1989 was a historic year. Opening the year, George H. W. Bush became the 41st President of the United States, and in February the first of 24 GPS satellites entered Earth’s orbit. To cap off a year that marked the fall of Communism, on December 31st Poland’s president signed the Balcerowicz Plan, ending communist rule in Poland and leading to the collapse of the Warsaw Pact.
Bookended by the historical events that took place throughout a year packed full of political and technological change, and almost unnoticed outside of the nascent cyber industry, in October 1989 the first instance of ransomware, the “AIDS Trojan”, was released. How little we suspected at the time just how crippling and common this new form of cyber-attack would become.
In the more than three decades since, ransomware has evolved from that first flawed, floppy-disk-borne enfant terrible into a global network of criminal gangs creating, maintaining, and leveraging ransomware attacks at an industrial scale. Today ransomware infrastructure is available as a service, on demand to any miscreant with sufficient seed funding and morals loose enough to ignore the damage they reap. Such ‘ransomware-as-a-service’ (RaaS), first seen in 2015, is now a common modus operandi globally and has significantly expanded the pool of threat actors capable of targeting an organization with ransomware-type attacks.
Even now, the final line of defence against ransomware is a well-architected and well-executed strategy for data and system backups. Historically, any organisation with recent and complete enough backups could elect not to pay the ransom demand and instead restore once they were confident they had ejected the attackers.
Unsurprisingly, ransomware gangs adapted to this development by ensuring that their cyber weapons also targeted and encrypted any and all backup locations that could be found connected to the network. In our game of cat and mouse we defenders adapted too, ensuring that backups were stored in data vaults isolated from the network and written to immutable media.
The game of cat and mouse continues. More recently, ransomware gangs have evolved in two other hugely significant ways. Understanding these latest changes in attacker behaviour is crucial if you are to defend your organisation against the disruption and downtime, and the financial and reputational loss, that ransomware delivers.
Firstly, some background. The time attackers remain with access to your network is called ‘dwell time’, and attackers use it to establish various methods of re-entering your network should you discover them and kick them out. The longer the dwell time, the more deeply and broadly attackers can infiltrate your systems, and the more time they have to target your information crown jewels.
Before moving to the actual ransom demand stage of the attack, ransomware attackers lie low in your network, spending time discovering and stealing copies of your most interesting and valuable data. As they do this they “hop” from machine to machine, a process we call “lateral movement”. Based on studies of major attack campaigns and threat actors, we know that attackers can move laterally to their ultimate target in six or fewer hops. Meanwhile they often use this dwell time to install malicious software (malware) that will allow them to lock up and ransom numerous other, secondary targets.
Once the attackers have located their best target, perhaps a customer database or sensitive financial records, they will exfiltrate a copy to the cloud and then execute what we think of as the classic ransomware technique: encrypt your data and systems and demand the ransom.
If you refuse to pay the ransom to release your encrypted data (because you assume you can simply restore from backup), the attackers will still hold you to ransom by threatening to release or sell the stolen copy. Regardless of whether you pay at all, the attackers can and will sell that stolen data, in effect guaranteeing themselves a reward for their criminal behaviour. Around half of all ransomware attacks now involve this “double extortion” approach. Meanwhile, as they ratchet up the pressure on their victim for payment, they will generally release “proof of life” samples of the stolen information to the public.
No longer can any organization assume that backups are an effective solution to ransomware, nor can they assume that their victim status can be kept out of the public (and regulator’s) eye.
As you consider your defensive strategies, it is also important to know that ransomware is no longer introduced into your environment only through phishing attacks, physical media (“Oh look! I’ve found a 512 GB USB stick. Let me put that in my machine to see what interesting files are on it”), or the exploitation of vulnerable and unpatched systems.
In July 2021 the ransomware gang known as REvil launched an attack that leveraged software vendor Kaseya Limited’s VSA (Virtual Systems Administrator) solution and its MSP (Managed Service Provider) ecosystem. All of this was just the opening act to the primary goal: pushing ransomware down to as many as 1,500 downstream victims. REvil has since been disbanded, though the criminally and technically skilled individuals behind it are assumed to still be free to conduct attacks as members of other groups. This is an example of an “island hopping” attack, one that steps across multiple intermediary victims on the way to the attacker’s ultimate prize. The lesson is that even your most trusted systems can be a route in for the ransomware gangs.
Considering these evolutions by ransomware gangs, it is critical that you adapt your own defensive strategies.
Firstly, assume attackers are already in your environment and preparing to launch an offensive. Don’t wait for them to pounce. Hunt for the subtle breadcrumbs that attackers leave behind as they look for data to steal and prepare for their next stage of attack.
The tools needed in your arsenal for such threat hunting include ‘Endpoint Detection & Response’ (EDR) tools, or the more recently introduced ‘Extended Detection & Response’ (XDR) tools. XDR is the natural evolution of EDR and, by providing additional insights, offers the means to reduce the average time to detect and respond to an attack.
Critical too is a baseline knowledge of what ‘normal’ looks like in your own network. By understanding ‘normal’ it becomes easier to recognise ‘unusual’, to spot attacker behaviour, and to reduce the overall length of the attacker’s dwell time. Threat hunting requires the skills and discipline to recognise the attacker’s trail, whether sourced from an external Managed Detection & Response (MDR) provider or from an internal team.
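The baselining idea above, and the lateral-movement “hopping” described earlier, can be made concrete with a small hunt over logon events. The following is an added example, not code from the original post or from any vendor’s product: it learns which user normally logs on from which host to which host during a baseline window, then flags first-seen paths, the fan-out of new destinations that machine-to-machine hopping produces, and any first-seen touch of a crown-jewel asset such as a backup server. Every host name, user name, timestamp and the fan-out threshold are constructed assumptions.

```python
"""Baseline-and-deviation hunting over logon events (added illustration)."""
from collections import defaultdict

# Constructed: assets the organisation regards as crown jewels (assumed names).
SENSITIVE_ASSETS = {"backup-01", "db-finance"}

# Constructed baseline window: (timestamp, user, source_host, destination_host).
BASELINE_EVENTS = [
    ("2024-05-01T08:02", "alice", "ws-alice", "fileshare-01"),
    ("2024-05-01T08:05", "alice", "ws-alice", "mail-01"),
    ("2024-05-01T09:10", "bob", "ws-bob", "fileshare-01"),
    ("2024-05-01T09:12", "bob", "ws-bob", "db-finance"),
    ("2024-05-02T01:00", "svc-backup", "backup-01", "fileshare-01"),
    ("2024-05-02T01:05", "svc-backup", "backup-01", "db-finance"),
]

# Constructed events from the window being hunted.
HUNT_EVENTS = [
    ("2024-05-08T08:01", "alice", "ws-alice", "fileshare-01"),  # within baseline
    ("2024-05-08T22:14", "alice", "ws-alice", "ws-bob"),        # first seen
    ("2024-05-08T22:16", "alice", "ws-alice", "ws-carol"),      # first seen
    ("2024-05-08T22:20", "alice", "ws-alice", "backup-01"),     # first seen, crown jewel
    ("2024-05-08T09:00", "bob", "ws-bob", "db-finance"),        # within baseline
]


def build_baseline(events):
    """Return {(user, source_host): set(destination_hosts)} seen in the baseline window."""
    seen = defaultdict(set)
    for _ts, user, src, dst in events:
        seen[(user, src)].add(dst)
    return seen


def find_deviations(baseline, events, sensitive_assets, fan_out_threshold=3):
    """Compare events against the baseline and return (new_edges, alerts).

    new_edges: every (ts, user, src, dst) not seen during the baseline window.
    alerts:    one per first-seen access to a sensitive asset, plus one per
               (user, src) whose count of *new* destinations reaches
               fan_out_threshold, the signature of hopping between machines.
    """
    new_edges = []
    new_dsts = defaultdict(set)
    alerts = []
    for ts, user, src, dst in events:
        if dst in baseline.get((user, src), set()):
            continue  # established behaviour, nothing to hunt here
        new_edges.append((ts, user, src, dst))
        new_dsts[(user, src)].add(dst)
        if dst in sensitive_assets:
            alerts.append({"type": "sensitive_asset_first_access", "user": user,
                           "source": src, "destination": dst, "time": ts})
    for (user, src), dsts in new_dsts.items():
        if len(dsts) >= fan_out_threshold:
            alerts.append({"type": "lateral_movement_fan_out", "user": user,
                           "source": src, "new_destinations": sorted(dsts)})
    return new_edges, alerts


def hunt():
    """Run the constructed hunt and return its alerts."""
    baseline = build_baseline(BASELINE_EVENTS)
    _new_edges, alerts = find_deviations(baseline, HUNT_EVENTS, SENSITIVE_ASSETS)
    return alerts


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

Bob reaching the finance database raises nothing because that path is part of his baseline; Alice’s three first-seen destinations in six minutes, one of them the backup server, produce the two alerts a hunter would want to pull on. In a real environment the baseline would be rebuilt on a rolling window and the threshold tuned to the noise level of the estate.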
Beyond these defensive measures, begin today to plan your journey to Zero Trust. Zero Trust is not a single product you can buy or implement, and any vendor that tries to sell you “Zero Trust in a Box” should themselves be treated with zero trust.
Zero Trust (ZT) is an architecture (codified, as it happens, in NIST SP 800-207). Designing to a ZT architecture requires continual baselining of the security posture of all the endpoints and workloads in your environment, as well as of your network architecture, and rethinking how and when you grant user (and API) access to critical data stores and applications. A ZT architecture makes it significantly more difficult for an attacker to gain an initial foothold in an environment, or then to move laterally from one machine to another.
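To show what “rethinking how and when you grant access” and “continual baselining of posture” look like in practice, here is an added example of the per-request decision at the heart of a ZT architecture. It is illustration written for this article, not the post’s own code and not any vendor’s product. Resource names, group names, the posture attributes and the thresholds are constructed assumptions; the request carries a network-location flag only to demonstrate that the policy never consults it, which is the point of Zero Trust.

```python
"""Per-request Zero Trust access decision with posture re-evaluation (added illustration)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DevicePosture:
    edr_healthy: bool        # endpoint agent reporting and up to date
    disk_encrypted: bool
    days_since_patch: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool
    device: DevicePosture
    resource: str
    on_corporate_network: bool  # deliberately ignored by decide(): location grants nothing


# Constructed per-resource policy: who may reach it, how fresh the device must be,
# and whether strong authentication is mandatory. Anything not listed is denied.
RESOURCE_POLICY = {
    "db-finance":   {"groups": {"finance"}, "max_patch_age": 14, "require_mfa": True},
    "fileshare-01": {"groups": {"staff"},   "max_patch_age": 30, "require_mfa": False},
}


def decide(req: AccessRequest):
    """Return ("allow" | "deny", [reasons]); every check must pass for an allow."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return "deny", ["resource has no policy: default deny"]
    reasons = []
    if not (req.groups & policy["groups"]):
        reasons.append("user not in an authorised group for this resource")
    if policy["require_mfa"] and not req.mfa_verified:
        reasons.append("strong authentication required")
    if not req.device.edr_healthy:
        reasons.append("endpoint agent unhealthy")
    if not req.device.disk_encrypted:
        reasons.append("device disk not encrypted")
    if req.device.days_since_patch > policy["max_patch_age"]:
        reasons.append(f"device patch age {req.device.days_since_patch}d "
                       f"exceeds {policy['max_patch_age']}d")
    return ("deny" if reasons else "allow"), reasons


def evaluate_session(req: AccessRequest, posture_samples):
    """Re-run the decision as fresh posture samples arrive during a live session.

    Returns the index of the first sample at which access should be revoked,
    or None if every sample keeps the session allowed. This is the 'continual'
    part: an allow is never a permanent grant.
    """
    for i, posture in enumerate(posture_samples):
        verdict, _ = decide(replace(req, device=posture))
        if verdict == "deny":
            return i
    return None


if __name__ == "__main__":
    healthy = DevicePosture(edr_healthy=True, disk_encrypted=True, days_since_patch=3)
    bob = AccessRequest("bob", frozenset({"staff", "finance"}), True, healthy,
                        "db-finance", on_corporate_network=False)
    print(decide(bob))
    # Same user, now on the corporate LAN but with a silent endpoint agent.
    print(decide(replace(bob, on_corporate_network=True,
                         device=replace(healthy, edr_healthy=False))))
```

The second call denies even though the request now originates inside the network, because the agent is unhealthy and location is not an input. The session check is what turns a one-off gate into continual evaluation: the moment a later posture sample fails, the session is cut, which is exactly what denies an intruder the quiet dwell time described earlier.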
Ransomware is here to stay. Criminal gangs both small and large are banking their ill-gotten rewards as they target organisations that have not kept up with the continued evolution of the tools, techniques, and procedures attackers deploy at scale.
The time to evolve your defenses is now. Be ready before the attacker targets you to demand payment in untraceable crypto-dollars.