Ransomware groups are getting smaller and smarter
The night had been quiet in the offices of Colonial Pipeline. While most Americans slept, this network of pipelines was quietly pumping large amounts of oil along the eastern seaboard of the United States. By the end of the day, more than 2.5 million barrels should have been dumped at gas stations, factories and power plants – a process that came to a screeching halt in the early hours of May 7, 2021.
The cause of the shutdown was quickly established by a ransom note that appeared on an IT technician’s computer screen at 05:00: “Your computers and services are encrypted,” it read. “Backups are deleted.”
Colonial called the FBI for help. Quickly establishing that the pipeline had been disabled by ransomware from DarkSide, a Russia-based cybercriminal gang, the Bureau demanded the company pay the ransom. It was a short-lived triumph for DarkSide. Within months, the FBI had collected most of the ransom and disabled the gang’s operations.
DarkSide’s demise, however, was more than the collapse of a single criminal operation. In time, it would become clear that the era of impunity for ransomware groups was over, as a wave of arrests in Europe and Russia triggered a shutdown event among the largest and most notorious.
Since then, a new breed of ransomware gangs has emerged from its ashes. Comprised of five or six people, these groups keep a low profile and mimic Western syntax to trick employees into downloading malware, and are barely hesitant to use zero-day vulnerabilities to dig into cloud storage and access certain of the largest computer systems on the planet. In short, they are more ambitious, more technically proficient, and more dangerous than ever.
Smaller ransomware groups are forming to evade law enforcement
By the end of 2021, high profile groups such as REvil, Conti and Blackmatter had joined DarkSide only to crumble under the weight of scrutiny from international law enforcement. All that was left of these networks, says Advanced Intelligence’s head of research, Yelisey Boguslavskiy, “was the operational side.”
Those who have worked as gang affiliates for a while are the ones who have weathered the storm, adds Allan Liska, intelligence analyst at Recorded Future. “They know the operations from start to finish,” he says. “They know how to conduct negotiations. They know how to make code tweaks and all that other stuff. So they are fine without a large coordinating group to support them.
These criminals, in turn, became the leaders of a new set of ransomware groups, including groups like Hive, which allegedly include Conti hackers and became infamous for extorting healthcare providers. Hive exemplifies the new breed of gangs, which are smaller, “more efficient and more visible when it comes to targeting,” says Boguslavskiy.
Their new prey, Liska says, are cloud providers and large corporations, which use attacks that place much greater emphasis on the psychological manipulation of key employees within corporate structures. “That’s where ransomware goes next,” he says. “More than a technological innovation, it is an evolution of social network analysis.”
For many of these gangs, adds Boguslavskiy, skillful use of psychological manipulation is an easy way forward. “As one actor said during internal communications,” he continued, “We can’t win the war on the tech side because we’re competing against companies that have budgets in the tens of billions. of dollars. We can never win that, but we can win the social side of things.
Ransomware groups – especially those operating from Russia – are also paying more attention to the need to adopt “Western” standards of behavior to more easily trick employees of US, UK and European companies into these phishing campaigns. “If you want to militarize the social aspect of the western community, you have to talk like a westerner,” says Boguslavskiy.
The Russian-based gang, Black Basta, has been particularly good at such operations, in some cases accessing company systems using fake DocuSign attachments. Operating since April this year, the group has had nearly 50 casualties in the US, UK, Canada, Australia and New Zealand.
New ransomware gangs, new tactics
That’s not to say that this new breed of cybercriminals lack technical acumen. In some ways they are more dangerous than their predecessors. “All of these groups focus on targeted attacks, extremely well-developed phishing campaigns with very clear methodologies for infecting, distributing and using custom malware,” Boguslavskiy says.
Western companies are better at backing up their own data and plugging holes in their defenses. But ransomware gangs have also found new ways to undermine these efforts.
The increasing use of zero-day attacks, exploiting vulnerabilities that have no patch, indicates the growing sophistication of this new generation of cybercriminals. A report by security firm Crowdstrike found that in 2021, Chinese threat actors were wisely exploiting null vulnerabilities on platforms such as Atlassian’s Confluence and ManageEngine, among others.
One such actor called DEV-0401 is described by Microsoft as a China-based lone wolf who became an affiliate of LockBit 2.0, another ransomware gang. This actor has been discovered targeting internet-connected systems using exploits such as Log4Shell.
Hackers may also start attacking cloud storage for sensitive data, says a ransomware report by Unit42, the research arm of the Palo Alto security platform.
“The majority of attacks on cloud workloads are known vulnerabilities. This is why it is essential to ensure that vulnerabilities are fixed and misconfigurations, such as privileged containers, are corrected before and during runtime,” the report explains. “Given the amount of valuable data in the cloud, it’s only a matter of time before we see ransomware groups targeting cloud environments.”
Domination of data extortion
Initially, ransomware gangs ply their trade by encrypting files and demanding money for the encryption key. As ransomware became more popular, other extortion techniques became common, but ultimately didn’t last, says Boguslavskiy. “Data encryption is too technically messy. It could still go wrong and corrupt the data instead of encrypting it,” he explains.
Now, ransomware gangs focus on stealing data before extorting targets. In June, CISA and the FBI issued a joint advisory on Karakurt Lair, a gang whose data extortion attacks were typically accompanied by ransom demands of between $25,000 and $13 million in Bitcoin. In May, the group released several terabytes of data that allegedly belonged to victims across North America and Europe, naming and humiliating recalcitrant targets who had refused to pay and giving instructions to participate in “auctions”. of their company secrets.
Implementing extortion-only tactics can be another way to avoid law enforcement, Liska agrees. “I think there’s a lot of interest in extortion just as a tactic because it’s easier. You don’t have to do as much work and there’s less chance of getting caught. It appears that law enforcement is currently not paying close attention to extortion-only groups versus those that actually deploy ransomware.
A new era of ransomware
There are still ways for companies to strengthen their defenses against this growing risk of ransomware. Keeping abreast of patches, for example, will prevent systems from becoming low-hanging fruit. It’s also possible, though more difficult, to prevent staff from succumbing to the social engineering evident in many of the latest attacks.
These include “breaking the loop” of ransomware attempts, according to Kaspersky, where an employee directly contacts the source of an exciting or disturbing email rather than responding in the thread. They can check the source of the URL or email to see if it’s trustworthy, or just ask for proof of the sender’s identity.
While these may seem like simple responses to attempted subversion, getting employees to respond in this way requires rigorous training. But with the technology skills shortages plaguing employers, thorough training on how to detect and appropriately deal with social engineering attacks can be nearly impossible to implement successfully. As such, businesses around the world should prepare for a new era of ransomware – one that is more dangerous and unpredictable than the last.