Ransomware continues to dominate the news as attacks spring up week after week. Although it has become a buzzword in its own right, ransomware is a genuine threat that continues to grow and demand attention. It is also a threat that does not exist in isolation; the series of tactics and approaches that surround it, from initial access onward, should also be considered when seeking a solution to this rising problem. A clear example is the initial access in the Colonial Pipeline attack, which was reportedly gained through a legacy VPN account without multi-factor authentication. We see usernames and passwords reused, across the board, all too often. This may seem like a small factor, but as this example shows, it can lead to data breaches whose spoils then find their way to dark web forums.
The Internet Crime Report 2020 shows the number of ransomware incidents was already on the rise in 2020 after the Internet Crime Complaint Center (IC3) received a record number of complaints. “In 2020, the IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million.” The report also highlights that “although cybercriminals use a variety of techniques to infect victims with ransomware, the most common means of infection” included email phishing campaigns, Remote Desktop Protocol (RDP) vulnerabilities and software vulnerabilities. In a New York Times podcast on “Who is Hacking the U.S. Economy?” Nicole Perlroth highlights another shift we have seen in ransomware. “When I first started covering this about 10 years ago it looked very different. This was something that was hitting people’s individual computers in Europe. People would log on to their computer and they would see a ransomware note only it purported to come from Interpol or the FBI and it said hey we locked up your computer we know you’ve been looking at some illegal sites … and we need you to pay this fine. The fines were something like 100 to €200 in those days and at the time cybersecurity experts warned me that eventually, this would come for the United States. When it did, it didn’t look that different. It was ransomware groups holding up individual PC users and demanding 100 to $200 in fines. But then something happened in 2017 that really brought ransomware to the next level. That was the year we started seeing nation-states use ransomware to bring entire companies and industries to their knees.”
Ransomware groups are mercilessly opportunistic, and the battle to disrupt ransomware has only just begun. This post will highlight key takeaways pertaining to the rise in ransomware that we are seeing today and recommendations for security teams looking to address these types of attacks.
Piecing Together the Rise in Ransomware Attacks
It was only about two years ago that we started to see more ransomware extortion activity, in which a threat actor gains access to sensitive data and holds it hostage using malware or similar tactics while they demand a heavy ransom to release the data “safely.” In the past, this was viewed as just another form of cybercrime that for the most part only affected the target.
It’s also important to note that cybercriminals target individuals as well as organizations. In some cases, attacks begin with individuals and then lead to an organization-wide attack. Using the lure of a missing person to target vulnerable families for extortion schemes fits within a broader trend in recent years of increasingly innovative “get-rich-quick” scams that can cause severe disruption to personal lives. We regularly see offers and demands for social engineering work in both top-tier and lower-level underground hacker forums. Threat actors seek to operationalize publicly available information from social media and other open sources by combining it with more sensitive data obtained from the latest data leaks on the dark web. Technological enhancements in easily accessible online intelligence tools have scaled and spread this kind of targeting.
Additionally, ransomware attacks have moved to impact entire communities as critical resources are put at risk. The Colonial Pipeline attack led to a shutdown that affected almost half of the East Coast’s fuel supply. Weeks later, the JBS attack impacted the U.S.’ largest meat supplier. In an interview with the Wall Street Journal, Philip Reiner, chief executive of the Institute for Security and Technology, stated ransomware attacks have “risen to the level of a national security threat. And when that is understood and accepted, that means you can shift priorities, for instance, within the intelligence community or within law enforcement.”
We have seen a strong response by U.S. law enforcement showing the importance of addressing external threats and disrupting attacks. The FBI has outlined several initiatives to battle ransomware, including establishing a Ransomware Task Force, private sector cyber company partnerships, the ability to seize assets and more. We are also seeing cryptocurrency tracking as a notable vector of disruption to “turn the tables” on cybercriminals. The Department of Justice announced that it “seized 63.7 bitcoins currently valued at approximately $2.3 million. These funds allegedly represent the proceeds of a May 8th ransom payment to individuals in a group known as DarkSide, which had targeted Colonial Pipeline, resulting in critical infrastructure being taken out of operation.”
The DOJ’s ability to “follow the money” and seize assets was successful for a few reasons. First, they tracked the most active groups, and then they moved to track the bitcoin wallets and addresses associated with the ransomware payments. Once a payment is made, there is a race between recovering the funds and the attackers transferring and laundering them into other cryptocurrencies or forms of money. In this case, DarkSide was the group responsible for the attack, and the bitcoin address was identified. In an interview with BBC World News, James Foster, ZeroFox CEO, supported this tactic during his commentary on the rise in ransomware attacks: “These are financially motivated attacks, financially motivated groups. Follow the money, get it back and take away the motivation.”
Just the Beginning of What’s to Come
The battle to disrupt ransomware has only just begun. We have documented so far this year over 900 victims by over two dozen active ransomware groups known to steal and leak data to the dark web. Three other groups by the names of Conti, Avaddon and REvil are just as active as DarkSide was and have been emboldened by the U.S. response to fight back. REvil, a group tied to the JBS attack, recently stated in an interview that “it no longer makes sense to avoid working in the United States, all restrictions have been lifted.” From our monitoring, REvil is the third most active ransomware group so far in 2021, with 97 confirmed victims since February. Their position should be watched closely for follow-through as REvil has previously used public-facing interviews to amplify their mystique and to attract more affiliate talent to their team. They want to build their brand further but also stay in business.
Other groups continue to target all industry sectors, including healthcare, without regard. For example, Conti’s infection of an Irish hospital happened a few days after the Colonial Pipeline incident. Most likely, these ransomware gangs will finish out current operations on high visibility targets and resort to targets that less directly affect the daily lives of citizens of a country to avoid public scrutiny and pressure from law enforcement. Regardless, these developments alone point to the importance of the recently announced ransomware task force and adopting a proactive approach to defending an organization’s attack surface against ransomware targeting.
ZeroFox’s James Carnall, GM & VP, Services in Operations, and Olga Polishchuk, Sr. Director, Investigations & Analysis in Operations, sat down to discuss “A Year in Threat Intelligence.” During the discussion, the rise in ransomware and its ties to the dark web became central (jump to minute 4:46 to hear more).
Tying Predictions Together
Since November of last year, we have seen many of these malicious groups leverage ransomware, double extortion and new pressure techniques in an evolved capacity. Our team narrowed in on ransomware predictions in our “The Future of Digital Threats: 2020 Insights, 2021 Predictions” report. As Olga describes in her discussion with James, in 2020 there was a boom in the amount of information posted to dark web environments. Threat intelligence collection in these environments can be challenging, as the dark web can be a very “noisy” environment to monitor. The key is to understand who is behind these campaigns and what their driving motivations are. It is the financially motivated groups that have been incredibly active; understanding how they continue to evolve is critical. For example, our threat intelligence team recently noticed a prominent ransomware group recruiting to staff their call centers. We are seeing groups who have always operated within their own circle reaching out and searching for additional members. This suggests they have more work than their current staff can handle.
Since the second half of 2019, ZeroFox has observed the creation of and tracked updates to over two dozen primarily Tor-hosted leak sites stood up by ransomware gangs to dump the data of non-compliant victims.
Recommendations for Security Teams
When it comes to ransomware and persistent threats it is critical the following areas are covered at a bare minimum:
- Track updates to the nearly two dozen active ransomware data leak sites for crossover in business operations and exposed data.
- Conduct risk and vulnerability modeling of the latest tactics, techniques and procedures (TTPs) that are gaining traction in the cybercriminal underground.
- Incorporate open-source monitoring into mitigation and response strategies to easily comb through and prioritize dark web threat activity.
- Enhance employee cybersecurity training to include discussion on more sophisticated targeting such as information stealer malware.
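One way to operationalize the first recommendation above, as an added example that is not ZeroFox's own code: compare a fresh snapshot of leak-site victim postings against the previous one and flag new entries whose domains match the organization's own domains or those of its suppliers (the postings, domains and watchlist below are constructed sample data; the registrable-domain helper assumes two-label TLDs).

```python
"""Flag new ransomware leak-site postings that overlap with our own
domains or our suppliers' domains. Added example with constructed data."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Posting:
    group: str    # ransomware group operating the leak site
    victim: str   # victim name as shown on the site
    domain: str   # victim domain/URL as scraped (may be messy)
    posted: str   # ISO date the entry appeared


def norm_domain(d: str) -> str:
    """Lowercase and strip scheme, path and a leading 'www.' so that
    scraped values and watchlist entries compare consistently."""
    d = re.sub(r"^https?://", "", d.strip().lower()).split("/")[0]
    return d[4:] if d.startswith("www.") else d


def registrable(d: str) -> str:
    """Crude registrable domain: last two labels (assumption: no ccTLDs)."""
    return ".".join(norm_domain(d).split(".")[-2:])


def new_postings(previous, current):
    """Entries present in the current snapshot but not in the previous one."""
    seen = {(p.group, registrable(p.domain)) for p in previous}
    return [p for p in current if (p.group, registrable(p.domain)) not in seen]


def crossover(postings, watchlist):
    """watchlist maps domain -> relationship ('self', 'supplier', ...)."""
    wl = {registrable(k): v for k, v in watchlist.items()}
    return [{"group": p.group, "victim": p.victim, "domain": registrable(p.domain),
             "relationship": wl[registrable(p.domain)], "posted": p.posted}
            for p in postings if registrable(p.domain) in wl]


# Constructed sample snapshots and watchlist (not real victims or sites).
PREVIOUS = [Posting("GroupA", "Acme Logistics", "acme-logistics.example", "2021-06-01")]
CURRENT = PREVIOUS + [
    Posting("GroupA", "Example Parts Co", "https://www.exampleparts.example/leak", "2021-06-10"),
    Posting("GroupB", "Unrelated Corp", "unrelated.example", "2021-06-11"),
]
WATCHLIST = {"ourcompany.example": "self", "exampleparts.example": "supplier"}


def run():
    """Return crossover hits among postings new since the last snapshot."""
    return crossover(new_postings(PREVIOUS, CURRENT), WATCHLIST)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

A real deployment would feed scraped snapshots in per group and alert on any hit; the supplier match here is the “crossover in business operations” case the recommendation refers to.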
While monitoring the dark web is time-consuming, it has become a necessary element of any strong threat intelligence program, especially when tied to ransomware risks. Understanding where to focus those efforts is critical to finding and addressing threats at scale. Learn more about the TTPs threat actors leverage on the dark web and where to focus security efforts when it comes to ransomware and more in our research report, Fact vs. Fear: Dark Web Trends Security Teams Need to Focus On.