework for any ransomware attack, although their implementation can vary based on threat actor group.
Ransomware comes in many forms, including:
Tracking Ransomware: Understanding your Exposure and Taking Action
Ransomware-as-a-service: RaaS has become more popular in recent years, and refers to anonymous threat actors that act on behalf of another party to carry out an attack. From infiltrating a system to collecting the ransom, these anonymous hackers receive part of the payment in exchange for their assistance.
The WannaCry ransomware attack of May 2017 affected Microsoft Windows users worldwide, encrypting data and demanding Bitcoin ransom payments. This mass attack targeted organizations around the globe, using EternalBlue, a Microsoft exploit developed by the NSA for older Windows systems. This exploit was stolen by hacker group The Shadow Brokers and subsequently leaked roughly a month before the attack, which allowed for the ransomwares rapid propagation to a large number of countries across industries.
Related Reading: Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
Petya is a strain of ransomware that targets Microsoft systems, encrypting data and preventing the operating system from starting. First observed in March 2016, it demands ransom payments in Bitcoin and was initially propagated via email attachments, although there have since been attacks using Petya malware that use a variety of TTPs to do damage.
One of its most notable variants, dubbed NotPetya, emerged in June 2017 and was used to carry out a widespread ransomware attack around Europe and the US. These attacks primarily targeted Russia and Ukraine, and are believed to be politically-motivated attacks against Ukraine that took place on its Constitution Day.
A suspected variant of Petya, Bad Rabbit ransomware was first observed in 2017 and disguised itself as an Adobe Flash installer, exposing those who unknowingly visited compromised websites via drive-by downloads. Once infected, a victims display would demand a Bitcoin ransom payment within 48 hours, although it was reported that payment did unlock the device, which does not always happen during ransomware attacks.
REvil was a Russian-language RaaS group that executed ransomware attacks by threatening to release sensitive organization information to the public unless a ransom was paid. In one of its most high-profile cases, it obtained confidential schematics for unreleased tech products. An announcement was made in January 2022 by the Russian Federal Security Service that it had dismantled REvil and arrested several of its members.
In one of its most noteworthy attacks, REvil targeted global IT infrastructure provider Kaseya in July 2021 by hacking its Virtual Systems Administrator software, spreading REvil ransomware to its users. The attack affected thousands of organizations, either directly or indirectly, and was carried out by exploiting an unpatched vulnerability that was fixed by Kaseya nine days after the incident took place.
Conti ransomware, which has existed since 2020, utilizes a number of TTPs to distribute the malware, including spear phishing campaigns, weak RDP credentials, and the exploitation of vulnerabilities in external assets. In February 2022, Conti chats were leaked, identifying individuals involved with the ransomware group and exposing other details of how it is run. However, there is evidence that Conti is still operating despite the leaks, and is still an active threat in the ransomware space.
Related Reading: Conti Affiliate Leaks Ransomware Documents
Carried out by criminal hacking group DarkSide, a ransomware attack was leveraged against American oil pipeline system Colonial Pipeline in May 2021 that led to the suspension of all pipeline operations in an effort to contain the attack. Working with the FBI, the organization made a payment of 75 bitcoin, approximately $4.4 million, to DarkSide, making it the largest attack on an oil infrastructure target in American history. They were subsequently provided an IT tool by the threat actor group to restore the system. It was announced in June 2021 that 63.7 of the bitcoin, or $2.3 million of the total payment, had been recovered.
Related Reading: DarkSide Ransomware Links to REvil Group Difficult to Dismiss
In December 2020 a ransomware attack against workforce management company Ultimate Kronos Group left many organizations, including some major enterprise companies, unable to process payrolls and consequently in violation of their obligations to employees. UKG was subsequently sued by several of its customers for alleged negligence in security practices and data protection, highlighting the importance of organizations implementing best practices to protect their and their users data.
Recommended: The Great Cyber Exit: Why the Number of Illicit Marketplaces Is Dwindling
As ransomware evolves to become more aggressive to organizations, there are developments that organizations should be aware of to better protect themselves from these types of threats.
2021 saw an increase in the number of ransomware attacks executed against organizations, growing by 105 percent compared to 2020. Although they make up just a small portion of total victim numbers, governments and healthcare organizations saw particularly steep growth in attacks, with the former seeing a 1,885 percent increase in the number of attacks and the latter experiencing a 755 percent increase. Especially with the rise of remote work, threat actors have taken advantage of heightened vulnerabilities that leave organizations more susceptible to a breach in their infrastructure.
Not only has the quantity of ransomware events proliferated, but ransomware actors have also evolved their tactics to make for more severe attacks that are meant to increase the likelihood of victims sending payment.
Coordinating attacks with major organization events like an IPO, sharing confidential information on victim-shaming sites, and threatening to sell stolen data to outside parties that are willing to pay for it have all been observed by Flashpoint as methods being used to put pressure on companies to submit to ransom demands.
