Ransomware attacks have evolved from the “spray and pray” methodology popular several years ago to highly sophisticated operations that leverage an arsenal of tools to pressure victims into paying. New research from Sophos illustrates why these types of attacks continue to evolve and become ever more damaging.
“Criminals have always tried to evade antivirus or bypass firewalls,” says principal research scientist at Sophos, Chester Wisniewski. “But the level of sophistication that they’re getting with bypassing tools and hiding and disguising and obfuscating themselves – often as legitimate things within the network – is just at a new level.”
Rather than “script kiddies” – who deploy amateurish automated tools – the people behind today’s high-profile attacks are increasingly carrying out reconnaissance beforehand. They’re learning about what kind of company their target is, what it does and what type of information it finds valuable. “The theme is there’s more and more human involvement, hand crafting attacks to best exploit the given victim,” says Wisniewski.
The research finds that attackers steal and then encrypt data to “double extort” the company. “‘You’ve got to pay the ransom if you want to get the keys, but you also need to pay us to keep quiet or we’re going to tell the regulators and you’re going to have a GDPR violation or a CCPA violation in California or HIPAA’ – whatever type of organisation it is.”
Wisniewski says this is because attackers assume that while they might be able to extort $1 million for simply thieving data and locking up files, they could perhaps get $5 million after pointing out how calamitous the hack will be to the company’s customers, shareholders and regulators.
“There’s been a real stratification in the criminal underground,” says Wisniewski. While cyber criminals once relied on largely the same tools and methods, there are now very skilled people operating at an entirely different level. “The unskilled people are still out there trying to hit computer desktops for a couple hundred dollars apiece, or cryptomining if they can break in,” he says. “But the ones that have skills have started taking notes from the nation-state playbook.”
These more talented criminals have understood how state-sponsored attacks are executed – “here’s how a nation state or a spy phishes the victim to get in. Here’s how they move laterally around the network to identify assets that they may want to steal as a spy,” Wisniewski says. When in-depth reports describe techniques and tactics, such as how the United States and Israel worked to plant Stuxnet in Iranian centrifuges, “criminals take those as blueprints for doing their own attacks,” he says.
In the new report, Sophos researchers tracked case studies of ransomware attacks, and found that criminals are increasingly using social pressure in order to manipulate the victims. In one case, attackers started calling the employees of the company they had hacked at their desks, to tell them what personal information they now held about them. They told them that if they didn’t want it publicly disclosed, they should pressure their bosses to pay the ransom.
“Then the whole company received an email exhorting them to persuade their senior executives to pay the ransom, which by then stood at $8m,” the report reads. “Finally, the attackers started to phone the by then worn-out IT team, telling them to read their email and pay.”
In this case, the attackers had encrypted 90 per cent of the company’s servers, causing the business to grind to a halt. The attackers had gained access to the company’s critical financial systems. However, the company steadfastly refused to pay. The attackers eventually dumped three loads of company data online, yet the company is still in business today.
Wisniewski says that companies can protect themselves from this kind of ordeal by applying the best protection technologies that leverage AI combined with human intervention.
“It may be that you see Mimikatz in an environment – even though nothing’s happened yet so a protection technology may not even have been triggered – and the human investigator can see these indicators and can jump into action,” says Sophos chief product officer Dan Schiappa.
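The kind of indicator Schiappa describes can be surfaced by a simple scan over endpoint telemetry before any encryption has happened. The following is an added example, not code from the article or from Sophos: it reads constructed Sysmon-style JSON events (field names follow Sysmon's Event ID 1 ProcessCreate and Event ID 10 ProcessAccess, but the values are invented here), flags a known credential-dumping tool by its executable name or its PE original file name, and flags processes outside a trusted system directory that open handles to lsass.exe. The tool name list and the trusted-directory allowlist are assumptions for the example.

```python
import json
import ntpath

# Constructed Sysmon-style JSON events for this example (values are invented).
# Raw strings keep the doubled backslashes that JSON expects for Windows paths.
SAMPLE_LOGS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "User": "CORP\\alice"}',
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\mimikatz.exe", "OriginalFileName": "mimikatz.exe", "User": "CORP\\svc-backup"}',
    r'{"EventID": 1, "Image": "C:\\Temp\\upd.exe", "OriginalFileName": "mimikatz.exe", "User": "CORP\\svc-backup"}',
    r'{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}',
    r'{"EventID": 10, "SourceImage": "C:\\Temp\\upd.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}',
    'not a json line - the scanner should skip it rather than crash',
]

# Hypothetical short list of credential-dumping tool binaries (assumption).
TOOL_NAMES = {"mimikatz.exe"}
# Source-image directories assumed trusted for lsass access (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\",)


def _basename(path):
    """Lower-cased file name of a Windows path, e.g. 'lsass.exe'."""
    return ntpath.basename(path).lower()


def check_event(event):
    """Return an alert dict for one parsed event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 1:
        # A renamed binary often keeps its original PE name, so check both.
        names = {_basename(event.get("Image", "")),
                 event.get("OriginalFileName", "").lower()}
        if names & TOOL_NAMES:
            return {"rule": "known-tool", "image": event.get("Image"),
                    "user": event.get("User")}
    elif eid == 10:
        src = event.get("SourceImage", "")
        if (_basename(event.get("TargetImage", "")) == "lsass.exe"
                and not src.lower().startswith(TRUSTED_DIRS)):
            return {"rule": "lsass-access", "image": src,
                    "access": event.get("GrantedAccess")}
    return None


def scan(lines):
    """Parse each log line as JSON and collect the alerts it raises."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        alert = check_event(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the scan raises three alerts: the plainly named mimikatz.exe, the renamed upd.exe caught through its OriginalFileName, and upd.exe opening lsass.exe from an untrusted directory. The svchost.exe access is tolerated by the allowlist; in a real environment that allowlist would need tuning against the legitimate processes that routinely touch lsass.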
However, the most effective thing would be if organisations stopped paying the ransom. Sophos’ latest report indicates that companies actually spend the same amount recovering from the attack whether they pay the ransom or not. The average incident costs about three quarters of a million US dollars to recover from.
Wisniewski says he thinks many companies are surprised that after paying a ransom, they still have to pay a huge amount to get back on their feet – something which might deter organisations from paying in future. “I don’t see ransomware going away unless we stop paying, and the only way we’re going to stop paying is if we arm ourselves with facts and we do a better job of defending ourselves and making it too difficult for attackers.”