Sophisticated attacks such as Sunburst and Colonial Pipeline demonstrate the heightened threat landscape organizations are facing. CrowdStrike’s 2021 Global Threat Report showed that supply chain attacks, ransomware (opens in new tab), data (opens in new tab) extortion and nation-state threats are more prolific and sophisticated than ever. In fact, on the heels of unprecedented growth in eCrime over the past year, there is a hidden world of strength, volume and sophistication in the cybercriminal market that rivals the legitimate business world for astute judgements, collaboration (opens in new tab), adaptability and strategic direction.
Adam Meyers is the Senior Vice President of Intelligence at CrowdStrike (opens in new tab).
Ransomware adversaries proliferated starting a few years back and in 2020 the amount of ransomware cases we observed exploded. We saw cyber criminals take the opportunity provided by the pandemic to flex their muscles, and show the honest world of business what sophisticated and corrupt eCrime looks like. CrowdStrike Intelligence observed a number of dramatic changes in targeted eCrime. CrowdStrike has labelled the eCrime groups as SPIDER as they are not affiliated with state-sponsored activity. CARBON SPIDER shifted away from point-of-sale (POS) campaigns in favor of big game hunting (BGH) — ransomware campaigns targeting high-value targets. Ultimately, this led to the group introducing their own ransomware, DarkSide. Established eCrime actors like MUMMY SPIDER, WIZARD SPIDER and CARBON SPIDER continue to drive innovation in the world of malware (opens in new tab) development. Over the year, CrowdStrike Intelligence noted a rise in the use of open source (opens in new tab) obfuscation software and the targeting of virtualization environments pioneered by these adversaries including financial services, manufacturing and healthcare.
Ransomware: the ‘go-to’ threat
The eCrime ecosystem remains vast and interconnected - they are the underground mob families of the cyber world. Access brokers have begun to play a pivotal role in the eCrime ecosystem, supporting those engaged in BGH ransomware. Access brokers are threat actors that gain backend access to various organizations and sell this access to other parties. This eliminates the need for criminals to spend time identifying targets and gaining access.
To take one example, TWISTED SPIDER’s adoption of data extortion tactics was noted in late 2019 as a direction other eCrime actors might pursue to capitalize on ransomware infections. It proved a preview of what would become an explosion (without hyperbole) of such activity moving forward. These eCrime actors were especially attracted to the allure of BGH.
At the same time, BGH trends also disrupted traditional targeted eCrime behavior, as seen by threat actor CARBON SPIDER’s shift away from targeting point-of-sale (POS) systems to join the successful BGH ranks.
Since BOSS SPIDER, the original BGH adversary, was identified in 2016, CrowdStrike Intelligence has observed both established criminal actors (like INDRIK SPIDER and WIZARD SPIDER) and ransomware operators adopting and reimagining BGH tactics. Throughout 2020, BGH was a pervasive threat to all companies worldwide. CrowdStrike Intelligence identified at least 1,377 unique BGH infections.
Steal, ransom, leak
2020 saw a growing trend for ransomware operators threatening to leak data from victims, and actively doing so. This tactic was likely intended to pressure victims to make payment, but is also a response to improved cybersecurity (opens in new tab) practices by companies that could mitigate encryption (opens in new tab) of their files by recovering from backups (opens in new tab).
What marks a departure from previous BGH operations and is truly unique about recent observed behavior is the accelerated adoption of data extortion techniques and the introduction of dedicated leak sites (DLSs) associated with specific ransomware groups. These approaches were adopted by at least 23 ransomware operators in 2020. BGH adversaries took different approaches to the release of data onto a DLS, with many staggering the release of victims’ stolen data, to extend the likelihood of ransom deliveries. TWISTED SPIDER became the most adept at this technique, spacing out releases in percentages of the total exfiltrated dataset.
An alternative approach is to release the datasets in numbered parts, a technique preferred by RIDDLE SPIDER and VIKING SPIDER. CARBON SPIDER developed an automated system that displays a predetermined publication time set by an automated countdown timer.
Less commonly observed is the release of data by type, where the adversary creates datasets for personally identifiable information (PII), financial records, sensitive company data, and information pertaining to partners and customers, and releases these at intervals.
For some victims with high brand recognition, each release can trigger renewed reporting on the incident, which is calculated to embarrass. VIKING SPIDER adopted this approach, as have affiliates of PINCHY SPIDER for some REvil victims. Whichever release method is chosen by the adversary, the intent is to increase pressure on the victim to pay up.
BGH and healthcare targeting
In the years before 2020, under ‘normal operating conditions’, healthcare faced significant threats from criminal groups deploying ransomware. On the night of September 11th, a man died in a German hospital that was under ransomware attack, an attack that caused delays in critical care - although police eventually decided the attack did not amount to legal causation of this patient’s death. Alongside the possibility that such attacks may well cause such terrible real world consequences, there is a secondary threat from ransomware operations that exfiltrate data prior to ransomware locking up systems.
Some tracked adversaries, like TWISTED SPIDER, VIKING SPIDER, GRACEFUL SPIDER and TRAVELING SPIDER publicly announced that they would avoid targeting frontline healthcare entities during the early pandemic. DOPPEL SPIDER said that any unintentional infections would be resolved without requiring payment.
Despite these proclamations, CrowdStrike Intelligence confirmed that 18 BGH ransomware families infected 104 healthcare organizations in 2020. The most prolific was TWISTED SPIDER using Maze, and WIZARD SPIDER using Conti. It appears that some adversaries proceeded to attack pharmaceutical and biomedical companies during the pandemic, regardless.
Know your risk and plan accordingly
Understand the risk to your sector. Although most ransomware operations are opportunistic, Last year, CrowdStrike Intelligence identified the highest number of ransomware-associated data extortion operations in the industrial and engineering sector (229 incidents) and the manufacturing sector (228 incidents). Manufacturing is particularly vulnerable to ransomware operations where a disruption in day-to-day operations can create an enormous cost to the core business.
Look to vulnerable services. The consequential vulnerabilities observed throughout 2020 were characterized by relationships with internet-exposed remote services. These vulnerabilities are attractive because they can grant initial access to target networks. CrowdStrike Intelligence observed repeated exploitation of several different VPN services and web applications such as Microsoft SharePoint (see CVE-2019-0604). These compromises enabled “exploit chaining” with other vulnerabilities for the purposes of privilege escalation and network pivoting.
See it, understand it. Visibility and speed are critical for blocking attackers. This includes cloud environments, just as with on-premise systems. The combination of cloud-native technology and a single, lightweight agent make CrowdStrike an effective and efficient solution without compromising speed or performance.
Create a culture of cybersecurity. While technology is critical in the fight to detect and stop intrusions, the user remains a crucial link in the chain to stop breaches. Awareness programs will help to combat the threat of phishing and related social engineering techniques.