CyberWire Daily - Naming and shaming is the worst thing we can do. [Research Saturday]
Episode Date: May 23, 2020

In December 2019, the GOLD VILLAGE threat group that operates the Maze ransomware created a public website to name and shame victims. The threat actors used the website to dump data they exfiltrated from victims' networks before they deployed the ransomware. Secureworks Counter Threat Unit (CTU) researchers have observed several ransomware operators following suit. Joining us in this week's Research Saturday is Alex Tilley of SecureWorks' Counter Threat Unit.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So we're talking initially about the people using the Maze ransomware, which we call GOLD VILLAGE. It then sort of pivoted on through to other groups like the people using DoppelPaymer and REvil and Nemty, et cetera, all the various different smaller, you would say, ransomware families.

That's Alex Tilley. He's a senior security researcher at SecureWorks. The research we're discussing today is titled Ransomware Name and Shame Game.

They sort of saw an opportunity, we believe, to say, well, listen, yes, we've got your business, we've got you either fully encrypted or half encrypted, but also here's your data that we have. And if you don't pay the money now, we're going to either leak the data or we're going to tell regulators, et cetera. So it sort of added a bit of extra pressure to the victims to pay up.
And what can you tell us about the maze ransomware itself?
It's relatively new, sort of coming around late last year, in around December last year. It seems to spread either via email or there's some sort of exploitation as well going on. Apart from that side of things, technically it's a pretty straightforward ransomware. It does what it does. It uses maths as a weapon, basically. But the way that they're saying, listen, we're going to name and shame you and dump your data if you don't pay up, that's sort of much more of a personal attack on the victims.
Well, before we dig into some of those techniques,
let's explore some of the technical things that are going on behind the scenes here.
Do you have any sense for how people are finding themselves infected?
Yeah, it does appear to be email, like phishing-based, but also via some sort of web exploitation sometimes,
either via exploit kits or various other web-based attacks that way.
So it's more of a browser and email-based attack.
And what's going on in terms of their command and control servers
and their infrastructure behind the scenes?
A lot of it is sort of hosted out of, some of it was via Cloudflare,
some of it's out of Russia.
There's a lot of the naming and shaming bits are done out of onion sites,
so through Tor, that sort of thing.
And what is your sense for who's running these operations?
Well, they definitely speak fluent Russian,
and they hang out on some Russian forums, Russian language forums.
So they either speak very, very good Russian for a Westerner, or they are Eastern European or Russian.

Well, let's go through, there's several that you're tracking here. You've got GOLD VILLAGE, GOLD HERON, GOLD SOUTHFIELD, and GOLD MANSARD. And these are using different types of ransomware?

Yeah, they're using different families of ransomware and different attack styles. Like GOLD SOUTHFIELD is one of the ones that people would be most familiar with. That's the REvil group, or the group that uses REvil. They seem to use RDP to access boxes. And it's always kind of amazing to me that we're in May 2020 and there's still open RDP on the internet with single factor. And these attacks still work pretty easily. I mean, if you think back, what, three or four years now to the xDedic leak, where that forum that had a bunch of RDP boxes listed that you could buy access to, that leaked. And those are still useful. Those are still being used these days. People haven't changed passwords in three or four years, haven't put a firewall in front of their RDP or some sort of second factor in front of their RDP. So a lot of these groups just sail straight in.
And once they get in, they find, you know, it's not the victims' shame at all,
but relatively flat networks, no real segmentation,
not a lot of controls internally.
So they're able to sort of go nuts.
Obviously, that's at victims that we see fully victimized,
you know what I mean, like fully encrypted right to the end.
We can't really say how many they get in and have a look at
and say, oh, well, we can't fully victimize this network
and then just leave.
Definitely when they get in,
there's pretty standard lack of security controls,
which is in 2020, it's a bit of a shame, really.
And then the other ones, one of them's using DoppelPaymer and one of them is using Nemty.
Yeah.
These families sort of all spring up and they all have their own approaches.
A lot of times they do use RDP.
A lot of times they'll use spear phishing.
These old types of sources of attacks still work these days.
And I sort of always say that criminals don't stop doing something unless it stops working.
So as they keep using these methods
of ingress, it means that they're still working, right? And they're still getting enough victims
and enough successful infections to keep it going forward, to keep it lucrative.
And who do they seem to be focused on, both geographically, but then also in terms of the types of businesses they're after?

