I Want 5 Million Pounds In Unmarked Bills - The current state of ransomware & other modern attack campaigns (Guest blog by VMware)

1989 was a historic year. Margaret Thatcher completed ten years as British PM and that same year declared, along with American President George Bush and Soviet Leader Mikhail Gorbachev, the end of the 40 year long Cold War. Meanwhile the first of 24 GPS satellites entered Earth’s orbit, and in sport British F1 driver Nigel Mansell took second in the British Grand Prix.

In that same year the first instance of ransomware, the “AIDS Trojan”, was released into a world as yet unsuspecting of just how crippling and common this new form of cyber-attack would become.

In the more than three decades since, ransomware has evolved from that first, floppy disk, simple-encryption enfant terrible to a global network of criminal gangs creating, maintaining, and leveraging ransomware attacks at an industrial scale. Today ransomware infrastructure is now available as-a-service, available on-demand to any miscreant with funds sufficient, and morals insufficient. Such ‘as-a-service’ (RaaS), first seen in 2015, now comprises 14% of all ransomware attacks on a global basis [1].  

For many years the go-to, final line of defence against ransomware has been a well architectured and executed strategy toward data and system backups. Any organisation with recent and complete backups could elect to not pay the ransom demand, and instead restore. Of course ransomware gangs adapted to this development by ensuring that their cyber weapons also targeted for encryption any and all backup locations that could be found connected to the network; while we defenders adapted by ensuring that backups are stored in data vaults isolated from the network.

As this game of cat and mouse continues the ransomware gangs have again evolved in two other hugely significant ways. Understanding these latest changes in attacker behaviour is crucial if you are to defend your organisations against the disruption, downtime, and extortion that ransomware delivers.

Firstly; ransom is no longer only demanded as payment before your encrypted data is released. Before encrypting your data ransomware attackers once in your network will lay low, spending time to discover and steal copies of your most interesting and valuable data. The time attackers remain with access to your network is called ‘dwell time’, and attackers will also use it to establish various methods to re-access your network should you initially discover them and kick them out. The longer the dwell time, the more deeply attackers may infiltrate into your systems.

If you refuse to pay the ransom to release your encrypted data (because you assume you can just restore from backup) then the attackers will still hold you to ransom, threatening to release or sell the stolen copy. Regardless of whether you pay at all the attackers can and will sell that stolen data, in effect guaranteeing themselves reward for their criminal behaviour. 40% of all ransomware attacks now involve this “double extortion” approach[2]. Backups are no longer enough!

Secondly; ransomware is no longer only introduced into your environment through phishing attacks, physical media (“Oh look! I’ve found a 64Gb USB stick. Let me put that in my machine to see what interesting files are on it”), or by exploiting vulnerable and unpatched systems. In July of 2021 the ransomware gang known as REvil launched an attack that leveraged software vendor Kaseya Limited’s VSA (Virtual Systems Administrator) solution, and their MSP (Managed Service Provider) ecosystem to push ransomware down to up to 1500 downstream victims. This is an example of an “island hopping” attack; one which steps across multiple, intermediary victims that ultimately lead to the attacker’s ultimate prize. Even your most trusted systems can be a route in for the ransomware gangs.

Each of these evolutions by ransomware gangs require you to adapt your own defensive strategies.

Firstly; you must assume attackers are in your environment and preparing to launch an offensive. Don’t wait for them to pounce. Hunt for the subtle breadcrumbs that attackers leave behind as they look for data to steal and prepare for their next stage of attack. The tools needed in your arsenal for such Threat Hunting include ‘Endpoint Detection (and) Response’ (EDR), ‘Network Detection (and) Response’ (NDR) and the skills and discipline to recognise the attacker’s trail. Critical too is a baseline knowledge of what ‘normal’ looks like in your own network. By understand normal it becomes easier to recognise unusual, more easily recognise attacker behaviour, and reduce the overall length of the attacker’s dwell time.

Secondly; begin today to plan your journey to Zero Trust [3]. Zero Trust is not a single product you can buy nor implement. Any vendor which tries to tell you otherwise should themselves be treated with zero trust. Zero Trust is an architecture (codified as it happens in NIST 800 SP 27). Designing to a ZT architecture requires continual baselining of the security posture of all the endpoints and workloads in your environment, as well as your network architecture, and rethinking how and when you grant user (and API) access to critical data stores and applications. A ZT architecture makes it significantly more difficult for an attacker to gain an initial foothold in an environment, or then move from one machine to another.

Ransomware is here to stay. Criminal gangs both small and large are banking their ill-gotten rewards as they target organisations which have not kept up with the continued evolution in the tools, techniques, and procedures attackers deploy at scale.

The time to evolve your defence is now. When the attacker next demands £5,000,000 in unmarked, untraceable crypto-pounds be ready to say “Not today”.

For any further information please contact Mike Siddon, Cyber Security Specialist for Public Sector at VMware at [email protected]

Authors

Simon Perry

VMWare