

Ransomware is big business

The number of ransomware attacks reported to the UK’s Information Commissioner’s Office in 2021 doubled to 654, from 326 in 2020. What isn’t captured are the many more victims who deal privately with the hackers and manage to avoid the attack being made public, writes Satnam Narang, pictured, Senior Staff Research Engineer at the cyber firm Tenable.

Tenable’s 2021 Threat Landscape Retrospective report determined that at least 38 per cent of all data breaches in 2021 were the result of ransomware attacks, compared to 35 per cent in 2020. In the healthcare sector, ransomware represented 36.2 per cent of breaches, while it represented 24.7 per cent of breaches in education. This doesn’t mean ransomware is any less prevalent in other sectors. However, because of the stringent reporting requirements for healthcare organisations in the United States, it is no surprise that the bulk of ransomware attacks are reported in that sector. It is a lucrative business: according to Tenable Research, ransomware groups reportedly earned $692m from their collective attacks in 2020 alone, a 380 per cent increase over the previous six years combined ($144m from 2013-2019). So what is driving this escalation?

Honour among thieves

Rather than opportunistic criminals, ransomware is organised crime with its own self-sustaining industry. Modern ransomware groups operate like traditional businesses with various members responsible for developing and testing the ransomware itself, creating and hosting leak websites on the dark web and managing the negotiation process with each victim, as well as other tasks including reverse engineering, administrative work and even human resources or recruitment. Ransomware groups get the most notoriety and attention for attacks because Ransomware as a Service (RaaS) is the “product” being marketed and sold in this equation. RaaS is a service model, just like Software-as-a-Service, where instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks. This has significantly lowered the barrier of entry, allowing cybercriminals who lack the technical skills to commoditise ransomware.

In 2021, the FBI said it was tracking over 100 active ransomware groups. Ransomware groups like REvil, DarkSide and BlackMatter became more well known recently after notable supply chain attacks against Managed Service Providers (MSPs) and high value targets in critical infrastructure and food processing. More recently, groups like Conti, LockBit 2.0, Hive and ALPHV/BlackCat have risen through the ranks to fill the void left behind as ransomware groups disappeared or were taken down through law enforcement action.

Ultimately, the groups themselves are ephemeral. We have seen multiple ransomware groups disappear over the years, either of their own accord or as a result of government and law enforcement action. We also hear numerous reports that newer groups include members of past ransomware groups.

Raising the barrier to entry

Knowing about these groups provides us with some insight into their activities, such as the industries or geographical regions they target. However, understanding how they ply their trade is far more informative. The most common method for targeting organisations is through spearphishing, whereby attackers send crafted emails to victims that include malicious attachments or links to external websites hosting malware. The malware used in these attacks is not the ransomware itself, but rather a first-stage downloader, a trojan designed to download secondary and tertiary malware components. These additional malware components will ultimately lead to a ransomware payload. Some of the more popular downloaders that have contributed to ransomware attacks over the years include the vaunted Emotet, Trickbot and Qakbot trojans, as well as BazarLoader.

Remote Desktop Protocol (RDP) is another popular avenue ransomware affiliates will use to target organisations. Where RDP is exposed to the internet, attackers can use scripts to attempt to brute force their way into these systems, targeting weak passwords by using a combination of known default passwords and dictionary attacks. Leaving RDP open to the internet is the perfect scenario for ransomware groups, so if it’s not needed, disable it. If it is needed, make sure strong password requirements are in place.
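The password-guessing described above leaves a recognisable trail in the Windows Security log: a burst of Event ID 4625 (failed logon) records with Logon Type 10 (RemoteInteractive, i.e. RDP) from one source address, and, if a weak password is found, a Logon Type 10 Event ID 4624 (successful logon) from that same address shortly afterwards. The following detector is an added example written for this page, not code from the article or from Tenable. It runs a sliding-window count of RDP failures per source IP and then flags any RDP success from an address that has already tripped the threshold. The event records are constructed samples shaped like the relevant Security log fields; the threshold and window values are assumptions that a real deployment would tune.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Added example (not from the article): operates on dictionaries carrying the
Security log fields EventID, TimeCreated, TargetUserName, IpAddress and
LogonType. Event ID 4625 = failed logon, 4624 = successful logon,
Logon Type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Assumed defaults: five RDP failures from one address inside two minutes.
DEFAULT_THRESHOLD = 5
DEFAULT_WINDOW = timedelta(minutes=2)

# Constructed sample events (not real telemetry). One external address
# guesses several account names, a second external user mistypes a password
# twice, an internal network logon (type 3) is present only to show the
# RDP filter, and finally the guessing address lands a successful RDP logon.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:05", "TargetUserName": "administrator", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:09", "TargetUserName": "admin", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:14", "TargetUserName": "jsmith", "IpAddress": "203.0.113.7", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:20", "TargetUserName": "backup", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:31", "TargetUserName": "guest", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:40", "TargetUserName": "svc_sql", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:47", "TargetUserName": "administrator", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-11-03T02:14:55", "TargetUserName": "admin", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2021-11-03T02:15:02", "TargetUserName": "jsmith", "IpAddress": "203.0.113.7", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2021-11-03T02:15:10", "TargetUserName": "backup", "IpAddress": "198.51.100.23", "LogonType": 10},
]


def _event_time(event):
    """Parse the ISO 8601 TimeCreated field into a datetime."""
    return datetime.fromisoformat(event["TimeCreated"])


def detect_rdp_bruteforce(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return a list of alert dictionaries, in chronological order.

    An 'rdp_bruteforce' alert is raised the first time a source address
    accumulates `threshold` RDP failures within `window`. A later RDP success
    from an address that has already been flagged raises an
    'rdp_success_after_bruteforce' alert, the signal that a weak password
    was most likely guessed and the host should be treated as compromised.
    """
    failures = defaultdict(deque)  # source IP -> deque of (time, username)
    flagged = set()
    alerts = []

    for event in sorted(events, key=_event_time):
        # Only RemoteInteractive logons are RDP; other types are ignored here.
        if event.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = event["IpAddress"]
        now = _event_time(event)

        if event["EventID"] == FAILED_LOGON:
            recent = failures[ip]
            recent.append((now, event["TargetUserName"]))
            # Drop failures that have aged out of the sliding window.
            while recent and now - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "ip": ip,
                    "attempts": len(recent),
                    "users": sorted({user for _, user in recent}),
                    "first": recent[0][0].isoformat(),
                    "last": now.isoformat(),
                })
        elif event["EventID"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({
                "type": "rdp_success_after_bruteforce",
                "ip": ip,
                "user": event["TargetUserName"],
                "time": now.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the first alert fires at the fifth failure from 198.51.100.23 (four distinct account names tried in 42 seconds) and the second fires when that same address succeeds as `backup`; the two failures from 203.0.113.7 never reach the threshold, so its later success is not reported. The success-after-failures correlation is the part worth keeping: a burst of 4625 events alone is noise on any internet-facing host, whereas a 4624 from the same source is the moment an incident response should start.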

While ransomware groups covet zero-day vulnerabilities, the majority of ransomware attacks rely on leveraging unpatched, legacy vulnerabilities across a wide spectrum of software solutions. These include vulnerabilities used as part of malicious documents, vulnerabilities found in perimeter devices like Secure Socket Layer Virtual Private Networks (VPNs), as well as a plethora of flaws designed to elevate privileges once inside an organisation’s network. For instance, ProxyLogon and ProxyShell, a collection of flaws in Microsoft Exchange Server, have been leveraged by several ransomware groups throughout the last year. Organisations must identify vulnerable assets within their networks and apply available patches. The sooner the better, as the window of exploitation for attackers is wide.

Having gained initial access, threat actors will often set their sights on Active Directory. Gaining domain privileges provides attackers with the capabilities necessary to distribute their ransomware payloads across the entire network, and this includes the use of critical vulnerabilities like Zerologon and PetitPotam. For instance, researchers at the DFIR Report delved into two cases where threat actors were able to launch the Ryuk ransomware across an entire domain within five hours and two hours, respectively, from the initial phishing email, leveraging Zerologon along the way. Organisations must audit existing and newly created user accounts to ensure no misconfigurations are present and that the principle of least privilege is adopted. It is also vital to monitor the Active Directory environment and to ensure that known attack paths are addressed.

Ransomware has cemented itself as one of the greatest threats to global organisations today. No organisation is truly safe from ransomware, as organisations large and small are fair game. But it’s not ‘game over.’ It’s imperative that organisations and government entities prepare themselves in advance so they are in the best position possible to defend against and respond to ransomware attacks.

