Ransomware Trends: Don't Panic, Prepare

This blog discusses ransomware trends and what to do about ransomware.

Gary Glover
David Ellis
Data Breaches
Cybersecurity

The following blog is a summary of our webinar, "Ransomware: Don't Panic—Prepare." This discussion is hosted by Gary Glover, VP of Assessments, who is joined by the VP of Forensic Investigations, Dave Ellis.

Our aim is to provide a comprehensive understanding of ransomware, its impact on the world today, and conclude with essential security practices and strategies for recovering from such attacks.

Ransomware Trends

In the media, ransomware often dominates the headlines, creating a sense of impending doom. However, we'd like to encourage you to take a moment and relax. Let's shift our focus to the fundamentals and discuss practical steps that can enhance your ability to withstand these attacks.

When it comes to security, it's crucial to remember that it's the accumulation of small improvements in numerous areas that significantly enhances your overall business security. Rarely is it a single aspect that needs improvement; instead, it's about making incremental enhancements across various domains.

Now, let's look at the current state of ransomware worldwide. It seems like every day we hear about new and increasingly devastating attacks costing millions of dollars. These attacks originate from nation-state actors and, increasingly, from criminal groups that sell ransomware as a service to other attackers.

Interestingly, some countries turn a blind eye to the operations of these groups, as long as their own citizens are not targeted. This approach seems to be based on a mutual understanding of non-interference. In some cases, these nation-states themselves may even benefit from the attacks, though the extent of their involvement, including potential backdoors, remains uncertain.

Recently, a Russian-language group called REvil carried out a significant attack known as the Kaseya attack. Kaseya sells IT-management software used by managed service providers, so compromising it reached the providers' customers in turn: up to 1,500 businesses across various sectors, including grocery chains, pharmacies, and even railways in Sweden.

While Russia often takes the spotlight in ransomware discussions, other countries are also actively involved. North Korea, for example, heavily engages in these activities and has amassed significant sums through cryptocurrency-related attacks. It's essential to note that ransomware is not exclusive to any specific nation. Organized criminals exist worldwide, engaging in malicious activities wherever they find opportunities.

DarkSide Ransomware Attacks

Today, we'll look at the operations of a ransomware group known as DarkSide. This deep dive is inspired by recent research by a New York Times reporter, which unearthed valuable information about DarkSide's activities and shed light on their modus operandi.

DarkSide serves as a prototypical example of the ransomware groups currently active in the cyber landscape. While there are other groups responsible for larger-scale attacks or greater financial losses, studying DarkSide offers valuable insights into their operations, the impact on victims, and actions individuals can take to avoid falling prey to such attacks.

In a graph showing the top five ransomware groups, DarkSide appears as the fifth, alongside other groups following a similar model. Notably, we won't be discussing NetWalker, despite their significant presence and numerous attacks on the healthcare sector worldwide, some of which have resulted in fatalities.

DarkSide aligns with the prevalent trend of ransomware-as-a-service, where they collaborate with affiliates who possess the skills to breach systems but lack the expertise in developing ransomware or negotiating with victims. These affiliates rely on DarkSide's support, including tech assistance and guidance during ransomware propagation.

Remarkably, these ransomware groups often operate like conventional corporate entities, complete with departments such as development, management, support, HR, and potentially even recruitment efforts. DarkSide itself was formed around August 2020, and its exact origins and founding members remain unknown.

It's worth mentioning an intriguing NPR story where a New York Times reporter gained access to DarkSide's dashboard on the dark web. While ethical considerations limited the reporter's actions, the insights obtained were fascinating. DarkSide's dashboard provided help desk support, chat rooms, English customer assistance, Bitcoin-related guidance, updates on new products, and industry news. It's truly an all-in-one hub for ransomware operations.

When it comes to financial aspects, many ransomware-as-a-service providers, including DarkSide, handle payments and distribute a percentage to the initial attacker. This streamlined approach simplifies the process for the criminals involved, ensuring they receive their share efficiently.

In summary, the ransomware-as-a-service model employed by DarkSide and similar groups is an effective way for cybercriminals with system-breaching skills to outsource ransomware development and related tasks. By collaborating with multiple affiliates simultaneously, DarkSide maximizes their profits while coordinating efforts among different attackers to target specific systems. They earn a percentage of the ransom payments, which can range from 10% for substantial sums to up to 25% for smaller-scale attacks.

Ransomware Increases In Profitability

The persistence of ransomware as a problem lies in its profitability. As long as these malicious actors continue to profit from their activities and businesses remain willing to pay ransoms, the issue will persist.

To gauge the scale of internet-based crime, it helps to compare it with traditional organized crime. In the past, organized crime profited primarily from narcotics, prostitution, and extortion. Global organized crime earnings from internet-based crime have long since surpassed those from the traditional activities.

Over a decade ago, the revenue generated by internet-based crimes exceeded that of narcotics, extortion, and prostitution. Since then, the gap between the two has widened significantly.

This shift has made internet-based crimes more appealing to high-ranking figures in organized crime due to the relatively lower risk involved. Involvement in a narcotics ring could result in a lifetime prison sentence, whereas implication in an internet-based crime might lead to a few years behind bars. Additionally, it is much more challenging to implicate the higher-ups in these crimes than it is to catch the individuals operating the keyboards.

This trend represents the future trajectory of organized crime, with traditional activities taking a backseat to the cleaner and more lucrative realm of cybercrime. The shift allows criminals to make more money while facing reduced personal risk.

DarkSide has been a prominent player in the ransomware landscape, but its current status is unknown. From the beginning, DarkSide had been under FBI surveillance. After the FBI seized a large part of the roughly $4.4 million Colonial Pipeline ransom in June 2021, DarkSide abruptly went silent. The incident prompted many other ransomware-as-a-service providers to reconsider their policies and refrain from attacking critical infrastructure. It tarnished their reputation and put pressure on governments that had previously turned a blind eye to their activities. Criminals prefer to operate in darkness and anonymity, avoiding any spotlight that could jeopardize their operations or lead to government intervention.

As for DarkSide's fate, it remains uncertain. There are speculations that they have reemerged under a new name, BlackMatter, and continue their attacks on companies. Comparisons between the BlackMatter ransomware and DarkSide's previous malware reveal striking similarities, suggesting that the developers and individuals involved in creating the ransomware have resurfaced in this new entity. This pattern resembles a criminal restructuring or bankruptcy, allowing them to shed debts and start anew under a fresh identity—a disturbing parallel to legitimate business practices.

Ransomware and The White House

Another important part of the conversation around ransomware is that the United States now gives ransomware attacks a priority similar to terrorism. The speakers' reasoning is that these crimes often support or fund terrorist activities, with a share of ransomware proceeds being funneled toward them, so investigating and preventing ransomware attacks has become a matter of national security.

The White House and the FBI have issued statements emphasizing the need for companies to take the ransomware threat seriously and improve their security measures.

The Deputy National Security Advisor stated, “Business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.” Cooperation between companies and law enforcement agencies is encouraged to investigate the attacks and identify the perpetrators.

The FBI Director, Christopher Wray, said, “while the FBI has a policy of discouraging targets of such cyber attacks from paying the ransom, the agency is more interested in having companies cooperate with the Bureau in their investigations into the attacks to help piece together the puzzle of who was behind the attacks and figure out ways to thwart them.”

Should you pay the ransom?

When it comes to paying the ransom, it is a complex decision that varies from case to case. Companies need to consider various factors, such as the trustworthiness of the attackers and the potential consequences of non-payment. There have been instances where companies paid the ransom but did not receive a working decryption key or faced subsequent demands for more money.

Furthermore, a ransomware attack may not be limited to encryption. The same intrusion can also involve data theft or e-skimming (injecting card-stealing code into a payment page), leading to the exposure of sensitive information.

You might pay the ransom and then find out that the attackers also dropped a card skimmer on your systems and are leaking card data. Each case needs to be evaluated carefully, and seeking assistance from law enforcement agencies can help in understanding the scope of the attack and mitigating further damage.

The Washington, D.C. Police Department experienced a ransomware attack shortly after the Colonial Pipeline attack. In this case, they decided to refuse to pay the ransom. The attackers retaliated by releasing critical information captured from the police department's networks onto the dark web. This included sensitive data such as personnel files, disciplinary reports, and intelligence reports on investigated gangs and groups. This example highlights the potential damage a ransomware attack can inflict on an organization or municipality, emphasizing the need for robust cybersecurity measures.

The United States is particularly vulnerable to cyberattacks because it is so heavily digitized and much of that infrastructure is owned by organizations that have not prioritized security. It's important to note that the United States pays more ransoms than any other country. This includes both ransomware attacks and other types of hostage situations. The prevalence of such attacks and the willingness to pay ransoms make the US a lucrative target for cybercriminals.

Ransomware attacks have resulted in significant financial losses. Some notable examples include the REvil group demanding $70 million after the Kaseya attack, the JBS Foods hack resulting in an $11 million ransom, and the Colonial Pipeline attack where a $4.4 million ransom was paid. Recently, an attack on an agricultural cooperative that supplies feed to chicken producers came with a $5.9 million demand. These incidents highlight the large sums demanded by attackers and show that even large organizations are vulnerable.

However, smaller businesses are not exempt from such attacks. Ransomware initially targeted the healthcare industry and then expanded to big corporations, municipalities, and even small businesses. It is crucial for organizations of all sizes to be cautious. Ransomware is expected to persist due to the ransomware-as-a-service model, where attackers worldwide with penetration testing skills can easily obtain and deploy ransomware.

How do ransomware attacks work?

Phishing attacks are a popular method used by attackers, with well-crafted emails often mimicking legitimate communication within an organization. Clicking on a malicious link in such emails can initiate an attack. Protecting sensitive data requires implementing measures like network segmentation and granting users the least privilege necessary for their roles. Vigilance and cautious clicking are essential in preventing ransomware incidents.
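The "well-crafted emails mimicking legitimate communication" described above usually give themselves away in the headers and links, which is what an email filter keys on. The following is an added example for this post, not the webinar's or any vendor's tooling: it runs three cheap heuristics over an RFC 5322 message, an executive's display name on an external sender address, a Reply-To on a different domain than From, and link text whose domain differs from the real href. The internal domain, the name list, and both sample messages are constructed assumptions.

```python
"""Heuristic phishing checks for a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"   # assumed: the organization's own domain
WATCHED_NAMES = {"jane doe"}            # assumed: names often impersonated (execs, finance)

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_DOMAIN_RE = re.compile(r'https?://([^/\s"\'>]+)', re.I)


def domain_of(value):
    """Domain of a URL or an email address, lower-cased, port stripped."""
    m = URL_DOMAIN_RE.search(value)
    if m:
        return m.group(1).lower().split(":")[0]
    return value.rsplit("@", 1)[-1].lower()


def check_message(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if name.lower() in WATCHED_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' on external sender {addr}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} differs from From domain {from_dom}")

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for href, text in HREF_RE.findall(html):
        if URL_DOMAIN_RE.search(text) and domain_of(text) != domain_of(href):
            findings.append(f"link text shows {domain_of(text)} but points to {domain_of(href)}")
    return findings


# Constructed sample: lookalike sender domain, off-domain Reply-To, mismatched link.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@example-corp-secure.com>
Reply-To: payments@mail-example-corp.net
To: bob@example-corp.com
Subject: Urgent: vendor payment update
Content-Type: text/html; charset="utf-8"

<p>Bob, please confirm today via
<a href="https://login.example-corp-secure.com/auth">https://portal.example-corp.com</a></p>
"""

# Constructed sample of a clean internal message.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: Q3 planning
Content-Type: text/html; charset="utf-8"

<p>Slides are on the <a href="https://portal.example-corp.com/q3">portal</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or "no findings")
```

None of these checks is conclusive on its own; they are the kind of signals a mail gateway combines with SPF/DKIM results and reputation before quarantining, and they are cheap enough to run on every inbound message.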

People are still not setting up remote access correctly, which has been an issue for 15 years. It is crucial to ensure that every remote access path (VPN, RDP, remote management tools) is protected with multi-factor authentication. Stolen credentials are another common entry point: attackers log in with someone's valid username and password. If those credentials carry administrative rights, or can be used to elevate to them, the attacker can install the ransomware payload directly.
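Both problems above, remote logins that never prompted for MFA and stolen or guessed credentials, leave traces in the remote-access logs. As an added example for this post (not the webinar's own tooling), the script below runs a detection pass over constructed VPN/RDP log lines: it flags successful logins without MFA, raises the severity when the account is privileged, and spots one source address failing against many accounts before succeeding, the shape of a password spray. The key=value log format, the account names and the addresses are all assumptions for the example.

```python
"""Detection pass over remote-access authentication logs (added example)."""
from collections import defaultdict

PRIVILEGED = {"administrator", "admin", "root"}   # assumed high-value accounts

# Constructed sample: one MFA-less VPN login, a spray from 203.0.113.7 that
# ends in a successful admin login, and one clean MFA-backed login.
SAMPLE_LOG = """\
2021-09-14T02:11:03Z vpn user=alice src=198.51.100.4 mfa=yes result=success
2021-09-14T02:11:40Z rdp user=jsmith src=203.0.113.7 mfa=no result=failure
2021-09-14T02:11:41Z rdp user=mlee src=203.0.113.7 mfa=no result=failure
2021-09-14T02:11:42Z rdp user=rkhan src=203.0.113.7 mfa=no result=failure
2021-09-14T02:11:43Z rdp user=pwong src=203.0.113.7 mfa=no result=failure
2021-09-14T02:13:30Z rdp user=administrator src=203.0.113.7 mfa=no result=success
2021-09-14T03:05:12Z vpn user=bob src=192.0.2.9 mfa=no result=success
"""


def parse_line(line):
    """'<ts> <service> k=v k=v ...' -> dict."""
    ts, service, *fields = line.split()
    rec = {"ts": ts, "service": service}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze(log_text, spray_threshold=3):
    """Return (severity, timestamp, message) findings for the log text."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Distinct accounts each source failed against: many accounts from one
    # address is a spray, not a user mistyping their own password.
    failed_users = defaultdict(set)
    for r in records:
        if r["result"] == "failure":
            failed_users[r["src"]].add(r["user"])
    spray_sources = {src for src, users in failed_users.items()
                     if len(users) >= spray_threshold}

    for r in records:
        if r["result"] != "success" or r["mfa"] == "yes":
            continue
        privileged = r["user"] in PRIVILEGED
        severity = "high" if privileged or r["src"] in spray_sources else "medium"
        findings.append((severity, r["ts"],
                         f"{r['service']} login for {r['user']} from {r['src']} without MFA"
                         + (" (privileged account)" if privileged else "")))

    for src in sorted(spray_sources):
        findings.append(("high", None,
                         f"{src} failed against {len(failed_users[src])} accounts (password spray)"))
    return findings


if __name__ == "__main__":
    for severity, ts, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {ts or '-'} {message}")
```

In production the same logic would read from the VPN concentrator or Windows Security log (event 4624/4625 with logon type 10 for RDP) rather than a string, and the MFA field would come from the identity provider; the point is that "success without MFA" and "spray then success" are both trivially detectable if anyone is looking.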

It is common for people to look to big organizations or the government to solve cybersecurity problems. However, the government can only do so much, such as negotiating with other countries or implementing mandates like HIPAA. Ultimately, individuals and organizations need to take responsibility for their own security and apply basic security principles.

Protecting Against Ransomware

Some basic principles include updating software, using strong passwords and multi-factor authentication, avoiding clicking on unsolicited links or opening attachments, and backing up systems regularly. Developing good security habits is essential, and employees should be trained to spot phishing emails.

Preventing ransomware requires a two-pronged approach: focusing on prevention and preparing for recovery. Prevention measures include restricting who can install software, implementing the principle of least privilege, and using application allowlisting, email filters, and firewalls. Regular backups are crucial, and they should be stored offline or in encrypted cloud backups that the compromised network cannot reach with its normal credentials.

Employee training should be ongoing, and individuals should be familiar with incident response plans and practice them regularly. It's important to take a holistic approach to security and consider the potential impact on various areas of the business.

In the event of an incident, act quickly: consider getting help from experts or authorities such as CISA, the FBI, or the Secret Service, isolate affected systems, review all network connections, and prioritize recovery efforts. Monitoring security logs and staying informed about current attack vectors is also crucial.

It is highly recommended to practice restoring from backups; it is a truly enlightening experience and provides valuable insight. Especially for businesses relying on older technology like tape backups, a practice restore will show you how long restoration actually takes and where it breaks, and it also confirms that the backups themselves have not been corrupted or encrypted.
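A restore drill is only informative if you can tell a good restore from a bad one. The script below is an added example for this post (not the webinar's or any product's tooling): it records a SHA-256 manifest when the backup is taken, which should be kept with the offline copy, then runs a simulated drill in which a reachable backup copy is hit (one file encrypted in place, one deleted), restores it, and checks the result against the manifest so that every missing or altered file is reported along with how long the restore took. The directory names and file contents are constructed in a temporary directory.

```python
"""Backup integrity manifest and restore drill (added example)."""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "modified": []}
    for rel, digest in manifest.items():
        full = os.path.join(restored_root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
        elif sha256_file(full) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_drill():
    """Simulated drill: back up, damage the backup copy, restore, verify.

    Returns (report, restore_seconds). All data here is constructed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (os.path.join(tmp, d) for d in ("live", "backup", "restored"))
        os.makedirs(os.path.join(live, "db"))
        with open(os.path.join(live, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,Alice\n2,Bob\n")
        with open(os.path.join(live, "db", "orders.csv"), "w") as f:
            f.write("id,customer\n10,1\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("runbook draft\n")

        manifest = build_manifest(live)   # taken at backup time; store it offline
        shutil.copytree(live, backup)

        # Simulate ransomware reaching the backup share: encrypt one file in
        # place (random bytes stand in for ciphertext) and delete another.
        with open(os.path.join(backup, "db", "customers.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(backup, "notes.txt"))

        start = time.monotonic()
        shutil.copytree(backup, restored)   # the "restore" step under drill
        elapsed = time.monotonic() - start
        return verify_restore(manifest, restored), elapsed


if __name__ == "__main__":
    report, seconds = restore_drill()
    print(f"restore took {seconds:.3f}s")
    for status, paths in report.items():
        print(f"{status}: {paths}")
```

The manifest must live somewhere the attacker's credentials cannot write, otherwise it gets encrypted alongside the backup; the same goes for the backup itself, which is the real reason the webinar says offline or in a separately authenticated cloud tier.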

Overall, cybersecurity requires proactive measures, ongoing training, and a comprehensive approach to prevention, detection, and recovery.

See also: 6 Phases in the Incident Response Plan

Conclusion

Today, we discussed the persistence and profitability of ransomware as a well-organized and lucrative form of cybercrime. There is a high likelihood of experiencing a ransomware attack, so it’s important to proactively implement effective controls rather than waiting for an incident to occur. Proper preparation can significantly reduce the impact and mitigate potential damages. We hope this information will be instructive to you as you create your own workforce training programs and incident response plans.

Q&A

Q: Do you think criminals are shifting away from stealing personal ID information and focusing more on ransomware attacks?

A: It's a great question, and I can understand why someone would ask that. However, my answer would be no. The theft of personally identifying information actually enhances the effectiveness of ransomware attacks. By obtaining personal information, including credentials, attackers can gain access to systems more easily. In the eyes of a hacker, having more information is always advantageous. So, it's crucial to continue protecting your personal data as it remains a prime target for cybercriminals, and this trend is unlikely to change.

Q: What is the recommended frequency for conducting simulated phishing testing?

A: When it comes to frequency, the minimum recommendation would be once a year. However, it's essential to avoid predictability. If you always conduct the tests at the same time, such as the first week of November or during holidays like Christmas, people will start expecting it, diminishing its effectiveness. You have options to either assign someone within your organization to research and perform the tests or utilize services that generate phishing attempts and provide comprehensive results.
