Ransomware has made big headlines recently, including the attacks on Colonial Pipeline, the Washington, D.C. police department and other victims. These attacks are becoming more frequent, more costly, and more targeted. In addition, ransomware attacks are increasingly powered by artificial intelligence to improve effectiveness, and may include “double extortion” tactics –exfiltrating sensitive data prior to the ransomware attack and threatening to release it – to improve the odds of extracting the ransom. In short, ransomware is poised to become a pandemic in corporate, government and other organizations’ networks.
Anatomy of a Ransomware Attack
Recently, hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks before locking its computers with ransomware and demanding payment. The company said it proactively halted all pipeline operations to isolate the attack. The U.S. government declared a state of emergency to keep fuel supply lines open following the shutdown. Colonial’s 5,500-mile conduit carries 2.5M barrels a day to the East Coast, or 45% of the region’s supply of diesel, gasoline and jet fuel.
Multiple sources, including the FBI, identified the ransomware attack as being perpetrated by the Russian cybercrime group Dark Side. According to news media, federal officials believe the malware was directed at the back-office operations of Colonial instead of the pipeline’s control systems. A preliminary investigation reportedly revealed poor security practices that made it “fairly easy” for hackers to infiltrate the company’s network.
Ransomware Isn’t Going Away
As scary as it seems, cybersecurity experts predict that cyber extortion (i.e. ransomware) is not going to go away – in fact, it will only become worse. Experts envision that the majority of ransomware will continue to stem from state-sponsored cyber warfare, primarily from Russia, Iran, and North Korea.
Ransomware will continue to be one of the most common forms of cyberattack. It is becoming a “go-to” method, fueled in part by third-party vendors of ransomware-as-a-service (RaaS). These services make ransomware attacks much easier and more accessible, and help increase the sophistication of the malware.
Ransomware will continue to take advantage of user behaviors and poor corporate security practices. Phishing and spear-phishing will continue to be the most effective methods of initial breach, unless users become more educated and cautious about opening suspicious emails.
Shifting Trends, Increased Sophistication
Ransomware attacks are becoming more sophisticated and frequent, and most likely will become even more highly targeted. Open-source and other artificial intelligence (AI) technologies are increasingly being used to create more sophisticated and precise ransomware attacks. For example, AI can be used to construct user profiles drawn from social media and other sources and then build highly convincing spear-phishing tactics to open the door to a ransomware attack.
Deepfakes are another concern, in which AI is used to modify a video so that it appears someone is saying something that, in reality, they did not. A deepfake could conceivably (and convincingly) order an employee to issue a payment directly to the attacker’s account, or divulge corporate secrets, for example.
Because of these trends, many security experts agree that AI needs to play a far greater role in protection against ransomware in the coming years – largely because the threats we now face are in themselves AI-enhanced.
New Targets and Tactics
As mentioned, ransomware is increasingly becoming highly targeted. A number of high-profile ransomware attacks have hit education and health care institutions recently, and more attacks are being launched against governmental organizations down to the county and city level.
During the year 2020, intelligence research teams observed that hacker groups shifted from widespread, indiscriminate distribution to highly targeted campaigns. Alarmingly, ransomware was often deployed via compromised Managed Security Service Providers (MSSPs). These trends coincide with the trend of Ransomware-as-a-Service (RaaS) shifting to a more private model.
Another disturbing trend involves the exfiltration of data prior to the ransomware encryption process. This enables attackers to “double-extort” victims with the threat of sensitive data leakage if they fail to pay.
Since companies around the world have improved their data management by making backups more frequent and more secure, a threat of data loss might not be enough to convince the victims to pay. As a result, the ransomware business has evolved to adapt to these changing circumstances through double-extortion.
In some cases, publication of sensitive information can be significantly more damaging than data loss, and thus make it far more likely for the attacker to extort the desired ransomware payment. In the Colonial Pipeline incident, for example, hackers exfiltrated 100 gigabytes of data before locking the computers. The cyber-gang that attacked the Washington, D.C. Metropolitan Police published exfiltrated information from personnel and gang database files onto the dark web.
Increasingly, threat actors hand-pick their targets based on their perceived ability to pay. Or, depending on their tactics, they can also profit from the sensitivity of the exfiltrated data to increase their target’s willingness to pay the ransom to preserve the integrity of their data.
Learn More about Ransomware
In our next post, we’ll further discuss the financial and other costs of ransomware attacks, and the dilemma faced by businesses regarding whether to pay (or not pay) the ransom. In addition, we’ll provide actionable tactics and techniques to help protect your network in this new era of pandemic ransomware.