At first glance, the report this week from cybersecurity software vendor McAfee showing that the incidence of ransomware dropped by half in the first quarter seems like good news to a world that continues to feel the repercussions of the seemingly ubiquitous malware.
However, the 50 percent decline in ransomware during the first three months of 2021 has less to do with cybercriminals finding other modes of stealing data and more because of an evolution away from mass multi-target ransomware attacks that come with low returns to ransomware-as-a-service (RaaS) campaigns that target fewer but larger organizations with more customized ransomware, which in turn deliver more lucrative results.
McAfee researchers addressed the shift in ransomware strategy this week in their McAfee Threats Report: June 2021. In the report, the researchers also talked about how the proliferation of 64-bit CoinMiner applications fueled the 117 percent growth in cryptocurrency-generating coin mining malware as well as an increase in new Mirai-based malware variants that helped drive a 55 percent jump in malware targeting Internet of Things (IoT) devices and a 38 percent increase in attacks on Linux systems.
Ransomware is the Focus
But as it is with much in the cybersecurity world, there was a focus on ransomware in the report. According to Raj Samani, McAfee Fellow and chief scientist, cybercriminals are constantly evolving their techniques in order to get the highest monetary returns with the least amount of risk. The transition in ransomware has been away from trying to extract small payments from millions of individual targets to RaaS campaigns that support many more bad actors in attacks on fewer but larger organizations and extorting them for more money.
While 2021 has been noteworthy for headline-grabbing ransomware attacks like the one on Colonial Pipeline, the trend toward bigger targets had been underway before then, Samani told eSecurity Planet in an email interview.
“This is a number of years old,” he said. “We saw from 2018 Ryuk began targeting organizations, but preceding this was GandCrab and SamSam. It was really GandCrab that embraced the RaaS model. Likewise, circa 2019/2020, we saw the introduction of leak sites. Ultimately, many of these groups copy the approaches from other groups that are proving successful.”
Leak sites are part another relatively new tactic for ransomware groups looking to put more pressure on organizations to pay the ransom. Cybercriminals typically would grab hold of a victim’s data, encrypt it and then demand payment, with the promise – not always fulfilled – that once the ransom was paid, they would send a key to the victims to decrypt the data.
However, bad actors now tend to put another spin on their methods. They will steal data from their victims before encrypting it and threaten to publish the stolen data on the “leak sites” and then alert the media about the attack. The names of the dozens of groups that threaten to leak data include MAZE, AKO, REvil, DarkSide, Ranzy Locker and Ragnarok.
DarkSide in particular has a high profile these days. Most researchers say the Russia-based group was behind the ransomware attack on Colonial Pipeline, a company responsible for much of the gas distribution in the Southeastern United States. The company had to shut down some of its operations, which led to shortages and long lines at gas stations throughout the region. Colonial eventually paid almost $5 million (75 Bitcoins) to the attackers for the decryption key, which turned out to decrypt so slowly that the company had to rely on its own backups to restore service.
According to reports, the group had also stolen about 100 gigabytes of data from Colonial servers before the onset of the malware attack.
Ransomware Subject of High-Level Talks
In their report, McAfee researchers noted that ransomware in general – and DarkSide in particular – “resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that make digital investigations challenging with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.”
Further reading: U.S. Issues Ransomware Guidance, Cybersecurity Executive Order
The McAfee researchers also wrote that while the Colonial Pipeline attack got a lot of the headlines, attacks ransomware groups Babuk, Conti, Ryuk and REvil preceded DarkSide’s campaign, with RaaS schemes that targeted larger organizations, most of whom were hit with custom-created variants of a ransomware family. REvil – which federal law enforcement said was behind the recent attack on JBS Foods – was the most detected ransomware group in the first quarter, according to the McAfee report.
RaaS affiliate networks enable bad actors to reduce the risk of large organizations’ cyber-protection technologies detecting them, which in turn improves the chances of the attacks working and the ransom being paid. Campaigns that use a single type of ransomware to target many victims tend to be “noisy,” which leads to systems eventually beginning to recognize and block them.
Shift to RaaS
This ongoing shift to RaaS also can be seen in the decrease in prominent ransomware types, from 19 in January to nine by March.
