The Evolution of Ransomware and How to Move Forward

It seems that every time you check the news, there is a new ransomware attack. But for every attack that gets media attention, several other attacks likely flew under the radar.

Ransomware is not new – the first reported case in 1989 targeted healthcare organizations. The actor behind the attack delivered the ransomware by sending out over 20,000 floppy disks to AIDS researchers. Even in the early days, social engineering was used to get victims to access malware; in this case, the disks purported to contain a questionnaire that would assess a person’s risk of acquiring AIDs. We have since seen an evolution in the quality of the ransomware code, delivery mechanisms used and extortion methods.

One reason ransomware is such a big problem is that any initial attack vector can be used to distribute ransomware throughout an organization. For instance, it can be delivered in the later stages of an exploit kit where phishing is the initial infection vector; or by threat actors using leaked, purchased or brute-forced credentials to gain access to an organization through a public-facing service. Threat actors have also upped their game with their spear-phishing tactics to ensure their delivery is as realistic and enticing as possible.

The quality of ransomware code has also improved greatly over time and extortion tactics have also evolved where ransomware now will exfiltrate information before encrypting. Ransomware actors have also created public shaming sites where they will list their victims in an effort to force payment and removal from these lists. From there, we saw a shift to double-extortion, where actors demand payment for the decryption keys and then also demand a second payment to ensure that the exfiltrated information was not leaked to the public or sold.

Possibly the greatest advancement in ransomware has been how actor groups have evolved and created successful business models. This includes the recent shift to Ransomware-as-a-Service (RaaS). In these cases, the ransomware groups offer a framework for affiliate members to use. These affiliates have already gained access to the victim network and then use the RaaS software and infrastructure to conduct the actual ransomware part of the attack. The RaaS operators collect the ransom and then distribute a percentage to the affiliate.

Over the past month, we have seen that the ransomware groups are becoming more brazen in their attacks. Following the attacks on critical infrastructure provider Colonial Pipeline and meatpacker JBS, we heard of REvil, the criminal RaaS enterprise, targeting Sal Oriens, a subcontractor who works with the National Nuclear Security Administration (NNSA). All three of these attacks targeted businesses critical to the safety and security of the United States. While the impact of the attack on Sal Oriens is not fully known, there is great potential for damage to the nuclear security of the United States as they have threatened to leak the information to any nation-state or military they choose. This attack elevated ransomware to the equivalent of a nation-state threat.

"Possibly the greatest advancement in ransomware has been how actor groups have evolved and created successful business models"

The United States is now re-evaluating how it will tackle the growing threat to the safety and security of critical infrastructure and national security. As a first step, the White House issued an executive order regarding upping the security posture of .gov entities, including a push to the cloud and adopting zero trust architectures. After the Colonial Pipeline attack, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, issued a dire warning to private companies about the threat of ransomware attacks. Christopher Wray, the director of the FBI, even talked about the parallels of the complexity of the current ransomware investigations with that of the 9/11 attacks. Lisa Monaco, Deputy Attorney General, also released an internal memo directing US prosecutors to report all ransomware investigations they are involved with and highlighted the importance of tracking the complete ransomware infrastructure. This, too, makes the new tracking of ransomware similar to that of terrorism.

Ransomware continues to evolve in both technology and business models. While security vendors continue the fight against technology, governments worldwide need to step up and find ways to cripple the business model. As we have seen, indictments against some of the operators have limited effectiveness.

Law enforcement and government agencies can take a bold step to get ahead of ransomware actors: begin taking possession of the entire hosting infrastructure, not just the C2 servers. Anything associated with the advertising of the services, RaaS affiliate infrastructure and any other infrastructure used in the ransomware attack chain or by the ransomware operators must be possessed. Taking control of this infrastructure could go a long way towards reversing the “risk versus reward” ratio and force many out of the ransomware business. It may also allow law enforcement and government agencies to take over the financial assets of these organizations and allow for further tracing of transfer of funds to find other ransomware actors.

Governments need to work together to ensure that there is no safe haven for ransomware operators and continue to apply pressures to those who still offer a safe harbor. This may be the best solution to bring an end to the ransomware epidemic.

What’s Hot on Infosecurity Magazine?