In cybersecurity terms, is there anything more Darwin-esque than ransomware? Small variations in targets, attacks, points of entry, payout and even attacker priorities have saved it from extinction and increased its ability to compete, survive and reproduce just as Charles Darwin contended organisms developed.
Unfortunately, though, those attacks have evolved into a greater menace for organizations, harder and more costly for security teams to thwart and remediate.
Not your father’s ransomware
While it surfaced in the early 2000s, “ransomware’s popularity really skyrocketed around 2016 and 2017” with the widespread and devastating WannaCry and Petya/NotPetya attacks in 2017 helping to “bring ransomware into mainstream discussions” and showing “cybercriminals just how effective (lucrative) the attacks can be,” says Alex Guirakhoo, strategic intelligence analyst at Digital Shadows, the latter likely explaining why the frequency has increased. According to a recent McAfee report, ransomware samples rose 118 percent in 2018.
Since its relatively humble beginnings, “we’ve seen a rise in things like ransomware-as-a-service: Subscription-based ransomware packages that can be used by cybercriminals with little to no technical knowledge,” says Guirakhoo, pointing to GandCrab, which “was widely popular until its creators announced they were shutting it down in June 2019.”
Along the way, ransomware has become more scalable. “What has changed is that it is now more commoditized and the code is often written with a bias for propagation,” says Dave Weinstein, CSO at Claroty and former CTO of New Jersey.
And as McAfee notes, cybercriminals have adopted new tactics and code innovations. Just consider PowerShell malware, which increased 460 percent in the first quarter of 2019, with developers experimenting with new techniques.
In fact, malware sophistication is outpacing defenses. “Attackers are also implementing more technically sophisticated tactics in ransomware itself: For example, the Sodinokibi ransomware variant has been observed exploiting a privilege escalation flaw, a tactic more commonly seen in nation-state — linked cyber espionage campaigns,” says Guirakhoo.
Among the emerging advancements in ransomware is the use of command-and-control bots, used to not only encrypt data, but also navigate through computer systems, steal credentials and gain access to system administrator accounts, says Rosenzweig.
Malwarebytes CEO Marcin Kleczynski agreed the types of ransomware are becoming more complex, particularly those that use the legitimate software found on most devices to hide and propagate. “This makes it a magnitude harder to stop,” he says.
And not only is it more difficult to battle, but the advent of ransomware as a service (RaaS) means even wannabee criminals with a minimal technological skillset can get into the game, Kleczynski says.
Because the skill level needed to launch a ransomware attack “has greatly diminished,” says Thycotic CISO Terence Jackson, “exploit kits can be easily purchased off of the web now just like other commercial off the shelf software (COTS).”
Unskilled bad actors might not be able to “build ransomware, but they can distribute it,” Kleczynski explains.
The nature of the attacks has changed as well. “Beginning with our research from 2018 on the SamSam ransomware crew, we began to see a shift in the threatscape to a new generation of ransom attacks,” says Chester Wisniewski, principal research scientist at Sophos. “As we dove deeper, we predicted the convergence of bespoke ransomware attacks into what we are now calling automated, active attacks (AAA).”
Those attacks hauled increasingly larger ransoms, “but at a much smaller volume than previous ransom schemes,” Wisniewski says. More recently, Sophos has seen an uptick in rise in supply chain compromise “as a method of increasing the scale of attacks without increasing the workload on the criminal’s resources,” he says. “Sadly, our prediction that this would likely escalate has proven true as we observed with the Texas municipality attacks.”
The Texas attacks mark “a paradigm shift” in the ransomware business models, according to Yaniv Balmas, head of cyber research at CheckPoint. “The key change is marked by an evolving business model oriented around multiple players and stages,” he says. “Hence, we are now in the era of what we call “boutique” ransomware attacks.”
Threat actors have learned that “taking down critical services, like city councils or entire corporations, are much more profitable than spreading the same ransomware to thousands of potential victims,” Balmas explains.
The attacks often are executed in multiple stages. “The first stage almost always involves a preliminary infection with generic malware,” he says. “Ransomware actors often purchase the first stage infection from other groups who are selling their infected ‘install base’ to others.”
Malware may sit undetected for months, in anticipation that computer systems will weaken. “After allowing the first stage of infection to cultivate, hackers then proceed to infect the system with ransomware,” says Balmas. “This way, it’s more difficult to trace.”
