Ransomware works. That’s the simplest way to explain why incidents of ransomware attacks have sharply increased over the last year — with no end in sight.
The number of ransomware attacks has jumped by 350 percent since 2018, the average ransom payment increased by more than 100 percent this year, downtime is up by 200 percent and the average cost per incident is on the rise, according to a recent report from PurpleSec.
Groups with names such as Ragnar Locker, Ryuk, Egregor, Conti and many others are ruthless, well-funded and willing to target anyone; from COVID-19 vaccine manufacturers, retailers, banks, local governments and schools to get their payday.
Hospitals Hardest Hit by Ransomware
Since the start of the pandemic, hospitals have been particularly hard hit.
The situation became so dire in the fall that the Cybersecurity Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and U.S. Department of Health and Human Services were forced to issue a bulletin warning about “credible information of an increased an imminent cybercrime threat to U.S. hospitals and healthcare providers.”
Rising ransoms have also helped evolve ransomware from what was historically a basic scam run by ragtag criminals into a professionalized criminal organization with deep benches of top cybersecurity talent.
With the threat of ransomware attacks being ratcheted up every day, Threatpost gathered a panel of ransomware experts together on Dec. 16 to help unpack the current landscape, but more importantly, get ahead of the next, inevitable attack.
“Cybercriminals do what works,” Austin Merritt, cyber-threat analyst from Digital Shadows, told the audience during the webinar. “You know, it works well for them. Pressure tactics are working great.”
Super-fueling the explosion of ransomware crimes is the technical barriers to pull it off are lower than ever, thanks to established players selling ransomware-as-a-service options.
“And you don’t just get cybercriminals doing cybercrime, there are really organized gangs that are added as well and they’re the ones that are causing the biggest trouble,” Limor Kessem, executive security advisor for IBM security and Threatpost webinar panelist, said during the event.
While IT departments will undoubtedly lead efforts to shore up defenses against attacks, including backups, patching, updating and employee-awareness training, our panel of experts agree that preparing a critical-response plan which includes the entire organization — from the executives on down the org chart — is the best way to minimize cost, damage and downtime.
Ransomware Business Intelligence
Critically, organizations can’t discount whether the stolen data might have value for someone else willing to pay.
“It’s actually about the information that’s potentially stolen as well, which a lot of times can be much more costly for the company than the ransom itself,” Mellen said. “What’s interesting about the role of cyber-insurance and ransomware is that ransomware attacks actually accounted for something like 40 percent of cyber-insurance claims filed in the first half of 2020.”
She advises companies not to rely solely on insurance for protection at the expense of investing in security infrastructure, but instead try to strike a careful balance between the two.
“I definitely see the value of cyber-insurance. Absolutely,” Mellen explained. “I think it’s an important part of a strong security strategy, but at the same time, now that these attacks are really more targeted, especially when it comes to these ransomware attacks, my question is, is this the best place to be investing so much of your money, and where’s the limit there?”
All three panelists agreed that cyber-insurance is not a substitute for security, but the consensus was best summed up by Merritt who added, “So, there are a lot of different angles there, but I would not want to be an organization that regrets not having cyber-insurance at the end of the day.”
Paying ransoms aren’t necessarily the answer. Our experts point out that paying the ransom doesn’t ensure your data won’t be sold anyway. Worse, Kessem explains there are rules and regulations prohibiting paying ransoms to operators in countries on the U.S. sanctions list. Besides running afoul of the feds, paying money to fund state-sponsored terrorism isn’t a good look for any company.
Ransomware attacks might be simple to pull off, but they create a tangled mess of complicated questions for organizations. Until we can achieve what Kessen explained as “breaking the business model” of ransomware, a combined technical incident-response plus business-recovery plan for response is the best offense.
“So I really think you have to think of it from a multi-faceted way,” Merrit said. “There’s so many ways they can get in. What can you be doing? How can you be on top of things to avoid getting to that point where you’re saying, “oh my god, do I have to pay a ransom?”
For more, watch the entire Threatpost webinar, What’s Next for Ransomware, recorded on Dec. 16, available free and on-demand here. It features experts Limor Kessem with IBM Security, Allie Mellen with Cyberreason and Austin Merritt with Digital Shadows and hosted by Threatpost’s Becky Bracken.
A lightly edited transcript of the webinar follows.
What’s Next for Ransomware
Becky Bracken: Hi, Everybody. Welcome to Threatpost’s holiday edition of our webinar series. Today we are going to be talking about important topic: ransomware. So, I want to welcome everybody here today. I know it’s been a crazy week. So hopefully this will just be an hour for us to take a breath and look a little bit ahead rather than what’s right in front of us and what we’re weeding through right now.
Before we get started, I want to introduce myself. I’m Becky Bracken, I’m with Threatpost, and I’ll be the host of today’s conversation. Let me introduce Allie Mellen, security strategist with Cyberreason in the office of the CSO. She’s a computer scientist. She spent the last decade working, both for venture capitalist, backed startups, non-profits, and on the research side with roles, with MIT and BU. So, welcome very much to you.
