Ransomware Part One: A Growing Threat

Stephen DeAngelis

November 3, 2021

If data breaches aren’t frightening enough to keep CIOs awake at night, ransomware attacks must surely do the trick. “In an analysis of publicly reported ransomware attacks against health-care providers, municipalities and schools, The Washington Post found that ransomware attacks in the United States more than doubled from 2019 to 2020.”[1] Drew Adamek (@Drew_Adamek), Senior Editor at Financial Management magazine, observes, “Ransomware is on the rise. Every month seems to bring new headlines of massive attacks on businesses and governments. In May, a ransomware attack shut down America’s largest fuel pipeline. In June, another crippled the world’s largest meat processor. And in July, a single coordinated attack [impacted] over 1,000 businesses.”[2] According to the Washington Post article, “The costs of such attacks add up. Some experts conservatively estimate that hackers received $412 million in ransom payments last year.” Unlike hackers who breach databases in search of personal data, ransomware hackers understand the inherent value of corporate databases and deny companies access to those databases until they get paid to release them.

 

Anatomy of a Ransomware Attack

 

Gerry Glombicki, a CPA and director in the insurance group at Fitch Ratings, explained to Adamek that ransomware hackers have myriad points of entry to exploit. “Endpoint security is basically all the devices that connect to the internet,” Glombicki explained. “That’s my laptop. That’s my cellphone that can actually connect in via its VPN to the actual company’s email systems. It’s the VPN on my laptop connecting to the systems. All of these things create entry points to the network, which is convenient to me, but also is a security risk to the company.”

 

The Players

According to the Washington Post article cited above, “One of the largest cybercriminal gangs operating today, known as Conti. The organization, which researchers believe is based in Russia, has an unknown number of hackers working together in a hierarchical structure, operating almost like a legitimate business. It has developed a malware that can crawl through computer systems and lock down files, and it employs representatives to communicate with victims.” Other groups making headlines include REvil, DarkSide, Fin7, and BlackMatter. Conti isn’t the only group operating like a legitimate business. Journalist Robert McMillan reports, “A criminal organization believed to have built the software that shut down a U.S. fuel pipeline has set up a fake company to recruit potential employees, according to researchers at the intelligence firm Recorded Future and Microsoft Corp. The fake company is using the name Bastion Secure, according to the researchers. On a professional-looking website, the company says it sells cybersecurity services. But the site’s operator is a well-known hacking group called Fin7, Recorded Future and Microsoft say.”[3]

 

In early September, Peter Fretty (@pfretty), technology editor at IndustryWeek, reported, “Although highly publicized ransomware gangs REvil and Darkside recently dropped off the radar, other ransomware as a service (RaaS) groups have starting surfacing to take their place. The new group BlackMatter is the one garnering interest from people within the cybersecurity space.”[4] Little over a week later, Fretty reported, “Signs are pointing to the ransomware gang REvil resurfacing.”[5] Just when it looked like REvil was once again going to be menace businesses, tech journalist Dev Kundaliya reported, “REvil ransomware gang was itself hacked and taken offline … in a coordinated operation that involved law enforcement agencies from multiple countries. Three private sector cyber specialists working with the US law enforcement agencies and one former official told Reuters that cyber experts working with intelligence agencies were able to breach REvil’s computer network infrastructure and seize control of at least some of their servers.”[6]

 

In a previous article written when REvil went dark the first time, Kundaliya wrote, “Experts suspected the Russian government had forced the group to cease operations, to show the world that it was working with the US government.”[7] Chris Sedgwick, Director of Security operations at Talion, told Kundaliya, “Hacker groups disappearing when things heat up is something we have seen frequently in the past, with cases like Emotet or Anonymous. When groups do disappear, it is generally to buy some time and take the limelight off them from law enforcement agencies, and it rarely means they are disappearing for good. On the assumption that this is indeed the same threat group operating the infrastructure, we would expect to see a new ransomware variant from the group in the near future, but with a much more carefully selected victims to keep the media and Government attention off them as much as possible.”

 

The Attacks

“Ransomware can infect a computer in a variety of ways,” explains, Anton Lucanus, Founder and CEO of Neliti. “Some attackers can target the weakest link in a company’s digital supply chain to create a supply chain attack. This form of cyber attack involves an attacker packaging ransomware into the distribution method of trusted software, so that customers unthinkingly download the ransomware alongside the desired program. This can often lead to huge numbers of people being affected.”[8]

 

As Lucanus observes, the easiest way to carry out a ransomware attack is to get an employee to be an innocent co-conspirator by clicking on an email attachment. Lucanus writes, “Cybercriminals try to trick victims into opening infected attachments and links via email using phishing spam, one of today’s most common methods. Phishing technique entails sending decoys using emails and making them appear to come from a trusted source or a notable brand to a recipient who is then tempted to enter valid credentials on a fake website or download an infected file because they appear to be authentic.”

