RansomOps: Not Your Parent’s Ransomware

It’s no secret that in recent years ransomware gangs have upped their game. There were over 300 million attacks in the first half of 2021 alone, according to one report, a 151% increase year-over-year.

And payment demands have gone up–last year the average ransom payment was around $570,000, although we did see CNA Financial fork out an unprecedented $40 million to Evil Corp  and one gang asking an audacious $50 million.

So, is this still just the same old ransomware we’re talking about? That low-grade, pesky pop-up stuff of cyber trolls and email spammers? Well, sort of. Once the niche of spray-and-pay spam and drive-by campaigns, you’re now more likely to find ransomware tacked on to the tail end of an elaborately crafted attack sequence we define as RansomOps—ransomware in its most pernicious, pervasive and professional form.

And, as the methods evolve so does the industry. As I pointed out in the RansomOps report, “ransomware purveyors are moving away from high-volume attacks with low ransom demands in favor of more focused, custom attacks aimed at individual organizations selected for the ability to pay multi-million dollar ransom demands.” 

What are RansomOps?

RansomOps describes the entire ransomware operation and multiple players who contribute to these highly targeted attacks, from initial ingress to lateral movement in the network to delivery of the final encryption payload. 

RansomOps take a “low and slow” approach, infiltrating the network and often remaining undetected for weeks as the attackers pivot through the targeted ecosystem, often exfiltrating sensitive data that is leveraged in double extortion schemes to assure payment of the ransom, even if the victim is able to regain access to their systems and data. 

“We now have ransomware cartels—like REvil, Conti, DarkSide, and others—and ransomware is not a piece of malware, but rather comprehensive ransomware operations, or RansomOps, where the execution of the ransomware itself is just the final piece of a much longer attack chain,” states Cybersecurity Insiders. 

These four basic components are what distinguishes RansomOps from ransomware: : 

• Initial Access Brokers (IABs): These infiltrate target networks, establish persistence, and move laterally to compromise as much of the network as possible, then sell access to other threat actors.
• Ransomware-as-a-Service (RaaS) Providers: Which supply the actual ransomware code, the payment mechanisms, handle negotiations with the target and provide other 'customer service' resources to both the attackers and the victims.
• Ransomware Affiliates: These contract with the RaaS provider, select the targeted organizations, and then carry out the actual ransomware attack.
• Cryptocurrency Exchanges: That launders the extorted proceeds.

The evolution of this Ransomware Economy means launching ransomware attacks is getting even easier, where even would-be attackers with limited technical skills can engage in attacks. 

RansomOps is now the modus operandi among even the big players, and it’s changing the game. “The burgeoning Ransomware-as-a-Service (RaaS) industry has also lowered the technical bar for many would-be attackers by making complex attack infrastructure available to low-skilled threat actors,” and big targets are being taken down. 

Remember the Colonial Pipeline attack? It was the result of a Darkside RaaS variant. The prevalence of RaaS platforms makes sophisticated malware campaigns cheap, accessible, and easy to mass carry out–which may explain the spike in numbers over the past 18 months. 

Defend Against Complex RansomOps

Simply put, you cannot defend against RansomOps in traditional ways because it’s not a traditional threat. Enterprise SIEMs miss 80% of detections for MITRE ATT&CK techniques, according to a recent report. And a focus on detecting the ransomware executable alone is risky because that is the tail-end of a longer attack sequence, where the adversary already has unfettered access to your network and may be engaging in data exfiltration. 

Because RansomOps are an entire campaign, defending against the payload alone is like “fighting terrorism by focusing only on the explosive device or waiting to hear the ‘boom’ to know where to focus resources,” as Cybersecurity Insiders states. You need to see the whole of the malicious operation, not just the conclusion. 

“Against this backdrop, 2022 will demand a refocusing of anti-ransomware tactics away from the encrypting malware itself and onto the Indicators of Behavior (IOBs) associated with RansomOps, allowing the defending organization to circumvent encryption entirely,” notes Intelligent CISO.

An effective ransomware prevention plan includes actions like:

• Following Security Hygiene Best Practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
• Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
• Deploying Endpoint and Extended Detection and Response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provides the visibility required to end ransomware attacks before data exfiltration occurs, or the ransomware payload can be delivered.
• Assuring Key Players Can Be Reached: Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
• Conducting Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
• Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least once every quarter is recommended to ensure all personnel and procedures perform as expected.
• Evaluating Managed Security Services Provider Options: If your security organization has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
• Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. For more information on Weekend and Holiday ransomware threats, refer to our other 2021 study, Organizations at Risk: Ransomware Attackers Don’t Take Holidays.

Ultimately, your multi-layered approach should allow you to analyze ALL data in real-time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables so you can truly have a proactive anti-ransomware strategy in place.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.