CyberWire Daily - A snapshot of the ransomware threat landscape. [Research Saturday]

Episode Date: May 1, 2021

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their 2021 Unit 42 Ransomware Threat Report, which highlights a surge in ransomware demands based on a global analysis of... the threat landscape in 2020. To evaluate the current state of the ransomware threat landscape, the Unit 42 threat intelligence team and the Crypsis incident response team collaborated to analyze the ransomware threat landscape in 2020, with global data from Unit 42 as well as US, Canada, and Europe data from Crypsis. The report details the top ransomware variants, average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk. The report can be found here: 2021 Unit 42 Ransomware Threat Report

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello everyone and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:37 I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. The incredible change and ramp up that we've seen over that time, we felt it was a good time to kind of revisit that and get a state of the, you know, what does the ransomware threat landscape look like now? That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence
Starting point is 00:02:10 with Palo Alto Networks' Unit 42. The research we're discussing today is their latest ransomware threat report. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:02:58 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Starting point is 00:03:50 Well, I mean, before we dig into some of the details of the report here, I think it's worth taking a little look back at the history. I mean, my recollection is that ransomware, like a lot of things, started out small and sort of low dollar amounts, a lot like spam. It was a nuisance for a lot of folks. But first of all, is that perception correct on the origin story of it? And how has it developed since then? That's definitely how it started. And it also started out typically targeting individuals.
Starting point is 00:04:19 So the payout was significantly smaller and there wasn't a lot of attention paid to it, especially from a business sort of perspective. But then as will happen, criminals will look for bigger paydays. So they started recognizing, hey, if we go after businesses, we can get way more money. That it's not one person, it's hundreds of people, potentially all of their customers. So then we started seeing a shift into going after businesses. And it's really just continued in that vein over the years with the attackers, both becoming better at their targeting, better at their development of ransomware,
Starting point is 00:05:00 and also just continuing to advance the tactics they take to get paid. So one of the new things we've seen going on, especially over the last year or so, is what we're calling double extortion, where ransomware attackers have recognized that the traditional guidance was to have good backups. If you had good backups, then you'd be fine. And attackers have recognized that. So now some of the groups have started going into these networks before they actually execute the ransomware and looking for valuable information. IP, anything related to sales data, customer data, things that would be very, very damaging for the organization to lose. customer data things that would be very very damaging for the organization to lose and then they're exfiltrating that information first and then encrypting all of the the systems so that
Starting point is 00:05:51 way when they go back to the organization they can say if the organization says whatever you know we have good backups you know goodbye they have the additional leverage of well that's fine that you can restore from there but how valuable is this data to you? And a lot of the attackers that are doing that are also posting that information that this organization has been compromised to a website somewhere on the dark web. So then there's also that kind of public disclosure. Hey, we have this organization and their data. We're going to release it if we aren't paid by X time. So just, yep, they continue finding new and inventive ways to make money. Well, one of the things that the report tracks here is the increase in the amount of money that they're making and the amount of money they're demanding.
Starting point is 00:06:35 What did you uncover there? They're going after, in many cases, larger organizations or organizations that can't afford the downtime. larger organizations or organizations that can't afford the downtime. One of the worst things we've seen is the continued focus on healthcare sector attacks, because when you're holding a hospital hostage, they have quite a bit of urgency to have their systems up and running. But they're also just going after both bigger organizations and more money because they know they can demand it. And you'll also see the amounts have gone up with the groups where they're doing this double extortion kind of thing, because they really have two different things they can monetize plus the perceived public pressure of losing all of that data if they don't pay by a certain time. And
Starting point is 00:07:20 that data is for some of the groups that just say they're going to publish publicly. And that, you know, there are organizations that wouldn't be able to recover from that. You know, for many years, the popular wisdom was don't pay the ransom. You know, that's certainly what the FBI's message was. And I suppose the notion was, you know, if we pay the ransom, then we're supporting this ecosystem and incentivizing them to continue their efforts here. Is that still the case? I guess what I'm getting at is, does the message of don't pay the ransom align with what's actually happening on the street? I don't think organizations ever want to pay the ransom.
Starting point is 00:08:07 organizations ever want to pay the ransom, but, you know, it's a use case or a business case per organization for, you know, what they can withstand or what they can take to be able to still be able to recover from. So while, you know, no one's ever going to encourage paying the ransom because that does further encourage the attackers, you know, it can be a business decision where that's the only way they're going to be able to remain a business or however they do that logic. And it's kind of hard not to feel at least some level of sympathy. Yeah. One of the things that you track here in the research is the availability of these tools and, you know, how there are more readily available ransomware as a service subscription based models. Can you share some of the details on that side of things?
