A ransomware infection can have a significant financial impact on an organization. American digital security and data backup firm Datto found that ransomware is costing businesses more than $75 billion a year. Part of that financial impact results from downtime costs.
Govtech also revealed that businesses lost an average of $8,500 per hour as the result of ransomware-related downtime, while Coveware placed the total amount of downtime damages at $65,645 per crypto-malware incident.
Such costs could pose a huge problem to organizations if they don’t have cyber insurance or business interruption insurance. Therefore, organizations need to take the time to prepare for a ransomware attack. With that in mind, it’s important for companies to understand the latest trends that continue to shape the ransomware threat landscape. Here are six ransomware developments that organizations should track for the rest of 2020.
1. Ransomware Leaks Non-Compliant Victims’ Data
Data backups foiled more than a few ransomware attacks over the past few years. Data backups enabled victims to dismiss attackers’ ransom demands and recover their data for free. This preparedness left crypto-malware authors with nothing to show for their work.
That changed in November 2019 when Bleeping Computer received an email from the group responsible for developing Maze ransomware. Attackers informed the computer self-help website that they had executed Maze on the network of a security staffing company that employed more than 200,000 people. The attackers copied the data they had found on the company’s network and exfiltrated it to a server under their control. This happened before they had commanded Maze to begin encrypting the original files still on the network. The malicious actors told Bleeping Computer they would begin publishing the information online if the victim refused to meet the ransom demand. Their intention was to coerce the company into paying a ransom to avoid public exposure of its data assets. In so doing, they created a two-pronged attack that targeted the confidentiality and availability of a victim’s information
Over the next few months, other ransomware families acknowledged the value of circumventing data backups and punishing victims who refused to meet the attackers’ ransom demands (ZDNet compiled a list of strains engaging in this behavior). Those malware gangs followed Maze’s example by threatening to publish and/or leaking the stolen data from a host of victims, including an American for-profit managed healthcare company and a manufacturer for a well-known technology company. This tactic led affected enterprises to classify ransomware attacks as data breaches and to send corresponding notification letters of stolen data, as Bleeping Computer reported in July 2020.
2. Cooperation Grows Between Different Ransomware Families
Maze didn’t just revolutionize the way in which crypto-malware can maximize their profits. That ransomware family also revolutionized the way in which some strains make threats and leak non-compliant victims’ data.
At the start of June 2020, Bleeping Computer reported that security firm KeLa discovered Maze added data from an architectural firm to its “Maze News” data leak website. Bleeping Computer security researchers found that the stolen information did not tie back to an attack from Maze. Instead, the data traced back to an infection performed by the LockBit ransomware-as-a-service (RaaS) platform.
Those who analyzed the data leak contacted Maze for clarification into what was going on. The attackers responded by saying they had decided to partner with LockBit to share their data leaks platform and gain experience with less-established ransomware actors. The Maze gang also revealed they had spoken with other ransomware families who were interested in joining their “cartel” in the future.
The Ragnar Locker ransomware strain joined Maze’s platform just a few days later.
3. Coordination With Other Types of Malware
By working together, ransomware gangs and authors of other types of malware, such as banking trojans and remote-access tools (RATs), found they could conduct more coordinated and evasive attack campaigns.
This cooperation flowed both ways in the first half of 2020. In March, security researchers uncovered a website that claimed to be the legitimate download portal for a system utility that improves the performance on Windows systems. Bleeping Computer noted that the fake software downloaded two files onto a victim’s machine. One of the files, “file2.exe,” dropped a “coronavirus ransomware” payload that encrypted a victim’s data. This threat provided cover for Kpot. Kpot is a password-stealing trojan dropped by “file1.exe.” It stole a victim’s information and then uploaded it to a remote server under the attackers’ control.
This collaboration took another direction in May 2020 when digital security solutions provider Group-IB discovered ProLock, a successor to the PwndLocker ransomware family. This threat used one of two different types of initial access vectors at the time of discovery. Sometimes, it exploited weak credentials to gain access to a target’s remote desktop protocol (RDP) servers. Other times, it relied on weaponized documents to deliver Qakbot. That trojan then drew upon several different tactics, including using explorer.exe to execute a process injection technique, to load the ProLock payload hidden inside of a .BMP or .JPG file.
4. Weaponization of Topical Events
Crypto-malware actors will continue to prey upon topical events to trick users into downloading a ransomware payload. Ransomware families made this intention all too clear in their handling of the COVID-19 pandemic. But, they did so in more ways than one.
Malicious authors created ransomware strains that took the name “coronavirus” as a means of preying on users. They also created ransomware that capitalized on users’ attempts to stay safe during the pandemic. This was the case with CryCryptor, a ransomware strain discovered by Slovakian security firm ESET in June 2020. This particular family masqueraded as an official COVID-19 tracing app to encrypt the files on Android users’ devices.
