With 2020 coming to a close, SC Media is delivering through a series of articles our picks of the most high impact events and trends of the last year, which we predict will factor into community strategies in 2021 and beyond. This is the third in that series.
Many people are looking forward to midnight, Jan. 1, 2021, when they can once and for all put what many regard as the worst year ever behind them. Unfortunately some things – like ransomware – appear poised to reach new heights in the years ahead.
One can measure this deflating reality in a variety of ways. Volume and frequency? Virtually every threat intelligence company is reporting the number of attacks per day at or well above historical highs. Average ransom payment? Up to nearly $250,000, compared to $100,000 in 2019, though the median gains were much more modest. Impact on society? Nations already roiled by a global pandemic have seen ransomware groups casually blow past any ethical red lines to target hospitals, school systems and other critical infrastructure.
“If I were going to give a status update on the state of ransomware, unfortunately the word would be ‘growing,’” said Herb Stapleton, section chief for the FBI’s cyber division in an interview with SC Media last month.
An illustrative example of just how much growth network defenders are seeing can be found in the rise of one ransomware variant called Ryuk. Through the first nine months of 2019, security researchers detected just over 5,000 attacks that used the malware strain. Those same numbers in 2020 have exploded into the tens of millions, while operators using Ryuk has been identified as responsible for a wave of brazen attacks against hospitals in October.
Katie Nickels, director of intelligence at Red Canary, told SC Media that like prospectors hearing reports of gold in a far-off land, cybercriminals who specialize in other forms of malware have responded to the financial success of ransomware groups and rushed to enter the market themselves. This has created an increasingly complex environment and a dizzying array of groups, malware strains and intrusion techniques for security teams to track.
“It’s gotten to the point where it’s so confusing, I do this on a day-to-day basis and there will still be new ransomware samples that come up that I haven’t heard of [and] almost every week there’s some new group,” Nickels said.
Nickels and her team sift through threat data and digital forensic evidence from the latest ransomware incidents, paying particular attention to the attacks that made it through established layers of security, like email gateways or antivirus programs. The lessons she’s taken away from the experience is that “many organizations can be doing a lot of great things and still be impacted by ransomware.”
As one example, third-party loader malware like Bazar and Buer that is specifically designed to give groups initial access into a network are still largely undetected by antivirus vendors. They have become so thoroughly incorporated into the kill-chains of ransomware groups that it's significantly easier to move laterally across a victim network and deliver the final payload.
“I think the complexity and how [ransomware operators] share their infrastructure and their access and tooling has made it a lot worse,” said Nickels. “We’re reaching a point where I don’t think anyone can prevent that initial access all the time. The shift we’ve had to make is…not just preventing them from getting in, but trying to catch them as close to that initial access point as possible.”
Hospitals, schools and critical infrastructure
Thus far, the direct impacts of most ransomware attacks have fallen on individual companies or its customers. If 2020 augurs what ransomware groups have planned for the future, that may change as larger segments of the public experience outages and other service disruptions from critical infrastructure providers.
While attacks against the education and health care industries have been going on for years, the scope and profile reached new heights in 2020, with COVID-19 acting as a key driver.
For example, a joint alert coauthored by the FBI, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in December found that not only did ransomware attacks against schools go up in 2020, but they expanded significantly in the weeks and months leading up to the new school year, as many states were scrambling to put new online learning models in place. In August and September, 57 percent of all ransomware attacks reported to the MS-ISAC were against schools, demonstrating how criminal groups were intentionally targeting the education sector while many were in the vulnerable and uncertain positions.
Allan Liksa, an intelligence analyst at Recorded Future who focuses on ransomware, told SC Media that school systems have unique characteristics that make them more vulnerable than other sectors. For most businesses, many of the direct impacts from a successful ransomware attack are largely limited to that particular enterprise.
“We’ve seen the occasional company have to shut down…but for the most part when an organization gets hit with ransomware, people switch to pen and paper, work for a few days, and then things get back online [and] everybody goes back to work. There’s a disruption but it’s kind of self-contained,” said Liksa. “When you talk about a school being hit with ransomware, the school itself is disrupted, but it also affects the lives outside of the school system. When they shut down – now that disrupts parents who have to go and find daycare for their kids. So the effects are far outside of that.”
In addition, Liska said schools hold reams of personal, sensitive data for one of the most vulnerable population groups: young students. Leaking a manufacturer’s business data is one thing; threatening to do the same thing for disciplinary or medical records of students is another. Young victims also lack the credentials and paper trail of adult, meaning it could take years before they even realize they’re the victim of identity theft or spot other malicious uses of their data.
