Ransomware is nothing new. But the tactics, techniques and procedures (TTPs) leveraged by threat actors have reached new levels of sophistication over the last few years. And with that growth has come an increased difficulty in protecting networks against costly attacks such as the recent DarkSide one on the Colonial Pipeline.
Initially, threat actors solely used ransomware-related malware to restrict access to user data by encrypting files on individual or organizational devices. In return for the decryption key, victims were required to pay a ransom in Bitcoin. The malware at the time typically spread via malspam, also known as malicious spam. Malspam is a prevalent and effective method for delivering emails in bulk containing a malicious link or an infected document. Once a victim has opened the file, a macro runs in the background and infects your devices with a piece of malware designed to encrypt files. If you don’t pay the ransom or don’t have a set of backups, you lose all data on the device. A well-known example of this is the Necurs botnet used to distribute Locky Ransomware via Malspam campaigns in 2016.
Since then, we have seen an evolution in ransomware attacks affecting corporations, hospitals and government agencies. And because some victims refused payment, threat actors began to develop ingenious ways to infect more devices. For example, instead of relying on malspam and tricking someone into clicking on a link, they started using exploits to compromise and infect devices with vulnerable remote misconfigurations. A well-known example of this is the WannaCry ransomware attack in 2017, which targeted Microsoft Windows machines via a vulnerability in the SMB protocol, enabling threat actors to infect and worm their way across networks, infecting more than 200,000 computers worldwide.
And once again, since some victims had adequately trained their staff or refused payment because they took precautions and had backups, threat actors began to develop additional ways to put added pressure on their victims. In 2019, ransomware groups DopplePaymer and Maze did just that by doubling down and exfiltrating victim data. Thus, if victims decided not to pay the initial ransom because they had backups, they were threatened with the release of sensitive financial, customer or personnel data. Unfortunately, this type of double extortion has become more frequent over the last two years, primarily because threat actors view exfiltration as a backup plan in the event their victims decide not to pay for decryption keys.
Consider the recent ransomware case involving the D.C. Metropolitan Police in which threat actors who call themselves Babuk claimed to have stolen more than 250 GB of data, which they said they would release if they were not paid. Babuk even posted screenshots of the ransom note, including sensitive information about the department, which cybersecurity researchers - and then the media - picked up. This data was later taken down by Babuk, reflecting a good faith effort during negotiations. Unfortunately, the data was re-uploaded to the site after negotiations failed.
The same strategy was taken in the recent REvil attack on Apple supplier Quanta Computer, in which threat actors threatened to leak files if Apple didn't pay a ransom. It then posted diagrams of upcoming Apple laptops and threatened to publish more secrets if Apple didn't pay. That information has also been taken down, suggesting some negotiations may also have taken place to end the threat of additional leaks.
Today there may be close to a dozen or more ransomware groups on the dark web that leak sensitive files to prove that data was stolen. The leak is often amplified when the media picks up on it, and the world soon learns about the latest ransomware victim. In the case of Apple, a journalist wrote an article about what devices were coming out based on leaked content, creating extreme pressure on Apple to protect its intellectual property. This raised the question about whether a journalist who covers revealed information is helping threat actors to apply pressure on the victim.
To make matters worse, we now see an added complication to ransomware – a triple extortion threat – exemplified by ransomware group Avaddon. Not only does your data get encrypted and exfiltrated, but if you do not respond to the original threat for payment or the threat of a data leak, attackers may then launch a DDoS attack against your services as a way to bring you back to the negotiation table.
DDoS has traditionally been associated with only one form of extortion, Ransom Denial of Service (RDoS). This is a type of attack where threat actors launch a DoS attack against a victim's network and then demand a payment in Bitcoin to stop. But piggybacking this with ransomware, as with Avaddon, is relatively novel. It confirms the growing underground economy in that threat actors can now inexpensively rent attack services or keep affiliates on the payroll for additional pressure when required.
So, what can we do to prevent additional layers of pressure by ransomware groups? Not much, to be honest. Eventually, due to resistance of the threat actors’ current TTPs and failure to pay, ransomware groups will find new ways to pressure their victims into paying. There is too much profit involved for threat actors to walk away. In the beginning, you could survive a ransomware attack with adequate backups. But then the exfiltration of data made backups alone inadequate. Now, even if you believe you can withstand the public exposure of your sensitive data, you must also be able to protect your network against a DDoS attack. What’s next?
Today's threats, without a doubt, require full-spectrum solutions, but nothing will change the threat landscape without firm action from governments around the world. No task force against ransomware will solve this unless we are ready to address international loopholes and arrest criminals who operate with impunity from specific regions in the world.