Let me go ahead and introduce Limor Kessem. She’s from IBM Security, she’s a world-class authority on emerging cybercrime threats. And we are thrilled that she’s been able to make it and share her insights. Welcome.
We also have Austin Merritt. He is a cyber-threat intelligence analyst with Digital Shadows. Prior to joining Digital Shadows, Austin served in the U.S. Army as a Human Intelligence Collector with a concentration in the Russian language, which no doubt comes in very handy in your work today.
So welcome all of you. Were thrilled to have you.
To get us started, I wanted to go through some of the headlines. We know them. We’ve seen them there everywhere. But just recently, DHS attack in the attacks on the U.S. infrastructure is huge. Hospitals are being pummeled by ransomware attacks and then we’ve got retailers like Kmart. It goes on and on and on. No, industry is immune. No organization is too large or too small. We know this. And so the goal today is to try and get ahead of what the next attack.
To get us started, I would love the audience to answer our poll question. Pretty simple. “Have you dealt with a ransomware attack in the past 12 months?”
Let’s launch this. You should see it on your screen. Just answer yes or no. We just want to know if this is something you’re currently grappling with or are trying to get ahead of us.
Our responses are coming in, And it looks like a sizeable portion of you have not dealt with them yet which is great news so we are right where we need to be.
All right. We’re going to go ahead and close that poll, so if everybody could get their answers in.
All right. So, like I said, 77 percent of our respondents in the audience said no, they haven’t and 23 percent said, yes.
So, that’s a pretty interesting metric.
We’re gonna start today with Alie, who’s going to frame for us why because ransomware isn’t new, ransomware isn’t novel, why is it still such a big deal? Why is it still having such a huge impact on so many organizations right now? Maybe you can kick us off with your thoughts on that.
Allie Mellen: Yeah. I’ll start with the defender side, and then maybe we can jump into the attacker’s as well on the Defender side. Ransomware is still a big deal because it costs defenders a lot of money. When it happens, and we’re not just talking about the ransom payments, although that does cost money as well, but we’re also talking about things like business continuity and just actually not being able to perform the functions that you need to. The. A great example of this that you mentioned, Becky, is hospitals.
When hospitals are hit, people die, and that is a huge, huge toll to take for any type of organization, of course. But hospitals, especially, we also see this with any type of organization that needs, as close to 100 percent uptime as possible, also known as the five nines.
And so, if they are impacted by a ransomware attack, it can cause major issues for them, and for their business, as opposed to just one-time ransomware payment.
Becky Bracken: Austin, do you have anything you want to add to that?
Austin Merritt: I would like to add that, you know, like a lot of cybercrime that we’ve been seeing throughout the years, cybercriminals do what works. You know, it works well for them. Pressure tactics are working great.
And by going after hospitals, like you mentioned, they’re really going after the, I guess, the sweetest spot of what information security is about. I mean the first and foremost thing is we want to make sure that there is no loss of human life, that’s like the top priority before everything else.
So this is where they find themselves, you know, having success and also threatening the things that matter most you.
Limor Kessem: Yeah, I think Allie hit on it with talking about hospitals and just the … pandemic in general. We’ve just seen so many different areas for threat actors to exploit and when they use high pressure tactics. Particularly in a healthcare environment, when you’re talking about a life, you know, life and death situation. You’re putting people in a position to where they, they feel like they have to pay a ransom. And they might not feel like they, they have another option.
And when someone’s life is on the line, unfortunately people are taking advantage of that. And it’s causing huge problems, but not just in the healthcare industry.
We’ve just seen a huge uptick in which we will talk about later just different pressure tactics that we haven’t seen as much as we have this year.
And I think the remote workforce has really given them a great opportunity to exploit many different avenues.
Allie Mellen: Yeah, from the attacker perspective, also like ransomware we all thought ransomware is going to fade away a few years ago or many people did, but in reality, it surged back into more advanced way than ever the past few years. And I think that that’s really because traditional ransomware is about that thing. It’s that immediate initial access and deploying ransomware and then getting the ransom payment moving on, It’s very spray and pray automated, not really worried about who it’s targeting, just wanting to target as many people as possible.
In contrast we’ve seen the average ransomware payments skyrocket over the past few years, and really a shift towards a different type of ransomware, that is not about that big thing. It’s about the slow burn, it’s about getting access to the environment, and then spreading as much as possible moving laterally. And then ultimately also gathering as much important data as it can, and … trading it back to the C2 server.
So it does all of this slow and low quietly before it’s actually deploying the ransomware at the right moment. And once it’s able to do that, it gets a double pay off, because it can go the extortion route, it’s going the ransom route, and it can also just sell it some of that data on the internet.
So, it’s interesting to see it evolving, and kind of, even when we thought that it was going to kind of die out, they just found a different way to make it even more profitable for themselves.
Becky Bracken: Do you want to talk a little bit about this slide where the, the evolution? I think this is a really interesting snapshot of how progression has happened.
Allie Mellen: Yeah, Great. Thank you. As I was saying before, this is potentially much more lucrative. And we’ve also seen that over time, there’s been kind of a specialization between different malware authors.
