Ransomware has clearly moved on since the days of “fire-and-forget” indiscriminate attacks, but post-intrusion ransomware remains a crime of opportunity. Yet much of the language used about ransomware today portrays organizations as passive victims of carefully plotted and targeted attacks. It also fundamentally misrepresents what happens during the early stages of a ransomware attack.
I have an issue with the popular, yet wrong, idea that most attacks today are targeted. That paints a terrifying picture of an eagle-eyed predator spotting and selecting particularly juicy, tasty victims and then single-mindedly chasing them until it brings them down.
So, when BlackMatter, GOLD WATERFALL’s successor to DarkSide and a recent entry on the ransomware scene, says it is “targeting” organizations with turnovers of $100 million or more, small and medium-sized enterprises might consider that they are off the hook because they don’t provide rich enough pickings.
Unfortunately, that’s not how ransomware attacks happen.
Many ransomware attackers use the services of specialists known as initial access brokers (IABs). Offers of access brokering on underground forums have become widespread. Ransomware-as-a-service (RaaS) groups and their affiliates, as well as private ransomware groups, use brokers.
It’s the job of IABs to look out for poorly protected organizations. They often use publicly available scanning tools to identify vulnerabilities and then indiscriminately exploit those flaws. They then carry out basic discovery once inside the system.
When a ransomware group decides to buy access to an organization from a broker, it will probably know the victim’s sector and country. It will know the initial access vector on offer, for example RDP or VPN. It might have an idea of revenue. It won’t necessarily know the specific organization until it agrees to purchase.
It’s only after purchase and after it has exploited the initial access that a ransomware group will decide whether to infect the organization, based on the perceived maturity of the organization’s controls, revenue, and sometimes sector. Groups may select victims based on initial discovery, but they do not target them.
In other words, ransomware groups aren’t eagles. They are vultures.
Yet a Google search for “targeted ransomware attacks” brings up thousands of hits, many from cybersecurity organizations that should know better. Organizations aren’t targeted because of their sector, their turnover, or their profile. They are targets because opportunistic initial access groups have the ability to find insufficiently protected systems.
Organizations get taken because their defenses are weak. And, just because the sleekest, fattest vulture doesn’t want to feast on the spoils, it doesn’t mean that another smaller, less discerning vulture won’t.
So, that small or medium-sized business might not get attacked by BlackMatter, but its access will still be for sale, probably for a few hundred dollars, and it will probably get purchased by another, less selective ransomware group. It may not have been “targeted” by BlackMatter, or indeed anyone else, but its unpatched server that’s open to the internet, or its failure to implement multi-factor authentication, or its lack of network traffic and endpoint monitoring means that it’s open to attack.
However, if the organization actively chooses to strengthen its defenses, then the vultures will stay away, because the initial access broker either can’t gain a foothold at all or is discovered in the attack’s earliest stages.
It’s no accident that sectors with multiple, overlapping, security compliance regimes are less likely to become ransomware victims. For example, data from Fitch Ratings and Coveware show that the heavily regulated financial services sector only experienced 4.4% of ransomware attacks in Q1 2020. In contrast, the three sectors most impacted by ransomware attacks were professional services, healthcare, and the public sector. Together, they accounted for nearly 50% of attacks.
That isn’t to say that targeted attacks don’t happen. Organizations that are of interest to hostile state-sponsored advanced persistent threat groups may well fall victim to targeted cyber-espionage attacks. Those attacks are comparatively rare. Ransomware attacks are not rare, and they are becoming more common all the time.
Any organization that does not take an active role in protecting itself against opportunistic attacks, to the best of its abilities, by improving its security basics and by monitoring to detect attacks at their earliest stages, chooses to turn itself into ransomware prey.
There’s no magic to preventing ransomware attacks. The means of doing so are well known. Attacks happen through the scan-and-exploit of internet-facing systems, credential abuse against single-factor authenticated internet-facing systems, or commodity malware infections. Patching, multi-factor authentication, endpoint and network traffic monitoring and detection are how to fight back.
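The “monitoring and detection” part of that list is the one most often left vague, so here is an added example (not code from the article or from Secureworks) of what detecting credential abuse against a single-factor internet-facing service looks like in practice. It parses a handful of constructed authentication log lines in an assumed `auth=OK|FAIL user=... src=...` format, flags any source that racks up a burst of failures across several accounts within a short window, and reports whether a success followed that burst, which is the moment an access broker gets a working credential. Real RDP or VPN logs use different fields, so the parser is the part to adapt.

```python
"""Flag credential-abuse patterns in authentication logs.

Added example, not from the original article or Secureworks.
The log format is constructed for illustration; adapt LINE_RE to
whatever your VPN, RDP gateway or identity provider actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source tries five accounts in a few
# seconds and then succeeds; another is a normal user who mistyped once.
SAMPLE_LOG = """\
2021-08-01T02:00:01Z auth=FAIL user=admin src=203.0.113.5
2021-08-01T02:00:03Z auth=FAIL user=backup src=203.0.113.5
2021-08-01T02:00:04Z auth=FAIL user=jsmith src=203.0.113.5
2021-08-01T02:00:06Z auth=FAIL user=jdoe src=203.0.113.5
2021-08-01T02:00:07Z auth=FAIL user=test src=203.0.113.5
2021-08-01T02:00:09Z auth=OK user=jdoe src=203.0.113.5
2021-08-01T09:15:00Z auth=FAIL user=ahmed src=198.51.100.20
2021-08-01T09:15:20Z auth=OK user=ahmed src=198.51.100.20
"""

# Assumed line layout: timestamp, outcome, account name, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into (timestamp, result, user, src) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_credential_abuse(events, window=timedelta(minutes=5), threshold=5):
    """Return {src: finding} for sources with >= threshold failures in any window.

    A finding records the peak failure count, the accounts tried during the
    burst, and the account (if any) that logged in successfully while the
    burst was still inside the window.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):          # chronological order per source
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        recent_fails = []              # failures still inside the window
        peak = 0
        users_tried = set()
        success_after_burst = None
        for ts, result, user, _ in evs:
            # Age out failures older than the window before judging this event.
            recent_fails = [f for f in recent_fails if ts - f[0] <= window]
            if result == "FAIL":
                recent_fails.append((ts, user))
                peak = max(peak, len(recent_fails))
                if len(recent_fails) >= threshold:
                    users_tried.update(u for _, u in recent_fails)
            elif len(recent_fails) >= threshold:
                # A success right after a burst is the high-priority alert.
                success_after_burst = user
        if peak >= threshold:
            findings[src] = {
                "max_failures_in_window": peak,
                "users_tried": sorted(users_tried),
                "success_after_burst": success_after_burst,
            }
    return findings


if __name__ == "__main__":
    for src, finding in find_credential_abuse(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

The threshold and window are deliberately loose; the point is not the exact numbers but that a failure burst spread across several accounts from one source, followed by a success, is both cheap to detect and exactly the pattern that multi-factor authentication on the service would have stopped outright.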
So, let’s stop talking about passive targets. Adopt the language of active defense; it’s the first step to action.
Jane Adams, information security research consultant, Secureworks