Ransomware has transformed significantly over the past several years, and it is forcing security to evolve with it. These complex and highly targeted ransomware operations–or RansomOps™–seek to infiltrate entire networks in order to extort multi-million dollar ransoms from targets.
“Ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting largely nuisance attacks to a highly complex business model ...with an increasing level of innovation and technical sophistication,” according to a recent report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy.
RansomOps are less like the old “spray and pay” methods and a lot more like stealthy nation-state APTs. What sets them apart is their technical sophistication, data exfiltration for double extortion, specialized players and attraction to big-name targets.
RansomOps purveyors often leverage the stolen data by threatening to leak it publicly in order to further pressure victims into paying–and when they’re asked to pay, it’s usually an astronomical demand.
“Ransomware gangs have made a strategic shift to targeted attacks against organizations that have the ability to pay multi-million dollar ransom demands, fueling the rise in attacks in 2021,” said Lior Div, and that has business leaders more than concerned.
Gartner noted that the threat of new ransomware models was a top concern among executives last year, and when you look at the stakes, the evolving landscape, and the publicized RansomOps attacks thus far, you can see why.
DarkSide was responsible for the infamous Colonial Pipeline attack that boldly targeted America’s critical national infrastructure and shut down the East Coast oil supply for several days. Believed to be “likely former affiliates of the REvil RaaS [ransomware-as-a-service] group,” DarkSide leans heavily on the double-extortion trend: exfiltrating your data, encrypting it and threatening to make it public if you don’t pay up.
DarkSide targets organizations in English-speaking countries while avoiding those in countries associated with former Soviet Bloc nations. This gang appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations and government agencies. No doubt that code of conduct is an effort to establish a level of trust and confidence in victims to enhance the likelihood that they’ll pay.
“Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations,” TechTarget shares, supporting the premise that RansomOps may be out for political and social disruption as much as for money. They had also targeted several German oil companies.
Having attacked the “telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation, and construction industries” among at least six countries, it was called 2021’s most sophisticated ransomware.
Interestingly, it is built in Rust (an unusual language for ransomware) and is not above triple-extortion techniques. Believed to be a descendant of BlackMatter and targeting no fewer than 60 organizations in March alone, BlackCat caused enough trouble to warrant its own FBI flash alert.
The Conti ransomware group has caused a great deal of damage in a relatively short period of time—making headlines around the world. It didn’t come from nowhere, though. Ransomware gangs constantly shift and evolve and rebrand over time, and Conti is identified as a successor to Ryuk ransomware.
The FBI released an alert around Conti in February of this year, warning that “attacks against U.S. and international organizations have risen to more than 1,000.” This prodigious threat pulls many of its former members from the TrickBot ranks, and is known for not only infecting machines, but spreading through the network via SMB and encrypting remote files as well.
Raking in over $25 million since 2020, NetWalker earned a global remediation attempt by the US Department of Justice. Per court papers, the group operates a “so-called ransomware-as-a-service model,” or RaaS, in which developers write the malicious code, affiliates find and attack victims, and the two parties split the proceeds.
According to the Cybereason threat research team Nocturnus, “NetWalker encrypts shared network drives of adjacent machines on the network” and presents a HIGH threat, already having been “employed in attacks across a variety of industries around the world.”
U.S. and Bulgarian authorities had seized the data-leaks website used by the NetWalker ransomware gang to doubly extort its victims. A court in Florida also charged a Canadian national suspected of helping to spread NetWalker in connection with this takedown.
“On April 20, 2022, a user named BlackBasta posted on the underground forums XSS[.]IS and EXPLOIT[.]IN a post intended to buy and monetize corporate network access for a share of the profits.” While still a new strain of ransomware discovered just this past April, the group struck hard and fast, claiming nearly 50 victims within the first three months.
Their post on hacking forums suggested they targeted English-speaking countries only, and their Linux variant goes after VMware ESXi virtual machines running on Linux servers. Connections are drawn to Conti, given the feel, web design, and negotiation style–which includes leaking data as punishment for organizations taking the attack public or seeking help.
It’s possible for organizations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can block suspicious emails that carry malicious links or attached documents with malicious macros. The installation stage gives security teams the opportunity to detect files that are attempting to create new registry values and to spot suspicious activity on endpoint devices.
When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, and investigate network mapping and discovery attempts launched from unexpected accounts and devices.
Defenders can flag resources that are attempting to gain access to other network resources with which they don’t normally interact, and discover attempts to exfiltrate data as well as encrypt files.
Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks or even months worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organization.
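The stage-by-stage detections described above (delivery, installation, command and control, lateral movement, exfiltration and encryption) can be sketched as a small rule set run over endpoint and network telemetry. The block below is an added illustration, not Cybereason code or any product's detection logic: every hostname, IP address, indicator, baseline entry and event in it is constructed, and the rule thresholds (`ENCRYPT_BURST_THRESHOLD`, `EXFIL_BYTES_THRESHOLD`) are assumptions a real deployment would tune against its own data.

```python
"""Stage-by-stage ransomware detection rules run over constructed telemetry.

Added example for illustration; not Cybereason code. Every hostname, IP,
indicator and event below is constructed, and the thresholds are assumptions.
"""
import os
from collections import defaultdict

# Constructed indicator set standing in for a threat-intel feed (TEST-NET addresses).
KNOWN_C2_IPS = {"203.0.113.7"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".dotm"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed baseline: which SMB targets each host is normally seen talking to.
SMB_BASELINE = {"WS-042": {"FS-01"}}
INSTALLER_ALLOWLIST = {"msiexec.exe"}          # processes expected to touch Run keys (assumed)
ENCRYPT_BURST_THRESHOLD = 50                   # renames by one process before alerting (assumed)
EXFIL_BYTES_THRESHOLD = 500 * 1024 ** 2        # 500 MiB outbound in a single flow (assumed)


def detect_delivery(events):
    """Delivery stage: inbound mail carrying a macro-enabled attachment."""
    return [f"delivery: macro attachment '{e['attachment']}' sent to {e['recipient']}"
            for e in events if e["type"] == "email"
            and os.path.splitext(e["attachment"])[1].lower() in MACRO_EXTENSIONS]


def detect_installation(events):
    """Installation stage: an unexpected process creating a new Run-key value."""
    return [f"installation: {e['process']} wrote {RUN_KEY}\\{e['value']} on {e['host']}"
            for e in events if e["type"] == "registry_set"
            and e["key"] == RUN_KEY and e["process"] not in INSTALLER_ALLOWLIST]


def detect_c2(events):
    """Command and control: outbound connection to known malicious infrastructure."""
    return [f"c2: {e['host']} -> {e['dst_ip']}:{e['dst_port']} via {e['process']}"
            for e in events if e["type"] == "net_conn" and e["dst_ip"] in KNOWN_C2_IPS]


def detect_lateral(events):
    """Discovery/lateral movement: SMB access to a target outside the host's baseline."""
    return [f"lateral: {e['host']} accessed \\\\{e['target']} (not in baseline)"
            for e in events if e["type"] == "smb_access"
            and e["target"] not in SMB_BASELINE.get(e["host"], set())]


def detect_exfiltration(events):
    """Exfiltration: a single outbound flow moving an unusually large volume of data."""
    return [f"exfiltration: {e['host']} sent {e['bytes_out']} bytes to {e['dst_ip']}"
            for e in events if e["type"] == "net_conn" and e["bytes_out"] >= EXFIL_BYTES_THRESHOLD]


def detect_encryption(events):
    """Impact: one process renaming a burst of files to a new extension."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "file_rename" and \
                os.path.splitext(e["path"])[1] != os.path.splitext(e["new_path"])[1]:
            counts[(e["host"], e["process"])] += 1
    return [f"encryption: {proc} on {host} renamed {n} files to a new extension"
            for (host, proc), n in counts.items() if n >= ENCRYPT_BURST_THRESHOLD]


def run_pipeline(events):
    """Run every stage rule and return alerts keyed by stage name."""
    return {
        "delivery": detect_delivery(events),
        "installation": detect_installation(events),
        "c2": detect_c2(events),
        "lateral": detect_lateral(events),
        "exfiltration": detect_exfiltration(events),
        "encryption": detect_encryption(events),
    }


# Constructed sample telemetry: one benign and one suspicious event per stage,
# plus a burst of 60 renames standing in for an encryption run on a file server.
SAMPLE_EVENTS = [
    {"type": "email", "recipient": "alice@example.com", "attachment": "invoice.docm"},
    {"type": "email", "recipient": "bob@example.com", "attachment": "agenda.pdf"},
    {"type": "registry_set", "host": "WS-042", "process": "winword.exe", "key": RUN_KEY, "value": "Updater"},
    {"type": "net_conn", "host": "WS-042", "process": "svchost.exe", "dst_ip": "203.0.113.7", "dst_port": 443, "bytes_out": 1024},
    {"type": "net_conn", "host": "WS-042", "process": "chrome.exe", "dst_ip": "198.51.100.20", "dst_port": 443, "bytes_out": 4096},
    {"type": "net_conn", "host": "FS-01", "process": "rclone.exe", "dst_ip": "198.51.100.20", "dst_port": 443, "bytes_out": 700 * 1024 ** 2},
    {"type": "smb_access", "host": "WS-042", "target": "FS-01"},
    {"type": "smb_access", "host": "WS-042", "target": "DC-01"},
] + [
    {"type": "file_rename", "host": "FS-01", "process": "locker.exe",
     "path": f"docs/file{i}.docx", "new_path": f"docs/file{i}.docx.locked"}
    for i in range(60)
]

if __name__ == "__main__":
    for stage, alerts in run_pipeline(SAMPLE_EVENTS).items():
        for alert in alerts:
            print(alert)
```

Each rule keys off the behaviour the paragraph names rather than a specific malware signature, which is the point of catching a RansomOps intrusion early: the Run-key write, the connection to known-bad infrastructure and the SMB access outside the host's baseline all fire well before any encryption begins.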
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern RansomOps attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.