eCrime industrialisation – how ransomware groups are lowering the barrier to entry and maximising profitability

Written by VMware Security Business Unit

Wherever there is disruption, cyber criminals see opportunity. Alongside the devastating health and economic impacts of the global coronavirus pandemic, we have also seen a huge escalation in ransomware attacks as people shifted to working from home. VMware threat researchers have recorded a 900% year-on-year increase in ransomware attacks in the first half of 2020.

Attacks are not only more frequent, they are also more sophisticated, as adversaries strive to maximise the revenue potential from each hit. As modular, feature-rich malware has become commodity tooling, adversaries are diversifying and adopting more strategic, multi-stage tactics. They have identified factors such as high financial and regulatory penalties and reputational damage that give them more leverage to extort money from victims. As a result, it is now easier than ever for criminals with minimal skill to execute highly impactful attacks.

Destructive attacks and the sale of direct access into corporate networks are also on the rise, and the lucrative payoff from all of these is changing how adversaries approach their craft: a typical ransomware attack today is designed to do a lot more than simply encrypt data.


Shift from spray and pray to cultivate and curate – rise of the hands-on ransomware attack

In the past, a ransomware attack typically originated in a phishing email where the victim unwittingly opened an infected document or clicked a link that executed actions to immediately encrypt the environment and demand a ransom. Adversaries launched high-volume attack campaigns on the assumption that some would make it through defences and payday would follow.

The current approach is much more hands-on-keyboard, with the attacker actively orchestrating a targeted intrusion that will deliver multiple opportunities to monetise the results. In the attacks we are seeing today, the eventual encryption and ransom demand comes a long way down the line; victims should assume that attackers have been inside their network for a significant period, have mapped out their infrastructure, and have already exfiltrated their most sensitive assets. The new evolution of ransomware attacks involves:


Research phase: the adversary gathers intelligence about your organisation through open source intelligence (OSINT) gathering – everything from social media and geographical footprint to publicly exposed IP addresses found on Shodan – paying special attention to the organisation’s employees. All of this helps to establish an attack plan, most commonly targeted at unsecured edge devices, with Microsoft’s Remote Desktop Protocol (RDP) by far and away the most commonly leveraged.


Reconnaissance: adversaries scan your organisation from the internet, looking at edge devices that could be a potential entry point, extrapolating what the rest of your environment might look like and which resources are worth targeting. They might identify home users with publicly exposed devices and target them with a phishing email, but more typically we see adversaries go after poorly configured edge devices; a Windows server with RDP exposed to the internet and no multi-factor authentication in place is an ideal access vector.


Access and consolidation: on entry the attacker conducts initial post-exploitation reconnaissance to obtain a credential and elevate their privileges so they can pivot from the demilitarised zone (DMZ) into the internal systems and map out the internal infrastructure. At this point most ransomware groups we have been following will try to backdoor additional systems with redundant access to a secondary command and control (C2) server, and will also try to infect the backup server, even getting their payloads deployed within the backups themselves. They probably will not use this redundant access – it is insurance in case their initial route gets cut off – but from a victim’s perspective it is something you need to look for in incident response.


Slow and steady data exfiltration: to avoid triggering the controls companies have in place to prevent large-scale data exfiltration, attackers look for a discreet way to get the data out of the organisation. This might be through a compromised user account within the environment, moving files slowly and unobtrusively to that user and offloading them to another server – such as a compromised web server – which serves as a collection point for the stolen data. Or they might move the data out slowly through protocols such as DNS, which is rarely blocked outbound and rarely inspected.
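To make the DNS variant concrete, here is an added detection example (written for this page, not VMware code) that scans DNS query logs for the signature of data encoded into the subdomain labels of an attacker-controlled domain: many unique, long, high-entropy subdomains of one registered domain, all from a single client, spread out over time so that no single query looks large. The log format, the thresholds and the "last two labels" approximation of a registered domain are assumptions made for the illustration, and the log lines are constructed.

```python
"""Flag low-and-slow DNS exfiltration in DNS query logs (added example).

Data leaving over DNS is chunked and encoded into subdomain labels of a
domain the attacker controls, so each query carries only a small piece.
Individually the queries look harmless; in aggregate one client produces
many unique, long, high-entropy subdomains of the same registered domain.
Log format, thresholds and domain parsing are assumptions for this demo.
"""
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <qtype>".
# 10.1.4.22 is ordinary browsing; 10.1.4.57 is pushing data out five minutes apart.
SAMPLE_LOG = """\
2020-06-01T09:00:01 10.1.4.22 www.example.com A
2020-06-01T09:00:05 10.1.4.22 mail.example.com MX
2020-06-01T09:01:10 10.1.4.57 4d2a9f0c1e7b3a8d5f6e.cdn-stats.example.net TXT
2020-06-01T09:06:12 10.1.4.57 9c8b7a6f5e4d3c2b1a0f.cdn-stats.example.net TXT
2020-06-01T09:11:15 10.1.4.57 1f2e3d4c5b6a79881a2b.cdn-stats.example.net TXT
2020-06-01T09:16:18 10.1.4.57 7a1b2c3d4e5f60718293.cdn-stats.example.net TXT
2020-06-01T09:21:20 10.1.4.57 b4c5d6e7f8091a2b3c4d.cdn-stats.example.net TXT
2020-06-01T09:26:22 10.1.4.57 e9f8a7b6c5d4e3f2a1b0.cdn-stats.example.net TXT
2020-06-01T09:30:00 10.1.4.22 login.example.com A
2020-06-01T09:31:00 10.1.4.22 static.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload scores far above 'www'."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.

    Assumption for the demo: a real deployment should use the Public Suffix
    List so that names such as example.co.uk are treated as one domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        yield ts, client, qname.lower().rstrip("."), qtype


def find_dns_exfil(log_text, min_unique=5, min_entropy=3.0, min_label_len=12):
    """Return {(client, domain): stats} for client/domain pairs that look like exfil."""
    buckets = defaultdict(lambda: {"subdomains": set(), "entropies": [], "lens": []})
    for _ts, client, qname, _qtype in parse_log(log_text):
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".")
        if not sub:
            continue  # a bare apex query carries no payload
        leftmost = sub.split(".")[0]  # the label the encoder fills first
        b = buckets[(client, domain)]
        b["subdomains"].add(sub)
        b["entropies"].append(shannon_entropy(leftmost))
        b["lens"].append(len(leftmost))

    hits = {}
    for key, b in buckets.items():
        n = len(b["subdomains"])
        if n < min_unique:
            continue  # normal hosts reuse a handful of names
        mean_h = sum(b["entropies"]) / len(b["entropies"])
        mean_len = sum(b["lens"]) / len(b["lens"])
        if mean_h >= min_entropy and mean_len >= min_label_len:
            hits[key] = {
                "unique_subdomains": n,
                "mean_entropy": round(mean_h, 2),
                "mean_label_len": round(mean_len, 1),
            }
    return hits


if __name__ == "__main__":
    for (client, domain), stats in find_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Run it over resolver or sensor logs covering days rather than minutes, since the whole point of the technique is that the volume per hour is unremarkable. Expect legitimate sources of high-entropy labels (CDN cache keys, anti-malware telemetry, some email security products) and allowlist them by registered domain; the stronger corroborating signals are unusual record types such as TXT or NULL, a domain registered recently, and a single client accounting for almost all queries to it.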

By now the attacker has achieved the first part of their goal: they have stolen data they can monetise directly, and they have persistence on the victim’s systems. The victim is still unaware, and now the attacker starts to plan the next stage of the attack.


Extortion – reputations and data held to ransom

This is where we are seeing the convergence of data theft and ransomware. Once attackers launch the encryption phase of the attack, they lock up the victim’s data and demand payment in a traditional ransomware style.

Businesses with good data backups and recovery capabilities might be tempted to call the attacker’s bluff – until the extortion starts. Attackers threaten to release parts of the stolen data on the web to publicise the breach if payment is not forthcoming. So even if the business can recover its data, its reputation and company secrets are still on the line.

The Maze Cartel is an arch-exponent of this technique: when victims don’t pay, they publish stolen data on their website. It is bold and shows the capabilities and power these groups exercise. We are also seeing these groups collaborating and sharing infrastructure and code, which makes attacks harder to attribute and increases their overall capabilities.

If the victim bows to pressure and pays the ransom, their data has still been breached and is for sale on the dark web, adding another revenue stream for the attacker. Of equal concern is the fact that the adversary still has redundant command and control access that they can sell or use to conduct further attacks.


How to combat evolving ransomware attacks

You have to treat ransomware like you would any other breach – this is someone who is in your environment, and they have access to a lot of sensitive data. You need to conduct full incident response and recovery following each of these attacks, looking especially for signs of residual access to your environment following ransomware data theft.

To protect networks, defenders need to deploy endpoint protection, making sure they are blocking ransomware and have layered visibility of what is happening within the network. Understand in detail what your processes are doing, and segment your networks effectively so that the scenario described above is not easy for an attacker to achieve.

Watch for evidence of initial-access reconnaissance activity, configure alerts for large-scale data exfiltration, look for redundant command and control access, and bear in mind that attackers are playing the long game. They aim to retain their foothold in the environment for as long as possible, so you might be looking for something that activates on a weekly or even monthly cycle and is therefore easy to miss. If you have suffered an attack, you should engage an incident response firm to look for these hard-to-find indications that your network is still being curated for future attacks.
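As an added example of hunting for the long-cycle activity described above (not part of the original article), the following script looks for beaconing in outbound connection logs by regularity rather than volume: for each source, destination and port it measures the gaps between connections and reports a series whose median gap is long and whose jitter is small. A weekly check-in to a secondary C2 server never trips a volume threshold, but it is conspicuously periodic. The log format and thresholds are assumptions, and the sample lines are constructed.

```python
"""Find long-cycle beaconing in outbound connection logs (added example).

A backdoor that checks in weekly or monthly never trips a volume alert;
what gives it away is regularity. For each (source, destination, port)
the intervals between connections are measured, and a series with enough
connections, a long median interval and very little jitter is reported.
The log format and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample of outbound connections: "<ISO timestamp> <src> <dst> <dport>".
# 10.1.4.57 reaches 203.0.113.10 every seven days at about 03:15 (the implant);
# 10.1.4.22 talks to 198.51.100.5 at irregular times (a person browsing).
SAMPLE_CONNECTIONS = """\
2020-03-01T03:15:02 10.1.4.57 203.0.113.10 443
2020-03-01T09:12:00 10.1.4.22 198.51.100.5 443
2020-03-01T13:40:00 10.1.4.22 198.51.100.5 443
2020-03-03T08:05:00 10.1.4.22 198.51.100.5 443
2020-03-05T11:00:00 10.1.4.90 198.51.100.7 80
2020-03-07T17:22:00 10.1.4.22 198.51.100.5 443
2020-03-08T03:14:58 10.1.4.57 203.0.113.10 443
2020-03-15T03:15:11 10.1.4.57 203.0.113.10 443
2020-03-20T11:00:00 10.1.4.90 198.51.100.7 80
2020-03-22T03:15:05 10.1.4.57 203.0.113.10 443
2020-03-29T03:14:55 10.1.4.57 203.0.113.10 443
"""


def parse_connections(text):
    """Yield (timestamp, src, dst, dport); lines that do not fit are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def detect_beacons(log_text, min_connections=4, max_cv=0.1, min_period=3600):
    """Return {(src, dst, dport): stats} for series that look like periodic check-ins.

    max_cv is the allowed jitter as coefficient of variation (std dev / mean)
    of the gaps; min_period (seconds) filters out short-cycle chatter such as
    software update checks that a separate rule should cover.
    """
    series = defaultdict(list)
    for ts, src, dst, dport in parse_connections(log_text):
        series[(src, dst, dport)].append(ts)

    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_connections:
            continue  # too few points to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period < min_period:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[key] = {
                "connections": len(stamps),
                "period_seconds": period,
                "jitter_cv": round(cv, 4),
            }
    return hits


if __name__ == "__main__":
    for (src, dst, dport), stats in detect_beacons(SAMPLE_CONNECTIONS).items():
        days = stats["period_seconds"] / 86400
        print(f"{src} -> {dst}:{dport} every {days:.1f} days, {stats}")
```

This only works with enough history: a weekly beacon needs at least a month of flow or proxy logs to yield the four intervals the default settings require, which is exactly why retention matters for the "long game" the article describes. Implants commonly add random sleep to blur the pattern, so treat max_cv as a tuning knob rather than a constant, and corroborate a hit with the host-side evidence the incident responders gathered, such as the secondary C2 channel or a scheduled task that fires on the same cadence.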

It’s important to understand that this new approach is bespoke work. It’s targeted and long-term tradecraft and the pay-off is higher as a result; attackers will use every means at their disposal to get the most return on their efforts and grow their profits in the current highly disrupted environment.