Over 30 years ago, a disgruntled researcher unleashed the first noted ransomware virus, the “AIDS Trojan.” Distributed on 20,000 floppy disks marked “AIDS Information — Introductory Diskettes” and mailed to hijacked subscriber lists from the World Health Organization AIDS conference, the AIDS Trojan encrypted hard drives and directed victims to post ransom money to a P.O. box in Panama. However, the AIDS Trojan had a design failure — it used simple symmetric cryptography, which meant that the decryption key could be extracted from the Trojan’s own code.
It wasn’t until 2005 that the first modern ransomware programs began to appear, and not until 2006 that the first ransomware virus to use RSA encryption was released. Since then, ransomware techniques have continued to evolve. From around 2012 onwards, tens of thousands of different ransomware strains have emerged, while demanding payment has been made easier by the emergence of anonymous cryptocurrencies. Ransom demands have grown as a result; computer maker Acer was hit only a few days ago with a $50 million demand, a new record.
The methods used to deploy ransomware attacks have also changed. Once delivered mostly through mass email blasts, ransomware is now commonly deployed and operated through sophisticated and highly targeted attacks. The chaos and uncertainty caused by the COVID-19 pandemic last year created a window for cybercriminals to reach new levels of sophistication and danger. In 2020, a victim was infected by ransomware every 11 seconds.
Ransomware attacks are on track to become even more virulent in the future. We can expect ransomware attacks in 2021 and beyond to be more aggressive and cunning than before, and once they breach the network perimeter, to have a higher chance of reaching their targets. To mitigate this fast-rising threat, understanding the changing nature of ransomware detection methods is critical.
The Rise of Spear-Phishing Equals Increased Concerns
A major trend in ransomware deployment is the rise of spear-phishing attacks, in which a small number of employees receive carefully targeted messages instead of a mass-email blast. Because the COVID-19 pandemic made digital communication within and between corporate teams the norm, spear-phishing attacks have become more prominent, innovative, and effective. In one example highlighted by Gartner, cybercriminals used deepfake technology to impersonate a corporate executive in order to solicit a fraudulent wire transfer.
The rise of spear-phishing attacks is partly fueled by the growing quantity of personal information for sale on the dark web. By the end of Q2, 2020 had already been named the “worst year on record” for the number of records exposed in data breaches, according to a report by Risk Based Security. It’s just the start of 2021, but things aren’t looking much better this year, either. In what is known as the Compilation of Many Breaches (COMB), hackers posted 3.2 billion unique email and password combinations on an online forum in February, giving spear-phishers even more ammunition to craft convincing attacks.
The proliferation of stolen data means that anyone can now buy details about an individual's usernames, personal information, and even passwords for as little as $100. Threat actors can leverage this stolen personal information, alongside publicly accessible data, to craft highly effective phishing emails aimed at specific individuals within an organization.
Spear-phishing emails also frequently come from breached accounts that the victim is likely to trust. To take one example, a journalist left her job of 21 years after receiving a letter from “Harvard University” accepting her application for a professorship. The wealth of data available on the dark web for threat actors to use in their targeted phishing attacks is truly astonishing, and they will leverage any and all information they can to tailor a message to their target. Ultimately, this evolution in technique has made phishing attacks far more effective overall.
As a result, security teams need to ensure that their users are more aware than ever of how to identify phishing attacks. The average employee can no longer expect to spot a phishing email by its poor grammar or misspelled words. Instead, they need to know how to verify every email they receive so that they don’t accidentally enable initial access for a ransomware attack.
Human-Operated Ransomware Attacks Present New Problems
While “traditional ransomware” strains such as NotPetya and WannaCry are automated, threat actors are now deploying ransomware that is controlled remotely by human operators. The presence of a human operator can magnify an attack’s impact by allowing an unprecedented degree of dynamic and evasive response. Notably, human-operated attacks such as BitPaymer, REvil, and Ryuk are able to respond to changing conditions within a compromised network and bypass security controls in real time.
Typically associated with nation-state threat actors, human-operated attacks in which cybercriminals use stolen credentials are particularly adept at exploiting network misconfigurations. As they move laterally within a network, threat actors using this technique can customize their malware deployment based on what they can access, allowing attacks to go on for months. Microsoft has identified one group, known as Parinacota, that routinely uses this method and infects up to four organizations a week.
The increasing prevalence of human-operated ransomware attacks thus creates new problems for organizations that depend on a detection-centric approach to security. Ransomware with a human operator behind it can often evade detection platforms more efficiently, giving it a better chance of achieving its ultimate goal of reaching the domain controller and locking down the target system. Companies would do well to understand the risk inherent in human-operated attacks and deploy platforms that have a better chance of preventing evasive action rather than detecting it when it’s already too late.
The Rising Long-Term Threat of Double Extortion Ransomware
Threat actors are constantly expanding their arsenal in an effort to extract the maximum return from their victims. Alongside disrupting operations, ransomware operators now increasingly exfiltrate sensitive data to use as a tool for blackmail, even after an initial ransom is paid. Once threat actors hold a victim’s data, they can easily demand a second ransom under threat of exposing it.
Cybercriminals are known to deliberately choose organizations that would suffer the most from a data leak. In one example, the recent cyberattack on the game developer CD Projekt centered on an attempt to force the company to pay to keep a newly launched game’s source code from being leaked.
So-called "double extortion actions" can turn falling victim to a ransomware attack into a long-term source of pain for an organization. There is no necessary end in sight for victims with threat actors prepared to auction exfiltrated data on the dark web piecemeal. Threat actors have even been reported to call and directly harass their victims and even victims’ relatives after infecting their networks to maximize the potential for a ransom payment.
While ransomware is nothing new, the technology and the methods used for its delivery and deployment have evolved rapidly. Today cybercriminals are using highly targeted attacks to increase the likelihood of infection, human-operated ransomware to infect networks with more precision, and double extortion to create a long-term income stream from victims.
In response, organizations need to consider ransomware to be an evolving threat backed by well-resourced and competent threat actors, one that can only be beaten with proactive, not reactive, defense. It is only by taking preventative measures, like applying adequate security controls and deploying deterministic solutions such as Morphisec, that organizations can protect themselves and their employees against ransomware attacks that, with each passing day, are becoming more threatening, daring, and brutal.