Yeah, really, it's an interesting one.
So these groups we're talking about here are really a mixed bag.
Most of their targeting does seem to be in North America.
That could be because that's most of the targeting that we're seeing,
if you know what I mean.
But it does seem to be mostly in North America.
The verticals they're targeting are across the board.
Now, that's the particularly bad part of it
because with things like Ryuk
and some of the earlier large-scale ransomware attacks,
we could see that they would surgically pick their targets
based on who would do the most damage
and who would be the most likely to pay up.
These guys seem to be just sort of going
for whoever they can get into,
mostly sort of medium to large businesses,
but it's really, there's no one vertical that's being victimized more than another.
It's pretty much open season.

And what are you able to see? What sort of insights do you have in terms of their success?

Well, so that's very interesting, right? So people sort of throw around numbers like 10% or 15% of businesses pay up, that sort of thing. Obviously, our advice is don't pay up. It's not worth paying up. But the ex-law enforcement person in me sort of says, well, if they weren't being successful, they wouldn't still be doing it. And the fact that they're doing it more and more does speak to a certain level of growing success, if you know what I mean, from a criminal point of view. So, I guess all we can really say is that if ransomware wasn't working, you wouldn't still see ransomware. But we do see a lot more ransomware, which speaks for itself, really.

Do you have any sense from the data that they're posting, you know, a big part of this is the threat to post the data that they're able to exfiltrate. Do you have any sense for how many victims they've been able to hit?
Yeah, so sort of if we pick the maze group,
it looks like around the sort of 95 to 100 sort of level of businesses
that they've posted so far,
which we would see as relatively significant across all verticals across the world.
If you think about it from a criminal point of view,
that's a decent success rate
if you get 10, 15% of those to actually pay up.
The other groups, you know, it's smaller numbers,
you know, 30, 40, 50 sort of things.
So probably a few hundred to a thousand worldwide maybe,
probably more likely to be a few hundred.
And they seem to be, I don't want to say this,
you know, it's a common thing when we see Russian-speaking organizations,
it seems as though they will avoid hitting their fellow countrymen.
It will be very noticeable that they don't seem to be hitting that part of the world.
Is that something that you're tracking with this group?
We haven't seen any hitting of Russian targets or many Eastern European targets, for that matter.
It is skewed towards the continental United States,
but again, that could just be what we're seeing
and what they're publishing.
They might hit some Eastern European or Russian targets
but just not publicize it.
Who knows?
But yeah, we're not seeing any of that.
It does seem to be definitely that point of view of you don't, you know,
if you're inside Russia, the last thing you do is hack Russia, right?
Right, right.
And in terms of staying up and running,
these organizations, they're using bulletproof servers.
Is that pretty much the name of the game?
Yeah, bulletproof servers or semi-bulletproof servers in the case of some of the earlier stuff we saw. One of their victims launched a legal process against their hoster in Ireland and got their data taken down. So then they sort of named and shamed them a bit more brutally via Cloudflare in the States.

Yes, that was the Maze group with Southwire.

