This latest issue of the Junto Blog series shares how threat actor groups are learning from each other and ramping up their attacks, causing more damage and trouble than ever before with new ransomware variants.
Ransomware is always on the minds of the claims people and underwriters we support every day at NetDiligence. It’s critical to keep our cyber insurance partners up-to-date about the latest ransomware variants that could cause our partners to face business interruption or worse, especially when all signs point to a significant threat acceleration in 2021.
Matt Ahrens, Incident Response Expert and Principal in the cybersecurity and forensics team at Charles River Associates, describes why the situation is so volatile.
“Threat actors have become more advanced in how they’re attacking organizations. Historically, even as recently as two years ago, they didn’t need to take the data—the backups. The threat actor would crash the system, offer the key, and go away once receiving their bitcoin payment,” Ahrens says. “They didn’t need to do anything else to extort the company. But now that many companies have invested in backups, the threat actors have changed their methods. Now they are looking at ways to go in and thrash the backups.”
Ahrens goes on to explain that in the newest ransomware variants, such as REvil/Sodinokibi, this behavior means threat actors go in and delete the backups or reformat the drives that hold them.
Another variant that has been incredibly active in terms of volume is Conti.
“At first, Conti looked very similar to Ryuk; they kind of mimicked the Ryuk technical vectors, with their initial attack vector using Emotet and TrickBot and things of that nature,” Ahrens says. “But, although the Conti group used that same method, Conti is not Ryuk. Their encryptor is very different from the Ryuk encryptor; it has different signatures, different malware. Maybe someone bought some of the Ryuk code historically and manipulated it, but Conti is definitely not Ryuk.”
Other emerging variants today include DarkSide, Maze, and DoppelPaymer, which share similar extortion methods built around the threat of leaking stolen information (the double extortion trend: pay, or have your data published).
Office of Foreign Assets Control (OFAC) And The Sanctions List
Contributing to the complexity and anxiety of cybersecurity risk is the proliferation of threat actors from groups sanctioned by OFAC, such as Evil Corp with its Dridex malware.
Looking for hints to the threat actor’s identity (and possible sanctions status) can take a bit of reverse engineering on the network, but it is necessary in order to establish who the actor is and whether it is sanctioned. For example, if any active Dridex malware is seen, or if the activity’s signature or tactics align with those known to be used by Evil Corp, the threat may be traced to that group. Other clues can be found more easily: if the threat actor has a blog where it mentions it is based in Iran, then a location can be inferred, in this case a sanctioned country.
In these sanctioned instances, the company’s ability to pay ransom runs into legal and ethical problems. That’s why companies need to work with their incident response expert to ascertain threat actor attribution and remain OFAC-compliant.
NetWalker Gang Takedown
One positive in the battle against the variants was January’s announcement that the NetWalker ransomware gang had been disrupted and criminal charges filed.
As a threat actor, NetWalker went several steps beyond encrypting data when it attacked:
- As ransomware as a service (RaaS), it allowed others to buy or lease its ransomware and launch attacks or perform services in return for payments (similar to an affiliate model)
- It threatened to release data publicly if not paid
- From an encryption perspective, it moved quickly, speeding up the encryption process—once launched—because it only needed to encrypt part of each file
Disrupting this fast-spreading variant was a critical success for cybersecurity and law enforcement.
Now, tracing other users of RaaS is becoming easier. Ahrens explains that the malware used in an attack does carry some level of attribution, and patterns can be discerned from it.
“Now we can see the type of malware used, and look at the ingress point and the type of phishing used to start building profiles,” he says. “When different threat actors or groups jump on the internet, you start seeing overlap from an ingress perspective, and you can begin to make assertions based on analysis of that forensic picture.”
Getting Back To Business
With the new variants’ change in attack mode, more companies are coming to terms with the necessity of keeping their backups offline or disconnected, effectively stopping ransomware from thrashing them. In much the same way, cloud storage is a viable option gaining in popularity and use because of its Write Once Read Many (WORM) functionality, which keeps stored backups from being corrupted. But in those instances when a backup isn’t available or practical because of complexity, a company’s first (and often best) option is to roll back to its last good state before the attack.
However, when a company feels it has no other option but to pay the ransom, it still doesn’t have a guarantee its data will be decrypted or that the threat actor can decrypt it. To reduce the impact of a failed payment, “The company can ask for ‘proof of life,’ which is when they’ll send an encrypted file to the attackers and ask them to decrypt it before making a payment,” Ahrens says, “to prove that the key will work.”
We Can Help In The Fight Against Ransomware
While we may seem at the mercy of ransomware and its ever-developing variants, there is one way we can help. Ahrens says that proactive reporting of events to law enforcement likely went a long way toward taking down NetWalker. The more we share, the more information the experts have to search out these threats, disarm them, and design better cybersecurity safeguards.
For further insights on 2021 ransomware variants—including the incident of the vanishing ransomware—watch our full discussion. If you have any questions for Matt Ahrens, he can be reached at Charles River Associates. Mark Greisiger can be contacted at NetDiligence.