I recently attended a Black Hat seminar titled The Evolving Maturity in Ransomware Operations. It was scary. A high-level summary would be that ransomware has become more targeted, more professional, and more lucrative. I am using the word "professional" without any implication of "better". For example, if you read this whole post, you will come across a company that is providing ransomware-as-a-service (RaaS). One thing I have been hearing a lot in 2021 is the notion of cybercriminals having a business model. For example, see my post from a few weeks ago Stopping Online Fraud. It contains a section "How Can We Keep Up with Cybercriminals' Evolving Business Models".
Before I go further, let me explain what ransomware is, in case you don't know. Here's an example from 2017 that was high enough profile that you might have heard about it.
The British National Health Service (NHS) had about 70,000 devices bricked. Computers, obviously, but also "MRI scanners, blood fridges, and operating theatre equipment." The attackers commit to decrypting all the files they have encrypted once a ransom is paid in Bitcoin. It is unclear whether any ransoms were paid or whether the NHS just ended up with an estimated $100+ million IT bill. The ransom demand was only £300, but that is per device, so multiply it by 70,000. If you want to know how the attackers got in so easily, according to the (London) Times, "The ransomware exploited a vulnerability in Microsoft Windows XP. This operating system is largely obsolete but is still widely used in the NHS." Perhaps more surprisingly, if less important for this topic, the NHS is the biggest user of fax machines in the world.
One term that is used in security is APT, which stands for Advanced Persistent Threat. This is when an attacker has admin access to your environment, has set up multiple persistence mechanisms (making it hard or impossible to clear them out completely), and has probably stolen business-sensitive data such as intellectual property. The perpetrators are teams of experienced cybercriminals with substantial financial backing. Some APT attacks are government-funded and used as cyber warfare weapons, but it is more than just competence and financial backing that distinguishes APT from threats that are easier to deal with. Note that although all sorts of business-sensitive information may have been stolen, the perpetrators are not trying to shut down your business or create other harm.
APT ransomware, on the other hand, has all of that, with the added twist that all your IT infrastructure is down and your business cannot function. Even in a ransomware attack, the bad guys don't want to cause a lot of damage; they just want to get paid.
The seminar was presented by Mitchell Clarke and Tom Hall, who are security consultants at Mandiant in Australia and UK respectively. They looked at two specific examples in depth, not because they are all that special, but as examples of two different business models for how these APT threats are executed.
They started by discussing general trends:
REvil provides Ransomware as a Service. It was first seen in May 2019, operated by a person or organization called UNKN. They have an affiliate model. Multiple threat actors use REvil RaaS. The affiliates are vetted and buy in. They seem to get 60-75% of the payout. In return for giving REvil their cut, each affiliate gets access to the RaaS platform which automates malware generation, handles ransom demand and payment service, handles communication with the victim (negotiation), and handles coin laundering.
How affiliates use the platform varies with the affiliate, with some deploying in hours and others up to four months. Some affiliates seem to have a backlog of victims. In fact, one thing that came up a couple of times in the seminar was that one limitation is the lack of qualified people to run the attacks compared to the number of defenseless targets.
I won't go into all the details of deployment described. I'll put a link at the end of this post so you can watch the presentation if you want to dive deeper. But typical things that get done are to delete file backups, delete archives, and delete virtual machine snapshots. They might disable antivirus across the whole site. They might exfiltrate all the data for later blackmail. They then encrypt all the files. Then (and they even have pretty graphics!):
Then open negotiations. Your business is almost certainly completely down, there is no way for IT to restore everything unless there are offline backups that are unreachable, and probably all the tools you would need to clean up the mess are unavailable because you cannot even log in.
The second example, QAKBOT paired with DOPPELPAYMER, is more of a partnership model; QAKBOT has historically been deployed as a banking trojan. In 2020, the partnership model was seen:
In early 2020, QAKBOT campaigns used unsophisticated phishing emails. (If you don't know what phishing is, then see my post Black Hat: Phishing on Gmail.) Basically, QAKBOT is a modular backdoor that allows an attacker to select just the capabilities required.
The DOPPELPAYMER part changes all the passwords on the local machine and then, sort of like a cuckoo, copies a legitimate service and replaces the original with a copy of itself. Then the boot configuration database is compromised. The system is then rebooted. At that point, DOPPELPAYMER starts encrypting the files on the system, and since the passwords have been changed, nobody can easily stop it.
It has been hugely effective; in 2020 there were sometimes as many as one organization a day being attacked.
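Both deployment descriptions above (the REvil affiliates deleting backups and snapshots and disabling antivirus, and DOPPELPAYMER resetting passwords and tampering with the boot configuration) share a useful property for defenders: each step leaves a process-creation event, and the steps land on the same host within minutes of each other. The script below is an added example, not from this post, the talk, or Mandiant. It assumes process-creation telemetry normalised to a simple `timestamp|host|user|command line` line format (an assumption; the hostnames, users and log lines are constructed), matches each event against a handful of well-known command-line patterns for those stages, and then scores each host by how many distinct stages appear inside a time window. A single hit is ambiguous (admins do reset passwords and prune shadow copies); three or four stages on one host in an hour is the pattern the presenters described.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real telemetry): one process-creation event per line,
# normalised to "timestamp|host|user|command line". Hosts and users are invented.
SAMPLE_LOG = r"""
2021-08-04T18:00:12Z|ws-eng-07|CORP\itops|wbadmin.exe delete catalog -quiet
2021-08-04T23:31:45Z|ws-eng-07|CORP\itops|bcdedit.exe /set {default} recoveryenabled No
2021-08-05T02:13:07Z|ws-finance-12|CORP\backupsvc|vssadmin.exe delete shadows /all /quiet
2021-08-05T02:13:09Z|ws-finance-12|CORP\backupsvc|wbadmin.exe delete catalog -quiet
2021-08-05T02:14:30Z|ws-finance-12|CORP\backupsvc|bcdedit.exe /set {default} recoveryenabled No
2021-08-05T02:15:02Z|ws-finance-12|CORP\backupsvc|powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2021-08-05T02:16:40Z|ws-finance-12|CORP\backupsvc|net.exe user localadmin Q2w3e4r5!
2021-08-05T09:02:11Z|ws-eng-03|CORP\alice|notepad.exe C:\notes\todo.txt
2021-08-05T10:30:00Z|srv-backup-01|CORP\itops|vssadmin.exe list shadows
2021-08-05T10:31:15Z|srv-backup-01|CORP\itops|net.exe user helpdesk /delete
"""

# (rule name, deployment stage from the talk, pattern over the command line).
# Each pattern alone is a weak signal; the scoring below looks for several
# distinct stages landing on one host inside a short window.
RULES = [
    ("vssadmin_delete_shadows", "backup destruction",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wbadmin_delete_catalog", "backup destruction",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery", "boot configuration tampering",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("defender_realtime_off", "antivirus disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I)),
    # "net user <name> <newpassword>"; noisy on its own, only meaningful in combination.
    ("local_password_reset", "credential lockout",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+[^/\s]\S*", re.I)),
]


def parse_event(line):
    """Split one normalised log line into a dict with a parsed timestamp."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd}


def match_rules(event):
    """Return every (rule name, stage) whose pattern matches the command line."""
    return [(name, stage) for name, stage, rx in RULES if rx.search(event["cmd"])]


def severity(stage_count):
    """Map the number of distinct stages seen in one window to a triage level."""
    return {0: "none", 1: "low", 2: "medium"}.get(stage_count, "high")


def score_hosts(lines, window_minutes=60):
    """Per host: the largest set of distinct stages seen within any window."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in lines:
        if line.count("|") < 3:      # skip blank or malformed lines
            continue
        ev = parse_event(line)
        for name, stage in match_rules(ev):
            hits[ev["host"]].append((ev["ts"], name, stage))
    report = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        best = set()
        for i, (t0, _, _) in enumerate(host_hits):
            stages = {st for t, _, st in host_hits[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        report[host] = {"stages": sorted(best),
                        "severity": severity(len(best)),
                        "hits": [name for _, name, _ in host_hits]}
    return report


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_LOG.strip().splitlines()).items():
        print(f"{host}: {info['severity']} ({', '.join(info['stages'])})")
```

On the constructed data, ws-finance-12 scores "high" (four stages in under four minutes) while ws-eng-07 scores only "low" with the default window, because its two hits are five hours apart; widening `window_minutes` to 480 lifts it to "medium", which is the trade-off a detection engineer tunes against the volume of routine admin activity. Hosts with only benign commands (`vssadmin list shadows`, `net user ... /delete`) never appear in the report.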
The bad guys are also getting better:
You know this is a truly serious problem when the best that the world's security experts can come up with as a defense is a generic "improve security". However, this is where the semiconductor and IP industries are involved, since any improvement in security is going to need to start from a hardware root of trust, which means inside a chip. More on that another day.