Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/7/2019
02:00 PM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Big E-Crime Pivot

Criminals have begun to recognize that enterprise ransomware offers tremendous financial advantage over the more traditional tactics of wire fraud and account takeover.

The concept of "the pivot" is well-understood by entrepreneurs, who often set out to build a business or technology and realize they need to shift their strategies. Visually, one foot remains firmly in place while the other turns to reorient the rest of the body. Typically, they don't throw everything out the window and start over. Rather, they reimagine the way they can use the tools at their disposal.

The same can be said about today's sophisticated e-criminals, who are increasingly pivoting and reusing their existing technology for new ways to generate revenue.

For example, malware-as-a-service has been a prominent component of the e-crime ecosystem for the past decade. Criminals built specialized platforms for large-scale credential theft. Malware distributed this way — with names like Dridex, Trickbot, and BokBot — has long been optimized to steal account information using webinjects. That is how it inserts itself into a browser, downloads and installs other malware/tools, captures screens or memory buffers filled with sensitive information, and, in recent years, even steals cryptocurrency wallets.  

The e-criminals behind these malware platforms also built relationships with other e-criminals who specialize in spam, pay-per-install, and exploit kit development to optimize distribution. When your bread and butter is to steal credentials, the name of the game is to get your malware out as far and wide as effectively as possible. Pushdo, Smoke, and Emotet have emerged as some of the malware families/actors that specialize in getting payloads delivered to the would-be victim machines. CrowdStrike has observed the symbiotic relationships between these e-criminals for quite some time, and it has shaped our model of the e-crime ecosystem.

But in recent months, e-criminals have begun to recognize that enterprise ransomware – what we call "big-game hunting" – offers tremendous financial advantage over the more traditional e-crime tactics of wire fraud and account takeover. (We touch on this trend in the "2019 CrowdStrike Global Threat Report.")

This realization is, in part, due to the evolving cat-and-mouse game between the adversary and security practitioner; as new countermeasures are deployed to mitigate wire fraud or account takeover the cost/benefit calculus changes. Another factor is that the competitive landscape for e-criminals conducting these types of attacks has become more crowded. In general, adversaries across the entire spectrum of threat actors prefer to take the path of least resistance, rather than work harder and work smarter.

In short, margins for threat actors conducting wire fraud and account takeover have become tighter. In need of a new way to increase revenue, they are pivoting.

The first indication of the shift to ransomware can be traced back to summer 2017, when INDRIK SPIDER, the adversary CrowdStrike associates with Dridex development, began to deploy BitPaymer in enterprisewide ransomware directed against the healthcare sector. (CrowdStrike Intelligence uses the naming scheme SPIDER to describe e-crime actors.) Approximately one year later, GRIM SPIDER emerged deploying the Ryuk ransomware, a derivative of the Hermes ransomware against a variety of verticals, including financial, government, healthcare, hospitality, legal, and retail.

In March of this year, we reported on a change of tactics by PINCHY SPIDER, the actor behind the GandCrab ransomware that emerged in early 2018 with a partnership program offering a split of the profits to actors who utilized its ransomware to conduct extortion. Also this year, LockerGoga emerged as another enterprise ransomware that was employed against manufacturing and industrial companies, demanding high-dollar ransom amounts.  

Big-game hunting attacks typically begin with deployment of banking Trojans or through a compromise of an external-facing system. Adversaries seeking to deploy ransomware across the enterprise move laterally, escalate privileges, and deploy their payloads. CrowdStrike's 1-10-60 rule is one organizations should strive to achieve: It means aiming to detect an intrusion in under a minute, performing a full investigation in under 10 minutes, and eradicating the adversary from the environment in under an hour.  

The writing is on the wall for e-criminals: There is big money in big-game hunting, and it is disrupting businesses across the globe. Paying the ransom doesn't necessarily resolve the problem either. It is more important than ever that organizations and agencies have the right people, processes, technology, and intelligence to stay ahead of these threats.

Related Articles:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.