Starting point is 00:08:52 Sure. So that's where it's called an affiliate model and it's where the attackers who own the ransomware itself or kind of the base, they let others rent it out to then conduct their own attacks you see this as well with a lot of other types of malware like botnets and things like that and it's just another way the attackers have figured out to make more money and in some cases make more money easily because they're setting up the structure for the software and then these other people are paying them to do actual attacks. It's just another step in attackers figuring out every possible way they can to monetize ransomware attacks. You know, one of the things that really struck me when I was looking through the research here,
Starting point is 00:09:43 when you're highlighting this rise of double extortion was the activity from the Netwalker gang and how much more activity you saw from them than some of these other groups who are leaking information online. Yep. And that was one of the things that they really like to do. And I think that it's worth noting that that also got them quite a bit of attention from law enforcement. So there was that international law enforcement effort to disrupt that particular ransomware family. other details here. I mean, when we're looking at the various sectors who've been hit hardest by ransomware attacks, can you share with us, I mean, who's getting hit worse? Unfortunately, healthcare has been hit quite heavily, which is one thing that we really don't like to see, but that's definitely been an area that's been a focus. What we've seen by far is manufacturing quite a bit. And then, you know, we're seeing kind of legal services, construction, high tech. It kind of runs a gamut from there.
Starting point is 00:10:54 But if you look at this chart from a perspective of potential amount of money that could be made by ransoming these various organizations, you can see a lot of the focus is on organizations that potentially have larger resources and maybe more difficulty in recovering if they lose their data. Yeah, on the defensive side of things, I mean, I suppose it's worth noting that these exfiltrations,
Starting point is 00:11:21 I mean, in some cases, they're grabbing multiple hundreds of gigabytes of information. And it strikes me as interesting that the organization's attention wasn't drawn to that, that in terms of shoring up your defenses, it seems like being on the lookout for that is something people really should focus on these days. Yes. For any number of reasons, large amounts of data leaving your network should probably be noted.
Starting point is 00:11:53 And also, that ransomware has continued to grow and spread at the rate it has just highlights that it really hasn't been taken seriously. You know, it kind of remained this nuisance. Like we were discussing earlier, people really didn't recognize the threat that they were facing. And I think that's changing now. That's one of definitely one of the reasons we wanted to do an updated ransomware paper now to call the organization's attention to this, that this is a massive problem. They are making incredible amounts of money on it, and we really need to globally be more effective in our defense. Are those nuisance operators still out there? I mean, are there groups out there who are still going after individuals? groups out there who are still going after individuals? Yeah, you still see people going after individuals, but very, very little. That tends to be more of the variations of the old
Starting point is 00:12:51 Nigerian prince kind of scheme. And we track that quite a bit. We have grouped all of that activity under Silver Terrier for us. So they definitely continue to be active and to evolve their methods of making money. But for the most part, there are still other smaller ransomware families out there. And that's one of the things, one of the goals with publishing this paper and getting this data out there is by drawing attention to it, you'll get more organizations to improve their protections to further price
Starting point is 00:13:21 out some of these other ransomware families. And that's one of the key ways, one of the only things we can really do to stop this outside of law enforcement efforts. That in conjunction with people recognizing this problem and doing better and better defenses will start to price out a lot of these different attackers because they aren't going to be able to continue to evolve at the same kind of speed. Yeah, one of the things that you track in your research that I found interesting was just the increase in incident response costs, what it takes for an organization to react when this happens to them.
Starting point is 00:14:01 The price of that has increased significantly as well. Yep, the price of that has increased. And there are any number of reasons around that demand, the complications that can be involved in trying to go through one of these cases. And in a lot of times, the incident response can be just as expensive, if not more so than the ransom was, which is another reason that organizations really need to pay attention that this is a legitimate problem and that you could potentially be out a lot of money one way or the other. So you really want to get ahead of that scenario and try and keep this from happening. Well, let's go through some of the ransomware variants that you all track in the report here.
Starting point is 00:14:42 Can you take us through some of the top ones and kind of what their MO is, how they do the business they do? Sure. So one of the ones that really stood out to us was Ryuk, that in particular for their targeting of healthcare, which is unfortunate. But it did result in CISA and the FBI and the Department of Health and Human Services jointly issuing warnings for healthcare organizations specifically about being aware and defending against Ryuk because they were focusing so much on healthcare, which, yeah, there's just a special place for people.
