Repeat Offenders Target Prior Ransomware Insurance Victims for Fun and Profit


Ransomware has become an ever-growing threat in the cyber landscape. The number of attacks is growing, the size of the ransoms is increasing, and as a result, so are the premiums for ransomware insurance. Now it appears that there is a growing trend whereby threat actors compromise ransomware insurance victims who have already been attacked in recent memory.

A New Ransomware Trend

An interesting trend may be emerging in the ransomware world: some victims are being attacked multiple times. In the last month, ZeroFox research has identified three victims that were each compromised two or more times. The first case is a manufacturing company that was originally compromised by Maze ransomware in April of 2020. They were compromised again in March of 2021, this time by the Darkside ransomware team. In June 2021, they fell victim yet again, this time to Conti.

In the second case, a financial services company originally fell victim to Egregor in October 2020. They were compromised again by Conti in June 2021. The third re-victimized company was a retail company originally attacked by DoppelPaymer in March 2021 and again by Grief ransomware three months later in June 2021. These timelines are represented in Figure 1.

Why Target Prior Ransomware Insurance Victims

The reasoning behind selecting companies that had already been infected is not certain. Still, repeat attacks against victims definitely appear to be on the rise, and the selection of targets who hold ransomware insurance policies is too frequent to be coincidental. Actors such as REvil have even gone on record stating that insured victims are preferred targets. A recent Cybereason report found that four out of five ransomware victims were attacked again. It was not immediately clear, however, what relationship existed between the initial and subsequent attacks.

In the cases involving Maze, Darkside, and Egregor, Conti had operated in a cartel with each of those groups before they went defunct. It may seem unlikely that these targets were selected for monetary reasons: they had recently been victimized, and if they had already paid out, they would be in a worse financial position to pay a second ransom. However, ransomware actors openly admit to doing easy jobs for easy money. Particularly when the company is insured, a prior compromise demonstrates that it is vulnerable. Even if the payout may be smaller than for an initial breach, the attack has a higher likelihood of success.

ZeroFox does not have any evidence to relate Grief ransomware to DoppelPaymer. Grief is a newcomer to the landscape, and not as much is documented about their operations or their team members. Given the interconnected history of many of these teams, it is entirely possible that a member of their organization was familiar with the earlier attack and used the knowledge and TTPs to score a quick victory for their reputation.

ZeroFox does not have the specific details of these attacks, including the ransoms paid. However, all of these groups share a similar attack chain for their intrusions. With the possible exception of Grief, all of these groups have worked with affiliates (or have been affiliates of each other) in a ransomware-as-a-service group, sometimes referred to as a cartel. Under such a model, the initial access and compromise are carried out separately, possibly by a different team, and the ransomware is deployed after the exploitation phase is complete. Alternatively, these ransomware actors may share common reconnaissance techniques and may simply have picked up the same vulnerabilities in their scans before these companies had effectively secured their networks. That explanation seems less likely, however, given the tight interrelation of many of these groups.

The Continued Rise in Ransomware

As ransomware continues to increase, it’s imperative that security teams are prepared to identify and take action on these kinds of attacks quickly. Here are a few recommendations from the ZeroFox threat research team:

  • When breaches occur, always change known compromised passwords, as well as passwords on critical accounts.
  • Ensure multi-factor authentication is enabled.
  • If the initial attack vector is known, ensure that the vulnerabilities leveraged are corrected immediately.
  • Perform a penetration test to determine weaknesses in the network configuration and correct the findings as soon as possible.

Ransomware has increased across the board, not only in terms of the sheer volume of attacks but also in terms of required ransoms. We are also aware that actors are actively targeting companies with ransomware insurance. However, it is becoming clear that being a recent victim of an attack is not a deterrent from being attacked again and may actually increase the risk of one or more subsequent attacks.
