Paul McLellan
Tags: security, ransomware, cybersecurity

Evolving Maturity in Ransomware

16 Apr 2021 • 6 minute read

  I recently attended a Black Hat seminar titled The Evolving Maturity in Ransomware Operations. It was scary. A high-level summary would be that ransomware has become more targeted, more professional, and more lucrative. I am using the word "professional" without any implication of "better". For example, if you read this whole post, you will come across a company that is providing ransomware-as-a-service (RaaS). One thing I have been hearing a lot in 2021 is the notion of cybercriminals having a business model. For example, see my post from a few weeks ago Stopping Online Fraud. It contains a section "How Can We Keep Up with Cybercriminals' Evolving Business Models".

Before I go further, let me explain what ransomware is, in case you don't know. Here's an example from 2017 that was high enough profile that you might have heard about it.

The British National Health Service (NHS) had about 70,000 devices rendered unusable by the WannaCry ransomware. Computers, obviously, but also "MRI scanners, blood fridges, and operating theatre equipment." The attackers undertake to decrypt all the files they have encrypted on payment of a ransom in Bitcoin. It is unclear whether any ransoms were paid or whether the NHS just ended up with an estimated $100+ million IT bill. The ransom demand was only about $300 worth of Bitcoin (doubling to $600 after three days), but that is per device, so multiply that by 70,000. If you want to know how the attackers got in so easily, according to the (London) Times, "The ransomware exploited a vulnerability in Microsoft Windows XP. This operating system is largely obsolete but is still widely used in the NHS." The flaw was in fact in the SMBv1 file-sharing protocol across many Windows versions (Microsoft's MS17-010 bulletin); Microsoft had shipped the fix for supported versions two months before the outbreak, and the bulk of the machines infected worldwide were unpatched Windows 7 rather than XP. The underlying problem was unpatched, network-reachable SMB, not one obsolete operating system. Perhaps more surprisingly, if less important for this topic, the NHS is the biggest user of fax machines in the world.

Advanced Persistent Threat

One term that is used in security is APT, which stands for Advanced Persistent Threat. This is when an attacker has admin access to your environment, has established multiple persistence mechanisms (making it hard or impossible to clear them out completely), and has probably stolen business-sensitive data such as intellectual property. The perpetrators are teams of experienced attackers with substantial financial backing. Some APT groups are government-funded and their intrusions are used for espionage or as cyber warfare weapons, but it is more than just competence and financial backing that distinguishes an APT from threats that are easier to deal with: the "persistent" part means they intend to stay, quietly, for as long as they can. Note that although all sorts of business-sensitive information may have been stolen, a classic APT is not trying to shut down your business or create other visible harm, since being noticed works against it.

APT ransomware, on the other hand, has all of that plus the fact that all your IT infrastructure is down and your business cannot function. Even in a ransomware attack, the bad guys don't want to cause more damage than they need to; they just want to get paid.

The seminar was presented by Mitchell Clarke and Tom Hall, who are security consultants at Mandiant in Australia and the UK respectively. They looked at two specific examples in depth, not because they are all that special, but as examples of two different business models for how these APT-style ransomware operations are executed.

They started by discussing general trends:

  • Moving away from being self-propagating (worm) to "manual detonation"
  • Much more targeted deployment as opposed to "spray and pray"
  • Two business models—partnership business models and self-managed

REvil/Sodinokibi

REvil provides Ransomware as a Service. It was first seen in May 2019, operated by a person or organization called UNKN. They have an affiliate model. Multiple threat actors use REvil RaaS. The affiliates are vetted and buy in. They seem to get 60-75% of the payout. In return for giving REvil their cut, each affiliate gets access to the RaaS platform which automates malware generation, handles ransom demand and payment service, handles communication with the victim (negotiation), and handles coin laundering.

How affiliates use the platform varies with the affiliate, with some deploying in hours and others up to four months. Some affiliates seem to have a backlog of victims. In fact, one thing that came up a couple of times in the seminar was that one limitation is the lack of qualified people to run the attacks compared to the number of defenseless targets.

I won't go into all the details of deployment described. I'll put a link at the end of this post so you can watch the presentation if you want to dive deeper. But typical things that get done are to delete file backups, delete archives, and delete virtual machine snapshots. They might disable antivirus across the whole site. They might exfiltrate all the data for later blackmail. They then encrypt all the files and drop the ransom note (they even have pretty graphics).

Then they open negotiations. Your business is almost certainly completely down, there is no way for IT to restore everything unless there are offline backups that the attackers could not reach, and probably all the tools you would need to clean up the mess are unavailable because you cannot even log in.

QAKBOT and DOPPELPAYMER

QAKBOT has historically been deployed as a banking trojan. In 2020 it was seen acting as the access broker in a partnership model:

  • The QAKBOT operators provide the ransomware developers with access to an environment that QAKBOT has already compromised
  • Negotiations for payment are handled by the ransomware developers themselves
  • Presumably, a fee is paid for access to the compromised environment

In early 2020, QAKBOT was delivered by unsophisticated phishing campaigns. (If you don't know what phishing is, then see my post Black Hat: Phishing on Gmail.) QAKBOT itself is a modular backdoor, which lets the attacker load only the capabilities required for a given victim.

The DOPPELPAYMER stage changes all the local account passwords and then, rather like a cuckoo, copies a legitimate service and replaces the original with a copy of itself. It then modifies the boot configuration data (BCD) and reboots the machine. After the reboot, DOPPELPAYMER starts encrypting the files on the system, and because the passwords have been changed, nobody can easily log in to stop it.
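The steps described in the two examples above (deleting backups and snapshots, disabling antivirus, changing local passwords, tampering with the boot configuration) all happen before the encryption starts, which makes them the last point at which a defender can still catch the intrusion cheaply. The following is an added example, not code from the talk or from Mandiant: it runs a handful of detection rules over constructed Sysmon-style process-creation records. The specific Windows command lines it looks for (vssadmin, wbadmin, bcdedit, net user, Set-MpPreference) are assumptions about how those steps typically look on Windows; the post itself names only the outcomes. The correlation step reflects a practical caveat: each of these commands also shows up in legitimate administration, so the alert fires only when several different categories occur on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon Event ID 1
# (process creation) style. These lines are made up for this example;
# they are not real logs and are not from the Mandiant talk.
SAMPLE_LOG = """\
2021-04-10T02:11:40Z host=FILESRV01 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmd="net user jdoe /domain"
2021-04-10T02:13:07Z host=FILESRV01 user=CORP\\svc_admin image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2021-04-10T02:13:09Z host=FILESRV01 user=CORP\\svc_admin image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin delete catalog -quiet"
2021-04-10T02:13:12Z host=FILESRV01 user=CORP\\svc_admin image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2021-04-10T02:13:15Z host=FILESRV01 user=CORP\\svc_admin image=C:\\Windows\\System32\\net.exe cmd="net user Administrator Xk9pLq2w"
2021-04-10T09:30:00Z host=WKSTN17 user=CORP\\helpdesk image=C:\\Windows\\System32\\net.exe cmd="net user tsmith /add"
2021-04-11T14:02:22Z host=BACKUP02 user=CORP\\backupop image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
"""

# Detection rules: (category, regex over the full command line).
# The command lines are assumptions about how the steps named in the post
# are usually carried out on Windows, not something the talk listed.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("boot_config_tampering",
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures|safeboot)", re.I)),
    # "net user <name> <password>" sets a password; "net user <name> /flag" does not.
    ("local_password_change",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+(?!/)\S+", re.I)),
    ("defender_disable",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)", re.I)),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$')


def parse(log_text):
    """Turn the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def match_rules(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    return [{"rule": name, **ev} for ev in events for name, rx in RULES if rx.search(ev["cmd"])]


def correlate(hits, window=timedelta(minutes=10), min_distinct=3):
    """Alert per host when >= min_distinct different rule categories fire within `window`.
    A single hit is treated as admin noise; the cluster is the ransomware staging signal."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= min_distinct:
                alerts.append({"host": host, "start": first["ts"], "rules": sorted(rules)})
                break  # one alert per host is enough for this example
    return alerts


def analyse(log_text):
    hits = match_rules(parse(log_text))
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, alerts = analyse(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']:%H:%M:%S} {h['host']} {h['rule']}: {h['cmd']}")
    for a in alerts:
        print(f"ALERT {a['host']} from {a['start']:%Y-%m-%d %H:%M:%S}: {', '.join(a['rules'])}")
```

On the constructed sample, the four FILESRV01 commands fire four different categories inside eight seconds and raise one alert, while the lone "net user tsmith /add", the domain lookup and the read-only "vssadmin list shadows" produce nothing. In a real deployment the window and threshold would be tuned against the organization's own backup and help-desk activity.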

It has been hugely effective, sometimes with one organization a day being attacked in 2020.

Conclusion

  • Everything is increasing
    • Payouts
    • Number of victims
    • Damage to organizations
    • Extortion for stolen data
  • With so much profit, so many victims, the trend is only upwards
  • Ransomware is now a boardroom risk and is starting to appear as a risk item in financial disclosure documents, often as the number one item

The bad guys are also getting better:

  • Less noisy and more stealthy so harder to notice
  • Tooling improvements, with less reliance on standard pen test tools that security systems can spot
  • Faster to domain admin
  • Improved ransomware deployment methods
  • Increased effectiveness at deleting backups

What's Next?

  • Continued focus on mass exploitation of edge devices
  • Limiting factors for the attackers are too many victims and not enough operators
  • There will be no downward pressure until there is law enforcement intervention
  • The best that organizations can do is improve security and improve resilience...and don't use Windows XP like the NHS

You know this is a truly serious problem when the best that the world's security experts can come up with as a defense is a generic "improve security". However, this is where the semiconductor and IP industries are involved, since any improvement in security is going to need to start from a hardware root of trust, which means inside a chip. More on that another day.

 