Starting point is 00:15:26 That's where they've decided they're going to make money. Like you could literally pick any other kind of organization, but healthcare is going to be the one you're going to target. Like, yeah, you deserve all of the law enforcement attention that you get. Sure. Yeah, right. And then you already mentioned NetWalker, which is the one that we really saw taking advantage of the double extortion technique. And again, that also got significant attention, at least this time from law enforcement and works to disrupt that. awareness being put on ransomware attacks and more focus on making sure people are informed,
Starting point is 00:16:11 defenses are in place. Law enforcement is really focusing on the people carrying out these attacks to go after that and disrupt it. And that's kind of unprecedented, really, especially for a lot of the cyber things where we've treated this over the years, that it's being recognized now. And there's that, the focus that it's big, big global problem is good. And I think it's very necessary. It needed to happen now. Yeah. I think that is interesting that, you know, the pressure is on from law enforcement on an international level where these folks aren't just operating with impunity, you know, they have to be looking over their shoulders.
Starting point is 00:16:46 Yes. And that is exactly, yeah, that's exactly what should be happening. It's a success story of everyone working well together in the way you would always hope they do. So at least in that, it's a good news story. And I expect that we'll continue with law enforcement. And, you know, once these relationships are built, these processes are built, it becomes easier and easier over time to do more cases like this. So the attackers should, you know,
Starting point is 00:17:11 be aware that they're in the crosshairs. Yeah, absolutely. In terms of where we find ourselves, if you're sort of tracing a curve, you know, the growth and the rise and hopefully eventually decline of ransomware, do you have any sense for where we are on that curve? Is this a problem that we're getting a handle on or is to continue to grow in seriousness? Where do you suppose we are? I think we are poised right now to be in a good position to really take action and foot playing catch up because these attackers continue to evolve, continue to find new ways to make larger and larger amounts of money.
Starting point is 00:18:11 And they're not going to stop unless someone steps in to stop them. They have no reason to, you know, they're making tons of money with whatever having to leave home. So you have to kind of take away that reward. Right, right. Yeah, it leaves some of us sitting here scratching our head wondering maybe, hey, this is a good line of work to get into, right? Like I could make millions of dollars that way. Right, right. Yeah. It's just if it weren't illegal, immoral, and all those other things, you know, it'd be a great business to be in. Yeah. Well, the report concludes with some recommendations for folks to better protect themselves.
Starting point is 00:18:49 Why don't you take us through some of those? So some things that are very important for organizations to do is be aware of the way the attackers typically try to get initial access. A lot of times it's via phishing. the way the attackers typically try to get initial access a lot of times it's via phishing. So, you know, it's needing to have good cybersecurity protections in place. And these apply not just for ransomware, but these are really just things for attacks across the board. A good backup and recovery process. And that's something really organizations need for any number of reasons reasons in addition to a potential ransomware attack. One of the key components for that is the backups need to be disconnected from
Starting point is 00:19:32 the normal everyday network so that they can't also be encrypted if there's a ransomware outbreak. Definitely have seen some cases that reported where the organizations did have backups, but unfortunately they weren't properly kept segmented. So they also ended up being encrypted. And then now you're back to square one from that perspective. And really for ransomware, things we're finding to be critical for any number of attacks is real effective endpoint security. is effective endpoint security. That's really where the first kind of really malicious behavior component that happens within a network related to ransomware
Starting point is 00:20:10 that is detectable. So if you can catch that there and stop it, then it's a non-issue, it's a non-starter. But it's when you aren't able to catch that on the endpoint where ransomware is able to be executed, then that's where now you're in a tough spot. And that's endpoint security is the same thing that would have detected the SolarWinds attack. That's the same thing that was an initial way of stopping all of that from happening. It's just endpoint detection. Very, very, very important for a lot of different types of attacks.
Starting point is 00:20:46 Yeah, it's a really good point that, you know, this really is, I mean, it's a broad sort of thing. It's kind of a, I mean, I often like to compare it to public health, you know, washing your hands. You know, it helps you not get sick from a lot of different things, right? Not just catching a cold. Exactly. And so there's good in lot of different things, right? Not just catching a cold. And so there's good in all of these things. I mean, even like backups, you know, it's great to have backups, but you got to make sure that those backups are good. You got to practice your recovery
Starting point is 00:21:16 processes and things like that. It's that old, I guess, sports analogy of practice like you play. Yeah, that's very true. And that's definitely something that I think can get deprioritized because, you know, it's not an everyday activity and things can keep jumping in front of it, but it really is critical. I agree that organizations, they've run the drill and they know what to do in those situations. You know, they know who's responsible for it. They know the timeline for it. All of those things need to be, yeah, you need to practice. Our thanks to Palo Alto Network's Jen Miller Osborne for joining us. The research is Unit 42's Ransomware Threat Report. We'll have a link in the show notes.
Starting point is 00:22:11 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:23:18 Thanks for listening.
