We all know that old expression about working hard. Your dad probably used it on you a few times. It goes: If at first you don't succeed, try, try again.
Unfortunately, cybercriminals were told the same, and they're using that can-do attitude to perfect ransomware attacks, according to Adam Kujawa, director of Malwarebytes Labs.
"One group tries part of the technology using Trojans and maybe it doesn't work at the time," Kujawa says. "Then a few years later someone improves on it and says, 'We are going to do it better.'"
Overall, the goal of ransomware remains largely unchanged: to block access to a victim's data unless a ransom is paid, says Brent Johnson, chief information security officer at Bluefin.
What's different is the how.
"With early attacks relying on P.O. boxes and prepaid cards, newer attacks demand payment through cryptocurrency and utilize mixing techniques or privacy-based coins like Monero, making payment very difficult to track," he says.
What has also changed, according to Johnson, Kujawa, and several other researchers we spoke with, is who is being targeted with ransomware. Once more commonly used to attack the personal machines of consumers in the hope of a small payout from many victims, ransomware is now aimed by attackers at businesses, with the goal of one big payday.
"Businesses are more likely to submit to the demands of the ransomware," says Sivan Nir, threat intelligence team leader at Skybox Security. "The driver behind this is simple: They're scared of the regulatory fines that they will have to pay if any data gets exposed – regulations like the GDPR and other similar measures in force across all 50 US states. So they pay out. Ransomware does still impact individuals, but criminals are seeing far greater yields from targeting business."
Doxxing and Extortion Take the Cake
As Nir points out, doxware is "a new horse" in the ransomware race. This has largely been observed with Maze, also known as ChaCha, a ransomware first noted in May 2019. By November 2019, the Maze ransomware authors began publicly outing their campaign victims by posting the names of the companies that had not agreed to pay.
"Doxware adds a new threat level that wasn't there before," Nir says. "While the profits associated with successfully attacking a large organization were compelling enough for malicious actors, the ability to threaten the exposure of sensitive data gives attackers more leverage. The more fear they can incite, the higher the payout."
Maze ransomware is often part of a multiprong attack strategy. It appears in the second or third step of an attack rather than as an initial access technique. And it is being used by a range of sophisticated criminal groups.
"Threat actors ranging in expertise and funding, from criminal groups to sophisticated nation-state operations, not only encrypt victims' data, but first steal a copy of the data and threaten to sell it or dump it if they are not paid a very high ransom," says Adam Darrah, director of intelligence at Vigilante. "On that same theme, we have seen nation-state intelligence operators throw their hats into a ring that was once solely a criminal enterprise to fund sanctioned regimes or embarrass large corporations and governments seen as adversarial. A fight that once stayed in the shadows is now public."
Maze is already responsible for many attacks seen throughout late last year. Victims included staffing firm Allied Universal and cable manufacturer Southwire. In both, millions of dollars were demanded in exchange for keeping stolen data out of the public eye. Releasing it is possible because the stolen data was taken before it was encrypted, says Troy Gill, manager of security research at AppRiver.
"This added wrinkle, where data is stolen before encryption, is yet another example of how attackers are always looking for angles to increase their returns," Gill says. "We're already seeing more ransomware actors adopting this approach of exfiltrating data to use as ransom payment leverage."
New Dirty Strategies for the Future
Of course, one of the pillars of any lucrative enterprise is diversification. And the criminal underground that works in ransomware is no different. New techniques are already being tested out, and researchers expect them to become more common this year.
"One new technique that emerged earlier this year is the abuse of online backups. The general advice for backups is the '3-2-1 rule,'" says John Shier, senior security expert at Sophos. "Keep three copies of your data, use two different storage types, and keep at least one copy offsite and offline."
The abuse, he says, happens in the storage part.
"Many organizations choose cloud backups as one of their desired storage types. This satisfies the requirement of using a different storage medium, but also makes the process of backing up and restoring files very convenient," Shier says. "In this attack, the criminals will compromise credentials for the backup software and will restore the backups to servers under their control. Then they will delete the backups and finally encrypt the files on the network. We can expect techniques like this and other clever misuses of legitimate software to continue and evolve over the next year."
AppRiver's Gill says while traditional email-based threats will continue, other new strategies, like using Remote Desktop Protocol (RDP) to gain full access to a system by sending a malicious request to a victim's computer, are being watched.
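A detection sketch for the backup abuse Shier describes above (a restore to an unfamiliar server, then backup deletion by the same credential), added here as an example and not taken from Sophos or any backup product. The audit event format, account names, hosts, and allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical format:
# (ISO timestamp, account, action, target). Not a real product's log schema.
EVENTS = [
    ("2020-01-10T02:00:00", "svc-backup", "backup", "fileserver01"),
    ("2020-01-11T09:15:00", "jsmith", "restore", "fileserver01"),
    ("2020-01-11T09:40:00", "jsmith", "delete", "set-0007"),
    ("2020-01-12T03:05:00", "svc-backup", "restore", "203.0.113.50"),
    ("2020-01-12T03:50:00", "svc-backup", "delete", "set-0001"),
    ("2020-01-12T03:52:00", "svc-backup", "delete", "set-0002"),
    ("2020-01-13T08:00:00", "contractor", "restore", "198.51.100.9"),
    ("2020-01-17T08:00:00", "contractor", "delete", "set-0003"),
]

# Assumed allowlist of hosts the organization normally restores to.
KNOWN_RESTORE_TARGETS = {"fileserver01", "fileserver02"}
WINDOW = timedelta(hours=24)


def find_restore_then_delete(events, known_targets, window=WINDOW):
    """Flag accounts that restore to an unknown host and then delete
    backup sets within `window` of that restore."""
    pending = {}  # account -> alert for its latest restore to an unknown host
    alerts = []
    for ts, account, action, target in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "restore" and target not in known_targets:
            pending[account] = {"account": account, "destination": target,
                                "restored_at": when, "deleted": []}
        elif action == "delete" and account in pending:
            alert = pending[account]
            if when - alert["restored_at"] <= window:
                if not alert["deleted"]:
                    alerts.append(alert)  # first deletion confirms the pattern
                alert["deleted"].append(target)
    return alerts


if __name__ == "__main__":
    for a in find_restore_then_delete(EVENTS, KNOWN_RESTORE_TARGETS):
        print(f"{a['account']} restored to {a['destination']} "
              f"then deleted {', '.join(a['deleted'])}")
```

A restore to an unlisted destination is worth reviewing on its own; the deletion check only raises the priority once the rest of the sequence appears.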
Kujawa says he expects to see more ransomware groups using the kinds of tactics employed by nation-state attackers.
"It's only going to continue to evolve," he says. "Whenever we see nation-states attacking, there is lots of planning involved. They are heavily funded and want to be successful. The ways they find an in are usually more involved."
That persistence and planning are expected to yield big returns, so businesses should be preparing for the worst and evaluating their own defenses against an increasingly sophisticated set of ransomware attacks.
"Targeting specific businesses may require a lot of dwell time on a victim network, spending anywhere from days to months trying to identify a chink in the armor that they can exploit," Skybox Security's Nir says. "Attackers don't want to waste their time on ransomware that isn't delivering on profitability. As ransomware becomes more sophisticated, the chances of its success increases. When criminals are confident that they can profit from organizations with deeper pockets than your average PC user, you bet they're going to give it a shot. And that's exactly what's happening now."