Feature US and European cops, prosecutors, and NGOs recently convened a two-day workshop in the Hague to discuss how to respond to the growing scourge of ransomware.
“Only by working together with key law enforcement and prosecutorial partners in the EU can we effectively combat the threat that ransomware poses to our society,” said US assistant attorney general Kenneth Polite, Jr, in a canned statement.
Earlier this month, at the annual RSA Conference, this same topic was on cybersecurity professionals’ minds – and lips.
Ransomware, and other cybercrimes in which miscreants extort organizations for money, “is still the vast majority of the threat activity that we see,” Cyber Threat Alliance CEO Michael Daniel said in an interview at the security event.
Increasingly, however, cybercrime rings still tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable.
The FBI and CISA this month warned about a lesser-known extortion gang called Karakurt, which demands ransoms as high as $13 million. Karakurt doesn’t target any specific sectors or industries, and the gang’s victims haven’t had any of their documents encrypted and held to ransom.
Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don’t receive a payment.
“That’s exactly what’s happening to a lot of the victims that we work with,” Mandiant Intelligence VP Sandra Joyce told The Register. “We call it multi-faceted extortion. It’s a fancy way of saying data theft paired with extortion.”
Some of these thieves offer discounted ransoms to corporations to encourage them to pay sooner, with the demanded payment getting larger the longer it takes to cough up the cash (or Bitcoin, as the case may be).
Until it is not the lucrative business that it is today, it’s not going away
Additionally, some crime groups offer “sliding-scale payment systems,” Joyce noted. “So you pay for what you get,” and depending on the amount of ransom paid “you get a control panel, you get customer support, you get all of the tools you need.”
As criminals move deeper into extortion, they rely on other tactics to force organizations to pay up – such as leaking stolen confidential data from Tor-hidden websites, and devising other ways to publicly humiliate companies into paying a ransom for their swiped documents, Joyce added. “Until it is not the lucrative business that it is today, it’s not going away.”
This echoes what Palo Alto Networks’ Unit 42 incident responders are seeing as well. Crooks post, on average, details about sensitive information stolen from seven new victims per day on these dark-web leak sites, according to Unit 42 research released at RSA Conference.
“The cyber-extortion crisis continues because cybercriminals have been relentless in their introduction of increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this unprecedented, global digital crime spree,” wrote Ryan Olson, the VP of threat intelligence for Palo Alto Networks who leads Unit 42.
More sophisticated … marketing campaigns?
Indeed, much has been made about the growing ransomware-as-a-service market, whereby malware developers rent out their code to less tech-savvy fraudsters to deploy on victims’ networks, once access has been obtained by buying stolen or leaked login credentials or paying someone else to do the intrusion, or similar.
Indeed, the Conti internal communications leaked earlier in the year highlighted how these ransomware gangs operate akin to software-as-a-service startups.
And on top of that, the way that these crime groups use marketing and public relations campaigns points to a whole new level of sophistication, according to Ryan Kovar, who leads the Splunk Surge research team.
In March, Kovar’s security biz published research on how long it takes ten of the big ransomware families – including Lockbit, Conti, and REvil – to encrypt 100,000 files. They found Lockbit was the swiftest – indeed the reason the team undertook this analysis in the first place was because that ransomware gang claimed on its Tor website to have the “fastest ransomware.”
“They’re to the point where someone said, ‘We’re losing ground to other ransomware families. And we actually have to create marketing material to better position our ransomware as the choice du jour,'” Kovar said in an interview on the sidelines of RSAC.
“That’s fascinating,” he continued. “The sophistication shows there’s a competitive aspect to this beyond just ‘we’re good at converting ransoms to Bitcoin’.”
But still hitting the same, unpatched vulns
Miscreants may have moved on to new extortion techniques and more sophisticated business models, but they are exploiting the same, known vulnerabilities – simply because these still work and don’t require a heavy lift from the malware operators. These are profit-seeking criminals, after all, looking to keep costs low and profit margins high.
“The way the ransomware actors have success … is often through those known exploitable vulnerabilities,” NSA Cybersecurity Director Rob Joyce said, speaking during a panel at RSA Conference.
Enterprises can reduce their risk by patching these known actively exploited bugs, he added. “That needs to be the base,” Joyce said. “Everybody needs to get to that base level and take care of the unlocked doors that [cybercriminals] are coming in today.”
In a separate interview at the show, Aanchal Gupta, who leads Microsoft’s Security Response Center, concurred.
“Businesses sometimes think they have to do something unique about ransomware,” she told The Register. “And I would say no, you do not have to do anything unique about ransomware. All you need to do is the same protect, detect, respond.”
Protect means patch your systems, and detection requires visibility across the network, Gupta added. “Because they all come through the known vulnerabilities that have been disclosed, and there are patches available 99 percent of the time.”
Typically, these profit-driven crooks aren’t breaching networks through zero-day exploits, she said. “They are not going to purchase a zero-day for a half a million dollars to do a ransomware attack,” Gupta noted.
Gupta and others encouraged organizations to run table-top exercises so they are prepared if or when an attack hits.
Tell the truth. Even if it hurts
The public response to an intrusion needs to be transparent if it’s to be helpful – even if it’s embarrassing. This includes having a ransomware press release written in advance, noted Dmitri Alperovitch, chair of security-centric think tank Silverado Policy Accelerator.
“Write a press release that you’re going to put out in the event of a data leak, or a ransomware attack,” he said. “Have that ready because oftentimes, inevitably, it takes days for people to get their arms around what they’re going to say publicly, and they involve way too many lawyers. Get that out of the way early on so that you can just fill in the details.”
And don’t lie. Eventually, corporations do recover from ransomware attacks – especially if they have good backups.
But they may not regain customers’ trust if they aren’t transparent about what happened, CrowdStrike CTO Mike Sentonas told The Register. His company was hired to assist in incident response after a “well-known media company got hit with ransomware,” Sentonas said.
CrowdStrike advised the corporation to tell the truth, “and they went and did the opposite, said it was a sophisticated adversary and no one could have ever stopped this,” Sentonas said. In fact, “it was a really basic attack,” he noted. “And you come out looking a little bit silly through that process.” ®