For example, a great example of this is Ryuk, it’s very good at being ransomware, But it’s actually acting to combine with other types of malware, like for example, TrickBot for actual deployment, because that’s one thing that TrickBot does that very well.
So we’re seeing that different types of malware are being adopted to make one even stronger malware. Like almost like a transformer It’s this thing that makes it so that you can actually not have to worry about making those parts yourself Specialize in what you need to specialize in and then gain the benefits from that.
Limor Kessem: So, I think that, you know, if we’re talking about the evolution of it, and, you know, you talked about it in the beginning, about the spray-and-pray attacks and the automation, everything, we still have that. And all those ransomed as a service, stuff that you’d find in any underground forum.
We can find ransomware that can be simply grabbed for free,from some sort of a hacking site. All these automated attacks are just done by would-be criminals, people who dabble in cybercrime, and find it to be something that they can try out.
So, this is where the attack begins as O.K., let’s, you know, infect them with ransomware, but it turns into a targeted attack. You know, it might start as opportunistic in the beginning.
And it turns into, you know, having all the characteristics of a targeted attack were now they’re gonna dig through their network and escalate privileges, we then move laterally until they find you know what they’re looking for. And, eventually, it’s going to be the day when, you know, they’re gonna wait for a weekend or a long weekend, holiday, whatever.
And that’s where they’re going to really just start the entire encryption process at that point.
And you don’t just get cybercriminals doing cybercrime, there are really organized gangs that are added as well and they’re the ones that are causing the biggest trouble.
Those are the ones who are asking hospitals to pay $42 million.
I think that we’ve also seen how much more ransomware-as-a-service is being offered and used. Really just as its own software-as-a-service there. We have these people who are non-technical or who are just really looking to make some money. And they’re able to use these tools to get in on this.
Or, you could develop it within no time. I mean, you know, some people have kind of followed some users in the underground from being zero to hero kind of thing, and they saw that it took them very little time to get up to speed.
Some of these affiliates, you can subscribe for access to the malware like with Egregor ransomware. They might even be able to bypass a vetting process, if a ransomware group just has such a monopoly and can make so much money, the more affiliates they have going out and spreading the ransomware form, the more money.
And on top of that, it just makes attribution so much harder if you don’t have just one organization using it but a variety of different cybercriminals taking advantage of it back to you.
Allie Mellen: I was intending to use this slide to talk about the evolution of ransomware. And the way that we’ve seen it grow from just traditional ransom, payments to this much more lucrative form of data stealing and ransomware payments.
And this timeline just shows some examples of ransomware and the different types of ransomware that have cropped up over the past 20, 30 years.
So it’s not something that I anticipate will go away, even though it may have quiet times. But I’m sure we’ll talk more about this later in the presentation, the different trends that we’re seeing with ransomware and how it’s going to evolve again.
Becky Bracken: OK, well, now we’re going to talk about models, double extortion, dump sites, copycat crimes, DDoS attacks. And what we’re talking about is business intelligence, intelligence gathering, what Allie called that slow burn, hanging out in the network and seeing where the pressure points really are.
Austin Merritt: Yeah. So I wanted to talk about some of the pressure tactics they’re using. and double extortion has been so prevalent this year.
So double extortion involves extracting large quantities of sensitive data before applying the encryption lock from the ransomware event. So the encryption lock is, you know what a victim sees on their screen, the skull and crossbones, saying, hey, you need to pay a ransom. At the same time they’re taking the data that they’ve stolen and they’re putting it on their, their data leak site. So why is this important?
Well, the files are taking our sensitive customer information, it could be proprietary data, personally, identify it, personally identifiable information, anything they can use. They can repurpose, they can sell it or they can even auction it.
So I think before 2020, this tactic was not as popular. I think it really became mainstream late, 2019, early 2020. And, you know, before it was the ransomware operative research, we’re saying, give us some way to get your files back. Now, they’re saying the same thing, but they’re also saying, we will expose your files to the public and they can be used against you.
So, that creates more pressure on a victim organization to give money back.
And it’s not just small-and-medium organizations, even though those are likely to be targeted just because they might not have the robust security infrastructure that a bigger organization may have, but you’re also seeing for example, Garmin was attacked, Carnival was attacked. Garmin ended up paying $10 million. And that’s a big company.
So they’re going after these big companies on the hope that they’ll pay out a big grants and payments.
Limor Kessem: Yeah, and you know what? There are some cases where I’m located in Tel Aviv in Israel, so one of the cases they skip the ransomware altogether. They just said, hey, we’ve got your files, pay up or we’re exposing them on the internet.
The company didn’t choose to pay and they had been exposing a ton of information most recently the CEO’s passport.
They encrypt a lot more data than they’re able to exfiltrate, because it’s probably going to show up somewhere on the network. And tons of information going out. They take the time to do it, so they take some critical stuff or some customer information wherever they can find that would be of value and would put that pressure on companies.
And also, they’re quite aware that pressures can come from regulators from having to pay fines to regulators, from reputational damage, from customers leaving and these kind of strains and churn, and the business can actually cost businesses 30 percent of their income. I mean, this is really a very heavy amount of money to lose. And criminals know that. They calculated.
