Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/7/2019
02:00 PM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

The Big E-Crime Pivot

Criminals have begun to recognize that enterprise ransomware offers tremendous financial advantage over the more traditional tactics of wire fraud and account takeover.

The concept of "the pivot" is well-understood by entrepreneurs, who often set out to build a business or technology and realize they need to shift their strategies. Visually, one foot remains firmly in place while the other turns to reorient the rest of the body. Typically, they don't throw everything out the window and start over. Rather, they reimagine the way they can use the tools at their disposal.

The same can be said about today's sophisticated e-criminals, who are increasingly pivoting and reusing their existing technology for new ways to generate revenue.

For example, malware-as-a-service has been a prominent component of the e-crime ecosystem for the past decade. Criminals built specialized platforms for large-scale credential theft. Malware distributed this way — with names like Dridex, Trickbot, and BokBot — has long been optimized to steal account information using webinjects. That is how it inserts itself into a browser, downloads and installs other malware/tools, captures screens or memory buffers filled with sensitive information, and, in recent years, even steals cryptocurrency wallets.  

The e-criminals behind these malware platforms also built relationships with other e-criminals who specialize in spam, pay-per-install, and exploit kit development to optimize distribution. When your bread and butter is to steal credentials, the name of the game is to get your malware out as far and wide as effectively as possible. Pushdo, Smoke, and Emotet have emerged as some of the malware families/actors that specialize in getting payloads delivered to the would-be victim machines. CrowdStrike has observed the symbiotic relationships between these e-criminals for quite some time, and it has shaped our model of the e-crime ecosystem.

But in recent months, e-criminals have begun to recognize that enterprise ransomware – what we call "big-game hunting" – offers tremendous financial advantage over the more traditional e-crime tactics of wire fraud and account takeover. (We touch on this trend in the "2019 CrowdStrike Global Threat Report.")

This realization is, in part, due to the evolving cat-and-mouse game between the adversary and security practitioner; as new countermeasures are deployed to mitigate wire fraud or account takeover the cost/benefit calculus changes. Another factor is that the competitive landscape for e-criminals conducting these types of attacks has become more crowded. In general, adversaries across the entire spectrum of threat actors prefer to take the path of least resistance, rather than work harder and work smarter.

In short, margins for threat actors conducting wire fraud and account takeover have become tighter. In need of a new way to increase revenue, they are pivoting.

The first indication of the shift to ransomware can be traced back to summer 2017, when INDRIK SPIDER, the adversary CrowdStrike associates with Dridex development, began to deploy BitPaymer in enterprisewide ransomware directed against the healthcare sector. (CrowdStrike Intelligence uses the naming scheme SPIDER to describe e-crime actors.) Approximately one year later, GRIM SPIDER emerged deploying the Ryuk ransomware, a derivative of the Hermes ransomware against a variety of verticals, including financial, government, healthcare, hospitality, legal, and retail.

In March of this year, we reported on a change of tactics by PINCHY SPIDER, the actor behind the GandCrab ransomware that emerged in early 2018 with a partnership program offering a split of the profits to actors who utilized its ransomware to conduct extortion. Also this year, LockerGoga emerged as another enterprise ransomware that was employed against manufacturing and industrial companies, demanding high-dollar ransom amounts.  

Big-game hunting attacks typically begin with deployment of banking Trojans or through a compromise of an external-facing system. Adversaries seeking to deploy ransomware across the enterprise move laterally, escalate privileges, and deploy their payloads. CrowdStrike's 1-10-60 rule is one organizations should strive to achieve: It means aiming to detect an intrusion in under a minute, performing a full investigation in under 10 minutes, and eradicating the adversary from the environment in under an hour.  

The writing is on the wall for e-criminals: There is big money in big-game hunting, and it is disrupting businesses across the globe. Paying the ransom doesn't necessarily resolve the problem either. It is more important than ever that organizations and agencies have the right people, processes, technology, and intelligence to stay ahead of these threats.

Related Articles:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...