Ransomware attacks are shifting from malware-centric threats to more nuanced and sophisticated tactics.
The more savvy and technically adept groups behind these attacks are trying to extract as much ransom as possible by using data extortion and leak sites to increase the pressure on organizations.
“Ransomware is getting detonated to get your attention so that you will then go pay so you can get your data back,” Pete Renals, threat intelligence analyst at Palo Alto Networks’ Unit 42, said last week during an interview at the RSA Conference in San Francisco.
“They are trying to get money more so than they are trying to create devastation and destruction at this point,” he said.
This includes a turn away from malware that spreads rapidly across networks and toward exploiting vulnerabilities, including zero days, to get in. The prevailing goal of ransomware groups today is to gain a foothold in a network so they can get an organization’s attention and perhaps exfiltrate data, Renals said.
The shift has also spread the work of a ransomware attack across specialized groups. Some write the ransomware, others run campaigns or handle negotiations, and others break into networks and sell that access to ransomware groups.
The evolving tactics are visible from the very first contact ransomware groups have with their victims, Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, said in an interview.
Threat researchers and responders have seen incidents where ransomware notes include details about the data hackers have exfiltrated paired with threats of more pain to come.
Some of these notes, according to Miller-Osborn, effectively state: “We’ve got your data, we both know we could execute the ransomware but we’re going to do you a solid and we’re not going to as long as you pay us. And we’ll give you the data back.”
Some threat actors have actually helped organizations after the attack — after they pay the ransom of course — by explaining how they gained access and what vulnerability they exploited to attack, she said.
Mandiant is also observing ransomware groups switching tactics. The threat intelligence and incident response company, which Google is buying for $5.4 billion, noticed a spike in ransomware activity and the use of shaming, or leaks, during the week before the RSA Conference, EVP Sandra Joyce said.
“A lot of what we measure for ransomware is intermixed with data theft and extortion. And there may not be any need to drop any malware at all,” she said.
Joyce and others at Mandiant have been predicting this change for years. “Ransomware could have nothing to do with malware,” she said. “It could just simply be extortion and data theft, and it’s getting measured as ransomware.”
Enterprises can minimize some ransomware risk by consistently patching known exploitable vulnerabilities. “We constantly talk about the way the advanced threats and especially the ransomware actors have success, and that is often through those known exploitable vulnerabilities,” Robert Joyce, director of cybersecurity at the National Security Agency, said on stage at the event.
Every enterprise needs to remedy these vulnerabilities, he said, and close the unlocked doors attackers are walking through today.
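One practical way to act on the "known exploitable vulnerabilities" advice above is to cross-reference scanner findings against a catalog of vulnerabilities known to be exploited and fix the overdue ones first. The script below is an added example, not code from the article or from any organization quoted in it. The catalog entries are constructed samples that use the field names of CISA's Known Exploited Vulnerabilities JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`); the CVE identifiers, hosts and scanner output are hypothetical.

```python
"""Prioritize open findings that appear in a KEV-style catalog.

Added example; not code from the article. The catalog below is a
constructed sample in the shape of CISA's KEV JSON feed, and the scan
output is hypothetical. In practice you would load the real feed and a
real scanner export instead of these inline dictionaries.
"""
from datetime import date

# Constructed sample with the same top-level layout and field names as the
# real KEV feed (a "vulnerabilities" list). CVE IDs here are placeholders.
SAMPLE_KEV = {
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "EdgeGateway",
            "vulnerabilityName": "EdgeGateway authentication bypass (hypothetical)",
            "dateAdded": "2022-05-01",
            "dueDate": "2022-05-22",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-0002",
            "vendorProject": "ExampleVendor",
            "product": "WebPortal",
            "vulnerabilityName": "WebPortal remote code execution (hypothetical)",
            "dateAdded": "2022-06-09",
            "dueDate": "2022-06-30",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-0003",
            "vendorProject": "OtherVendor",
            "product": "FileShare",
            "vulnerabilityName": "FileShare path traversal (hypothetical)",
            "dateAdded": "2022-05-11",
            "dueDate": "2022-06-01",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ]
}

# Constructed scanner export: each asset and the CVEs still open on it.
SAMPLE_SCAN = [
    {"host": "vpn-01", "cves": ["CVE-0000-0001", "CVE-0000-0099"]},
    {"host": "web-02", "cves": ["CVE-0000-0002"]},
    {"host": "db-03", "cves": ["CVE-0000-0123"]},
]


def kev_index(catalog):
    """Map cveID -> catalog entry for O(1) lookups."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(scan, catalog, today_iso):
    """Return open findings that are in the catalog, most overdue first.

    Findings that are not in the catalog are dropped: they still matter,
    but the catalog entries are the ones with evidence of exploitation.
    days_overdue is negative while the remediation deadline is in the future.
    """
    today = date.fromisoformat(today_iso)
    index = kev_index(catalog)
    findings = []
    for asset in scan:
        for cve in asset["cves"]:
            entry = index.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_overdue": (today - due).days,
                "action": entry["requiredAction"],
            })
    # Most overdue first; tie-break on host name for a stable report.
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return findings


def overdue(scan, catalog, today_iso):
    """Only the findings whose catalog due date has already passed."""
    return [f for f in prioritize(scan, catalog, today_iso) if f["days_overdue"] > 0]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_SCAN, SAMPLE_KEV, "2022-06-10"):
        state = f"{f['days_overdue']}d overdue" if f["days_overdue"] > 0 else "due " + f["due"]
        print(f"{f['host']:8} {f['cve']:14} {f['product']:26} {state}: {f['action']}")
```

Run against the real feed, the same logic gives a short, ordered list of the hosts to patch before anything else, since each entry in it is a vulnerability already being used in the wild rather than one that merely has a high score.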