They look at how much a company makes, and they’re planning it so they can pressure them in with an amount that would kind of maximize what they can get from them, and still make it worse for them to pay, rather than not.
Becky Bracken: So, it’s an extraordinary aspect of their ability to pinpoint the price that, you know, is just enough, you know, lower than the price, just to make it just a bit less painful to pay. Can you talk a little bit about that? The ability of them to set these very pinpointed prices.
Limor Kessem: The ransoms when we’re dealing with organized crime kind of criminals that are like Austin mentioned, you know, get a big company to pay $10 million. That is, you know, your everyday people. These are people who are just as intelligent as their counterparts on the better side of the of the screen.
They’re looking at what are companies making? What kind of revenues are they looking at? What kind of fines will they have? How much data are they able to get from them that will actually cross the threshold of having them find a certain amount?
They’re looking at all these things. These are highly intelligent people. We look at the codes they develop, we look at the work they do, they have so much operational security and so many other aspects of the attack are so sophisticated that this just stands to reason. You know, I can see how they’re just sitting there looking at it.
Becky Bracken: OK, Austin. Let’s talk a little bit about copycats.
Austin Merritt: So when we think when we think of copycats, there’s quite a few different things that are being copied by other ransomware groups. And we saw a lot of groups copying Maze, because Maze had such a foothold earlier this year in the in the ransomware field. But we had a number of groups going to the double extortion method, and ransomware-as-a-service model.
Yeah, with the ransomware-as-a-service model, we saw so many ransomware groups just trying to do exactly what a big group might do. Because they’ve been the most successful. They’ve earned the most money. They’re like, “how can how can I model that behavior and earn more money?
And so one of the things that that Maze did, which was kind of interesting, was called data leaking as-a-service at their height, before they went defunct back in November (or they claimed they were but then Ragnar Locker ransomware group started posting some of their information on their site). And, the way that this worked was by hosting their leaked data on Maze news, they gained more notoriety because their strain, may or may not have been, as well known as Maze. And Maze was making money off of this. And, because it worked, Ragnar Locker said hey, we could do this too.
But we’ve also seen the auction platform took place on Maze, which is basically taking this stolen data and auctioning off to other cybercriminals. And the site called Happy Blog they were doing the exact same thing. They were actually auctioning off data on celebrities earlier this year.
So, yeah, it’s, it’s, it’s just pretty amazing to see, how they’ll model their behavior after one group, just because of the amount of success that they’ve had, they’re working to publicize these dump sites, right. They want everybody to know, to troll and to continually chat, right?
Becky Bracken: Because it’s about drawing those consistent eyeballs on this compromised data, right?
Austin Merritt: Yeah, it is, because depending on what the intention of the ransomware operator is, the more attention they can attract to either the victim organization to pay the ransom, or to other cybercriminals out in the field that may be interested in this data, to repurpose it. That’s good business for them.
So they know that this is just one other way to get people to pay up.
They were posting the majority of organizations data on their sites compared to other groups. The other ones were relatively similar. Maze decided that they were going to shut off the site, It’s still up, but they haven’t been posting other organizations’ data on there.
Becky Bracken: But what do we think has happened in there?
Austin Merritt: So what we’ve seen inQ4 2020, the Egregor ransomware variant kinda filled that void. As of December, they accounted for 41 to 41 percent of the incidents that we’ve taken in.
So that’s accounting for a lot of organizations. And a lot of security researchers think that the Egregor ransomware could just be the same operators, the Maze operators. One of the reasons being, the obfuscation techniques that they’re using are similar. The ransom note that Egregor is using is similar to Maze, and the news and the data leak site follows a similar naming format.
The timing kind of makes sense. Why would Maze just stop posting things and then Egregor immediately fills that void and post just as many organizations if not more.
Becky Bracken: Allie do you want to talk about single-stage ransomware?
Allie Mellen: Yeah. These slides are just meant to show what we’ve been talking about here with the difference between traditional ransomware and current, more modern and evolved models so to speak.
So you can see here, single-stage ransomware really starts with that initial access. Sometimes they’ll look to gain persistence. Sometimes they won’t. Before ultimately, after detonating the ransomware, they immediately look to get the ransom paid.
And if you go to the next slide, you can see that comparison with multistage ransomware, which has additional steps, which here are highlighted in yellow, showing that credential stealing and lateral movement, and then actually selling that data, or using it for blackmail, so it’s kind of just a way to visualize what we’ve been talking about.
We have an elite research team at Cybereason called Nocturnus and their whole job is to do research into the latest and greatest threats that we’re seeing. And this is one example of that, the goal is really just to share with the community and also, of course, make our own products better. This one in particular is called Anchor.
It is a hacking operation that’s targeting financial services industries. Specifically point of sale systems. And it was able to impact the U.S. and Europe.
I think we saw this in December of 2019, so just about a year ago today.
If you can go to the next slide, this is a timeline of the attack, so that people can actually see what’s going on in each stage.
