by Jane Lo, Singapore Correspondent
“Ransomware is like a very expensive, ‘surprise’ penetrative testing tool. You pay for a service, and you learn about your weakest point,” said Candid Wüestastutely (VP, Cyber Protection Research, Acronis), at Acronis Global Cyber Summit 2020.
With Covid-19 work-from-home guidelines accelerating the digitalization trend, cyber attackers have been unrelentless in exploiting the ever-expanding internetfor launching their wares.
One of these is ransomware attacks, which have skyrocketed across sectors from the healthcare sector to manufacturing plants.
Theimmediate question for many caught in such situation is, shouldthe victim give in to the ransom demands?
While cyber insurance may make it easier to pay up, it does not guarantee data recovery.
“The criminals may have lost the decryption keys. Or even being shut down by the law enforcement agency,” said Candid.
“The payment may also breach anti-money laundering regulations, such as the US OFAC sanctions programs which prohibit transactions against countries and groups of individuals, such as terrorists and narcotics traffickers,” he said.
“Search on nomoreransom.org for resources in unlocking the data,” he advised.
As the threat actors grow in sophistication, how worried should organisations be? We had the chance to sit down with Candid after his presentation to find out.
1. Cybercriminals are ratcheting up ransomware attacks by all indications: the number of incidents, the volume of data compromised, thesize of ransom demands.
Over the last 12 months, “700 or more companies already had their data leaked,” Candid revealed.
Even more recently, the ransomware group Maze that claimed responsibility for Canon’s July ransomware incident – which led to a temporary suspension of Canon’s online platform for users uploading/storage of photos –said it had up to 10 TB of sensitive Canon’s information.
Another group, Evil Corp, was reportedly in negotiations topping $10 million with Garmin – the GPS specialist who saw its fitness-tracker services and commercial aviation offerings such as flight-plan filing disabled by ransomware.
2. They are continuing to advance their techniques in mounting their multi-stage campaigns.
One is stealing 2FA credentials through illegitimate portals.
“We saw one instance where an illegitimate AT&T 2FA entry screen was mimicked from the original,” said Candid.
“We also see phishing pages hosted on trusted public cloud domain, such as Microsoft Azure, IBM Cloud, to mislead users into disclosing their credentials. These sites are not always immediately blacklisted or blocked,” he warned.
Once in the system, they leverage a range of obfuscation techniques, including hiding in virtual machines, he said.
According to SingCert, the ransomware group REvil for example, designs the ransomware in such a way that it does not have a readable string (i.e. more difficult to identify). To further evade detection, the malicious codes may be embedded inside a zipped file, which generally has a low detection rate by anti-virus systems.
3. They are doubling-down their attacks on victims across various fronts to chip away resistance to ransom demands.
One is exploiting fears of reputational damage through “name and shame,” where the victim is threatened with publication of the exfiltrated data.
For examples, in June, the Maze group leaked ~50GB they claimed to have stolen from LG’s internal network, following failed extortion attempts.
The REvil/Sodinokibi group had even set up a dedicated website “Happy Blog” for this purpose. One of its victims, the US giant Brown-Forman(manufacturer of alcoholic beverages including Jack Daniel’s) was named in an anonymous message sent to Bloomberg. REvil claimed to have intruded into the victim’s network and copied 1TB of data and promised to share it on a website.
Another is sabotaging business continuity efforts.
Recent incidents include a SunCrypt ransomware threat actor which “DDoSed” a victim’s website, and the DoppelPaymer group who recently fired a warning shot by publishing the Admin username and password for a victim’s backup software.
4. They are adding to their arsenal of tools.
Tucked away in their “bags of tricks” – in addition to data exfiltration, destruction or encryption – are business process and data tampering tools. One is the recently discovered ransomware strain “Ekans” with the potential to disrupt industrial control systems (ICS). The code contains the usual encryption routines, as well as script to kill specific processes and applications used in ICS.
5. They are creating additional revenue streams from the compromised data.
On the same day that the stolen LG data was publicized online, another hacker was selling access to LG America’s R&D center on a hacking forum, reportedly with the asking price of $10k-$13k.Another group also announced in June on dark web an auction of the database trove of a Canadian agricultural company which has declined to pay a ransom, reportedly with a starting price of $50k.
6. They are extending their reach to beyond their initial victim, infecting the victim’s clients and business partners in “supply chain attacks”.
The most high profile is the NotPetya incident in June 2017. The threat actors targeted the update server of a widely deployed accounting software, M.E.Doc, to deliver the NotPetyamalware. While it was a specific attack against the Ukraine government, the ransomware spread to other users of the software that interacted with the government.
7. They are continuing to grow their operations with investments in “human resources” through recruitment and Ransomware-as-a-service (RaaS) model.
The REvil/Sondinokibifor example, announced on a dark web forum a $1 million deposit as proof of financial means to boost recruitment to develop and maintain ransomware.
Operating on a RaaS model, It also announced search for new “affiliates,” who would be responsible for hacking organisations with ransomware.
In essence, the RaaS model has a core team of developers, and “affiliates” or “distributors”, with the proceeds upon “success” split (usually 30/70) between the two groups.
Marketed for sale on dark web, the ease of “distribution” is optimized for “affiliates” with ready-to-go brute force attacks, Remote Desktop Protocols (RDPs) or Virtual Private Networks (VPNs)exploits and spam campaigns.
The revenue generation power of ransomware is undeniable.
By analyzing bitcoin wallets and ransom notes paid over the past 6 years, FBI has determined that cybercrime victims paid over $140m to ransomware operators over the last 6 years. According to FBI’s presentation at RSA 2020, the Ryuk ransomware family brought in significant revenue at ~$61 million.
“The Global economy is $83 billion, and the crime industry is $4-8 billion. 10% of this is cybercrime, and we believe a 10-30 (!) times growth in cyberattacks is possible in the near future,” said SergueiBeloussov (CEO, Acronis).
As the recent incidents demonstrate, by deploying tools running on scripts without human intervention and indiscriminately at scale across the internet, ransomware is a lucrative growth industry for the threat actors.
Backups, well-rehearsed disaster recovery plans, sophisticated multi-layer defenses, an integrated approach where detection automatically triggers mitigation measures such as patching are minimum requirements.
Most importantly, “prevention is the better than cure”, said Candid.
“Stopping the attack early in the kill chain, such as strong passwords”, he said, can ultimately prevent the unpredictable losses from the ransom payment, penalties, and loss productivity.