As the curtains start to close on 2022, ransomware attacks have left a path of cyber destruction indiscriminately targeting victims across a variety of industries, organizational sizes, and geographies. Governments big and small recognize the pernicious nature of ransomware and have begun taking steps to disrupt operations, but this daily threat continues to plague organizations of all shapes and sizes on a global scale.
The rapid evolution of ransomware-as-a-service (RaaS) means that ever greater numbers of criminals can deploy malware for ransom payments and extortion campaigns. And a sure sign that ransomware is an enduring threat is that more established threat actors, like Conti and REvil, have morphed into new affiliates like Black Basta with similar techniques, tactics, and procedures (TTPs).
A Look at the Current Ransomware Ecosystem
The ransomware criminal market is a thriving ecosystem with many types of threat actors fueling attacks. Despite efforts by law enforcement and governments to crack down on cybercriminal activity, there are several groups that have significantly disrupted their victims’ organizations throughout 2022.
Most recently, Hive has made headlines as a significant threat to network defenders. According to Cybersecurity and Infrastructure Security Agency (CISA) Alert (AA22-321A), Hive ransomware actors have victimized more than 1,300 companies, raking in approximately $100 million U.S. dollars from June 2021 to November 2022. Hive ransomware follows the RaaS model in which developers create, maintain, and update the malware while affiliates conduct the attacks. The initial intrusion method depends on which affiliate conducts an attack, but observed tactics include bypassing multifactor authentication, using single factor logins via Remote Desktop Protocol (RDP) and virtual private networks (VPNs), distributing phishing emails with malicious attachments, and exploiting the following vulnerabilities against Microsoft Exchange Servers:
- CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability
So why is Hive currently deemed a high-risk ransomware threat? Why does it warrant a CISA alert? There are a few things to consider. The first is extortion: Hive actors run a Tor site called ‘HiveLeaks’ that stores exfiltrated data from victims that do not pay the bitcoin ransom demand. Hive actors have also been known to redeploy ransomware, both Hive and other variants, in the networks of victims that restored operations without making a ransom payment.
Distributed Denial of Service (DDoS) attacks are another common tactic amongst ransomware groups in 2022. ALPHV (BlackCat) and Black Basta have both been observed launching DDoS attacks to pressure victims to issue a quick ransom payment to get their sites up and running again. Not only is Black Basta a powerful ransomware gang, but in early November, Sentinel Labs security researchers revealed evidence that it very likely has ties to FIN7 (aka Carbanak). You can expect a double extortion campaign if you are unlucky enough to have an encounter with these groups or those like them.
In terms of targeted locations, recent research shows that North America and Western Europe are the most targeted geographic areas for ransomware attacks in Q3 as seen below.
Further to that, manufacturing and technology have reigned supreme as the industries incurring the most ransomware attacks in Q3, with healthcare coming in as a distant third, but no industry is completely safe.
Can Ransomware be Stopped?
Sometimes it may seem like too little too late, but governments and international governing partnerships alike are making great strides to find actionable solutions to the threats that ransomware presents. In the U.S., CISA manages a #StopRansomware initiative as a centralized source of truth that guides users on all things ransomware including how to report an attack to the U.S. government, alerts, readiness resources, and more. But cooperation to shut down ransomware operators and attacks extends far beyond the U.S. borders.
Ransomware is a global threat that requires an all-hands-on-deck approach across continents to join forces against cybercriminals. The U.S. recently hosted the second International Counter Ransomware Initiative (CRI) Summit bringing together 36 countries and the European Union. During the multilateral summit, CRI partners met with private sector partners to discuss and develop concrete, cooperative actions to counter the spread and impact of ransomware around the world. The CRI is comprised of five working groups that focus on the following counter-ransomware initiatives:
- Counter Illicit Finance
- Public-private Partnership
In 2023, CRI partners will build upon these frameworks to develop new actions outlined during the Summit.
Looking through another international counter-ransomware lens, INTERPOL’s first-ever Global Crime Trend report compiled data from 195 member countries to analyze the perceived threat level of ransomware across regions. Ransomware was unanimously identified across all regions as a major cybercrime trend posing a ‘high’ or ‘very high’ threat. More precisely, 66% of respondents ranked ransomware a ‘high’ or ‘very high’ cybercrime threat and second only to money laundering with a 67% ranking. Additionally, 72% of respondents ranked ransomware as the cybercrime threat most likely to increase in the future.
