What changes have you observed in the ransomware landscape?
About the Author
John Fokker is head of cyber investigations for McAfee Advanced Threat Research. During his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the cofounders of the NoMoreRansom Project.
At the start of the year we made a prediction that in 2019, synergistic threats will multiply, requiring combined responses. For context, attacks are usually centred on the use of one threat, with bad actors concentrating their efforts on iterating and evolving one threat at a time for effectiveness and evasion – once an attack has been detected it is then classified (e.g. Ransomware) and defences are put in place, at which point, the attack’s success rate is reduced. However, if an attack uses various attack vectors synergistically working together, this makes the defence panorama more complex, acting as a smokescreen and making the ultimate objective of the attack unknown or difficult to identify.
Unfortunately, our observations are holding true, with cybercriminals purchasing toolkits from dark web markets to make their attacks more sophisticated in the pursuit of greater profits and efficiency.
We have also noticed new ransomware players taking cues from successful iterations of the past. For example, Ryuk reuses Hermes source code, and strains borrow each other’s ransom notes: a slightly modified Ryuk ransom note can be observed on certain strains of LockerGoga.
What is Ransomware as a Service and why has this been a field of growth in recent times?
Ransomware as a Service (RaaS) has been gaining traction for some time amongst cybercriminals in underground markets. It is possible to buy into affiliate schemes with ransomware strains such as GandCrab where cybercriminals gain a percentage of the profits extorted from victims in exchange for distributing the malicious code.
In the world of ransomware, the recently defunct GandCrab had a worrying reputation for always paying their debts, much like the Lannisters in Game of Thrones. These affiliate schemes often fall down due to a lack of trust in the community; however, GandCrab seemingly turned the tables on this by coming across as dependable when handling their customer relationships.
We have seen that targeted ransomware models have been used in conjunction with network vulnerabilities such as poorly secured RDP (Remote Desktop Protocol) access in order to achieve highly successful under-the-radar schemes. In this scenario, attackers will try to find a system with a weak RDP, gain access and propagate through networks, taking advantage of a weakly secured Active Directory. Once full control is obtained, the deployment of the ransomware would follow across the complete network, with resulting paralysis of the organisation in question. In fact, we have observed conversations that the author of the GandCrab RaaS-based model was working on automated internal propagation methods. In many ways, using RDP is not a new approach, as we previously observed it with SamSam last year.
It is worth keeping in mind that it was just last year that the McAfee Advanced Threat Research team found that it was possible to buy RDP access keys to a major international airport’s security and building automation systems for a fee of just US$10.
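The weak-RDP entry point described above leaves a recognisable trace: a burst of failed interactive remote logons from one source followed by a success. The following detector is an added example (not from the interview or McAfee) that runs over constructed, simplified log lines; the comma-separated field layout, the `threshold` value and the hypothetical source addresses are all assumptions, and a real deployment would parse actual Windows Security events and bound the failures by a time window.

```python
from collections import defaultdict

# Constructed sample data (not real log output): a flattened stand-in for Windows
# Security events, as "timestamp,EventID,LogonType,SourceIP,Account".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2019-06-01T02:10:01,4625,10,203.0.113.7,administrator
2019-06-01T02:10:03,4625,10,203.0.113.7,admin
2019-06-01T02:10:05,4625,10,203.0.113.7,backup
2019-06-01T02:10:08,4625,10,203.0.113.7,administrator
2019-06-01T02:10:11,4625,10,203.0.113.7,svc_sql
2019-06-01T02:10:15,4624,10,203.0.113.7,svc_sql
2019-06-01T09:00:00,4625,10,198.51.100.4,jsmith
2019-06-01T09:00:20,4624,10,198.51.100.4,jsmith
2019-06-01T09:05:00,4624,2,10.0.0.12,jsmith
"""

RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the constructed CSV-style lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split(",")
        events.append({"ts": ts, "id": int(event_id), "type": int(logon_type),
                       "src": src, "account": account})
    return events


def detect_rdp_bruteforce(events, threshold=5):
    """Return (source_ip, failure_count, account) for every RDP success that was
    preceded by at least `threshold` consecutive RDP failures from the same source."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        if ev["type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons matter here
        if ev["id"] == 4625:
            failures[ev["src"]] += 1
        elif ev["id"] == 4624:
            if failures[ev["src"]] >= threshold:
                hits.append((ev["src"], failures[ev["src"]], ev["account"]))
            failures[ev["src"]] = 0  # a success ends the current failure run
    return hits


if __name__ == "__main__":
    for src, count, account in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"possible RDP brute force from {src}: {count} failures, then logon as {account}")
```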
Can you give an example of an industry initiative to challenge ransomware?
No More Ransom has been one of the most successful cybersecurity projects of its kind in terms of public-private sector collaboration, serving as the bridge between law enforcement and cybersecurity companies in the fight against ransomware and enabling victims to retrieve their encrypted data without having to pay up to cybercriminals. If you ever fall victim to ransomware, it is a great resource to turn to find help. However, prevention is better than the cure; I would advise browsing the site to educate yourself about how ransomware works and how it can be prevented in the first place.
What tips would you give to organisations in order to prevent ransomware infections?
Having a holistic approach to cybersecurity with adequate security hygiene plays a key role in preventing these infections. As part of this, it is important to lock down known attack vectors such as RDP access, making sure that your network is segmented with robust identity management in place. Back-ups should also be a priority item within every organisation’s security strategy – put them in place and ensure that they are tested on a regular basis. Unfortunately, ransomware is flourishing, demonstrating that security hygiene is often poor and too many IT teams and C-suites only wake up in the face of crisis.
A little bit of planning can often go a long way, and as Baden-Powell’s Scouting motto goes: be prepared.
How can organisations mitigate damage caused by infections?
If infected by ransomware, always seek professional advice. The general consensus is that it is better not to pay the ransom – not only is there no guarantee that you will recover your files, but it also further reinforces the message that ransomware works and is a profitable avenue for cybercriminals. The No More Ransom portal can provide incredibly valuable advice on what to do once infected. If a free decryptor is available, then it is recommended to make a back-up copy of the encrypted drive so that you have something to fall back on in case the decryption process goes wrong.
Businesses have a very difficult job on their hands when ransomware does strike: downtime comes with a crippling cost and paying a ransom may be seen as a quick solution. But when an organisation gets hit by targeted ransomware, they have to remember that the ransomware is just the final stage of a full-scale breach. Getting rid of the ransomware is then only a small component of a much bigger security problem.