The relationship between attackers and victims in the cyber threat landscape is evolving rapidly. As cybercriminals grow their technical capabilities and attack techniques, organizations are forced to advance their defenses at the same pace, only to see threat actors evolve their methods yet again. As we have seen in over two thousand investigations across many types of cybersecurity incidents over the past few years, ransomware has become a dangerous accelerant in that evolution.
During the early years of Crypsis's ransomware investigative work, analysts observed and responded to numerous indiscriminate ransomware attacks in which threat actors attempted to strike a large number of targets in a single campaign. Initially, hackers targeted any organization they could reach, taking a "quantity-over-quality" mass-distribution approach to their attacks and ransom collections. In our work assisting clients during the negotiation phase of ransomware incidents, we observed that this mass-distribution approach went hand in hand with lower ransoms and cybercriminals willing to negotiate, because the wide range of organizations hit included victims that were unable or unwilling to pay high ransoms. Crypsis's data indicates that in incidents involving malware such as Dharma and LockCrypt, ransom payments averaged $17,000. These attacks were broadly successful and quickly became profitable, encouraging more threat actors to get into the game.
Beginning in 2018, threat actors began to quickly adopt new malware variants designed to specifically target larger enterprise environments, including Ryuk, Sodinokibi, and BitPaymer.
Believing that large organizations could pay a higher ransom, threat actors started to raise ransom demands. From 2018 to the end of 2019, ransom demands rose 200% in our data set, with the average payment totaling nearly $115,000 per incident in 2019. As a result of the intensifying threats and rising costs, some organizations began to aggressively respond, building up their defenses by:
- Investing in secure and resilient infrastructure to prevent new attacks
- Backing up data and systems to recover quickly from intrusions
- Implementing comprehensive cyber risk management programs, including employee and executive training to prevent successful phishing attacks and business email compromise
- Partnering with cyber industry leaders to employ best practices in managing security
- Adopting cyber insurance policies to help mitigate financial risk
Faced with more fortified and prepared victims, we are seeing a shift: attackers are adopting a more targeted approach to identify victims and attempt to collect higher ransoms.
Threat actors are spending more time researching their victims to understand their financial state, employees, IT infrastructure, and existing cybersecurity programs. Where they previously embraced a quantity-over-quality approach, attackers determined to be paid now target victims they know can afford higher ransoms. Once inside the victim's network, threat actors are taking new steps to ensure they receive payment.
From 2018 to 2020, Crypsis observed threat actors using Ryuk, Sodinokibi, and BitPaymer destroying system and data backups and volume shadow copies in an effort to thwart recovery. During their reconnaissance, the cybercriminals found the backups living on the same network, or elsewhere unprotected, before the victims could detect the intrusion. From 2019 to 2020, Crypsis also observed attacks in which threat actors exfiltrated sensitive company data as they unleashed the ransomware, in an attempt to blackmail victims into paying. As seen in recent attacks conducted by the actors behind Maze ransomware, attackers are building in contingencies for the case where their initial ransom demand is not met. Crypsis has observed Maze actors exfiltrating client data and then threatening to publish it on a shaming website. In one case, Crypsis observed Maze actors posting client data publicly when a ransom was not paid, a practice these threat actors have continued.
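The backup and shadow-copy destruction described above leaves a footprint in process-creation telemetry. The following is an added example, not Crypsis's code and not tooling recovered from any of the cases above: it scans events shaped like Windows Security event 4688 or Sysmon event 1 for the built-in Windows commands commonly used to delete volume shadow copies, backup catalogs, and boot recovery options. The sample events are constructed, and the command patterns are assumptions about typical tooling rather than commands observed in a specific incident.

```powershell
# Added example (not Crypsis tooling): flag process-creation events that look like
# backup / shadow-copy destruction. The patterns below are assumed typical tooling,
# not commands taken from any specific investigation.

$TamperPatterns = @(
    @{ Name = 'VSS delete (vssadmin)';   Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' }
    @{ Name = 'VSS resize (vssadmin)';   Regex = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' }
    @{ Name = 'VSS delete (wmic)';       Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'VSS delete (PowerShell)'; Regex = 'Win32_ShadowCopy.*\b(Delete|Remove-(Cim|Wmi)Object)\b' }
    @{ Name = 'Backup catalog delete';   Regex = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
    @{ Name = 'Recovery disabled';       Regex = 'bcdedit(\.exe)?.*recoveryenabled\s+no' }
    @{ Name = 'Boot failures ignored';   Regex = 'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures' }
)

function Test-BackupTampering {
    <#
      Accepts objects carrying TimeCreated, Computer, User and CommandLine (the fields you
      would project out of Security event 4688 or Sysmon event 1) and emits one finding
      per event whose command line matches a tampering pattern. -match is case-insensitive,
      so "Delete Shadows" and "delete shadows" are treated alike.
    #>
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Event)
    process {
        foreach ($p in $TamperPatterns) {
            if ($Event.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    TimeCreated = $Event.TimeCreated
                    Computer    = $Event.Computer
                    User        = $Event.User
                    Technique   = $p.Name
                    CommandLine = $Event.CommandLine
                }
                break   # one finding per event is enough
            }
        }
    }
}

# Constructed sample events (not real telemetry) in the shape the function expects.
# The first line is a legitimate backup job; it matches no pattern and is not flagged.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2020-03-02T01:14:07'; Computer = 'FS01'; User = 'CORP\svc_backup'; CommandLine = 'wbadmin start backup -backupTarget:E: -include:C:' }
    [pscustomobject]@{ TimeCreated = '2020-03-02T01:15:22'; Computer = 'FS01'; User = 'CORP\jdoe';       CommandLine = 'cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ TimeCreated = '2020-03-02T01:15:23'; Computer = 'FS01'; User = 'CORP\jdoe';       CommandLine = 'wmic.exe shadowcopy delete' }
    [pscustomobject]@{ TimeCreated = '2020-03-02T01:15:25'; Computer = 'FS01'; User = 'CORP\jdoe';       CommandLine = 'bcdedit.exe /set {default} recoveryenabled No' }
    [pscustomobject]@{ TimeCreated = '2020-03-02T01:16:40'; Computer = 'WS07'; User = 'CORP\asmith';     CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"' }
)

$SampleEvents | Test-BackupTampering | Format-Table -AutoSize
```

To run this against a live host, project the timestamp, computer name, subject account, and command line out of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` (the command line is only populated when the "Include command line in process creation events" audit policy is enabled; Sysmon event 1 records it by default) and pipe those objects in. Backup software runs some of these commands legitimately, so in production alert on the user context and the burst of several such commands in quick succession, as in the sample, rather than on a single hit.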
Equipped with knowledge about their victims and these sophisticated tactics, adversaries are now less likely to negotiate ransom amounts—and will even cite the company’s annual revenue or market cap as justification for not accepting a lower dollar payment.
While the cyber threat landscape is unpredictable, threat actors show no sign of slowing down their exploitation of victims. Organizations should take steps to prevent or quickly remediate a ransomware attack including:
- Understanding where sensitive data lives and creating strong access control to that data that can be monitored and audited granularly
- Regularly taking and testing backups; ensuring the backups are stored off network and are protected so threat actors cannot gain access and destroy the backups to prevent recovery
- Forming an internal information security practice that empowers leadership to effect change; owning protection of all internal data, assets and supporting infrastructure
- Adopting account administration best practices across the organization, including:
  - Requiring unique and complex passwords of at least 15 characters so they cannot be easily brute forced
  - Requiring multi-factor authentication for all remote access and business email accounts to greatly reduce the organization's attack surface
  - Limiting the use of privileged accounts and never reusing local administrator passwords across machines, to prevent initial access by attackers and lateral movement across the network
- Disabling any direct external Remote Desktop Protocol (RDP) access:
  - Ensuring all external remote administration is conducted through an enterprise-grade VPN that enforces multi-factor authentication
- Segmenting networks, leveraging secure VLANs and moving away from flat networks
- Forwarding logs to an external collector so that more log history is available and it survives tampering with local logs
- Disabling SMBv1 in favor of SMBv2/3 so adversaries cannot abuse the legacy file-sharing protocol to move laterally between systems
- Instituting a robust employee security awareness culture and training program that is tailored to employee roles and responsibilities
  - Conducting employee and leadership security training twice a year to ensure continuous security awareness
  - Making the training incrementally harder over time so that it covers more sophisticated tactics
  - Going beyond phishing and spearphishing to include other social engineering tactics and techniques
- Have a tested and comprehensive Incident Response and Remediation Plan (IRRP)—be ready to respond with a well-defined IRRP; test the plan and review it regularly, so that you know what to do and who to turn to should an incident occur.
- Consider Managed Security Services to assist in plugging security skills and capabilities gaps if needed
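Several of the host-level items in the checklist above can be audited in a few lines. The following is an added example, not Crypsis tooling: a read-only PowerShell audit of a single Windows host covering SMBv1, RDP exposure, the effective minimum password length, local Administrators membership, and whether local administrator passwords are managed by LAPS. The 15-character threshold comes from the article; the `MaxLocalAdmins` limit of two is an assumed value, and the LAPS check reads the legacy LAPS policy key, so a missing key is reported as unconfirmed rather than as a failure.

```powershell
# Added example (not Crypsis tooling): read-only hardening audit of one Windows host
# against several checklist items. Run in an elevated session on Windows 10 / Server 2016
# or later. MaxLocalAdmins is an assumed threshold, not a figure from the article.

function Get-RansomwareHardeningReport {
    param([int] $MinPasswordLength = 15, [int] $MaxLocalAdmins = 2)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Check, [string] $Status, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. SMBv1 server component: should be off so the legacy protocol cannot be used for lateral movement.
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
        Add-Finding 'SMBv1 server disabled' $(if ($smb1) { 'FAIL' } else { 'PASS' }) "EnableSMB1Protocol=$smb1"
    } catch {
        Add-Finding 'SMBv1 server disabled' 'UNKNOWN' "Get-SmbServerConfiguration failed: $($_.Exception.Message)"
    }

    # 2. RDP: is the service accepting connections, is Network Level Authentication required,
    #    and does the host firewall let RDP in? (Host-level proxies for "no direct external RDP".)
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    Add-Finding 'RDP connections denied' $(if ($deny -eq 1) { 'PASS' } else { 'FAIL' }) "fDenyTSConnections=$deny"

    $nla = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    Add-Finding 'RDP requires NLA' $(if ($nla -eq 1) { 'PASS' } else { 'FAIL' }) "UserAuthentication=$nla"

    $rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    Add-Finding 'No enabled inbound RDP firewall rule' $(if ($rdpRules.Count -eq 0) { 'PASS' } else { 'FAIL' }) "Enabled inbound rules: $($rdpRules.Count)"

    # 3. Effective minimum password length (use 'net accounts /domain' to read the domain policy instead).
    $netAccounts = (net accounts) -join "`n"
    if ($netAccounts -match 'Minimum password length\s+(\d+)') {
        $len = [int] $Matches[1]
        Add-Finding "Minimum password length >= $MinPasswordLength" $(if ($len -ge $MinPasswordLength) { 'PASS' } else { 'FAIL' }) "Configured=$len"
    } else {
        Add-Finding "Minimum password length >= $MinPasswordLength" 'UNKNOWN' 'Could not parse net accounts output'
    }

    # 4. Size of the local Administrators group: privileged accounts should be few and named.
    try {
        $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
        Add-Finding "Local Administrators <= $MaxLocalAdmins members" $(if ($admins.Count -le $MaxLocalAdmins) { 'PASS' } else { 'FAIL' }) ($admins.Name -join ', ')
    } catch {
        Add-Finding "Local Administrators <= $MaxLocalAdmins members" 'UNKNOWN' $_.Exception.Message
    }

    # 5. Unique local admin passwords: legacy LAPS policy key. Absent key = not confirmed, not absent.
    $laps = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled
    Add-Finding 'Local admin password managed (LAPS)' $(if ($laps -eq 1) { 'PASS' } else { 'UNKNOWN' }) "AdmPwdEnabled=$laps"

    return $findings
}

Get-RansomwareHardeningReport | Format-Table -AutoSize
```

The RDP checks are host-level proxies; whether RDP is reachable from the Internet is a perimeter question, so pair this with a scan of your external address range. Run the function across a fleet through your remote management tooling and collect the PASS/FAIL/UNKNOWN rows centrally, treating UNKNOWN as work to do rather than as a pass.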