When ransomware strikes, security teams and business leaders are immediately faced with a flurry of questions, including:
“Is the vulnerability patched?”
“Does my vendor/supplier/customer’s compromise affect me too?”
“What are the implications?”
“How can we prevent this going forward?”
This scenario was top of mind for the American Dental Association and its 161,000+ members and associated businesses after it was attacked by the Black Basta ransomware group just last month. Initially, the ADA took multiple systems offline – a common step in incident response to reduce potential spread while investigations are underway. According to reports, the organization engaged third-party security services as well as law enforcement support and sent emails to members to keep them aware of the emerging situation.
Within hours, Black Basta began leaking stolen information which included details on financial forms as well as member data. This attack on the ADA is yet another indicator of an emerging trend among ransomware actors – creativity. Rather than the typical ransom request for data restoration that has become commonplace, criminals are increasingly expanding their radius.
Ransomware actors are pursuing a concerning trend. They are now taking a multi-faceted approach beyond ransoming the primary victim, which should be a concern for the ADA and its members. Secondhand victims, including dental practices and insurance providers, could be potential targets based on the data obtained in the primary ransomware attack.
In May of 2021, Ireland’s public health system, the Health Service Executive, was victimized by a ransomware attack that had significant reverberations.” In the following days and weeks, multiple hospitals connected to the public health service experienced service outages and financial losses, in addition to facing increased risk to patient data safety and access to care.
These facts point to a concerning global trend that extends the negative impact of a ransomware attack.
It’s clear that threat actors want to maximize the opportunity for payout beyond the initial ransom and potential sale of valuable data. Now, they are using the stolen information and access they’ve gained through the initial exploit to target and extort the victim’s customers, be it individuals or companies. For downstream organizations, one of the first questions when a large organization is breached is, “Will this affect me?” While the primary victim conducts initial response and investigation efforts, potential subsequent victims should focus on prioritizing actions to keep up to date on threat intel and incident response findings, in addition to proactively addressing gaps within their environment.
Targets & Techniques
When a threat actor identifies additional extortion capabilities or credentials to breach another organization, they may choose to sell this information or leverage it for their own future initiatives. In addition to monitoring for breaches within a supply chain and corporate relationships, organizations should monitor for any data being sold on the Dark Web or released in data breach dumps. Services such as “HaveIBeenPwned” can help alert when your employee credentials are exposed in a breach.
Over the last several years, the rise of the once-niche Initial Access Broker market has incentivized the resale of compromised accounts and credentials. These black market vendors are not generally the ransomware operators themselves, but a third party who sells their access to a ransomware gang and thereby accelerates the pace of the ransomware gang’s operations. When a compromise takes place, the opportunity for “pay-for-decrypt” profits, as well as data or credential/access resale, leads to double- or triple-extortion ransomware.
- Single extortion: Attackers encrypt data to extort payment in exchange for unlocking files (which is often unsuccessful). In the case of single extortion, strong backup practices are the best defense. However, criminals know backups are a common option to avoid payment and will attempt to corrupt backups. This underscores the need for offline backups and “out of band” incident communications, since any system connected during the incident, such as email, most likely can’t be trusted.
- Double-Extortion: An attacker attempts the “pay-for-decryption scheme,” but also threatens to – or follows through with – selling sensitive data/intellectual property on the dark web. Even if pay-for-decryption is avoided, brand reputation can be damaged, and organizations can be subject to fines and penalties. Before data theft can be prevented, it must be understood where data lives. Implementing solutions that allow for near-real-time alerts when sensitive data is saved, transferred, or stored insecurely is the foundation for prevention.
- Triple-extortion: This combination of single and double occurs when an attacker threatens to DDoS a corporate website or pursues specific customers and threatens to release stolen information unless payment is made. In 2020, this is exactly what occurred in Finland when more than faced requests for several hundred euros each under the threat of sensitive mental health data being released.
Diligence & Awareness
The most important takeaway from this ransomware evolution is that organizations with business connections to a breached organization, such as the ADA in this scenario, should be closely monitoring official update channels, identifying what (if any) of their own data may be at risk, and focus on threat-informed defensive measures.
The ADA attack and others like it underscore the importance of being aware of who a company does business with and ensuring that security events with possible downstream impact are being closely monitored. This may include vendors, partners, customers, etc. In today’s interconnected business landscape, there must be a plan for responding to external incidents that may have intended or unintended fallout. This requires preparation, and an understanding of trends in threat actor tactics, techniques, and procedures (TTPs).
After an attack, educate staff on the risks of phishing and encourage them to report suspicious calls, texts, or e-mails immediately. Even when systems are not directly connected, attackers may use data found in the initial breach to develop social engineering campaigns making downstream companies a target.
Additional proactive measures include changing any reused passwords that may be associated with the ADA’s systems and verifying any information or communication received regarding the breach comes from a legitimate source at the ADA rather than compromised emails that may seem official but are fraudulent.
Facing the Future
With the evolution of the strategy and tactics used by ransomware actors, it is essential that organizations have a big-picture perspective for defense, detection, and response and recovery.
Early detection of an attacker’s presence and exfiltration attempts requires understanding “normal” behavior within the environment to establish a baseline to alert against any anomalies so they can be flagged and investigated further.
While this baseline approach seems simple, it can be very complex. Achieving this holistic view of your environment requires real-time context and the ability to assess dynamic risk as new devices enter the network, employees on/off-board, and new vulnerabilities emerge. Recovery should go beyond “wipe and reimage” to include thorough checks that can identify residual signs of compromise and, wherever possible, clearly determine initial access points to avoid reintroducing the attack vector during recovery efforts.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.
Melissa Bischoping is Director, Endpoint Security Research Specialist at Tanium, a converged endpoint management platform company.