But it starts with initial access, of course, through a phishing e-mail and is able to download and inject TrickBot into the existing machine.
From there it goes to the discovery stage is performing reconnaissance activity. It’s looking to connect to the C2, and it’s gaining more information, like, what operating system version.
This is on, seeing if this is a high value target, or if there are others that it should target, before really jumping into that interactive hacking. And this is where we’re saying, it’s really important that this is the type of attack that you see, when an attacker is really targeting specific organizations or specific individuals. This is not the type of automated spray-and-pray ransomware that is really that single-stage version. But what’s interesting here is the attacker uses this to access the domain controller, really move laterally implant some other types of malware like CobaltStrike and then just exfiltrate as much data as it can.
Once it’s done that, it deploys the ransomware.
So this is a real live example of something that we actually saw in environments that we monitor of a multistage ransomware attack, and of each part of that, and really that hacking operation that ends with ransomware.
Becky Bracken: OK, well now we’re going to get into something I think is really interesting and really forward-thinking, and this is something we touched on before, which is the pricing of ransomware, but also this rising role of cyber-insurance in discussions about paying ransom and how to deal with these attacks. So, let’s start another poll, which I think is an important one.
We want to know, do you have cyber-insurance, does your organization carry it now? And is this something you’re considering right now? So go ahead and take a minute and answer that.
And it’s interesting that there’s already a huge number of you who are saying, Yes, we do, or no, but we’re considering it.
So, this is something that most businesses in most organizations are having too, think about, and we want to help provide you with a little bit of expert advice on the best way to think about it.
So I’m going to go ahead and close this poll.
What we came up with was 45 percent of you, responded that yes, you have cyber-insurance. Currently, 16 percent of you say no, not not, but we’re considering it.
So, that’s a sizable number, 39 percent of you say no. So, I really want our panelists to unpack this and to talk about what you really need to think about in terms of cyber-insurance.
Allie Mellen: Yeah, so as I mentioned earlier, the average ransom payment has skyrocketed and ultimately, this is due to a couple of things. It’s not just as we’ve mentioned, it’s not just about the ransom. It’s actually about the information that’s potentially stolen as well, which a lot of times can be much more costly for the company than the ransom itself. What’s interesting about the role of cyber-insurance and ransomware is that ransomware attacks actually accounted for something like 40 percent of cyber-insurance claims filed in the first half of 2020.
So it really is something that a lot of people are using in the context of ransomware attacks that they’re being hit with, But my question, like I definitely see the value of cyber-insurance. Absolutely.
I think it’s an important part of a strong security strategy. But at the same time, now that these attacks are really more targeted, especially when it comes to these ransomware attacks, my question is, is this the best place to be investing so much of your money, and where’s the limit there?
Because potentially, if you know one organization has cyber-insurance and you know that they’re more apt to pay out the ransom, because of that, would you really make these organizations? Would that make them a more compelling and appealing target?
Or, is that something that, that may be you, when you think about your security strategy, you’re considering implementing less controls, and putting more money towards cyber-insurance? Because that’s the situation where I think it would really be a negative and a detriment to security teams. But I know Limor and I were talking earlier, and she had some great thoughts on this, so I’d love to pass it over to her.
Limor Kessem: Sure, though, I think, First of all, I agree with you, I don’t think attacker’s know who has cyber-insurance or not, but they probably could use that in the negotiation. Or, you know, how there are some companies that negotiate the ransom payment for companies.
They could throw in, hey, if you have cyber-insurance or include that in the mix of how they want to convince and pressure companies to pay. But, you know, when we look at cyber-insurance, although it became a very popular and, you know, seemingly, just like that, everybody has it, know the payouts for it, and maybe not as evident because, you know, insurance ultimately will look to cover themselves. They’re not out here to make enormous payments now for every attack, then that’s just escalating. That’s not good business.
So, they’re looking for, you know, who’s a co-operator, how much you’re gonna pay out, how much you’re not going to pay out, where can you not pay at all? And so on insurance, I don’t think it’s something to lean on, per se.
And cyber-insurance is definitely coming to the table as one more layer, or one more layer in decisions to perhaps pay, or how to pay for costs for recovering.
Let’s say, if the company does not want to pay, it’s still costing them a ton of money to recover from the attack, they might want to try to cover that from their insurance company.
And so this is definitely becoming a part of the whole ransomware overall game plan. What to do. How to recover. Do we pay do we not pay?
And I think it’s an important thing, but like you said, I don’t think it comes as a replacement for security or for security controls.
I know that insurance, as a rule, you know, has a role within the security program as a transfer of liability, you know, if I have a certain risk, I don’t want to accept the risk. How would I transfer that liability and a transfer the risk to mind? Sure.
So, again, I hope to see companies invest more in their security, then insurance, although it is an important layer to have there as well.
Allie Mellen: I think it’ll be really interesting to see how big a role it plays, because one thing I was reading about, of course, SolarWinds and everything that’s going on there. And one of the key points that an individual writing about it made was that potentially one of the reasons that SolarWinds was such an appetizing target is because they advertise all of their customers or many of their high-profile customers on their website. And so, my question is, maybe as cyber-insurance gained prominence, we will see the same thing there. Where ransomware authors will take a look at those customers of cyber-insurance in particular and see if they maybe would be willing to pay out more, but I agree, it is potentially too early to see if that actually comes to fruition.