Ransomware is a cat and mouse game, but with increased international attention from groups like INTERPOL and CRI, for example, the pace of ransomware attacks may finally begin to decelerate.
Ransomware Can Happen to Anyone
While some industries don’t fall victim to ransomware attacks nearly as frequently as others, it is fair to say that ransomware has become a prolific threat across sectors. The threat of a ransomware attack can strike any organization at any time, and 2022 is living proof of that. A look at organizations that suffered massive data breaches in 2022 shows that targeting is indiscriminate and can impact any type of organization.
- In late October, Pendragon Group, a UK-based car dealership, fell victim to a LockBit ransomware attack and was allegedly part of a double extortion campaign in which a $60 million ransom was required to decrypt files and not leak them publicly. At the time of the attack, Pendragon Group was steadfast in its decision to refrain from making a ransom payment. Shortly after discovering the attack, Pendragon reported the incident to the U.K. data protection office and law enforcement officials. Results from the Pendragon Group IT team investigation showed that only 5% of the database was stolen.
- Late November brought ransomware news of a massive data breach at Medibank, Australia’s largest health insurer. Reportedly, 9.7 million current and former customers are impacted. The stolen data includes names, dates of birth, phone numbers, email addresses, and more. Interestingly, Medibank has publicly stated that a ransom payment will not be paid, based on advice it received from cybercrime experts. Medibank was advised that paying the ransom could have the opposite effect and enable ransomware operators to directly extort customers and make Australia a bigger, more desirable target in the future if it is known to comply with ransom demands. In a nod to Australia’s concern surrounding ransomware attacks, the Home Affairs Minister, Clare O’Neil, stated that the Australian government would consider making it illegal to pay ransom demands to hackers.
- In a very public ransomware case earlier in 2022, the Costa Rican government suffered a streak of attacks by Conti ransomware followed by a 670-gigabyte data breach ransomware attack attributed to Hive. Costa Rica has become the first country to declare a “national emergency” in the wake of a ransomware attack. Time will tell which country will be next.
- Hive struck again in October 2022, attacking Tata Power, India’s largest integrated power company based in Mumbai. Hive stole and encrypted various types of sensitive data including employees’ personally identifiable information (PII), salary information, engineering drawings, financial and banking records, and client information.
These are just a few examples of countless attacks driven by hackers that seek to profit from stealing private data and extorting organizations of any type.
The Cyber Insurance Dilemma
The possibility of a ransomware attack has led many organizations to adopt cyber insurance; however, many are starting to fall into the ‘cyber insurance gap.’ In a recent study by BlackBerry and Corvus Insurance, key findings indicated that 37% of respondents have insurance, but their policy does not cover ransomware payments. Of those with ransomware payment coverage, only 19% of surveyed businesses have limits greater than the median $600,000 ransomware demand in 2021. This leaves organizations questioning if the increasing policy premiums are worth the ROI or if it is better to set aside a self-funded account in case ransomware strikes.
Additionally, organizations that are not able to meet certain security requirements, such as endpoint detection and response (EDR), are often denied access to cyber insurance, leaving them with no assistance with ransomware attacks. On the other hand, 41% of respondents brought EDR on board in order to meet the security benchmarks for cyber insurance.
Take Control of Your Ransomware Readiness
Unfortunately, the pace of ransomware attacks follows an upward trajectory as attack surfaces broaden across industries and attack motivations increasingly blur the lines between geopolitical issues and traditional cybercrime tactics. So, what can your organization do to better protect your assets against this dangerous threat?
- Consider starting with penetration testing. Open a strong line of communication with your consultants to understand where the weaknesses lie on your attack surface.
- When your security organization is ready to expand upon the results of pen testing, Red Teaming is the next logical step to gain ground truth on where you stack up against ransomware-focused adversaries. Red Teaming, Purple Teaming, and ransomware emulation can pressure-test your security controls, organizational responses, and physical security against real-world ransomware playbooks to get ground truth on how susceptible you are to ransomware and how to improve.
- Check out these helpful resources to get started on your ransomware readiness journey: