The cyber-criminal groups behind some of the most notorious and damaging ransomware attacks are using the same tactics and techniques as nation-state-backed hacking operations – and they’re only going to get more sophisticated as they look for even bigger pay days.
One of the key reasons why ransomware has become such a common cyberattack is because it’s the easiest way for malicious hackers to make money from a compromised network.
Previously, cyber criminals might have focused on stealing information that could be used or sold on, but by encrypting the network, they can make a large sum of money from demanding a ransom in a shorter amount of time than it would take to make from exploiting stolen credentials or financial information.
And now the skills of ransomware gangs are catching up with the Advanced Persistent Threat (APT) groups associated with nation states.
“Ransomware attackers are essentially just a couple of years behind the tradecraft we’ve seen APT crews adopt. This is still a growing problem; it’s not going to go away,” Mitchell Clarke, principal incident response consultant at security company FireEye Mandiant, told ZDNet.
Researchers at Mandiant presented analysis of how ransomware – and the cyber-criminal gangs behind it – has evolved and matured in recent times during a presentation at Black Hat Europe 2020, demonstrating how the cyber-criminal groups running these campaigns are increasingly conducting full-scale network intrusions similar to those seen in nation-state attacks.
Ransomware groups like DoppelPaymer and REvil have been highly prolific this year, encrypting networks and making millions. Part of the reason for the success of these campaigns is because they’re highly targeted.
Cyber-criminal hackers uncover vulnerabilities on networks then spend months laying the groundwork to compromise the systems with ransomware before finally unleashing the attack and encrypting the network.
This is similar to how APT groups hide for months or even years without being detected, although their goal is surveillance or stealing sensitive data rather than making money with ransomware.
“If we look back to older cases of ransomware, it was largely opportunistic. Attackers would land on a corporate environment and advance into a small subset of a wide organisation. The transition from opportunistic crime into APT-like campaigns is just a realisation that it’s more profitable to completely cover an organisation with ransomware,” said Clarke.
“The attacker has taken their time to step through that APT process, to understand the victim environment and to move across it as quietly as possible and with as much privilege as they’re able to get. Then when it’s time to deploy ransomware, to cover a whole organisation.”
But that isn’t where the evolution of ransomware campaigns stops; there’s the risk that as these groups gain more experience with successful attacks, the time between initial compromise and an attempted full encryption of the network will become much shorter – meaning there’s even less time to potentially detect suspicious activity before it’s too late.
“We’re seeing a gap from initial compromise to a ransom event being in the months – it’s in that period before a ransom that organisations can implement changes to be able to detect,” explained Tom Hall, principal incident response consultant at FireEye Mandiant.
“But as they get more sophisticated, we’re going to see that window dropping from months to weeks and weeks to days. If organisations don’t grasp the problem of being able to catch them when they’ve got months, there’s no hope when we’re down to shorter time periods,” he added.
However, one of the key reasons why cyber criminals continue to be successful with ransomware attacks is because they’re able to exploit vulnerabilities that are simple to protect against – but organisations have failed to do so.
Applying security patches shortly after they’re released prevents cyber criminals from exploiting issues that have already been fixed, while enforcing two-factor authentication and preventing the use of default passwords on the network can also go a long way towards protecting against ransomware and other attacks.
“It’s not like these situations couldn’t have been prevented. It really highlights that a solid patch-management programme would have solved having vulnerabilities exposed that kicked off the entire breach,” said Clarke.