The attacks often are timed to reach critical stages over a weekend when they might not be noticed as quickly. “The ransomware propagates through the victim network in record amounts of short time,” says Balmas. “The motive is to leave the paralyzed victim without a choice, but to pay ransom, which are staggering amounts.”
Attackers work to stay a step ahead of victims and customize their attacks. “Instead of playing a numbers game, attackers are adopting more specific, tailored tactics and techniques,” says Guirakhoo of Digital Shadows. “Big game hunting techniques, or the specific targeting of fewer, but higher profile and more lucrative targets have also become increasingly popular.”
Attackers may be aided by binary approaches to authentication, which Acceptto CEO Shahrokh Shahidzadeh says “allow too many cybercriminals into networks, allowing them to effectively plant ransomware attacks.”
The attacks appear to be more successful when leveraging a valid digital credential for planting the ransomware.
While many aspects of ransomware and attacks have evolved, one thing has remained constant – phishing is still the main point of entry.
“Phishing remains the main point of entry but social engineering tactics in general are the biggest threat,” says Weinstein.
“Phishing is likely going to remain one of the most popular attack vectors over the next few years: It’s relatively simple, can be performed en masse, and is clearly effective,” says Guirakhoo. “It’s a tactic that’s used by low-level cybercriminals up to highly advanced nation-state threat groups. Ransomware variants like SamSam are notable for instead brute forcing RDP connections to gain initial access.”
The May 2019 “Too Much Information: The Sequel” report, published by the Digital Shadows Photon Research Team, uncovered “more than two million files encrypted by the NamPoHyu variant. NamPoHyu brute-forces Samba servers to encrypt files remotely, but like SamSam, this delivery mechanism is the exception rather than the norm,” he says.
Indeed, while targeted attacks use spearphishing for initial access, McAfee notes user interaction is key to execution.
“The key point of entry for ransomware is the human element,” says Lucy Security CEO Colin Bastable. “Human error typically starts with the IT people who either are not properly prepared or have made an error that opens the gate to the hackers.”
“It only takes one employee to open the door,” cautions Terence Jackson, CISO at Thycotic. “This makes the attackers job much easier and again lowers the technical bar of entry to perpetrate an attack.”
Hackers work hard at polishing their social engineering practices.
“They might be phishing, which is like casting a net in hopes of tricking someone at a company to gain access,” says Bastable, who calls spearphishing that directly targets business particularly “diabolical” as emails luring victims become more real-looking.
The bounty of credentials found online have made attackers’ job easier. “The ransomware game of cat and mouse continues to evolve as cybercriminals adapt to security vendor updates with more creative phishing email quality as well as leveraging the unprecedented availability of stolen/exposed credentials available courtesy of the numerous breaches that have been made visible in the press,” says Shahidzadeh, who explains valid digital credentials purchased on the dark web or stolen in a breach “provides the best access for planting ransomware when an organization” isn’t adequately protected.
Attackers also “are paying close attention to which attacks make the news, and more so, to which ones are profitable,” says John Nye, an ethical hacker and senior director of cybersecurity research and communication at CynergisTek.
Money, money, money, money
The profitability of ransomware attacks has been on the rise. “The economics have changed. The marketplace is a lucrative one,” says Claroty’s Weinstein.
The boost in profitability largely coincides with the growth of cryptocurrencies. “Before it was very hard for the criminals to get paid, they’d have to demand payment in pre-paid credit cards where they’d get and use the number,” says Zohar Pinhasi, CEO of MonsterCloud. “Once bitcoin became prevalent it opened up a loophole that was ideal for these cyberterrorists.”
With more than 5,000 cryptocurrencies to choose from, “hackers are switching away from bitcoin to keep ahead of organizations like the Interpol, FBI, CIA and NSA,” says Pinhasi. “This is an avalanche that can’t be stopped… it’s only going to get bigger.”
Guirakhoo agrees. “As organizations continue to pay high extortion demands (sometimes reaching hundreds of thousands of dollars), cybercriminals are likely to continue perceiving ransomware as a lucrative opportunity,” he says.
They may also take aim at something other that information. “Some have speculated that ransomware threats might evolve to extort not data but operations for money,” says Weinstein. “This is one more reason why it so critical for infrastructure owners and operators to segment their networks.“
As stolen digital credentials proliferate and continuous authentication solutions are deployed, “it is highly likely that ransomware attacks will continue to adapt and evolve,” says Shahidzadeh.
Score one for Charles Darwin.