With ransomware a firmly established part of the threat landscape across sectors, more responsibility is now placed on the board of an organization to ensure that their security teams have a solid plan to prevent and deal with ransomware breaches effectively and legally. As attacks become more severe, several factors are making it even more important for boards to take on an active role in defending their organizations against ransomware.
Ransomware attacks made up 75 percent of claims reported to cyber insurance companies in 2021, marking the rapid growth in both volume of attacks and the demand from organizations to have a safety net to protect their assets in the event of such an attack. This boost has become unsustainable for cyber insurers, leading to some, like AXA, announcing that ransomware attacks will no longer be covered under their policies.
Meanwhile, judicial bodies are tightening the standards organizations are held to to disclose attacks, and limiting the circumstances under which it is legally permissible to pay the ransom. As a result, these changes stand to put companies in an even more difficult position if a ransomware attack does occur, which means prevention must be prioritized over reaction.
As your organization takes steps to strengthen its defense against ransomware attacks, its helpful to identify things that make your personnel and infrastructure more susceptible to being targeted by threat actors. This knowledge can assist you in understanding what steps to take to better protect your organization from a successful ransomware attack.
Some of the key weaknesses that are in your control that threat actors look for to make for an easier attack include:
Additionally, there are other elements that may make certain companies more susceptible to ransomware attacks that are not necessarily changeable, but are important to be aware of to emphasize the importance of a strong ransomware prevention and defense plan.
Many companies targeted by ransomware attacks:
With all of these factors in mind, its important to have a realistic view on how ransomware risk fits into your organizations broader threat landscape analysis. Having a strong threat intelligence program in place is a good start to protecting your assets and infrastructure from an attack, but it is only one part of building a good defensive strategy.
A robust cyber awareness training program is one of the most impactful ways you can preempt potential threats. An effective program educates all of your employees about best cybersecurity practices and teaches them how they can contribute to a more secure organization, minimizing the risk of successful ransomware distribution through methods like email phishing. Best practices for individuals include:
In addition to these steps each employee should take to help prevent a successful breach, there are broader organizational measures that can be enacted to further impede threat actors from executing a successful ransomware attack. These include:
In the event that a ransomware attack does impact your organization, mapping out how to respond quickly and effectively can greatly minimize the damage afterwards. Planning ahead is key, as it saves your entire team valuable time in the moment when its most impactful, and ensures that everyone knows how to proceed so all efforts are aligned.
Among the most important aspects to include in your response plan are clear definitions of roles and responsibilities for involved teams and individuals, business continuity plans to minimize an attacks impact on your customers and users, communication plans, and vendor partnerships.
The basic steps of a ransomware response can usually be broken into the following parts:
After validating that an attack is taking place, its important to determine its scopehow widespread has it become? Understanding this will help you stop it as quickly as possible by taking the affected devices off of organization networks theyre connected to, preventing the ransomware from spreading to shared drives and other devices. It is also best practice to take your backups and other systems offline to prevent the ransomware from infecting them as well.
After you have secured your organization from further damage, your response teams can begin to investigate the scope of the attack and determine how much of your system has been impacted. Determining the strain of ransomware that was used, what specific files and data have been encrypted, and whether your backups are secure and functioning are also considerations to make as you evaluate the incident.
Once you have a clear view of what has been impacted, you can move forward with recovering your data and finding a solution to restore system access to your personnel. In addition to disclosing the attack to all involved parties, possible solutions to consider include:
Its important to note that submitting to a ransom demand is not always legal, so its crucial to include law enforcement and a knowledgeable party from your own organization to verify that ransom payment is allowed. Since some threat actors are tied to sanctioned entities, or are sanctioned themselves, a due diligence investigation may be needed.
It has historically been in the threat actors best interest to follow through on restoring access to your files and data once they receive a payment, since failing to do so can damage their reputation and decrease the likelihood that future victims will pay. However, it should be noted that there have been cases where threat actors do not follow through on their promise to decrypt your data, so paying the ransom should be carefully considered.
After you have restored access and retrieved your data, your security teams must perform an audit to determine which vulnerabilities were exploited that allowed for a successful ransomware attack and make the necessary changes to prevent it from happening again.
It is not uncommon for the same organization to experience a ransomware attack multiple times, usually because they do not fix the underlying causes of the vulnerabilities, allowing threat actors repeat access. Implementing new and improved measures to secure your infrastructure will make its recovery smoother and more stable.
Your organizations data, infrastructure, and personnel are valuabledont let threat actors take advantage of them. Sign up for a free trial and see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).
Read more:
Definitive Guide to Ransomware: What It Is and How Your Organization Can Prevent, Detect, and Respond to a Ransomware Attack - Flashpoint
Read More..