So that was an interesting sort of reaction. And I suppose we see that a bit across different verticals where victims' sort of first approach is to launch due process, which is not a bad thing. It's just oftentimes that can antagonize the criminals, as we saw here.
And the criminals are following through on their threats to start publishing the data, yes?
Definitely. So that's a really good point.
And I think that's really sort of does bear understanding
that in a really weird way, ransomware is based on trust,
as in you're going to trust your attacker
that he'll either give you the keys
or in some way give you the means to decrypt yourself if you pay up.
And it's the same thing with this stuff.
You have to trust your attacker that if you pay up,
he's not going to dump all the data he has
or more of the data he has or any of the data he has.
Because the second that you break that trust model,
which is in inverted commas,
because obviously it's a perverted trust model,
but the second that you as the attacker break that trust model,
that word's going to get out, right?
And everyone's going to know, well, if you get an email from the Maze team or the REvil team saying, we've got you, pay up or we'll dump your data, if word gets out that they'll dump your data anyway, no one's going to pay.
You know what I mean?
Because that trust is completely broken.
It's a really perverted trust model that sort of says that we will do what we say we'll do if you pay us.
It's a really strange place to be, I think, as a victim of one of these things. Because, I mean,
if you think about it, if you're not getting asked for like $6 million, if you're getting
asked for $10,000, let's say, for instance, to actually say, no, we're just going to rebuild,
that could cost you significantly more than $10,000 to rebuild. But the reverse is also true.
If you're a large enterprise and you pay up,
let's say $300,000 and you pay up
and you get a tarball with 20,000 individual keys in it,
now you've got a data management problem.
How are you going to deploy those keys to workstations and servers
in an acceptable timeframe and which ones do you start with? So even if you do pay up and you get the data back, it's not saying that
you're going to be back online in 20 minutes. You've got a significant issue here of deploying
these keys and getting these workstations and servers decrypted and back online. A lot of people
don't consider that. They sort of think, okay, well, if I pay up, that's the magic key, and all
of a sudden, I'm good to go.
Well, not really.
If you pay up a lot of times, you're just starting your journey.
And this recovery journey can be arduous.
And I think what you can find is a lot of places,
obviously, I operate a bit on a don't ask, don't tell sort of policy,
if you will, around these things.
It's like if you've got keys, that's great.
You've got keys.
I'm not going to ask how you got them.
That's your business's business, as it were.
I see.
Yeah, but just having the keys is the beginning of your journey.
And then all of a sudden you have competing interests.
You know, like if you're a decent-sized enterprise
and you sit down and say,
okay, we've got the means to decrypt this stuff.
Where do we start?
Can you imagine the fight that could break out?
Because everyone's systems and everyone's data
is the most important in the business, right?
Of course it is.
Of course.
Yes.
Absolutely.
So that's sort of,
I've been sort of pushing this barrow
around my little patch here in Australia
for a little while now.
It's about people are having their BCP meetings
and their DR meetings
and they are now discussing ransomware.
That's great.
That's an awesome step.
You know, three years ago or two years ago, it wasn't really brought up in those sort of meetings.
You know, now it's, okay, well, if we get ransomware, what's our corporate policy?
What's our marketing strategy?
You know, these things that sort of come into play.
But the extra question is, okay, before the bad thing happens, discuss and agree on what we will decrypt first should we come into possession of keys.
Let's just say a magic fairy drops some keys in our lap.
Where do we start?
And I think having that nailed down and discussed up front will put you in a good position. It'll also help you sort of figure out what's the most important to your business.
Because fair enough,
we talk about it from a ransomware point of view,
but you can talk about it from sort of
any sort of nasty attack,
any sort of crippling attack point of view as well.
It's like, okay, well,
what actually is key to our business?
And it might be different than your normal BCP planning
where it's about a power outage
or some sort of event in your server farm.
It might have a different thought process
around what's most important when it comes to, it'll come back, it'll just take six hours
to decrypt, you know, and then you sort of have those discussions.
Yeah, it is interesting.
I find that how often I suppose it's easy for people to overlook the time factor that,
you know, even when we were in the mode of advocating for having good, robust backups,
that those backups aren't going to just restore themselves instantaneously.
That takes time.
Yeah, and I think, in all honesty,
that could be sort of a bit of a failing on us as security professionals
because maybe we don't think about that.
We just think about backups, check, do the backups work?
Yes, good, tick box, next problem.
We don't think about the poor server admin
who's got backups, yes,
but he's got 400 servers to restore
and everyone's screaming at him.
Maybe we haven't considered the personal aspect to this.
And that's the part that I find the most interesting
is the human aspect of what we do
as either criminals or defenders.
It's, yeah, those situations where it's, yes, you've got keys
or you've got backups, but that's going to take time
and have we budgeted for that?
And that's where it does come down to a realistic discussion
around what's it going to – it could take us three or four weeks
to get everything back online.
What's that going to cost us as a business,
even if we've paid the X hundred thousand dollars,
X million dollar ransom,
or it'll take us this long to rebuild from scratch
and we'll lose a week's worth of data.
Maybe there's a discussion to have there
because I think, yeah,
we maybe have just been discussing it,
as you say,
from a more of a technical point of view of,
yes, we have backups, that's all fine.
I think there's deeper chats to be had there.

What sort of advice do you have for organizations to protect themselves against this?

Well, block RDP would be a good starting point. Honestly, if you can block RDP or put it behind some sort of second factor or some sort of authentication gateway, you'll be ahead of a lot of people.
Because while some of this stuff is definitely targeted and they pick their targets based on who is the most likely to pay up because they have either regulatory authorities on their back or they have, you know, maybe critical to life functions, that sort of stuff,
Some of this stuff does seem to be more opportunistic, which will be more around the, well, let's
just see what we can get access to and then see if it's worth our time to encrypt them
all.
So by not being on that list, either don't show up in the Shodan search or, you know,
don't be in a database dump or, you know, change your passwords, that sort of thing.
You will see a lot of these people just move on
to someone else. A determined
attacker is still going to be able to,
there's a lot of ways to
skin a cat, right? So if someone really
wants into your network, they're probably going to get
in eventually. But in one of these
cases here, it's just a case of they just want to get
access to anything, to anyone who might
pay up. So just make it a little bit harder
for them.
Obviously, proper email sanitization, that sort of stuff works really well. You know, detonate all your incoming documents in some sort of sandbox to see if they go off, if they're doing anything strange. Standard security provisioning around, you know, don't run as admin, app whitelisting, et cetera. Again, things that are very easy for us as security professionals to say, but trying to deploy app whitelisting on a large enterprise is, as we all know, quite a beast in and of itself. But if you can move towards that, you're doing pretty well, I think. But yeah, a lot of times, honestly, it is just literally put something in front of your RDP or block your RDP and then use two-factor on your OWA. Honestly, it's really simple things to make you not be at the top of that infection curve, as it were, and make them move on to someone else.

