Modern ransomware operators are adopting techniques similar to those of advanced nation-state actors, researchers report. Their attacks are quieter and more long-term as they sit on target networks and search for the exact information they need to bring down their victims.
Sophos researchers today published a series of reports detailing the evolution of ransomware and how attackers are finding new ways to extort more money from large enterprise victims. While the range of ransomware still spans low-level to high-level attacks, their analysis mainly focuses on advanced threats like WastedLocker and Maze ransomware.
"In the old days, everybody was hitting desktops for $400, and there were successful groups doing that and nonsuccessful groups doing that," says Sophos principal research scientist Chet Wisniewski. "Now the successful people aren't bothering with that — they've moved on to more targeted, specific [attacks], either extortion or just incredibly sophisticated enterprise ransomware."
Sophos focused on WastedLocker. In a report, director of engineering Mark Loman and principal threat researcher Anand Ajjan explain how it uses Windows Cache Manager via memory-mapped I/O to evade monitoring by behavior-based tools. This allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. Tools used to monitor disk writes may not notice the malware is accessing a cached document.
"The cleverness, the creativity, and the intimate knowledge of these very, very miniscule technical details to craft a bypass like that is almost unseen in criminal malware," says Wisniewski. "It's the kind of thing we expect to see in espionage-style attacks, not in criminal attacks."
Some attackers bypass technical tools by "living off the land," or using legitimate admin tools to achieve goals. Some use software deployment tools to roll out ransomware instead of delivering patches to Windows machines, Wisniewski says as an example. They may abuse PowerShell, other Microsoft tools, or so-called "gray hat" tools like Metasploit or Cobalt Strike.
This behavior isn't new, Wisniewski says. "What is new is that may be the only indication you're going to get that they're in your network." Organizations may notice small, unusual things once in a while, remedy them, and close the ticket without realizing they're part of a larger incident. By the time they do, an attacker has been in their network for weeks. WastedLocker and Maze will "sit there for a month" to figure out the thing that will shut down their enterprise victim.
"I want to make sure I get the most critical asset they own, and I completely incapacitate it to destroy their business," he says of the attacker mindset. They're willing to take time to figure out the business model, which databases have the crown jewels, and how to steal data from them.
Attackers don't need these techniques to target all companies, Wisniewski notes, but they are necessary for top-tier companies with larger cash reserves and better defenses. He points to SamSam, which represents the "midtier" level of ransomware. The group's dwell time was far shorter at about 72 hours, and it didn't need to identify every asset to achieve its goals. It went for firms with lower defenses, hit their servers, and charged $100,000–$800,000 per victim.
While the motivation is different for each advanced ransomware group, the techniques are similar. WastedLocker is more focused on technical exploitation; threats like Maze rely on double extortion: They charge victims to get their data back, and to stop them from publishing it. They're focused on the more social aspect of how they can manipulate their victims, he adds. Maze has invited other groups to publish on its website and in doing so, boost its marketing.
"None of these groups are technically inept, but the special sauce they bring to the table is different," Wisniewski continues. "Each one of these groups has their own signature."
How to Know If You've Been Compromised
While it may tough to know when an advanced attacker is on your network, it's still possible. Peter Mackenzie, global malware escalations manager at Sophos, shares a few key indicators that could tip off businesses to suspicious activity.
One is a network scanner, especially on a server. Attackers usually start recon by accessing one machine and searching for information like domain and company name, the device's admin rights, etc. They then scan the network to see what else they can access. If the business detects a network scanner like AngryIP or Advanced Port Scanner, question admin staff. If they're not using it, an intruder may be.
Businesses should also watch for tools designed to disable antivirus software, which attackers may use to bypass detection. Mackenzie points to Process Hacker, IOBit Uninstaller, GMER, and PC Hunter as examples of legitimate tools that could point to nefarious activity if they suddenly appear. Further, he says, any detection of MimiKatz should be investigated.
"If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft," he writes. Attackers may also use Microsoft Process Explorer, a legitimate tool that can dump LSASS[.]exe from memory.
Even if malicious files have been detected and removed, businesses should watch for any detection that happens at the same time every day, or in another repeating pattern. This could indicate something is happening but hasn't yet been identified.
An attacker may make themselves known in "test attacks," which are smaller intrusions done on a few computers to see if their deployment method will work. If security tools stop the attack, they may shift strategies before trying again.
"It is often a matter of hours before a much larger attack is launched," Mackenzie says.