Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management
Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays
Gangs Tap Cheap But Powerful Cybercrime Services, Threaten Further Data DumpingTargeted ransomware attacks continue to increase as gangs seek to obtain bigger ransom payoffs from larger targets, security experts warn.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
While attacks against individuals and mom-and-pop shops persist, today's more prized targets are big businesses with deep pockets, John Fokker, head of cyber investigations and red teaming for McAfee Advanced Threat Research, tells Information Security Media Group (see: Ransomware Attacks Growing More Targeted and Professional).
"The news is dominated by larger corporations being breached, and what we see is that they charge a lot more money, so the ransom [demand] is much higher," he says, as is the demand for services that can help attackers gain and maintain access to these networks.
Services Support Cybercrime Economy
These cybercrime services include a host of "adjacent services that form that whole chain to commit cybercrime, or to help facilitate for instance ransomware," Fokker says, highlighting such tools as macro builders, designed to infect endpoints with information-stealing malware; crypting services that compile malware executables to make them more difficult for security tools to detect; as well as precompiled lists of administrator credentials for different businesses that have been stolen by info-stealers.
Some underground actors provide purpose-built tools that have been widely adopted by ransomware gangs. For example, the actor known as "z668" maintains RDP brute-force pen-testing software called RDP Brute, which he says has been very popular with ransomware gangs, for gaining remote access to corporate networks (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).
Of course, there's long been a cybercrime service economy supporting attackers. So, what's changed?
"We've talked about [the] specialization of cybercriminals offering these tools for forever now, but it does seem like they're becoming more common, and they're becoming quite cheap," Liv Rowley, a threat intelligence analyst at Blueliv, tells ISMG (see: From Cybercrime Zero to 'Hero' - Now Faster Than Ever).
"You can buy some of the top-named information stealers right now for $85 .. and that's one of the best ones out there," she says. "So it's definitely becoming a more accessible market."
'Human-Operated Ransomware'
Driven by the promise of a bigger payday, more gangs have been availing themselves of such tools, which help give them easier access to tactics that might previously have been the domain of nation-state advanced persistent threat gangs. Some of these tactics, known as "living off the land," resemble legitimate administrator behavior and may include gaining access to a targeted organization's Active Directory implementation, for example, to give attackers admin-level rights and use this to better move laterally to reconnoiter networks, deactivate anti-virus tools, steal valuable data and eventually, deploy crypto-locking malware, all while avoiding detection (see: Ransomware 2.0: Cybercrime Gangs Apply APT-Style Tactics).
Microsoft labels these more manual, targeted types of efforts - in other words, less happenstance or opportunistic - as being "human-operated ransomware," noting that attackers wielding REvil, Samas, Bitpaymer and Ryuk in particular are using these tactic. But Microsoft says it's also seen them get used recently too by Doppelpaymer.
"The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access," Microsoft's Threat Protection Intelligence Team says in a new report.
In some cases, the initial infection might be opportunistic, such as using Emotet botnets to infect endpoints with Trickbot malware as well as malware such as Ryuk or Emotet, or Dridex to install DoppelPaymer. But even though the ransomware might get installed, it often remains dormant, and only sometimes gets activated, Microsoft says (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).
"In our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the ransomware," Microsoft says. "In many cases, however, this activation phase comes well after the initial Trickbot infection, and the eventual deployment of a ransomware payload may happen weeks or even months after the initial infection."
Sodinokibi Operators Promise Data Leaking Site
Having access to better toolsets and tactics - for less cost - isn't, however, providing gangs with the payouts they'd like to be seeing.
Spurred on by the tactics being practiced by other ransomware gangs - starting with Maze, before expanding to many others, including DoppelPaymer and Nemty - the operators of the Sodinokibi ransomware-as-a-service operation, aka REvil, have finalized a site to allow affiliates to name victims and dump their stolen data, unless they promptly pay a ransom (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).
DoppelPaymer #Ransomware group published the files of NAQUA (National Aquaculture Group @naquaco).
— Under the Breach (@underthebreach) March 8, 2020
- Largest aquaculture project in the world.
- $142,000,000 revenue according to RocketReach.
- Files include list of employees and lots of budget related documents. pic.twitter.com/o6spKM2Qwh
"We saw it with Maze, REvil, BitPayer: a lot of these bigger ransomware groups are using this as a leverage method and to put pressure on the victim," McAfee's Fokker says (see: Maze Ransomware Gang Dumps Purported Victim List).
The added technical capability involves the groups "using techniques that enable them to extract a victim’s data to a remote server, where it can be processed, read and used however they deem fit," security firm Emsisoft says in a blog post published last week.
Beyond being used as leverage for force payment, stolen information also seems to be getting repurposed to attack new victims. "We’ve now got pretty clear evidence that Maze et al are using exfiltrated data to spear phish other companies," Brett Callow, a threat analyst at security firm Emsisoft, tells ISMG. "The problem is, many companies do not disclose these incidents, so their business partners and customers do not know that they should be on high alert. Bottom line: more companies need to disclose, and to disclose quickly."
Sodinokibi Claims SoftwareOne Hit
According to a Russian cybercrime forum post shared by malware analyst Damian with Bleeping Computer, the Sodinokibi operators have been publicly musing about how to best force payments.
"[We] have some interesting thoughts about auto-notification email addresses of stock exchanges (for example, NASDAQ), which will allow you to influence the financial condition of the company quickly and efficiently," reads a translation of the Russian-language post shared by Damian.
The Sodinokibi operators also promised affiliates - who infect systems, then share a cut of any ransom payment with the operators - the ability to search for valuable data among stolen information, such as Social Security numbers.
Posts to Sodinokibi's data leaking site suggest that the group crypto-locked systems owned by publicly traded Swiss cloud software firm SoftwareOne, and also for New York-based private fashion house Kenneth Cole Productions. In both cases, the leaking site threatened to release more corporate data, including 130,000 Kenneth Cole files, unless each of the victims paid. "Kenneth Cole Productions, you have to hurry," the leaking site read, late last month, according to screengrabs posted by Israeli cybercrime investigator Under the Breach.
REvil Ransomware group just dumped the files of American fashion house, Kenneth Cole. (@kennethcole)
— Under the Breach (@underthebreach) February 27, 2020
-Provided a download link with some information about employees and financial information.
-Claiming to have 60,000 personal data and 70,000 financial and work documents. pic.twitter.com/owmE2CdNPL
More recently, however, the Sodinokibi site suggests that Kenneth Cole did pay a ransom. "Be like Kenneth Cole, take care of your nerves and money," the site reads.
Kenneth Cole didn't immediately respond to a request for comment. SoftwareOne declined to comment.
Data Leaking Return on Investment: Still Unclear
From a cybercrime business standpoint, however, But Fokker says it's still not clear that ransomware gangs' threat to dump data, or following through and actually leaking it, will lead to more reliable or larger ransom payments by victims.
"How this will work? Personally I think it's a very harsh tool, but it will go blunt very fast, in all respects, because when a company files that they've been breached and they go through proper authorities, it kind of loses its leverage," he says. "So I'm curious to see how this will evolve."