Austin Merritt: Just gonna say, like Limor said, there’s no substitute for improving your security, but you don’t also don’t want to be an organization that wishes you had cyber-insurance after an attack. So, I think putting emphasis on security should be at the forefront, especially like hardening. Maybe having outside penetration testers testing that security infrastructure, those firewalls.
Because if you’re just doing it in an in-house penetration test to test your security or a vulnerability scanner, you might miss something that an outside experienced hacker could actually exploit and find on their own. So, there’s a lot of different angles there, but, uh, yeah, I would not want to be an organization that regrets not having cyber-insurance at the end of the day.
Becky Bracken: OK, let’s move on to emerging tactics and trends. Limor this is your bit here, so start walk us through what we’re going to be seeing.
Limor Kessem: Although our poll showed that not a lot of our participants today have experienced a ransom attack, we do see that it’s becoming the bane of security nowadays. It started somewhere in 2016 to really pick up speed, and at this point, we’re just seeing it across networks. And unfortunately, I think it’s still gonna get worse as long as it works, as long as we don’t break that business model, and we don’t find ways to do it by pulling in law enforcement, by pulling in whatever we can.
In order to break that profit model for cybercriminals, are probably going to see it just getting worse. And more companies getting targeted by these attackers are probably less experienced. Attackers also going after lower hanging fruit. And going after small to medium businesses, you know, they don’t have to ask for $42 million. Maybe they can ask for $1 million from smaller businesses, which can still be very impactful. So we’re seeing that ransomware and cyber-extortion have become one and the same, and instead of dying down getting worse.
On my slide that you’re looking at, you can grab a few words on what we’re seeing from experts actually, that ransom demands are obviously increasing. Yeah. It works. They’re going after bigger companies, when they ask for that $42 million. One went after a whole hospital chain.
So it wasn’t just one hospital, there was actually a bunch of them grouped together, which, you know, total income still makes for more money. We’re seeing that business is booming for these. Ransomware is like if we’re talking about …, know, Austin was saying how they have been publishing stuff and selling and auctioning stuff off.
Their most recent claim is that they got data on President Trump’s spiritual advisor. They want to go and publish that person’s data. So God only knows what’s in there and how many confessions. But, you know, it’s going good for them, they have data to sell, it could be interesting. Now that’s not the first time that President Trump’s data was being captured by cybercriminals.
And we’re seeing that attackers are finding schools and universities to be a good target for them. And this is quite obvious, when you have an organization with so many people in it, you need security awareness. It’s completely different from a company.
Being a CISO for a university is a lot harder than being the CEO of a company, where your security program is or should weigh in. Here, you have students working from different places, and coming into the network from everywhere now, with the coronavirus, it’s everywhere, but for the universities it’s always been like that. So I think that this is another reason where criminals are looking to interrupt what’s going on in universities and school and everything.
Yeah, of course, attacks on healthcare, this is the most obvious thing.
You always have to think like a criminal. Obviously, we would go after the organizations that are most sensitive to downtime that are most sensitive to business continuity, that cannot afford to either lose tons of money or lose human lives.
So this, this kind of stuff we’re seeing, it’s not different, I think, as a community, as a security community, this the kind of stuff we’re all seeing, obviously, because customers are coming to us to receive advise of what to do, or to get incident response, and so it’s not surprising that it’s all the same stuff.
The most important and most critical part of this whole ransomware game is the incident response.
So incident response, you know, when ransomware attack is discovered, this is when every second counts, because if it goes on interrupted, time becomes the ally of the attacker, and the more time passes, the more data and files are getting encrypted, more devices are being infected, they’re moving through the network, maybe through network shares, or whatever other warming capabilities they bring up. And they’re driving up the cost and the damage the company’s eventually going to have.
So the more immediately the discovery and the response process begins, and the more methodical it is, the easier it’s gonna end up being later to recover.
So, the response process usually begins with the detection of attack. First, somebody has to figure it out. And there are ways to figure it out. It could be, you know, a lot of activity on a network share, a lot of changes in file that’s going to come up through the theme or something else.
Or maybe something pops up on the computer, saying, hey, you know, we’ve encrypted all your files, and they come to the IT guy. So there, there are a couple of ways to figure this out.
And the most sensitive issue is to identify what’s going on and started identifying the infected machines. And then, you know, trying to contain it as a first step. It’s kind of like, OK, let’s take these ones off the network, maybe hibernate them or even shut them down. The advice is, of course, not to restart them, because if there is persistence which most malware as a rule has, then it’s just going to reload itself and restart the encryption process and all the same places.
So the best thing is to take these endpoints off the network and put them in hibernation or shut them down until something is decided about what’s going to be done.
So the next thing is to identify the malware and to have a first shot at maybe attributing. So, yeah, most malware, how it gets identified without even going further into, you know, analyzing the malware, is just seeing what extension is being used on the files that are being encrypted. Those extensions are very telling of which group it is. And so, at that point, they can know if we’re dealing with a real attack.