These attacks have generated outrage among cybersecurity experts, members of Congress and other groups precisely because they intentionally target vulnerable groups. A group of democratic senators have called for the Government Accountability Office to review how federal agencies have lent cybersecurity assistance to K-12 school systems, particularly for ransomware as school districts have largely shifted operations online this year, and examine whether more can be done.
“We are concerned about the extent to which K-12 schools are adequately protected from cyber threats as they expand or revise operations during the pandemic and beyond,” wrote Senators Maggie Hassan, D-N.H., Jacky Rosen, D-Nev. and Kyrsten Sinema, D-Ariz.
By targeting them during particularly fraught periods, like right before the start of the school year, ransomware operators are hoping to catch school districts while they’re off-kilter, desperate and most likely to pay up. The fact that many schools already lack funding for basic supplies and are reliant on funding from state and local governments that are suffering massive budget shortfalls this year make it even more cruel.
That same logic applies to hospitals, many of whom faced the perfect storm in 2020: a raging pandemic, a lack of personal protective equipment and an overextended staff that needed to be on standby 24/7 in a months-long effort to save lives. Early reports that a ransomware attack had led to the death of a patient at a German hospital turned out to be exaggerated, but many worry it’s only a matter of time before that line is crossed as well.
“In general, we tend to loathe people who prey on the weak or weaker if you will. Ransomware actors going after banks; yes it’s bad, but the banks are well funded. They can take care of themselves,” said Liska. “When you’re going after hospitals, when you’re going after school systems – we’ve seen ransomware actors go after food banks. You’re targeting the weak, people who can’t defend themselves.”
Of course, hospitals, schools and other industries have been relentlessly targeted regardless of promises, and ever since the NotPetya and WannaCry attacks wreaked havoc in 2017 attacks against critical infrastructure have exponentially increased. Joint research from Dragos and IBM’s X-Force team tracked at least 194 confirmed ransomware attacks against such systems and supporting entities (like managed service providers and telecommunications firms) between 2018 and Oct. 2020, a 500 percent increase over the prior years. Nearly half (45 percent) of those attacks were against North American organizations and manufacturers -- a sector particularly vulnerable to ransomware – accounted for more than one-third of the reported total. The threat hunters believe ransomware will continue to be a “a major threat” to industrial operations going forward.
“Despite efforts to improve security hygiene across multiple business sectors, poor security practices including improper segmentation between enterprise and operations networks will enable the infection and propagation of ransomware across business and ICS systems,” write authors Selena Larson, a Dragos intelligence analyst and Camille Singleton, a senior strategic cyber threat lead at IBM. “Additionally, attacker behavior is adapting to corporate ransomware security efforts and expanding behaviors to include data theft and extortion.”
Earlier this year, Cybereason set up a honeypot designed to mimic an electricity company with operations in North America and Europe. It was almost immediately attacked by multiple ransomware actors seeking to steal data or credentials and move laterally across victim networks. Israel Barak, the company’s chief information Security Officer, told SC Media that the willingness of victims and insurers to pay the ransom, the number of companies unable to mount a meaningful defense and a larger shift by ransomware groups to an operational model of business are all creating a toxic feedback loop that only encourages more of the same.
“I think all these trends combined lead us into a very reasonable assumption that we will see more of these multistage ransomware operations or campaigns going into next year,” said Barak.
A limited toolbox for law enforcement and defenders
The FBI, which has hosted summits the past two years seeking to bring stakeholders from different sectors together around the topic, largely views ransomware as a collective problem that necessitates a collective response from government, business and other affected organizations. Each brings the capability to provide a unique role, insight or contributions that others lack. For example, the bureau may struggle to recreate the analytic capabilities of the private sector, but it has access to nonpublic information from ongoing investigations, other forms of intelligence and the authority and credibility to amplify that good research to the broader public.
“What we are really trying to do…is build the broadest coalition of partnerships that we can in the FBI and other parts of government, and between the government and our partners in the private sector,” said Stapleton. “Because we know that’s really where were going to find the best threat intelligence, out there in the private sector and we know that in many ways we can have a complimentary relationship in which the private sector can inform what we as the FBI are targeting.
The increasingly complex relationships among ransomware operators bolsters the effectiveness of each group’s tools, but they also create more complex relationships that investigators can trace and exploit.
“We had to evolve our approach from working a single incident to trying to work a particular variant and the whole ecosystem that surrounds that: infrastructure, communication…the financial piece of it,” said Stapleton.