And, those responsible for several ransomware families sunk to even lower depths. Near the start of the pandemic, Bleeping Computer learned that several crypto-malware families had pledged to not attack hospitals during the COVID-19 outbreak. It was less than a month later when INTERPOL found ransomware attacks against health care organizations were on the rise. A month later, The Wall Street Journal revealed crypto-malware attackers had taken to launching their payloads more quickly on the networks of health care organizations than those of other enterprises. Attackers could target hospitals and other medical care centers with larger ransom demands and expect to get paid if their victims couldn’t afford to waste any time in losing access to their information. Such was the case with most hospitals, as they grappled to provide care to those affected by COVID-19.
5. Growing Arrests Involving Ransomware Actors
Ransomware has been around for years. Individuals responsible for crypto-malware attacks managed to successfully evade authorities. But over the last few years, law enforcement agencies improved their ability to share threat intelligence about digital threats, such as ransomware. This collaboration led to several arrests that made headlines. Those instances included the following:
- In December 2018, local media outlets reported that a federal grand jury had charged two Iranian men with having perpetrated a ransomware attack against a municipality government. The Atlanta Journal-Constitution reported the attack could have costed taxpayers up to $17 million.
- That same month, news emerged on CGTN.com of an arrest of a 22-year-old man. According to the report, the man had implanted ransomware into programming software. This supply chain attack had subsequently infected over 50 applications with ransomware and stolen the information from over 50,000 users.
- Nearly a year later in October 2019, Bleeping Computer covered a story in which law enforcement agencies arrested a 21-year-old man. The individual faced the charges of sending out phishing emails to infect a U.S. company with ransomware.
- A law enforcement agency revealed in May 2020 that it had arrested three hackers associated with an online threat group (Law enforcement authorities arrested a fourth in Moldova.). As reported by ZDNet, the group is believed to have targeted hospitals with ransomware attacks as a means of protesting COVID-19 quarantine measures.
6. Deepfake Ransomware: Ransomware of the Future?
According to Trend Micro, computer criminals continue to show an interest in ransomware, as well as cheap offerings associated with deepfake services on underground web marketplaces. Malwarebytes noted that malicious actors could ultimately combine these two threats together into “deepfake ransomware” attacks.
The security firm drew on the work of author and scholar Paul Andrei Bricman to discuss what this threat might look like. In one scenario, deepfake ransomware actors could use video and audio samples from public websites to create a deepfake video of the target in a compromising position. They could threaten to release the video to the public unless the victim pays a ransom within a specified time period.
Alternatively, Malwarebytes notes that malicious actors could pose as a contact and warn the target that found a video of them. The target could find themselves redirected to a website that used a short deepfake video to distract the victim from ransomware being executed in the background. The security firm noted threat actors had used similar tactics back in 2015.
Malwarebytes revealed it had not seen any evidence of this attack type in the wild at the time of reporting. Even so, it observed “the potential for this campaign to destroy a target’s reputation is exceedingly high.”
How to Defend Against a Ransomware Attack
Organizations need to focus on preventing a crypto-malware attack. Detecting an attack that’s in progress is just not enough. Organizations should implement the following best security practices:
- Gain visibility over their assets. Organizations can’t hope to monitor for a ransomware attack if they don’t have the proper visibility over their environments. In the absence of oversight, malicious actors could abuse a number of known security vulnerabilities to gain access to and move laterally across the network.Organizations can combat this threat by using passive asset management tools to first discover all their connected hardware and software. They should then use artificial intelligence tools in combination with network monitoring solutions to watch over the network for ransomware-like activity.
- Invest in building a security-aware culture. Many ransomware infections begin with a phishing campaign or other attack vector that weaponizes human error to its advantage. The only way organizations reduce these risks is by educating their employees about digital security. They should specifically train them to spot different social engineering techniques, as well as bolster their familiarity with common and emerging phishing tactics.
- Complement employee training with robust controls. Even trained employees can fall for a phishing attempt if the attack email looks legitimate. That’s why organizations need to back up their investment in building a security-aware culture with proper controls. Those security measures should include anti-spam solutions that automatically flag email-borne threats, such as suspicious links and malicious domains. Additionally, organizations should consider implementing procedural/administrative controls to codify secure behaviors and make them a regular flow within the business.
- Have an incident response plan. Ransomware actors are constantly inventing new techniques to slip by organizations’ defenses. This means organizations could still suffer an infection despite focused security efforts. Organizations should have a team responsible for responding to security incidents within the organization. They should also have an incident response plan in place and regularly test this strategy to ensure team members can quickly respond to an incident if and when it occurs.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...