Chances are, this is going to be an expensive attack. It’s going to be by a very sophisticated group. A very well known group. It’s going to be probably impossible to reverse or break.
Not saying we shouldn’t try, but, you know, most of the time, it’s pretty sophisticated, So kind of trying to figure it out. At that point, What are we up against? What are we going to do if we know we’re up against ransomware-as-a-service?
In some cases an incident responder can break the encryption, but that’s very rare.
Maybe a quick root cause analysis is also in order here. In order to figure out,where did this come from? An email? Did it come from a browser vulnerability, something that just dropped on the computers or user endpoint? Or did it come maybe from a different vulnerability? What door should we be closing here or paying attention to in order to prevent eradicating the write back?
And then eradication could be very lengthy. Whatever got hurt, whatever, got impacted, and the process of removing the malware from all the infected hosts.
And then, I think the more meaningful chunk even begins. Because, up until now we’ve had our technical teams working on things. But now, we’re at the recovery point where we’re saying, OK, are you checking patches or checking if the encryption could be broken? You know, all these technical steps are being taken.
Now, it’s time to look at what do we have to notify? Did we notify law enforcement? What about the regulators? Who do we have to tell them within 48 hours, 72 hours? A clock starts ticking and a lot of things that are happening. Our executive team has to have a response.
We might have third parties already leaking the information, just talking about it. “Hey, there’s something going on at this company.” We have to already have a response. So all these things are starting to happen in tandem with all the technical things that are happening at the same time.
And also, at the recovery point, this brings us right back to organizations considering to pay. They come to a point of saying, OK. We can restore this data, and we can restore this data, but how about this data here that we cannot restore? What do we do? How much is it worth to us? And they start doing a risk assessment. Should we pay? Should repay the attackers? What if they leak the data? What happens then? What do we pay then? Start calculating all these things, and do a risk estimation of whether or not they should pay and bring in the whole insurance thing into the picture.
But this is also where other considerations are coming into the picture. Paying a ransom does not absolutely guarantee recovery. It doesn’t mean that the criminals are going to do it. Most of the times they do it because they want to keep getting paid, but it’s not necessarily always the case.
Another thing is it does not equal instant recovery. They’ll give you the keys. It’s still going to take even months until everything is back in order, so it does not mean that that’s going to, you know, bring you right back up to where you were before and everything’s going to be awesome.
Also, cybercriminals continue to strengthen their business models by getting paid. If they’re getting paid, they’re doing well, they’re going to continue doing it. Others are going to continue doing it. More actors going to come into that field targeting that company that got hit and paid. What if the next time it’s another gang, and they’re going to pay again. And it can happen. It’s not farfetched to think that in 2021 we’re going to see these types of cases.
And now one of my favorites, unfortunately, is paying a ransom can be a federal offense in the United States. To pay a criminal in a country on the U.S. sanctions list is considered a federal crime that removes a ton of countries like Iran and North Korea and other parts of the world where this is going to be a problem.
So a company can say, well, I didn’t know it was these hackers, because we didn’t have the attribution, because attribution is tricky, or a bunch of other excuses. But what’s going to happen at the end of the day? Are they going to get fined, or are beginning to get into trouble with it being a federal offense.
So all of these things come into play with incident response, which I think is the biggest thing in the ransomware game for companies. And I talked a lot, so I’m going to let my co-panelists talk about it as well.
Becky Bracken: There was a lot of excellent information, and a lot to think about. Yeah, so Austin, there’s a lot to unpack there, but what does that do you want to pick up on, and what other trends you think we’ll see. It really does seem like it’s a big lift education-wise for IT teams, to get the attention of already-busy departments, and get them to think about this kind of stuff. And Austin, what do you think about that?
Austin Merritt: So pick up on the last thing she said about paying ransoms, that’s potentially sponsoring a group that is like a state-sponsored cyberterrorist group, which is a terrifying prospect.
North Korea’s Lazarus Group, they usually conduct espionage, but they conduct ransomware attacks on the side, to make money. And there’s been reports that the money could be funneled back to the North Korean regime for malicious purposes. So it’s something to think about in the big picture.
But when you’re talking about so many different aspects that ransomware can affect, at Digital Shadows were all about detection, mitigation and prevention and early response. A lot of the ways that these ransomware groups can get initial access is by spear-phishing. But they’re also selling this initial access on the Dark Web. Which, who knows how long they could have had this for and then, but they won’t actually name of victim organization, because they don’t want to be caught.
So a lot of what we do is we’ll go out there and find information. What they’ll do is they’ll post the revenue of a company and the post the sector that it’s in. And so that’s just, like, one of the ways that you can pick up if there is a ransomware group targeting a technology company in the United States with a revenue of $1 billion dollars. That can be a lot of different groups, but sometimes it can be very specific. So that’s just one of the ways of early detection.
But yeah, it’s it really is affecting so many different aspects. And when they keep using so many different pressure tactics combined. One of the things we didn’t touch on was DDoS, distributed denial of service, attacks. So if they don’t get you one way, they might get you another way.