Do you think there's any advantage to encrypting all of your data at rest so that if these folks get their hands on your data, it's encrypted, if they publish it, there's really nothing to be gained from it?
Yeah, I mean,
see, that's a very good question
and it's a little bit hard to sort of say
categorically because
yeah, if you encrypt all your data
and they get it, yeah, 100%,
it's going to be just maths,
it's going to be entropy, that's all they're going to look at.
But a determined attacker who's got enough access to your systems to get that data, you could say they have access to the means to decrypt it at the same time.
You know what I mean?
So if you're on a system as admin or a system privileges
and that has some involvement in the encryption or decryption
of those data at rest, you're going to be able to decrypt it anyway.
So yeah, it will definitely put a hurdle in place.
But I think, again,
if it's a sufficiently determined attacker,
we'll be able to sort of subvert that anyway.
We see that a lot with things like with the BEC stuff
where these emails are arriving at suppliers or vendors
that SPF and DKIM ticked
and they've got digital signatures tick
and the invoice looks exactly the way it should, et cetera,
because they're literally in that person's system
generating all this information and the emails through their mail client.
So all these little technical ticks that we put in place
to say, yes, this is legitimate, it'll tick on all those boxes
because it is literally legitimate.
It's just not that person using that laptop to do it.
It's someone else.
Right, right.
It's like that old horror movie where they call and they say,
you know, the call is coming from inside the house.
It's literally what it is.
And it's why it's so insidious because, you know, again,
we've sort of said, listen, if the little padlock is there
and the address bar is green, yeah, that's fine.
Or if it's got the tick here or whatever,
it's passed some sort of technical check to say that, yes,
this is a legit document or a secure site or whatever,
these sort of positive security affirmations, as it were.
We've said, if you see these or if these things happen,
then it's all good.
The problem then becomes is when the bad guy can subvert that trust
and use it against us to say, well, yeah,
everything's good about this email,
except it wasn't that person sending it.
Again, our trust model is completely broken down
because we trust all these technical indications
that things are all fine.
So that's what makes a lot of this stuff insidious.
It's a hard one because we've taught people that, yeah,
if all these things say, yes, it's all good, then trust it.
But maybe we shouldn't.
Yeah, that's a really interesting
insight. It's hard, right?
Yeah, it is. Oh, it absolutely
is. It absolutely is. And I think
that's a big part of why
you can't sort of
shame the victims here.
No, 100%.
They're doing their best.
Yeah, 100%. And that's sort of, even
if I'm not professionally involved,
if I'm just, you know, if I have a friend in a business
who's doing this sort of, who's getting victimized,
say, by a ransomware at various levels,
my advice to my friends is always,
if you do pay up, that's cool.
That's on you.
You know, like I would advise not doing it,
but, you know, your business is your business.
Don't tell anyone.
You know what I mean?
Like, you just, you came across some keys
or you managed to, you know,
find some sort of way to decrypt it.
Whatever your story needs to be,
but your business is your business
and you haven't got to tell the world
because, yeah, people do like to victim shame.
But I think it's maybe a situation similar to what we used to see, again, with BEC, with business email compromise, where people didn't want to say that they were victimized, that they didn't want to say that they'd lost, you know, four hundred thousand dollars to some scammer, because they're embarrassed or it might hurt trust in their business or whatever like that. But now, right, you know, I'm in front of groups of people and say, well, who here has had an issue, and hands go up across the board. Everyone's going, yep, we lost 20 grand, yep, we lost 80 grand, or we almost lost $400,000.
You know, everyone's had an experience with this now.
So that sort of shame element has gone out of it
because, yeah, we used to think,
some people used to think, you know,
oh, you'd have to be a real fool to fall for one of these scams.
And that is no way the case at all.
You know, these attackers, be they ransomware or BEC or whatever, they've been doing this just as long or longer than we have as defenders.
You know what I mean? So we have to sort of respect the adversary in a way. And yeah,
victim shaming is not going to help anyone. It's the worst thing we can probably do.
Our thanks to Alex Tilley from SecureWorks for joining us.
The research is titled Ransomware Name and Shame Game.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.