He laid out four stages of ransomware operations where the FBI can either disrupt ongoing activities or leverage them in investigations: targeting the individuals who develop the malware, monitoring dark web forums and communications as groups attempt to recruit new members, working with companies like Microsoft to disrupt existing infrastructure such as Trickbot, and deanonymizing, tracing and seizing the cryptocurrencies used to process most ransom payments.
Determining how and when to best execute these actions, choosing the right sequence that can maximize impact against ransomware operations, is something that the bureau is learning “through practice.”
The official position of the U.S government and many cybersecurity firms is that companies should never pay the ransom. That view has been criticized as unrealistic in some quarters, but underneath it is a more nuanced message. One that does take into account the pressures that executives face to protect their data and business interests in the wake of a compromise.
In comparison to losing your data or having it leaked to the public, rebuilding your network from scratch or dealing with years of post-breach litigation and reputation management, paying a one-time fee to avoid that nightmare can seem trivial. For hospitals overwhelmed with COVID patients or a power company providing heat and electricity during a cold winter, such decisions can have live or death implications.
While paying does fatten the pockets of ransomware groups and fund their future operations against new businesses, it is (mostly) legal and ultimately “a business decision” Stapleton said.
“We’ve provided the best overall policy from the administration of justice standpoint, and that is not to pay the ransom. However, we do understand that might be the only real option for some entities that are affected by this,” said Stapleton. “What we don’t want to see happen is for a company to feel that because they have decided that their only choice is to pay the ransom, that they then cannot work with law enforcement because of that choice.”
A new paradigm
The increasing volume of attacks against critical infrastructure are consistent with what law enforcement has seen over the past three years as hospitals, 911 call centers and emergency responders have seen their work disrupted. In fact, FBI officials like Stapleton worry attacks against hospitals or school systems are actually becoming so common that they no longer sufficiently shock and may actually lull the public into deeper complacency as a steady drumbeat of new attacks push the old ones further into the background.
The relevant question for 2021 is whether such attacks will become more common or less. On the one hand, a number of ransomware gangs seem to understand, even if only on a public relations level, that going after either critical infrastructure or organizations that serve vulnerable, sympathetic victims is not good for their long-term business interests. On the other hand, those promises did nothing to shield the dozens and dozens of hospitals and healthcare organizations who saw their devices and data locked up this year.
It’s not clear what more law enforcement can do, especially as most ransomware groups operate in countries outside the reach of U.S. law or extradition. Stapleton struggled to think of any new tools or authorities that law enforcement doesn’t have already that he might want. “I don’t have an answer to that yet. If I did, I would have already tried to implement it.”
The Institute for Security and Technology has banded together with 18 organizations – including Microsoft, McAfee, Citrix, the Global Cyber Alliance and the Cyber Threat Alliance –to form the Ransomware Task Force that will work to “assess existing solutions at varying levels of the ransomware kill chain, identify gaps in solution application, and create a roadmap of concrete objectives and actionable milestones for high-level decision-makers.”
Nevertheless, it’s clear that the twin pillars that underpin our collective defense -- increased resilience and law enforcement – have not made a meaningful dent in the global crime spree.
Some have called for ransomware gangs who target critical infrastructure and put lives at risk to be treated less like cybercriminals and more akin to terrorists or other national security threats. While such rhetoric can be problematic from a legal or moral perspective, it does speak to the frustration some feel about the inadequate response from government and industry thus far and the way ransomware has become a potential vector not just for cybercrime but other malicious actors in a way that can easily blur the line.
“You can see countries or nations like North Korea running ransomware operations. You can see cybercrime organizations working on behalf of nation-states and state sponsored operations. You can see cybercrime organizations lending their services to anyone willing to pay for it,” said Barak. “The boundaries between these different categories of attackers have really become blurry and it’s much harder to attribute an attack to someone because of that blurriness.”
At the very least, the real-life impact of ransomware may lead to more involvement from agencies like U.S. Cyber Command, which took part in an October operation with other agencies and Microsoft to take down command and control infrastructure for Trickbot, a notorious botnet and malware that serves as an early-stage intrusion vector for many ransomware groups. The success and impact of that operation is much debated and the underlying rationale given by Microsoft and government officials was not curbing ransomware but protecting U.S. elections.
However, some believe it represents the first, important steps toward recognizing that the problem has evolved beyond the criminal realm and other instruments of national power should be brought to bear.
“Even if it wasn’t completely effective at taking down [Trickbot], I think that it was significant because it signaled that the government is willing to take some kind of action against the operators of these ransomware families,” said Nickels. “And my hope is that in 2021 we’ll see increased public/private cooperation. I think that’s absolutely necessary because the government can’t do this along and the private sector can’t do it alone.”