June 14, 2021 | 4 minute read
One look at all the ransomware attacks from the past few years, and it’s clear that crypto-malware actors are attempting to maximize their financial gain. We’ve observed these threat groups using multiple techniques to profit even more off their victims than in years past. Here are a few tactics that stood out to us.
Digital attackers are increasingly asking more from their victims. Take the recent attack involving CNA as an example. Indeed, the insurance company’s payment of $40 million was the highest ransomware demand met by a company to date.
It’s not the highest amount ever asked by a crypto-malware group. CNA talked down its own ransom demand from an initial ask of $60 million, reported Bloomberg. A couple of months before that, REvil/Sodinokibi’s ransomware operators asked for more from two of their recent victims.
The issue here is that ransomware actors know that victims will attempt to talk down a ransom payment. They are also aware that many larger companies have cyber insurance policies that will help to cover at least some of a ransom payment. But they still want their money. That explains why these attackers are demanding $50 million to $70 million on average. They aim big, according to Bloomberg, even when they might not receive it in the end.
Ransomware actors are attempting to further increase their gains by conducting their attacks in multiple stages. Our ICS honeypot environment picked up on this in H1 2020 when it observed ransomware using publicly accessible remote administration interfaces to gain initial access. This involved brute-forcing an admin’s account credentials and logging in remotely.
At that point in time, the attackers used a PowerShell script to create a backdoor user called “admin.” This action gave the attackers a means of maintaining persistence while evading detection. With that persistence, the malicious actors logged back into the compromised server and used PowerShell to upload additional attack tools. Those utilities included Mimikatz, a tool that enabled the attackers to steal user credentials and move laterally to the domain controllers. It’s then that the campaign detonated its ransomware.
“This activity points to an interesting trend in ransomware attacks,” we explained at the time that we spotted this operation. “Instead of focusing on a single stage, deploy and detonate approach to ransomware, attackers are using multiple stages to ensure as much financial gain as possible. They not only deploy ransomware, but they also move laterally to affect as many machines as possible and steal credentials before ultimately detonating the ransomware.”
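Each stage of the honeypot intrusion described above leaves a distinct trace in Windows telemetry: a burst of failed logons (event 4625) from one source followed by a success (4624), an account created (4720) from within that same logon session, and then process creation (Sysmon event 1) of PowerShell and a credential-dumping tool under that session. The following is an added detection example, not code from the original post or from Cybereason; the event records are constructed samples with the field names chosen here, and the threshold and window values are assumptions a defender would tune to their own environment. The key design point is that the stages are correlated by logon session ID, so a legitimate administrator creating a user from a normal session is not flagged.

```python
"""Correlate brute-force -> backdoor account -> tool execution across
Windows Security / Sysmon events, keyed on the logon session ID.
Added example; sample events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 10                 # assumed: failed logons from one source...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ...within this window counts as a burst
CRED_TOOLS = {"mimikatz.exe"}              # tool named in the post; extend as needed


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_brute_force(events):
    """Return {src_ip: logon_id} for every source whose burst of 4625 failures
    was followed by a 4624 success from the same source inside the window."""
    failures = defaultdict(list)
    hits = {}
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4625:
            now = _ts(ev)
            # keep only failures still inside the sliding window
            failures[ev["src_ip"]] = [t for t in failures[ev["src_ip"]] + [now]
                                      if now - t <= BRUTE_FORCE_WINDOW]
        elif ev["id"] == 4624:
            recent = failures.get(ev["src_ip"], [])
            if len(recent) >= BRUTE_FORCE_THRESHOLD and _ts(ev) - recent[-1] <= BRUTE_FORCE_WINDOW:
                hits[ev["src_ip"]] = ev["logon_id"]
    return hits


def detect_chain(events):
    """Attribute later stages to the brute-forced session via subject_logon_id."""
    sessions = detect_brute_force(events)
    suspicious = set(sessions.values())
    findings = []  # (stage, detail, logon_id) in time order
    for ev in sorted(events, key=_ts):
        if ev.get("subject_logon_id") not in suspicious:
            continue  # activity in a session that was never brute-forced is ignored
        if ev["id"] == 4720:
            findings.append(("backdoor_account", ev["new_user"], ev["subject_logon_id"]))
        elif ev["id"] == 1:
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image in CRED_TOOLS:
                findings.append(("credential_tool", image, ev["subject_logon_id"]))
            elif image == "powershell.exe":
                findings.append(("remote_powershell", image, ev["subject_logon_id"]))
    return {"brute_forced_sessions": sessions, "findings": findings}


# --- constructed sample events (illustrative values only) ---
_base = datetime(2020, 3, 2, 1, 0, 0)
SAMPLE_EVENTS = [
    # twelve failed RDP logons from one external address, five seconds apart
    {"ts": (_base + timedelta(seconds=5 * i)).isoformat(), "id": 4625,
     "src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10}
    for i in range(12)
] + [
    # the success that ends the burst, and everything done in that session
    {"ts": "2020-03-02T01:01:10", "id": 4624, "src_ip": "203.0.113.7",
     "user": "administrator", "logon_type": 10, "logon_id": "0x3e7a1"},
    {"ts": "2020-03-02T01:02:00", "id": 4720, "subject_logon_id": "0x3e7a1",
     "subject_user": "administrator", "new_user": "admin"},
    {"ts": "2020-03-02T01:03:00", "id": 1, "subject_logon_id": "0x3e7a1",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2020-03-02T01:10:00", "id": 1, "subject_logon_id": "0x3e7a1",
     "image": "C:\\Temp\\mimikatz.exe"},
    # benign control: internal admin session with no failures creates a user
    {"ts": "2020-03-02T00:30:00", "id": 4624, "src_ip": "10.0.0.5",
     "user": "helpdesk", "logon_type": 2, "logon_id": "0x1111"},
    {"ts": "2020-03-02T00:31:00", "id": 4720, "subject_logon_id": "0x1111",
     "subject_user": "helpdesk", "new_user": "j.doe"},
]

if __name__ == "__main__":
    result = detect_chain(SAMPLE_EVENTS)
    print("brute-forced sessions:", result["brute_forced_sessions"])
    for stage, detail, logon_id in result["findings"]:
        print(f"{stage:18s} {detail:16s} session={logon_id}")
```

Run as a script it reports the one brute-forced session and the three follow-on findings attributed to it, while the helpdesk account creation from session 0x1111 produces nothing. In a real deployment the events would come from a SIEM or EDR feed rather than an inline list, and a 4720 alone would normally be a low-severity signal; it is the correlation with the preceding brute-force session that raises it to an incident.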
Finally, malicious actors are complicating the ransomware recovery process to force victims into paying. Take double extortion, for example. The operators of many ransomware strains are using this technique to steal a victim’s information before launching their encryption routine. The attackers then threaten to release the sensitive data publicly if the ransom demand is not met. Backups can help nullify the need for a decryptor, but they can’t prevent an attacker from publishing a victim’s information on the web. As a result, the victim is still pressured to pay some sort of ransom.
Some ransomware attackers have taken this a step further with triple extortion. It’s where those responsible for an infection not only demand something from their victim but also ask for smaller sums from a victim’s customers. The attackers try to extort these customers by threatening to publish their information, or they use DDoS attacks and/or media reports to scare them into submission. All of this is designed to put even greater pressure on a company to pay up.
And then there are instances where digital attackers use more than one ransomware strain to encrypt a victim’s data. This usually takes one of two forms: in the first scenario, a malicious actor uses one ransomware strain to encrypt a victim’s data before applying yet another ransomware strain to that encrypted data; the second scenario involves splitting up some data or systems between two different ransomware strains. Either situation makes recovery difficult, especially when victims are forced to use multiple attacker-provided tools that might not function properly. It also makes recovery costly, as victims must pay for more than one decryptor.
The developments discussed above highlight the need for organizations to prevent financial loss and defend against a ransomware attack. They can’t do this with any old tool, however. Traditional prevention strategies are less effective against the threat of modern, multi-stage ransomware.
Next-gen ransomware has evolved to better evade standard defenses, and when deployed as a component of a targeted attack, adversaries stand a high chance of success against underprepared environments.
A behavior-based approach to prevention, detection and response is required for success against ransomware attacks. Specifically, organizations need a mode of ransomware defense that shifts from Indicators of Compromise (IOCs) to Indicators of Behavior (IOBs) as a means of visualizing the entire attack chain.
Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response, including:
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.