The continuous evolution of modern ransomware

0


Author: Yossi Naar, Visionary Director and Co-Founder, Cybereason

Ransomware attacks continue to grab the headlines, and for good reason: On average, there is a new ransomware attack every 11 seconds, and losses to organizations from ransomware attacks are expected to reach $ 20 billion over the course of by 2021. This rate translates to approximately 3 million ransomware attacks in a year.

Let it in. We’re not talking about the number of files encrypted or organizations affected, it’s 3 million unique ransomware attacks against organizations.

The Ransomware Threat: 30 Years of Creation

The majority of organizations that have experienced a ransomware attack have experienced a significant impact on the business, including loss of revenue, damage to the organization’s brand, unplanned downsizing, and even the complete shutdown of the business. ‘business.

So far, more than 200 ransomware attacks have made headlines in 2021 – and it is only the ransomware attacks that have been publicly acknowledged. To understand how we got here, we need to look at how the threat has evolved over the years:

1989: the birth of ransomware

Go back to 1989, when the first documented case of ransomware emerged. In December of that year, Harvard-trained evolutionary biologist Dr. Joseph Popp sent 20,000 computer virus-infected floppy disks to people who attended the World Health Organization’s International AIDS Conference. in Stockholm.

Once loaded onto a computer, the virus hid file directories, locked file names, and informed victims that they could only restore access to their files by sending $ 189 to a PO Box in Panama. .

Dr Popp eventually caught the attention of authorities while at Schiphol Airport around two weeks after the attack. Law enforcement subsequently arrested the evolutionary biologist at his parents’ home and extradited him to the UK. There, he faced 10 counts of extortion and criminal damages for distributing what is now called the “AIDS Trojan”.

2007: Variants of Locker Ransomware appear

Almost 20 years later, in the aftermath of the AIDS Trojan incident, the first variants of locker ransomware appeared on the threat landscape. These early versions targeted users in Russia by “locking down” victims’ machines and preventing them from using basic computer functions like the keyboard and mouse, as researchers at the University of Kennesaw State.

After displaying an “adult image” on infected computers, the ransomware instructed victims to call a premium-rate phone number or send an SMS to respond to ransom demands from attackers.

2013: CryptoLocker ushers in modern crypto-ransomware

In 2013, a new ransomware threat called “CryptoLocker” installed itself in the “Documents & Settings” folder of Windows victims and got added to the registry list. After connecting to one of its hard-coded Command and Control (C&C) servers, the threat downloaded a small file to identify its victim and used that file to generate a public-private key pair.

He then used the public key to encrypt the victims’ documents, spreadsheets, images, and other files before displaying his ransom note. This message informed the victim that they had 72 hours to pay a ransom note of $ 300, not even pennies on the dollar compared to the current ransom demands which run into the tens of millions.

Attacks involving CryptoLocker became more common in the years that followed. According to researchers at Kennesaw State University, the FBI estimated that victims had paid CryptoLocker operators $ 27 million by the end of 2015.

2018: Ransomware players embark on the hunt for big game

Starting in 2018, the FBI observed a decline in indiscriminate ransomware attacks. Its analysts have seen these campaigns give way to operations targeting businesses – especially state and local governments, healthcare entities, industrial companies and transportation organizations.

Many ransomware groups have opted for targeting large organizations so that they can encrypt high-value data, undermine the operations of victims, and thus demand an even higher ransom payment. The report Ransomware: The Real Cost for Businesses mentioned above highlights some of the impacts these attacks can have on organizations in the UAE, including:

  • Loss of business income: 63% of organizations in the UAE reported a loss of business (19% more than the global average) as a result of the ransomware attack and 42% reported a significant loss of revenue.
  • Damage to brand and reputation: 54% of organizations in the Emirates reported that their brand and reputation were damaged as a result of a successful attack.
  • C-level talent loss: 50% of organizations in the UAE (19% above the global average) reported losing C-level talent as a result of ransomware attacks.
  • Employee layoffs: Consistent with the global average, 29% said they were forced to lay off employees due to financial pressures following a ransomware attack.

2019: Gang Maze Ransomware and Double Extortion

Towards the end of November 2019, the Maze group had managed to rape a company of security personnel by stealing its information in the clear before encrypting its files. To prove their claim, the attackers sent a sample of the stolen files to the company and disclosed 700MB of data online shortly after.

Other ransomware groups adopted this “double-extortion” technique in the months that followed. In doing so, they have given themselves an advantage over organizations with a data backup strategy. They knew that victims could use their copies of data to restore infected computers, but they couldn’t turn the tide of data theft.

Thus, the attackers demanded two ransom payments from their victims, one for the decryption of their data and the other for the removal of their information from the servers of their operation.

The rise of sophisticated RansomOps

In a recent article, we discussed how today’s complex RansomOps the attacks are more akin to stealth APT-type operations than the older “spray and pray” mass email spam campaigns such as those listed above. The article also dealt with the greater Ransomware economics at work, each with their own specialty.

These players include Initial Access Brokers (IABs) who lay the groundwork for a ransomware attack by infiltrating a network and moving sideways to maximize the potential impact, and Ransomware-as-a-Service operators ( RaaS) which provide attack infrastructure to affiliates. who carry out the attacks.

This level of compromise puts RansomOps attackers in a position where they can demand even larger ransoms, and RansomOps techniques also typically involve multiple extortion techniques like the double extortion tactic discussed above.

Some groups went further: The Grief ransomware gang had begun threatening to remove a victim’s decryption key if they chose to hire someone to help them negotiate the ransom demand. This follows threats from the RagnarLocker group to release a victim’s data if they notify the FBI or local law enforcement of an infection.

Defending against ransomware and RansomOps

It is possible for organizations to defend against ransomware and RansomOps from the early stages of an attack. Keep in mind that the actual ransomware payload is the very last end of a RansomOps attack, so there are weeks or even months of detectable activity before the payload is delivered where an attack can be thwarted before it is released. ‘there is a serious impact on the targeted organization.

The key to stopping ransomware attacks is to minimize the time period between when a RansomOps attack first enters your environment and when the security team can detect and stop it. This cannot be achieved by using outdated technologies that rely on threat information derived from basic attacks or other “known” attacks.

As a result, many organizations have chosen to adopt solutions capable of detecting unique and highly targeted attacks based on more subtle behavioral signals that can surface these attacks earlier in the chain of destruction. As these solutions prove to be more effective than their predecessors, it will be interesting to see how attackers adapt and continue to evolve their tools and tactics to compensate.


Share.

Comments are closed.