Mar 18, 2024
Decrypting Ransomware
Revealing Tactics and Mastering the Art of Liberation
From the desk of Juan Vegarra
Ransomware has emerged as a pervasive threat to organizations worldwide, characterized by its escalating sophistication and detrimental impact. To effectively combat this menace, it is paramount to comprehend its intricate mechanics and deploy resilient defense strategies.
This musing, presented by The Security Agency, endeavors to demystify ransomware, providing an insightful exploration of its tactics while furnishing invaluable tips to fortify your organization.
Our virtual Chief Information Security Officers (vCISOs) possess a profound understanding of regulatory frameworks, coupled with extensive expertise in information security systems, services, and implementing best practices. See our webinar on the new compliance requirements that have recently been established for more information.
Our overarching objective is to help you position cybersecurity as a strategic enabler, thereby contributing to the overall success of your company.
Brief Overview
Ransomware, a malicious software variant, encrypts a victim's files, rendering them inaccessible. Subsequently, attackers demand a ransom to restore access to the encrypted data. Over time, ransomware attacks have evolved in complexity and scope, transitioning from targeting individuals to infiltrating entire organizations and governmental entities.
Ransomware has consistently ranked as the most prevalent cyberattack form over the past decade. Recent incidents have underscored the severity of this threat, with attackers targeting critical infrastructure and government entities. Notably, the 2021 Colonial Pipeline breach in the United States spotlighted vulnerabilities within corporate IT systems. It resulted in the execution of incident response plans that sought to isolate the breach from the critical OT pipeline operations, and it ultimately led to fuel shortages after management took the decision to shut down pipeline operations. This indirect impact from a ransomware incident emphasizes ransomware's potential to disrupt essential services and affect national security.
The Evolution of Ransomware Tactics
As ransomware continues to evolve, it poses a formidable challenge to governments, organizations, and individuals globally. Complicating matters further, attackers employ sophisticated tactics such as "living off the land," in which malicious payloads are passed to "trusted" binaries and scripts. Using non-malicious tools for malicious intent lets them evade some forms of antivirus (signature-based antivirus programs, as opposed to next-gen antivirus agents that are behavioral-based).
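To make the signature-versus-behavior distinction concrete, here is an added example (not from the original article) of behavioral rules run over process-creation events. The log format, the binaries listed, and the argument patterns are assumptions chosen for illustration, and the sample events are constructed.

```python
import re

# Assumed rule set (not from the article): trusted Windows binaries and the
# argument patterns that suggest they are being handed a payload.
RULES = {
    "powershell.exe": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "certutil.exe": re.compile(r"-urlcache|-decode", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:", re.I),
}
# Assumed: document and mail clients that should not launch script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def parse(line):
    """Split 'key=value' fields; cmd= is last and runs to the end of the line."""
    head, _, cmd = line.partition(" cmd=")
    event = dict(field.split("=", 1) for field in head.split())
    event["cmd"] = cmd
    return event

def evaluate(event):
    """Judge what the process did, not what the file on disk looks like."""
    image, parent = event["image"].lower(), event["parent"].lower()
    reasons = []
    rule = RULES.get(image)
    if rule and rule.search(event["cmd"]):
        reasons.append("suspicious-arguments")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    return reasons

# Constructed process-creation events (not real telemetry); the encoded
# argument and the file names are placeholders.
SAMPLE_EVENTS = [
    "host=ws01 parent=explorer.exe image=powershell.exe cmd=powershell.exe Get-ChildItem C:\\Reports",
    "host=ws02 parent=winword.exe image=powershell.exe cmd=powershell.exe -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwA",
    "host=ws03 parent=cmd.exe image=certutil.exe cmd=certutil.exe -decode report.txt report.bin",
    "host=ws04 parent=services.exe image=certutil.exe cmd=certutil.exe -verify cert.cer",
]

def detect(lines):
    """Return {host: reasons} for each event with at least one behavioural hit."""
    events = (parse(line) for line in lines)
    return {e["host"]: r for e in events if (r := evaluate(e))}

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS).items():
        print(host, ", ".join(reasons))
```

Every binary in the sample is a legitimate, signed system tool, so a hash or signature check passes all four events; only the parent process and the arguments separate ws02 and ws03 from normal use.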
Tactics have also begun to include an extortion element in the attack. The threat actors exfiltrate the company data before encrypting it and use the possibility of releasing it for sale on the dark web as an additional motivation for companies to pay the ransom.
The extortion play can also include enlisting the services of botnets of compromised servers and devices to bring a DDoS (Distributed Denial of Service) attack against the victim organization, further disrupting the ability of the company to maintain "business as usual" until the ransom is paid.
Understanding Ransomware Attacks
A typical ransomware "attack chain" follows a meticulously orchestrated seven-phase cycle. Beginning with reconnaissance, attackers gather intelligence about the target organization, including identifying vulnerabilities and profiling employees. Subsequently, attackers gain initial access to the target system, leveraging acquired intelligence to exploit vulnerabilities or execute successful phishing attacks against employees.
Attack Chain Phases:
Reconnaissance - scanning and research
Weaponization - creating code to exploit a vulnerability
Delivery - email, websites, social engineering etc.
Exploitation - running weaponized code on victim devices
Installation - the actual encryption of files
Command and Control - pivoting to new assets
Actions on Objectives - signal delivery of the ransom note
The Top Ransomware Actors
LockBit
LockBit, operating on a Ransomware-as-a-Service (RaaS) model, stands out as one of the most prolific ransomware variants globally. Leveraging affiliates and partners, LockBit perpetrators conduct ransomware attacks utilizing sophisticated malware tools and benefiting from a well-established infrastructure and distributed expertise. Increasingly these ransomware gangs will work with initial access brokers, botnet operators and other specialist functions. Gone are the days where everything is performed by a single "gang."
ALPHV (BlackCat)
The ALPHV ransomware group, colloquially known as BlackCat, has emerged as a noteworthy threat actor, targeting organizations across diverse sectors, including healthcare, finance, manufacturing, and government. Only a few years ago there was a sort of "gentlemen's agreement" that ransomware gangs would not target critical infrastructure, hospitals or schools. But this "honor among thieves" has since gone by the wayside as indiscriminate spraying of exposed assets of any industry or sector now occurs constantly.
CL0P
The CL0P ransomware group, renowned for its sophisticated techniques, including the aforementioned double extortion strategy, targets organizations across sectors such as healthcare, education, finance, and retail. Having never targeted Russian organizations, it is believed that CL0P operates in collaboration with Russian government agencies. The group uses Cobalt Strike for post-exploitation activities and further monetizes compromised assets, identities and organizations through a TOR (The Onion Router) data leak website.
PYSA (Mespinoza)
The PYSA ransomware group, also known as Mespinoza, primarily targets sectors such as healthcare, education, government, real estate and manufacturing. Employing robust encryption techniques, PYSA ransomware perpetrators lock files and frequently exfiltrate sensitive data prior to encryption. The group studies the compromised assets with an above-average degree of discipline (rather than just the "smash and grab" approach often seen with "run of the mill" organized crime operators) by searching for sensitive filename patterns such as "SSN," "passport" or "I9," which have a larger impact if leaked online.
BianLian
Attributed to the WIZARD SPIDER threat actor group (another Russian-based cybercrime group), the BianLian ransomware group targets organizations within sectors such as healthcare, energy, finance, and technology. The interesting aspect of this group is that some security researchers believe that a portion of the membership might not actually know that they are employed by a criminal organization. The recruiting and "customer support" functions of these gangs approach regular business practices, as was revealed in the leaks of the Conti Ransomware group in 2021, when a disgruntled affiliate leaked a cache of internal Conti documents.
Earth Krahang
The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage. Earth Krahang abuses its presence on breached government infrastructure to attack other governments, builds VPN servers on compromised systems, and performs brute-forcing to crack passwords for valuable email accounts.
The threat actors employ open-source tools to scan public-facing servers for specific vulnerabilities, such as CVE-2023-32315 (Openfire) and CVE-2022-21587 (Control Web Panel). By exploiting these flaws, they deploy webshells to gain unauthorized access and establish persistence within victim networks.
Alternatively, they use spear-phishing as an initial access vector, with the messages themed around geopolitical topics to lure the recipients into opening the attachments or clicking on the links. Once inside the network, Earth Krahang uses the compromised infrastructure to host malicious payloads, proxy attack traffic, and use hacked government email accounts to target its colleagues or other governments with spear-phishing emails.
Mastering the Art of Liberation
Addressing the escalating threat of ransomware necessitates a multifaceted defense strategy, encompassing threat intelligence, email protection capabilities, multi-factor authentication (MFA), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR).
The combined effect of these proactive measures empowers organizations to stay ahead of the ever-evolving ransomware landscape. At the end of the day, however, the ability to refuse to pay a ransom depends most of all on having backups of your data and configurations.
But keep in mind a saying from the area of disaster recovery: "Backups are useless, restores are golden." This means that you must regularly test and verify that your database and file share backups can be restored successfully. And if you do have a few "VIP" laptops that are used by senior leadership or members of the legal or HR departments, it can be a good insurance policy to install a cloud-based backup agent on those devices and avoid the need to engage with the ransomware gang entirely.
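One way to turn "restores are golden" into a repeatable check, shown as an added example (not from the original article): record a SHA-256 manifest when the backup is taken, restore to a scratch location, and compare. The function names, directory layout and file contents are assumptions, and the demo data is constructed.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests

def verify_restore(backup_manifest, restored_root):
    """Compare the manifest taken at backup time against a test restore."""
    restored = manifest(restored_root)
    missing = sorted(p for p in backup_manifest if p not in restored)
    corrupt = sorted(p for p, d in backup_manifest.items()
                     if p in restored and restored[p] != d)
    unexpected = sorted(set(restored) - set(backup_manifest))
    return {"missing": missing, "corrupt": corrupt, "unexpected": unexpected,
            "ok": not (missing or corrupt)}

def write_file(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: one file restored truncated, one not restored."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        write_file(src, "hr/payroll.db", b"payroll-records" * 100)
        write_file(src, "legal/contract.docx", b"contract-text")
        write_file(src, "shares/readme.txt", b"hello")
        taken_at_backup = manifest(src)          # stored alongside the backup
        write_file(dst, "hr/payroll.db", b"payroll-records" * 99)  # truncated
        write_file(dst, "shares/readme.txt", b"hello")             # intact
        return verify_restore(taken_at_backup, dst)

if __name__ == "__main__":
    print(demo())
```

A backup job that reports success would not surface either failure in the demo; only the comparison after an actual restore does.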
The Role of Education and Awareness
Education and awareness constitute pivotal components of a robust ransomware defense strategy. At The Security Agency, we are committed to educating businesses and organizations about ransomware prevention strategies. By fostering a deeper understanding of ransomware tactics, organizations can fortify their defenses and respond effectively to emerging threats.
If your organization does not yet understand the dire nature of the business disruption that ransomware attacks can create, or naively believes that it will not be targeted by such attacks, we can help by providing an executive tabletop exercise. Our scenarios will help demonstrate just how important your incident response procedure and your technical capabilities to withstand ransomware attacks can be.
As you can hopefully now see, ransomware attacks pose a significant and evolving threat to businesses and organizations globally. Understanding the tactics employed by ransomware groups and implementing robust defenses are imperative steps toward ensuring organizational safety and continuity.
At The Security Agency, we are dedicated to aiding businesses, public sector agencies, non-profits and institutions of higher education as they navigate these challenges. Our vCISOs offer strategic direction and operational management of your company's information security systems projects and initiatives. Together, we can forge resilient narratives of opportunity and success amidst the evolving cyber threat landscape.