CyberWire Daily - A rough year ahead for ransomware attacks - and how to stop them. [Research Saturday]
Episode Date: April 4, 2020
2020 is shaping up to be a rough year. Ransomware attacks will continue to grow as cybercriminals get more sophisticated in their methods and expand their reach. Allan Liska, Senior Analyst at Recorded Future, shares their findings and predictions in a new report. The research can be found here: 5 Ransomware Trends to Watch in 2020.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life
JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security
your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
We've seen an overall shift over the last few years from a focus on widespread consumer-focused attacks to much more targeted business or organizational-focused attacks.
That's Allan Liska. He's a senior analyst at Recorded Future and co-author of the book Ransomware. The research we're discussing today is titled Five Ransomware Trends to Watch in 2020.
With that, we've also seen a huge increase in ransom demands from, you know, a few hundred dollars to a hundred thousand, a million dollars, et cetera. So we're seeing a lot of six- and seven-figure ransom demands now. So that's kind of where we see the biggest trend. And then you add to that that the ransomware actors, the more advanced ones, are figuring out other ways to monetize their attacks. So that's where we start to see more of these extortion attacks, where if you don't pay the ransom, then they're going to publish the files they've stolen from your network, you know, and keep them up on a webpage somewhere until you pay that extortion fee.
It's interesting to me that, you know, I want to say a year ago or so, maybe a little longer than that, we thought we were going to see a shift to crypto mining and that ransomware was going to die down. That didn't play out.
No. So in 2017, we saw a huge dip in ransomware attacks, and then there was an acceleration of crypto mining attacks, and that continued to your timeline through a good part of 2018. It turns out it's really hard to make money crypto mining. Unless you're able to command literally hundreds of thousands and maybe even millions of devices to do the mining for you, it's actually really hard to make any kind of substantial money from crypto mining. Even as Bitcoin and other cryptocurrencies were rising, it was just that much more difficult to actually do the calculations at scale.
What other trends are you tracking here when it comes to ransomware?
So we're seeing a big rise in ransomware as a service, which is really interesting because some of the top ransomware actors, so the teams behind REvil, also known as Sodinokibi, and Nemty, MegaCortex, all rely on a ransomware-as-a-service model. And of course, famously, before they were shut down, GandCrab relied on that model as well. What that does is it becomes a force multiplier for the threat actor. Instead of having to worry about a dozen threat actors, we now have to worry about hundreds of threat actors. Still only dozens of ransomware that are really a threat, but there are a lot more people behind them using a lot of different methods of activity, which means that it's harder to pinpoint where the entry point for the ransomware will be.
So if you take REvil, for example, primarily what we used to see is they would be delivered through phishing emails, and we still see a lot of that. But some of the people that use their ransomware as a service will also gain access through a managed service provider, and then they'll jump from that managed service provider to target customers. We saw that in Texas, for example, last year with the 22 towns and cities that were infected from a managed service provider. We've also seen some of the REvil affiliates who are going after Citrix vulnerabilities or remote desktop protocol, etc., which means that, again, that attack surface grows because there are so many different threat actors that are using that same ransomware.
Given where we stand today with ransomware, what are your recommendations for organizations to set up shop to be protected against it? In this environment, as things have evolved, how do you think folks should go about that?
Well, one of the things that you need to worry about, we've always advocated for good backups, right? Good backups and checking those backups and making sure that you have offline access to your backups, that they're not directly connected to the networks. Because we know attackers, ransomware actors, like to go after those backups. But the other thing that you now have to worry about is you have to identify the attack as soon as possible. So before, what you'd have is, you'd have, when I say before, I'm talking all the way back in 2016, '17, the ancient times. You'd have the ransomware actor who would gain access to a box, and then they'd infect that box, and then the attack would be over.
With the more advanced ransomware actors that we're seeing a lot of activity from now, they're sitting in the network for a couple of weeks. They're learning the network, they're understanding it, and they're deploying the ransomware after they've studied the network, which means that early detection is much more important, because in addition to studying and learning the network, they're also stealing a bunch of data. So if you wait until the first system is encrypted to stop the ransomware attack, even if you effectively stop that, gigabytes, hundreds of gigabytes, if not terabytes of your data have already been stolen. And you're going to get an email from that actor in a few days saying, "Hey, you haven't paid the ransom. Just want you to know I've thrown your files up on this website, and I'm going to release them to everybody if you don't give me that extortion fee,"
which is actually an interesting trend that we're seeing, one that I hadn't expected, where lawyers are now getting involved in the process. So the problem is, if you're going to throw a company's data up on a website, you can't necessarily do it on, like, an underground forum or a dark web where nobody can see it. You have to throw it up on a public website. Well, the moment you do that, you're now in sort of the realm that companies are used to operating in, where the ransomware actors aren't used to operating in that realm. So we saw this with the Maze ransomware, where they were one of the first to lead the extortion campaigns. They put all of the customer data up on a website hosted in Ireland, which obviously all of that ran afoul of GDPR. The website provider got sued by a company in Georgia whose data was exposed. And not only did the website get taken down, but the whole hosting company got shut down. So this is going to be an area where we may see more lawyers involved in this type of activity as the courts get smarter about this.
Another example in the UK, where a company paid a ransom and the court stepped in and demanded that the exchange actually return the ransom money. The court said it was an illegal activity, and the Bitcoin exchange had to actually give back some of the Bitcoin that hadn't already been taken off and laundered in other places. Which again, this is a surprise to me, is we will see more court activity as the money gets, as the ransom demands get higher, as the extortion demands get higher, and these operators, these ransomware operators, act with more impunity, they're going to come up against, you know, not just law enforcement, but legal enforcement.
they're in my network and they're exfiltrating that data that they're then going to put on a public server somewhere. Is a possible solution to that for me, or a prevention for that, that I encrypt that data on my system so that they can't get access to it, even though they're in my network?
Absolutely.
I highly recommend that any data sitting on a desktop or a server be encrypted wherever possible. Now, where that may be a problem is if the attacker has the credentials to that machine, then they may be able to unencrypt that. So it depends on how the encryption process works. But wherever possible, if you can encrypt that data while it's at rest, it makes it that much harder for the attackers to expose that.
That's Allan Liska from Recorded Future. The research we discussed was titled Five Ransomware Trends to Watch in 2020. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.