Such RaaS efforts shows that cybersecurity researchers and the IT world as a whole should be looking more at the impact of ransomware attacks rather than the volume, McAfee’s Samani said.
“Whilst the volume of ransomware families may not be at the same prevalence as before, those groups that still remain in operation are finding more innovative approaches to compromise and extort higher payments,” Samani said.
Feds Step Up Response
The federal government has become increasingly involved in pushing back against cybercrime, particularly ransomware. The Department of Homeland Security (DHS) for a couple of years has urged ransomware victims not to pay the ransoms, fearing that the money would help fund even more attacks. In addition, the National Security Council earlier this month sent a memo to U.S. companies urging them to take the threat seriously and outlining steps they can take to protect themselves.
In addition, the U.S. Cybersecurity and Infrastructure Agency (CISA) and FBI issued an alert with guidance based on the MITRE ATT&CK framework for protecting critical and the Biden Administration issued an executive order to review and improve the federal government’s cybersecurity preparedness and response. DHS issued cybersecurity requirements for critical pipeline owners and operators.
Ransomware Isn’t Going Anywhere
Rita Gurevich, founder and CEO of cybersecurity firm Sphere, said businesses can expect ransomware attacks to continue, noting another change in strategy.
“A few years ago, ransomware was primarily focused on targeting consumers, but recently we have seen the switch to the more lucrative corporate arena,” Gurevich told eSecurity Planet, reacting to news of new REvil attacks on clothing firm French Connection and medical diagnostic company Grupo Fluery. “These attacks have become more sophisticated, transitioning from the known phishing strategy using a bulk email approach to a spear-phishing strategy, which are highly targeted, harder to detect and have a much higher success rate. The ease of which ransomware can be conducted is also an issue as ransomware software can easily be purchased on the darknet.”
She also noted that “recent actions by the federal government and corporate initiatives have changed the narrative from one of response to prevention of ransomware attacks. The focus for IT and security professionals is now on ensuring backups are in place, increasing training for users and [leveraging] an effective access governance model. IT and security professionals also need to adapt to their new environment where the skillset they successfully employed a few years ago may not suffice against the sophisticated ransomware attacks of today.”
While the rise of RaaS is the primary driver for the drop in overall ransomware instances in the first quarter, it’s not the only one, according to Samani.
“We see that trend in cybercrime almost every year after Christmas and holidays,” he said. “There is a post-holiday slowdown, then the first quarter shows a ramp up, then a dip during summer as cybercriminals need a vacation, too. Then we see a ramp up again towards the end of the year, perhaps as criminals need money to buy Christmas gifts.”
Top Ransomware TTPs and Defensive Steps to Take
Adversary emulation vendor Scythe this week released a report on the top ransomware tactics, techniques and procedures (TTPs). Below is a table of the MITRE ATT&CK TTPs followed by protection steps recommended by Scythe.
Top 10 ransomware TTPs or behaviors used by Conti, DarkSide, Egregor, Ryuk, and Maze ransomware
|Initial Access||T1078 – Valid Accounts|
|Execution||T1059.001 – PowerShell|
|Command and Control||T1071 – Application Layer Protocol and T1573 – Encrypted Channel (HTTPS)|
|Discovery||T1082 – System Information Discovery
T1057 – Process Discovery
|Privilege Escalation||T1053.005 – Scheduled Task/Job: Scheduled Task|
|Collection||T1074.001 – Data Staged: Local Data Staging
T1560 – Archive Collected Data
|Exfiltration||T1041 – Exfiltration Over C2 Channel (HTTPS)|
|Impact||T1486 – Data Encrypted for Impact|
Scythe’s 10 ransomware recommendations
- Enable multi-factor authentication on all user accounts (Internet first and then internally), especially anywhere requiring privilege access as valid accounts is the main method of initial access.
- Detect and alert on execution of PowerShell, which is the top execution method discovered by ransomware. Tuning will be required to lower the quantity of events due to solutions that leverage PowerShell.
- Implement a proxy for outbound Internet traffic, as HTTPS is the top command and control technique.
- Detect and alert on systems that continually call out to a particular domain, as this is behavior of command and control traffic.
- Monitor the amount of traffic going outbound to detect exfiltration.
- Detect and alert when new scheduled tasks are created.
- Establish and test backup and recovery from offline sources.