Ransomware evolution
Vicky Ray, Principal Researcher at Unit 42, Palo Alto Networks, talks about the different types of ransomware attacks out there.
EITN: How many types of ransomware services are there? For example, REvil is ransomware as a service operator? Are there other business models?
Vicky: In recent years, we have seen the rise of “ransomware as a service” (RaaS) due to its ability to yield huge profits to criminal organisations. This subscription-based service has grown in popularity as it provides a lower barrier to entry for cybercriminals to get into the ransomware business and become an affiliate. This also allows non-technical affiliates to successfully execute ransomware attacks by purchasing the necessary exploits and malware and collaborating with other key players in the RaaS ecosystem.
This model is different from the more traditional ransomware attacks in the past, where a cohesive team both builds the malware and executes the attack. In the RaaS model, there are at least two parties who establish a business relationship: the developer and the affiliate. The developer writes the malicious program that encrypts and potentially steals the victim’s data. The author then licenses this malware to the affiliate for a fixed fee or a share of successful ransom payments.
The affiliate executes the attack and collects the ransom, potentially also entering into additional business arrangements, like purchasing exploits or using cryptocurrency. We have increasingly seen a third player assisting in RaaS attacks: the “Service Provider”. The “Service Provider”, AKA “ransomware consultant”, helps the affiliate at various stages of the ransomware attack, from selecting victims and providing exploits to attacking victims and handling the negotiations.
There are several other tactics used by the RaaS gangs such as double extortion and using distributed denial-of-service (DDoS) against victim websites as additional leverage.
In a case of double extortion, ransomware operators encrypt and steal data to further coerce a victim into paying a ransom. A DDoS attack employs very large numbers of attacking computers to overwhelm the target with bogus traffic, and threat actors can employ DDoS attacks against victim organisations that do not cooperate during the negotiation period.
EITN: Can you share signature ways that the group negotiates with their victims?
Vicky: Affiliates of REvil operations often use two approaches to persuade victims into paying up. The first method entails encrypting data so that organisations cannot access information, use critical computer systems, or restore from backups. The second method involves stealing sensitive data and threatening to post it on their leak site, a tactic known as double extortion.
If the victim does not pay, REvil threat actors typically publish the exfiltrated information. Furthermore, when victims fail to meet deadlines for making payments via bitcoin, the attackers often double the demand. We have observed threat actors who are clients of REvil focus on attacking large organisations, which has enabled them to obtain increasingly large ransoms. REvil and its affiliates pulled in an average payment of about US$2.25 million during the first six months of 2021 and have published data from at least 273 victim organisations on their leak site, more than 10 times the number at the end of last year.
EITN: How do cybercriminals boost ROI in their criminal business?
Vicky: Cybercriminals can increase their profits by monetising their services with the Ransomware as a Service (RaaS) model and earning a cut of the profits from affiliates, all without being involved in the actual attack. REvil is one of the most prominent providers of ransomware as a service (RaaS) and collects a percentage of ransom payments. The average payment we’ve observed in REvil cases this year is approximately US$2.25 million, and the largest known ransom it has taken in was US$11 million following a high-profile attack on the world’s largest meat processing company, JBS. REvil’s latest attack against Kaseya VSA has seen them asking for a record ransom of US$70 million.
Additionally, when victims refuse to cooperate, threat actors can employ DDoS attacks to cause their operations to shut down, effectively forcing them to comply.
EITN: What is their motivation behind attacking software companies like SolarWinds?
Vicky: The attack on SolarWinds, and the resulting compromise of several SolarWinds customers, was not perpetrated by ransomware gangs or cyber criminals. It was coordinated by a well-funded and organised threat actor who was not financially motivated but is suspected to be a nation-state. The threat actors were trying to gain access to several critical networks to steal sensitive data via trojanised updates to SolarWinds’ Orion IT monitoring and management software. Supply chain attacks remain a great concern, as the scale and impact of cyber attacks on technologies with global reach can have devastating consequences for businesses. The recent supply chain attack on Kaseya VSA is an example of how ransomware actors leverage a vulnerability in software to deliver ransomware to a large number of victims, in this case Kaseya customers using its VSA product.
EITN: What do you make of the recent Colonial Pipeline incident where part of the ransom paid was retrieved? Is the response to mitigate/stop ransomware enough?
Vicky: While it’s commendable that the authorities were able to retrieve part of the ransom in the Colonial Pipeline incident, this case is an exception to the norm – most victims are not fortunate enough to have the authorities step in and retrieve their ransom. As such, they need to adopt a more proactive approach and ensure robust cybersecurity.
The most effective strategy to reduce the risk and impact of ransomware attacks relies on having a holistic defence posture and being prepared to handle such attacks at all levels of people, process and technology to prevent a successful attack. There are several measures to reduce ransomware exposure, including curbing initial access and putting in place a backup and recovery process.
Initial access consists of the techniques attackers use, via various entry vectors, to gain their initial foothold within a network. Organisations should maintain user awareness and training for email security, as well as consider ways to identify and remediate malicious email as soon as it enters an employee’s mailbox.
It is also imperative that organizations continue to back up their data and ensure this is maintained securely offline. Recovery processes must be implemented and rehearsed with critical stakeholders to minimize downtime and cost to the organization in the event of a ransomware attack.
Lastly, one of the most effective forms of protection from ransomware is to ensure endpoint security solutions are deployed to all enterprise environments and devices. These will drastically reduce the risk of infection from common variants and provide stopgap measures, allowing one technology to offer a line of enforcement when another may not be effective.
EITN: When Palo Alto looks at ransomware, do you categorise your research according to ransomware gangs, types of ransomware attacks (i.e. supply chain, etc.), types of business model (as a service), etc.?
Vicky: There are several aspects we look at when researching and building protections against ransomware. For example, we perform deep inspections and analysis of ransomware samples to understand their capabilities and also their associations to known ransomware families, if any. We also track campaigns based on several attributes of a ransomware, like crypto wallets, associated TTPs (Tools, Tactics & Procedures), attribution to a specific gang and many more.
EITN: What are ransomware trends that you have noticed, and how do you see this panning out in 3-5 years?
Vicky: Some of the trends that we’ve noticed include:
- The increased adoption of the Ransomware-as-a-Service model. The ease of success with ransomware attacks tells us that more financially motivated operators will continue appearing on the scene. We expect more and more operators will follow this model for all sums of money.
- Increase in variants and capabilities. New and updated ransomware variants and families will continue to be developed and deployed for use as standalone malware or alongside commodity malware. Additionally, with Linux being targeted more often, it is clear that adversaries will continue to build out the capability to target all kinds of systems.
- More to adopt double extortion. Proof of compromise and double extortion techniques were also less than a year old heading into 2020, but they have now exploded in popularity. At least 16 different ransomware variants are now threatening to expose data or utilising leak sites, and more variants will likely continue this trend. Our latest observations suggest several double extortion ransomware gangs are actively targeting organisations, with the Conti gang leading the list with 437 victims’ data leaked on its darknet leak site, followed by REvil at 273.
- Increasing ransom demands. The highest ransom demand has increased from US$500 to US$70 million in just a few years. The average ransom paid has also tripled from 2020 to 2021. As long as attackers keep getting paid, these demands will continue to rise.