Editor's note: This article is by George Glass, head of threat intelligence at Redscan.
Ransomware continues to be a dominant factor in the threat landscape, which has changed drastically in just the last 24 months. More and more organizations are falling victim to ransomware, including charities, critical infrastructure and even security companies themselves.
Despite lots of ransomware advice centering on backing up files and systems, it's important to remember that precursors to ransomware can be identified and attacks disrupted. It's vital that businesses have appropriate controls in place to detect and respond to attacks. This means understanding:
- The current ransomware landscape and most common variants
- The rise of double and triple extortion methods — used by ransomware operators to improve their success rates
- The best opportunities to identify precursors to ransomware and to take action swiftly and effectively
The current ransomware landscape
The current ransomware landscape is extremely worrying, whether viewed through the lens of real-world incident response cases or trends seen on the dark web. Top ransomware variants seen in the wild during the first half of 2021 included the likes of Ryuk, Conti, REvil, Darkside and Avaddon.
Even though some of the groups have since either disbanded or rebranded, the ransomware tactics, techniques and procedures (TTPs) they use are continuing to be used by threat actors around the world.
Attackers are actively taking advantage of known software vulnerabilities in technologies relating to remote working, including exploiting remote desktop protocol or VPN vulnerabilities, as many people continue to work from home.
Cybercriminals are also continuing to use phishing as a reliable method of initial access, while evolving their techniques to launch more sophisticated infections. Meanwhile, ransomware as a service has been a constant threat for the past two years, since it exploded onto the scene in the summer of 2019.
As for dark web trends, many ransomware groups are now using double or triple extortion tactics. This approach escalated around the end of 2019 when the Maze ransomware group was at its peak.
Maze was among the first groups to pioneer the double extortion tactic of exfiltrating data during a ransomware incident and then posting some or all of it on a dedicated website for stolen victim information. This method has contributed to ransomware payments soaring.
By threatening to leak data and cause extra reputational and operational damage, attackers have far more leverage and the ability to demand much higher payments. In 2021, it was reported that the average ransom payment rose more than 40% from the previous year to $220,000.
Now the vast majority of our incident response cases involving known ransomware variants feature this double extortion tactic. The number of threat actor leak sites that display the stolen information has also skyrocketed, with 24 different known sites now in operation.
If this situation wasn't bad enough, we are also seeing ransomware gangs add a new, third layer to their pressure tactics, which some industry professionals have dubbed triple extortion.
Sophisticated attackers may launch distributed denial of service (DDoS) attacks and spam campaigns during negotiations, cold call victims, or alert customers, partners, shareholders, and the media about the attack. Some gangs even have a dedicated call center to do this for them.
It's a nefarious but effective way of intimidating and pressuring a victim to pay up, especially if they have adopted radio silence in response to the attack.
Case studies: AI chat applications and web forms
To understand these common and emerging ransomware trends, it helps to review real-world case studies of some of the newer attack methods we've seen this year.
AI chat applications are increasingly popular. Many larger companies will attempt to solve the most common and most basic support requests without any human intervention via artificial intelligence.
In 2021, attackers have created tickets through a third-party AI chat application posing as a legitimate customer requiring support. Often, if the AI support can't identify or solve the issue within a few messages, the company will ask for more details, and this is where the attacker can gain initial access.
When a company moves to manually resolving the query, this often includes the option for the "customer" to attach a file or screenshot with more details, and we've seen attackers exploit this by uploading malicious .zip files.
As an example, in one particular case the team investigated, a malicious document delivered inside a zip file was used to install IcedID malware, which in turn allowed Egregor ransomware to be deployed on the client's system.
Online web forms also fall victim to similar methods. Analysis of a recent case showed that a malicious link had entered the target organization via a "Contact Us" form on its corporate website. From the link, an individual in the organization downloaded a zip file which, once opened, executed malicious code to download files containing the likes of Cobalt Strike and IcedID, as well as a potential connection to REvil ransomware.
In one particular case, the attacker posed as a photographer complaining that one of his images was being used on the site without the appropriate license, and attached a malicious file as proof.
The malware was triggered by the company's operative opening the attachment, but fortunately that organization had a defense-in-depth strategy in place, using technologies that were able to detect and disrupt the malware before it could cause any damage.
Identifying precursors to ransomware
To stop the kinds of attacks described above in their tracks, it's imperative that organizations identify precursors to ransomware events. There are multiple detection opportunities at different stages of the attack, including:
- Delivery, the moment when the malware is introduced onto the system
- The post-exploitation framework, often involving tools like Cobalt Strike and PowerShell Empire
- Lateral movement and reconnaissance, where the attacker's goal is to elevate privileges and take over the domain controller
- Finally, the deployment of ransomware
Thankfully, the detection opportunities at some of these stages can be incredibly noisy if you know when and how to listen. Using security information and event management (SIEM) and endpoint detection and response (EDR) tools, it is possible for security teams to detect the detonation of malware, evidence of tools used for reconnaissance, the signs of a persistence mechanism (where a threat actor is establishing a way to stay within an organization's environment) and lateral movement throughout the environment.
For example, EDR can be used to detect scheduled task creation, and in particular unusual tasks created shortly after the initial execution. These tasks enable the attacker to maintain their presence on the network or their remote access to the environment. This activity takes place in the initial stages of an attack, making it a perfect early detection opportunity for preventing real and lasting damage.
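The scheduled-task detection described above, written out as an added example (this is illustrative code, not Redscan's tooling). It runs over constructed process-creation telemetry and flags a task creation as a likely persistence mechanism when it follows, within a short window, an execution from a user-writable path on the same host, or when the task's own action points into such a path. The event field names and the sample hosts, users and paths are assumptions.

```python
import re
from datetime import datetime, timedelta

# Directories a standard user can write to; an EDR would normally enrich this itself.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# Pulls the action out of a 'schtasks /Create ... /TR "<action>"' command line.
TASK_ACTION = re.compile(r'/TR\s+"?([^"]+)"?', re.IGNORECASE)
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real incident data). Field names are assumed.
EVENTS = [
    {"ts": "2021-09-14T09:02:10", "host": "WS-RECEPTION-01", "user": "j.doe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": "WINWORD.EXE licence-complaint.doc"},
    {"ts": "2021-09-14T09:02:31", "host": "WS-RECEPTION-01", "user": "j.doe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\j.doe\AppData\Local\Temp\x.dll,Update"},
    {"ts": "2021-09-14T09:03:05", "host": "WS-RECEPTION-01", "user": "j.doe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC MINUTE /MO 60 /TN "Updater" /TR "rundll32.exe C:\Users\j.doe\AppData\Local\Temp\x.dll,Update"'},
    {"ts": "2021-09-14T10:15:00", "host": "SRV-BACKUP-02", "user": "svc_backup",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC DAILY /TN "NightlyBackup" /TR "C:\Program Files\Backup\run.exe"'},
]


def find_suspicious_tasks(events, window=WINDOW):
    """Return (host, command line, reasons) for scheduled-task creations that look like
    persistence rather than routine administration."""
    recent_exec = {}  # host -> timestamps of executions from user-writable paths
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["image"].lower().endswith("schtasks.exe") and "/create" in e["cmd"].lower():
            reasons = []
            action = TASK_ACTION.search(e["cmd"])
            if action and USER_WRITABLE.search(action.group(1)):
                reasons.append("task action points into a user-writable path")
            prior = [t for t in recent_exec.get(e["host"], []) if ts - t <= window]
            if prior:
                gap = int((ts - prior[-1]).total_seconds())
                reasons.append(f"created {gap}s after execution from a user-writable path")
            if reasons:
                alerts.append((e["host"], e["cmd"], reasons))
        elif USER_WRITABLE.search(e["image"]) or USER_WRITABLE.search(e["cmd"]):
            recent_exec.setdefault(e["host"], []).append(ts)
    return alerts
```

The backup server's task is left alone because its action lives under Program Files and nothing ran from a user-writable path beforehand; the reception workstation's task trips both checks.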
We are seeing "dwell times" coming down, meaning attackers are working more quickly and the window to detect them is getting smaller. In the case of malware like IcedID, we're starting to see attackers perform the lateral movement stage of an attack in less than an hour, which is very fast indeed.
During this stage, it's common for attackers to search for domain admins and investigate the trust relationships between machines and domains, which may look like legitimate administrative activity on the surface.
However, security teams should ensure they can recognize malicious intent: if a device at the reception desk is conducting this activity, for instance, it will almost certainly be the result of a bad actor.
At this stage, an attacker may also seek to identify which antivirus products are on the infected machine. Again, this is another obvious precursor to more malicious behavior. By this point, given the number of odd or suspicious tasks issued by the machine and identified by EDR, the malware should be identified or stopped, and the machine isolated from the rest of the network.
Isolating a machine early is one of the best ways of disrupting ransomware and evicting the attacker.
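The reconnaissance triage described in the last few paragraphs, as an added example (illustrative code, not Redscan's own): the three precursors the article names (domain admin enumeration, domain trust enumeration and antivirus product enumeration) are matched in constructed process-creation telemetry, and the verdict depends on the host's role, so the same commands are "review only" on an admin jump host but an isolation recommendation on a reception workstation. The host inventory, event fields and host names are assumptions.

```python
import re

# Constructed sample telemetry (not real incident data); field names are assumed.
EVENTS = [
    {"host": "WS-RECEPTION-01", "user": "j.doe", "cmd": 'net group "domain admins" /domain'},
    {"host": "WS-RECEPTION-01", "user": "j.doe", "cmd": "nltest /domain_trusts /all_trusts"},
    {"host": "WS-RECEPTION-01", "user": "j.doe",
     "cmd": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "ADM-JUMP-01", "user": "admin.smith", "cmd": "nltest /domain_trusts"},
    {"host": "ADM-JUMP-01", "user": "admin.smith", "cmd": 'net group "domain admins" /domain'},
    {"host": "WS-FINANCE-07", "user": "a.lee", "cmd": "nltest /domain_trusts"},
]

# Assumed asset inventory: hosts where domain reconnaissance is routine admin work.
ADMIN_HOSTS = {"ADM-JUMP-01", "ADM-JUMP-02"}

# Precursor categories from the article, matched loosely against the command line.
RECON_PATTERNS = {
    "domain admin enumeration": re.compile(r'net1?\s+group\s+"?domain admins"?\s+/domain', re.I),
    "domain trust enumeration": re.compile(r"nltest\s+/domain_trusts", re.I),
    "antivirus product enumeration": re.compile(r"AntiVirusProduct", re.I),
}

ISOLATE, INVESTIGATE, REVIEW = "isolate", "investigate", "review-only"


def triage_recon(events, admin_hosts=ADMIN_HOSTS, isolate_threshold=2):
    """Return {host: (verdict, sorted precursor categories)}.

    A non-admin host that shows at least `isolate_threshold` distinct precursor categories
    is recommended for isolation; a single category is queued for investigation; the same
    commands from an inventoried admin host are logged for review only."""
    seen = {}
    for e in events:
        for category, pattern in RECON_PATTERNS.items():
            if pattern.search(e["cmd"]):
                seen.setdefault(e["host"], set()).add(category)
    verdicts = {}
    for host, categories in seen.items():
        if host in admin_hosts:
            verdict = REVIEW
        elif len(categories) >= isolate_threshold:
            verdict = ISOLATE
        else:
            verdict = INVESTIGATE
        verdicts[host] = (verdict, sorted(categories))
    return verdicts
```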