The technology of ransomware has evolved in sophistication and the business models of the criminal groups behind it have as well. The result: The threat from ransomware has reached pandemic proportions.
This post provides an executive level overview of the nature of this threat. This post is part of the OODA Cybersecurity Sensemaking series and is designed to be read as an introduction to our accompanying post on how to mitigate the threat of ransomware to your organization.
Background on the Threat
Here are some of the indicators of the prevalence and impact of ransomware:
- In 2020 over 2400 US based organizations, including governments, hospitals, schools and businesses were victims. This trend continues in 2021. The most famous, to date, is the attack on the Colonial Pipeline, which made global news and underscored the real world impacts that ransomware can have.
- Victims have been forced to pay millions. The estimated amount victims paid in ransom in 2020 is $350 million USD. This will probably reach $500 million in 2021. The biggest to date is the March 2021 CNA insurance ($40M). The average payment by an organization is $312,500.
- The average downtime due to ransomware attacks is 21 days. The average time it takes a business to fully recover from an attack is 287 days.
- An important trend to recognize is the use of double-extortion (stealing data and demanding a second payment or else will release it). At the start of 2020 only one major ransomware group exfiltrated data for a second extortion. By the end of 2020, 17 other groups adopted that method.
Who is doing this?
While it is possible for an individual to orchestrate an attack, this is rare. Today there are three basic kinds of attackers:
- Nations: Russia and DPRK have been noted using government resources to create ransomware campaigns. China has the capability and has used malware and Trojan horses to extract data, and many researchers have noted ransomware attacks coming from China that have the sophistication of a nation state, but these could actually be from sophisticated non-state actors with behavior condoned by the state.
- Criminal Organizations: Many criminal groups have the capability to orchestrate campaigns that target an organization, get access, plant tools, spread ransomware, control it, and then request payment. Most of these operate with protection of nations like Russia so they are hard to reach by law enforcement.
- Criminal Ecosystems: This is a collective of multiple actors and organizations using modern business models to interact for their mutual self benefit. Individuals and small groups specialize and do business with each other. This is currently the most productive, capable and agile threat actor today.
How the Criminal Ecosystem Attacks:
The agility of the criminal ecosystem has resulted in several new business models, including one called ransomware as a service. This model leverages a wide range of specialties, including technical developers, marketers, financial experts and criminals skilled at gaining first access to an enterprise. Experts at operations and orchestration are also used. After mission success, profits are split.
The Technologies of Ransomware
The technologies used in ransomware attack include the malicious code used to encrypt data as well as technologies for gaining access to infrastructure and controlling the malware remotely.
- The malicious code itself consists of many strains. Ransomware names that have made the news over the last decade include Cryptolocker, WannaCry, Petya, NotPetya, Ryuk, and Darkside. There is a high degree of sharing between criminals involved in ransomware and it is common that new strains of ransomware are modifications of an existing strain.
- The command and control infrastructure used by ransomware criminals is based on a foundation of the Internet itself, with added layers of encryption. The anonymity services of the TOR network are used to aid in obsfucation. Computer servers managed by adversaries are used to store and manage encrypted data and encryption keys. Cryptocurrencies are used to facilitate transfer of funds.
The Darkside Example
As an exemplar of how capable ransomware has become, here is how the Darkside malware works:
- The malware is written to avoid detection using a variety of commonly used techniques, including encrypting its core code so it will not trigger detection during the various stages of its activity.
- Initial access to a victim network can come via multiple paths, which may be a phishing attack, exploiting legitimate remote monitoring and management tools (like AnyDesk and TeamViewer), exploiting a trusted relationship, or logging in with valid accounts and credentials. In the example of Darkside, the business model is one where affiliates can use the Darkside code so really any group that can get access can use this malware.
- Once access to a victim network is gained, the malware collects information about computers to learn about the environment. It then determines what files to encrypt, since it does not want to leave the computer unusable, it just wants to find data to hold for ransom.
- The malware spreads in two general ways, it can be placed by criminals who have access to give it a strong foothold, and it can replicate itself using common enterprise network protocols.
- The malware looks for any backups that are on the same computer and renders them unusable, then searches for backups and common backup programs that store data elsewhere on the network to attempt to encrypt or render them unusable.
- When triggered, the Darkside code encrypts data it finds and also pulls data from the enterprise back to adversary servers. During later stages of the attack, the Darkside code harvest credentials stored in files, in memory and on domain controllers. The software will also use file shares to distribute attack tools and store file archives. The code will relax permissions on file shares for easier harvesting of data. Near the end of the attack the code deletes all backups it can find and a special file is left behind displaying information on what happened and how to pay.
Organizations Can Defend Against Ransomware
The next post in this series provides a guide to executives focused on how to mitigate the threat of ransomware. This guide was produced with inputs from four experienced practitioners (Junaid Islam, Bob Gourley, Matt Devost, Bob Flores) with decades of experience in thwarting dynamic cyber adversaries and in optimizing enterprise technology design for functionality and security.
OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.
You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.
Related Reading:
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: OODA Cybersecurity Sensemaking
From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice
While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice
If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
As the U.S. government parses through the Solar Winds software supply chain breach, many questions still remain as to the motive, the entities targeted, and length of time suspected nation state attackers remained intrenched unseen by the victims. The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed. See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities
This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent Solar Winds attacks off the headlines. Keep in mind that till this point, the Solar Winds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See: Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities
