Ransomware: How Adversaries are Upping the Ante


"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." – Sun-Tzu, The Art of War

Deception has been used for thousands of years in ancient warfare and is still used today in modern warfare including in the cyber realm. During the last few years, no other cyber threat has dominated headlines as much as ransomware, with SANS even declaring 2020 and 2021 “the years of ransomware”. This claim to infamy aligns with findings from the European Union Agency for Cybersecurity, which observed a 150% increase in ransomware attacks between April 2020 and July 2021. Sadly, current trends seem to indicate that things may be about to get worse.

These trends include increased usage of ransomware as decoys, the rise of ransomware-as-a-service (RaaS), and the growing incidence of ransomware attacks targeting supply chains. We’ll discuss these trends in more detail in the following sections.

Ransomware as a Decoy

The motive behind ransomware has been clear and consistent ever since it first appeared in the late 80s. Thus, when an organization learns that it is under a ransomware attack, profit is often the assumed motive, but as more recent attacks have shown, that is not necessarily always the case.

Deploying ransomware makes for an easy and effective red-herring deception. By causing chaos to distract the victim, attackers can keep their true motives and behaviors under the radar in parts of the network where the victim may not think to look. Those motives might be to persist on the victim's network long term for intelligence-gathering purposes, to leverage that access to attack a partner's network more easily, or to achieve actual destructive outcomes.

Ransomware is increasingly used as a decoy in cyber warfare, state-sponsored attacks, bank heists, and other nefarious acts. This deceptive tactic works because ransomware variants have gained so much notoriety as highly disruptive threats that, once files are locked up, organizations tend to throw all their resources at resolving the issue as soon as they detect it.

NotPetya, WhisperGate, and even WannaCry followed this MO, and were actually wiper malware disguised as ransomware. These wipers tricked victim organizations into believing important files were being encrypted and that those files would be decrypted as soon as ransom was paid. In reality, the wipers were already destroying those files under cover of the ransomware threat.

Those pseudo-ransomware variants mentioned above, which mainly attacked Ukrainian systems (but eventually spread to other countries across the globe), are believed to have Russian origins and to have been deployed as part of Russia’s cyberwarfare. Russia is also believed to have unleashed a ransomware named HermeticRansom and a wiper named HermeticWiper ahead of its initial offensive against Ukraine earlier this year. In that attack, HermeticRansom served as the decoy while HermeticWiper did the damage.

A similar tactic was used in the 2017 heist on the Far Eastern International Bank (FEIB) in Taiwan, wherein the Hermes ransomware was used to distract authorities while the hackers attempted to wire $60 million to various accounts in the US, Sri Lanka, Cambodia, and other places abroad.

Ransomware as a Service (RaaS)

In the past, only technically advanced cybercrime groups were capable of launching ransomware attacks. Today, any cybercrime outfit that wishes to wreak havoc on an organization can initiate an attack by purchasing or leasing ransomware from operators through what is known as Ransomware-as-a-Service (RaaS). The availability of RaaS puts ransomware into the hands of potentially any threat actor, ranging from sophisticated nation states to those with relatively low skill sets.

RaaS has significantly reduced the barrier to entry to a ransomware campaign and, in turn, accelerated the proliferation of this menacing threat. There is no longer any doubt that models predicting the cost of ransomware would exceed $265 billion in the next decade will be proven right. The emergence of RaaS has already ensured that.

Similar to how cloud customers pay for software-as-a-service (SaaS) applications, RaaS customers, known as affiliates, pay a monthly or annual subscription to access a RaaS software and its accompanying tools, services, and resources such as customer support, documentation, penetration tests, victim analysis, negotiators, and others. Yes, you can contact customer support if something goes wrong with your RaaS tool. Imagine that. Some SaaS providers can’t even deliver that level of service.

With most of the technical and “back-end” aspects of ransomware campaigns already handled by RaaS operators, affiliates can simply use the “front-end” tools to launch ransomware attacks and earn payouts. Several ransomware families, including Locky, Cerber, REvil, GandCrab, Ryuk, and DarkSide have already been used in RaaS campaigns.

Supply Chain Attacks

While no organization is safe from a ransomware attack, ransomware gangs have a greater incentive if their target: 1) can’t afford to suffer an extended period of downtime and, hence, would easily succumb to paying ransom, and 2) is highly profitable and, therefore, has the capacity to pay a sizable ransom.

Supply chains perfectly fit this profile, and once an attack succeeds, attackers can go on to target all of the supplier’s business partners. More business equates to more money up for grabs. Many supply-chain companies such as Maersk (which was greatly impacted by NotPetya in 2017) and CMA CGM have been enjoying record-setting revenues and profits due to the pandemic. At the same time, these companies cannot afford to have their systems go offline, due to the high demand the logistics industry is experiencing. Thus, if ransomware locks up their systems, there’s a good chance they wouldn’t need a lot of persuasion to pay up.

As demonstrated through our examples of prominent companies that were hit by ransomware below, supply chains have become a major target. And with the prominence of RaaS, these threats won’t be going away anytime soon.

Ransomware Attacks on Supply Chains since May 2021

What Can Businesses Do?

Ransomware, whether used for extortion or for distraction, is a serious threat. With ransomware threat actors now upping their ante, it’s time to rethink the way we face these adversaries.

Most experts agree that prevention is the best approach to combating ransomware, making ransomware readiness essential for today’s enterprises. The challenge is that technology can only take us so far. The latest ransomware exploits bypass traditional controls, use authorized credentials, and insert malicious code into legitimate processes. Despite advancements in prevention technologies such as NGAV, application control (allow-listing/deny-listing), detection and response (EDR, XDR, and SOAR) and IR frameworks like MITRE ATT&CK, ransomware attacks continue to escalate.

Instead, more organizations need to implement offensive security methodologies like ransomware simulation programs, because they are one of the only ways to try to eventually shut down these nefarious attacks. Detection alone is never going to do that. Mapping attack surfaces, red teaming, and continuously identifying exploitable vulnerabilities and weaknesses in the perimeter are proactive measures that will give ransomware less and less of a chance to operationalize over time.

As you aim to get your organization aligned on ransomware readiness, consider the following key questions:

  • Do you know how and where you’re vulnerable to a ransomware attack?
  • Which discovery methods can you employ to determine your greatest areas of exposure?
  • When it comes to options (penetration testing, red teaming, purple teaming, or tabletop exercises), which will work best for you?
  • What can you expect to learn from these programs? How do you leverage lessons learned to enhance security on a continual basis?
  • Which open-source tools can you use to start a program on your own? How do they function, and what are their use cases?

For a deep dive on how to build a ransomware-ready security program, download our eBook, “An Offensive Security Guide to Ransomware Readiness.”

Trevin Edgeworth

About the author, Trevin Edgeworth

Red Team Practice Director

Trevin Edgeworth is the Red Team Practice Director at Bishop Fox, where he focuses on building and leading best-in-class adversary emulation services to help customers of all sizes and industries strengthen their defenses against current and emerging threats.

Trevin has over 20 years of security experience; he has built and overseen red team programs for several Fortune 500 companies, including American Express, Capital One Financial, and Symantec Corporation. Other accomplishments include leading a security organization as Chief Security Officer (CSO) for a major security company. Trevin has led a variety of security functions in his career, including cyber threat intelligence, hunt, deception, insider threat, and others.

Trevin is an active member of the security community. He has presented at several industry conferences and been interviewed by leading publications on topics such as red teaming and threat intelligence.