But you don’t always have to pay the ransom. You want to make sure that you have your data backed up and you should always be sure. You know, all these software companies, they’re constantly putting out patches and software updates that I think a lot of companies, they just forget, or they ignore, and we’ve seen it a lot in the healthcare sector, where they operate on a legacy IT system. And ransomware operators know that, and because their security posture is so poor, they haven’t updated to the latest version. That’s just another way for them to get in.
So I really think you have to think of it in a multi-faceted way. There are so many different ways they can get in. What can you be doing? How can you be on top of things to avoid getting to that point where you’re saying, “oh my god, do I have to pay a ransom? Am I helping sponsor terrorists?”
Becky Bracken: OK, I’m going to power through here to the Q&A section because we’ve got a lot of really good questions, and I want to make sure we’re using our time for them.
So the first one is from Dan. “What methods are currently being utilized to assure that once ransom is paid the information is not being sold by the threat actor?” Good question, Allie what do you think about that?
Allie Mellen: You don’t know. I mean the best option is just to monitor on an ongoing basis for any of your company accounts or passwords that are made publicly available on a blog, I guess. Yeah, but yeah, ultimately by paying the ransom, by being struck with a ransomware attack, by having that data exfiltration, you’ve kind of lost control of that. That situation is as it stands.
Limor Kessem: I agree, and also, as a reminder, I mean, you’re dealing with criminals now. There is no honor among thieves. Companies might be monitoring dark web, or other markets and maybe underground markets, but data can be sold very privately to a competitor, to someone else who’s willing to interact with them.
Becky Bracken: OK, here’s another one. “How do we devise a business-continuity plan? Keep in mind that the ransomware attack is device disaster recovery, give me the device and disaster recovery plan in line with this.”
What do you guys think about that? Disaster recovery plan, business continuity? It seems like this is a whole business conversation, more than just an IT one, right?
Allie Mellen: It is, it is. I think that when it comes to ransomware and to what has been going on with it, this is where business continuity and disaster recovery have joined hands and become almost like a meshed program in order to help organizations find what they can do.
If they back up their data and they had all their homework, and they were excellent with everything, that’s still does not prevent the attackers from releasing their data for free online or selling it. It’s like you’re saying, it’s a, it’s an entire business thing, where we have to look at risk as a whole. And what do we do?
In that case, business-continuity plans and disaster-recovery plans have to change according to this new threat. It’s also very important just to make clear to the executives and the company that it can happen. You need to test your business continuity plans and your disaster recovery plans with the executives in the company and with the stakeholders in the company, and if they’re not prepared for it to happen, then you’ve got a lot more problems going on than just the ransomware attack.
Becky Bracken: Here’s another one, from Mike. “Is there any evidence that having a cyber insurance might make an org more of a target?” We touched on this, but it’s worth revisiting. Austin, what do you think?
Austin Merritt: Yeah. Again, we go on these sites quite often. We don’t really see them talking about, “we’re specifically targeting an organization that has cyber-insurance,” there’s really no way of knowing. If that’s really advertised or how they would get access to that kind of information, I’m not really sure. And I think you touched on that sort of earlier, that, that could potentially emerge as an issue.
Limor Kessem: Yeah, I mean, ultimately, again, not with the spray-and-pray kind of mentality, but if you are doing reconnaissance on an organization, you’re gonna look for these types of things. That will be a priority and you can meet, potentially find out on their website. If you are one of the companies that they have a logo for on their website, for example, you could be targeted, but we haven’t seen specific examples of it yet.
Ultimately, it’s just another way that attackers can really just validate whether or not you’re a valuable target. It’s just typical reconnaissance-gathering before an operation.
I’m going to be doom-and-gloom here, but it’s not smart to put customers on the website of an insurance company, so I doubt they would do that. But let’s not forget their supply-chain attacks, and, you know, criminals who get a foothold in one of those insurance companies, even through the Dark Web. Somebody’s sold them that access for $20, and now they’re moving laterally there and finding all kinds of stuff.
They can know who their customers are, and a lot more. And, ultimately, you’d think that would be the same thing with SolarWinds, so they wouldn’t put the logos of the DoD or different organizations on their website.
But, that’s where we’re at.
Becky Bracken: Alright. That’s the end of our hour. Unfortunately, we have a lot more questions that we didn’t have a chance to get to. So I would implore you all to go ahead and use our email addresses and follow up with anything additional you have.
The presentation will be sent to your inbox, along with a couple of handouts, a white paper from both Cybereason and from IBM. So, those might be great resources for you.
Again, I want to thank you so much for spending this hour with us. I know everybody is at a very busy time right now. I hope it was time well spent.
And please, I want to encourage all of you to check back with Threatpost’s, regular news coverage, interviews, webinars like this one, podcasts, we’ve got it all. So it’s a good source for you all, looking for answers on these topics.
Again, thank you so much Limor, Allie and Austin, for your insights and your valuable information. We so appreciate it.
And that, we’ll catch you again next month. Thank you, again.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!