 

An even more duplicitous method, according to Lucanus is “malvertising.” He explains, “The use of drive-by downloads or malvertising is another popular method of infection. In this case, malware is distributed via online advertising, with little to no user interaction required. Users can be directed to criminal servers without clicking on an ad.” Regardless of the method used, Lucanus notes, “Once the malware has taken control of the victim’s computer, it may do several things, but the most common is to encrypt some or all of the user’s files. A mathematical key known only by the attacker must decrypt files at the end of the process. Unable to access files, the user is informed by a message that they must send an untraceable Bitcoin payment to the attacker.”

 

The Aftermath

“Basically what happens,” explains Glombicki, “is one day you’ll wake up to find that you don’t have access to your systems. There’s variance to this as well. [Emsisoft reports] how some of the threat actors are double encrypting your system. … They may encrypt half the system with one method and they may encrypt the other half with a different method. They might actually encrypt it with the same method twice and make you pay twice. They could be just after certain files. They might just do a certain subsegment of your network. It causes basically a big business interruption and continuity risks, but also it matters if it’s a risk to your supply chain.” Regardless of the method attackers use when they encrypt your files, they want you to pay a ransom to get your files unencrypted. The Washington Post article notes, “When a company is hacked, the attackers will generally leave a ransom note. The note can be as simple as an email to the company’s executives or a text file left unencrypted on one of the servers. … The note typically contains instructions on how to access a website on the dark web. That’s where hackers will say how much they want, and how much time the victim has to pay up. A countdown clock sometimes ticks away, giving a company a set amount of time, usually about a week, before the price goes up.”

 

Most companies end up paying the ransom to unlock their files; however, paying might not be an option in the future. Tarah Wheeler (@tarah), a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University‘s Kennedy School of Government, and Ciaran Martin (@ciaranmartinoxf), a professor of practice in the management of public organizations at Oxford University, report, “As victims have paid up in order to mitigate damage, there are now growing calls for businesses to be banned from paying ransoms.”[9] They go on to note that banning payments would put most businesses between the proverbial rock and a hard place. “These calls to ban ransom payments,” they note, “outright fail to capture what is an enormously complicated policy issue. As it stands, the ransomware model favors the criminal, but will banning ransom payments outright reverse this imbalance of incentives?”

 

Along those lines, the Biden administration is looking at several methods to turn the tables. The Wall Street Journal reports, “The Biden administration is preparing an array of actions, including sanctions, to make it harder for hackers to use digital currency to profit from ransomware attacks, according to people familiar with the matter. The government hopes to choke off access to a form of payment that has supported a booming criminal industry and a rising national security threat.”[10] According to the report, “The Treasury Department plans to impose the sanctions … and will issue fresh guidance to businesses on the risks associated with facilitating ransomware payments, including fines and other penalties. Later this year, expected new anti-money-laundering and terror-finance rules will seek to limit the use of cryptocurrency as a payment mechanism in ransomware attacks and other illicit activities. The actions collectively would represent the most significant attempt yet by the Biden administration to undercut the digital finance ecosystem of traders, exchanges and other elements that cybersecurity experts say has allowed debilitating ransomware attacks to flourish in recent years.” The first step taken by the Biden administration was to blacklist “a Russian-owned cryptocurrency exchange for allegedly helping launder ransomware payments, an unprecedented action meant to deter future cyber-extortion attacks by disrupting their primary means of profit. The targeting of SUEX OTC marks the first time the Treasury Department has sanctioned a digital currency platform.”[11]

 

In the concluding installments of this article, I will discuss what experts say organizations can do to either prevent or mitigate ransomware attacks as well as what actions can be taken during and after an attack.

 

Footnotes
[1] Gerrit De Vynck, Rachel Lerman, Ellen Nakashima, and Chris Alcantara, “The anatomy of a ransomware attack,” The Washington Post, 9 July 2021.
[2] Robert McMillan, “Ransomware Gang Masquerades as Real Company to Recruit Tech Talent,” The Wall Street Journal, 21 October 2021.
[3]Drew Adamek, “The hidden risks and costs of ransomware,” Financial Management, 4 August 2021.
[4] Peter Fretty, “REvil, DarkSide and Now BlackMatter. It Never Ends!” IndustryWeek, 1 September 2021.
[5] Peter Fretty, “They’re Back!” IndustryWeek, 9 September 2021.
[6] Dev Kundaliya, “REvil ransomware gang taken down in multi-country operation,” Computing, 22 October 2021.
[7] Dev Kundaliya, “REvil ransomware may be set to return,” Computing, 9 September 2021.
[8] Anton Lucanus, “Everything you need to know about Ransomware,” insideBIGDATA, 2 September 2021.
[9] Tarah Wheeler and Ciaran Martin, “Should ransomware payments be banned?” The Brookings Institution, 26 July 2021.
[10] Ian Talley and Dustin Volz, “U.S. to Target Crypto Ransomware Payments With Sanctions,” The Wall Street Journal, 17 September 2021.
[11] Ian Talley and Dustin Volz, “U.S. Sanctions Crypto Exchange Accused of Catering to Ransomware Criminals,” The Wall Street Journal, 21 September 2021.