Characteristic US and European cops, prosecutors and NGOs recently hosted a two-day workshop in The Hague to discuss how to respond to the growing scourge of ransomware.
“Only by working with key law enforcement and prosecution partners across the EU can we effectively combat the threat ransomware poses to our society,” said the Deputy Attorney General. American Kenneth Polite, Jr, in a canned statement.
Earlier this month, at the annual RSA conference, this same topic was on the minds – and on the lips – of cybersecurity professionals.
Ransomware and other cybercrimes in which criminals extort money from organizations “still account for the vast majority of threat activity we see,” Cyber Threat Alliance CEO Michael Daniel said in an interview. at the safety event.
Increasingly, however, cybercrime networks are still being tracked as ransomware operators mainly turn to data theft and extortion – and skip the encryption step altogether. Rather than scrambling the files and demanding payment for decryption keys and everything in between to facilitate that, just exfiltrating the data and demanding a fee for not disclosing everything is all as effective. This change has been in the works for many months and is now virtually inevitable.
The FBI and CISA this month warned of a lesser-known extortion gang called Karakurt, which is demanding ransoms of up to $13 million. Karakurt does not target any specific sector or industry, and the gang’s victims did not have any of their documents encrypted and held for ransom.
Instead, the crooks claim to have stolen data, with screenshots or exfiltrated file copies as proof, and they threaten to sell or release it publicly if they don’t receive payment.
“Multifaceted Extortion”
“This is exactly what happens to a lot of the victims we work with,” said Mandiant Intelligence Vice President Sandra Joyce. The register. “We call it multifaceted extortion. It’s a fancy way of saying data theft associated with extortion.”
Some of these thieves offer discounted ransoms to companies to encourage them to pay sooner, with the requested payment increasing the longer it takes to cough up the cash (or Bitcoin, as the case may be).
Until it’s the lucrative business it is today, it won’t go away.
Additionally, some criminal groups offer “scaling payment schemes”, Joyce noted. “So you pay for what you get”, and depending on the amount of ransom paid “you get a control panel, you get customer support, you get all the tools you need.”
As criminals delve deeper into extortion, they’re relying on other tactics to force organizations to pay – like leaking stolen confidential data from Tor-hidden websites and devising other means of attack. publicly humiliate companies to pay ransom for their slipped documents, Joyce added. . “Until it’s the lucrative business it is today, it won’t go away.”
This echoes what Palo Alto Networks Unit 42 incident responders also see. Scammers are posting, on average, details of sensitive information stolen from seven new victims a day on these dark web leak sites, according to Unit 42 research published at the RSA conference.
“The cyber extortion crisis continues because cybercriminals have steadily introduced increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this digital crime frenzy. world,” wrote Ryan Olson, vice president of threat intelligence for Palo Alto. Networks who runs Unit 42.
More sophisticated marketing campaigns?
Indeed, much has been made of the growing ransomware-as-a-service market, where malware developers rent out their code to less-sophisticated fraudsters to deploy on victims’ networks, once access is gained by purchasing credentials. stolen or leaked login details. or pay someone else to intrude, or similar.
Indeed, internal Conti communications leaked earlier in the year highlighted how these ransomware gangs operate like software-as-a-service startups.
And on top of that, the way these criminal groups are using marketing and public relations campaigns indicates a whole new level of sophistication, according to Ryan Kovar, who leads the Splunk Surge research team.
In March, Kovar’s security firm published a study of how long it takes ten of the major ransomware families – including Lockbit, Conti and REvil – to encrypt 100,000 files. They found that Lockbit was the fastest – in fact, the reason the team undertook this analysis in the first place was because this ransomware gang claimed on its Tor website to have the “fastest ransomware”.
“They’re at the point where someone said, ‘We’re losing ground to other ransomware families. And we actually need to create marketing materials to better position our ransomware as the pick du jour,” Kovar said in an interview on the RSAC sidelines.
“It’s fascinating,” he continued. “The sophistication shows there’s a competitive aspect to this beyond just ‘we’re good at converting ransoms into Bitcoin’.”
But still hitting the same unpatched vulnerabilities
Malefactors may have moved on to newer extortion techniques and more sophisticated business models, but they are exploiting the same known vulnerabilities, simply because they still work and do not require a heavy load from operators. malware. They are profit-seeking criminals, after all, looking to keep costs low and profit margins high.
“The way ransomware actors succeed…is often through these known exploitable vulnerabilities,” NSA Director of Cybersecurity Rob Joyce said during a panel at the RSA conference.
Companies can reduce their risk by patching these known actively exploited bugs, he added. “That has to be the base,” Joyce said. “Everyone has to get to that base level and take care of the unlocked doors that [cybercriminals] arrive today.”
In a separate interview on the show, Aanchal Gupta, who heads Microsoft’s Security Response Center, confirmed.
“Companies sometimes think they have to do something unique about ransomware,” she said. The register. “And I would say no, you don’t have to do anything unique about ransomware. All you have to do is protect, detect, respond.”
Protecting means patching your systems, and detection requires network visibility, Gupta added. “Because they all come across known vulnerabilities that have been disclosed, and there are fixes available 99% of the time.”
Typically, these for-profit scammers don’t break into networks through zero-day exploits, she said. “They’re not going to buy a zero-day for half a million dollars to do a ransomware attack,” Gupta noted.
Gupta and others have encouraged organizations to hold tabletop exercises so they are ready if or when an attack occurs.
Tell the truth. Even if it hurts
Public reaction to an intrusion must be transparent if it is to be helpful, even if it is embarrassing. That includes writing a ransomware press release beforehand, noted Dmitri Alperovitch, president of security-focused think tank Silverado Policy Accelerator.
“Write a press release that you will issue in the event of a data leak or ransomware attack,” he said. “Have this ready because oftentimes, inevitably, it takes people days to figure out what they’re going to say publicly, and they involve way too many lawyers. Eliminate that early on so you can just fill in the details. “
And don’t lie. Eventually, businesses recover from ransomware attacks, especially if they have good backups.
But they may not regain customer trust if they aren’t transparent about what happened, said Mike Sentonas, CTO of CrowdStrike. The register. His company was hired to help with incident response after a “well-known media company was hit by ransomware,” Sentonas said.
CrowdStrike advised the company to tell the truth, “and they went and did the opposite, said it was a sophisticated adversary and no one could ever have stopped it,” Sentonas said. In fact, “it was a really basic attack,” he noted. “And you look a bit silly through this process.” ®
