CyberWire Daily - Ransomware on repeat. [Research Saturday]
Episode Date: October 12, 2024
In this episode, Trevor Hilligoss, VP of SpyCloud Labs at SpyCloud, discusses the increasing threat of ransomware, emphasizing the role of infostealer malware in facilitating these attacks. He draws from SpyCloud's 2024 Malware and Ransomware Defense Report, highlighting how compromised identity data from infostealers creates opportunities for ransomware operators. With 75% of organizations experiencing multiple ransomware attacks in the past year, Trevor explores findings from over 500 security leaders in the US and UK, discussing the challenges businesses face and how they can use insights from this research to defend against ransomware and other cybercrimes. The research can be found here: MALWARE AND RANSOMWARE DEFENSE REPORT
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
And now a word from our sponsor, SpyCloud, the leader in operationalizing cybercrime analytics.
Traditional threat intelligence is a thing of the past.
Cyber criminals are stealing vast amounts of credentials, session cookies, and financial data every day, and it's hard to keep up.
SpyCloud is the trusted partner businesses turn to to fully understand their darknet exposure risk and neutralize threats before it's too late.
SpyCloud alerts your organization as soon as an employee or customer's data appears on the darknet, so you can act faster than bad actors to prevent cyber attacks like ransomware, session hijacking, account takeover, and online fraud.
With insights from the industry's largest repository of recaptured data, protect the digital identities and systems most important to your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what information criminals have in their hands today.
That's spycloud.com slash cyberwire.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Yeah, so this is a yearly report that we do, basically looking at what are the indicators that we can derive from our reporting, our research, our data, and what kind of conclusions
can we draw between that and maybe some ransomware
trends that we might be seeing in the broader community. And then sort of larger look at the
longitudinal nature of ransomware events over time. And, you know, what are we seeing? Are we
seeing increases? Are we seeing changes to actor TTPs, etc.?
That's Trevor Hilligoss, Vice President of SpyCloud Labs. Today, we're discussing their newly released 2024 Malware and Ransomware Defense Report.
So the story here is ransomware.
And before we dig into some of the details, I mean, can we start with some sort of a broad description?
I mean, in your mind, where do we find ourselves when it comes to this ransomware threat?
Well, we find ourselves in the same kind of place that we have been, maybe a little bit worse. There are some trends
that we don't love to see. Ransomware payments becoming a little bit more common this year over
last year. You know, there are certainly some positives, though. We've seen some fantastic law
enforcement actions on the part of the National Crime Agency in the UK, the Federal Bureau of
Investigation here in the US, and others seizing the infrastructure, putting out indictments on
the actors that are behind these groups. So I guess it is kind of a mixed bag, but we would
all like to see ransomware be much diminished, and it's pretty clear that that's not the case this
year.
Yeah. One of the things that caught my eye as I was making my way through the research here was
the prevalence of InfoStealer malware and the part that that plays in, I guess we could say,
the ransomware ecosystem. Can we touch on that? And for folks who may not be really tuned into it,
I mean, how do you and your team define InfoStealers themselves?
Yeah, that's a good question, Dave.
So InfoStealers, when we talk about InfoStealers, we're really talking about a type of malware.
This is often sold as malware as a service.
So you can think of malware as a service kind of similar to software as a service, right? Where you maybe pay a monthly subscription fee to a company that gets you access to software that has been designed by someone else.
You can use it. Maybe you can use it for commercial gain. If something goes wrong,
you have a support network. You can reach out to somebody and troubleshoot on your behalf.
And it's a recurring license. So that same model exists in the criminal ecosystem.
So when we're talking about InfoStealer malware, the vast majority of this stuff is sold
kind of on the criminal underground by malware developers to end users. And so these folks
buy access to the malware. Some of them come with kind of a built-in panel that the end user can use to, you know, look
at the proceeds of their infections and create custom builds of the malware and do other things.
Others are much more bare bones. But this really is kind of a burgeoning economy that we've seen
kind of continually grow since sort of the pre-pandemic days.
And how are the InfoStealers finding their way onto people's systems here?
I mean, what are the weaknesses that they take advantage of?
Well, it kind of varies.
We see a whole range of initial access methods, some of which are quite sophisticated.
The vast majority are not.
We see things like game cheats, add-ons for popular games pushed.
We see malvertising is kind of a significant avenue that these stealers tend to make their way onto the victim endpoints.
The goal here is really one of scale. So, you know, depending on the malware, you might look at something as a very
targeted attack where, you know, someone has some ill intent towards you specifically. And so they
develop this very sophisticated attack chain that targets you. And maybe they know, you know, what
kind of hardware or software,
what versions you're using and can exploit a vulnerability therein. Info stealers tend to
be deployed much more to whom it may concern, right? These things are staged in places where
a lot of people will come into contact with them and therefore become infected. So there's this
whole economy that
kind of supports the InfoStealer economy aimed at sorting through the data that's been exfiltrated
and identifying things that they can then either sell themselves, maybe we're talking about
an install broker that's going to sell access to, sorry, an access broker that's going to sell that
access to a ransomware
affiliate or a much lower level, you know, somebody that's interested in just stealing
some credit cards and selling those on a carding marketplace. It kind of runs the gamut
in terms of sophistication. And again, you know, as I was looking through the research here,
is it fair to say that in a lot of the cases here that these two things go hand in hand, that the info stealer can almost be a predictor for a ransomware attempt?
Maybe.
Am I overstating it a little?
Well, I don't know.
I am going to hedge my bets a little bit.
Let me actually take a step back and kind of walk through sort of the methodology here, because I think it's important to understand that, especially when
people are making big claims. So essentially what we did is we took a set of data on publicly known
ransomware events. So basically when ransomware actors are successful or claim that they're
successful, oftentimes they'll go out on a blog that they maintain or some other site and name and shame the company.
This is especially true when people don't pay.
So we pulled in that as kind of a good data set of likely ransomware events, likely successful ransomware events. And then we basically built out sort of a manifest of each one of those companies, all of their domain names that they use.
And then we took those domain names and looked within our own holdings, especially our InfoStealer
records, and kind of turned back the clock to see, you know, historically 12, 16 weeks before an event took place, before we
have information that an event took place, what was that company's or that organization's, you
know, total security posture as it pertains to information security, information-stealing malware.
And what we found was at least a correlation. We found about one third of the companies that we had in that pool of likely ransomware events had an InfoStealer infection within the prior 16 weeks.
So there's obviously a lot to unpack there.
And I'm happy to kind of go into a little bit more of the technical details of sort of why we made choices that we made.
But the top line number there,
you know, 30%, that's pretty significant. And I think it's something that certainly bears,
deserves additional research and discussion at a minimum.
Yeah. Well, I mean, let's dig into some of those details then. Can you share
some of the methodologies here that you all used?
Yeah. So let me first start with that 16-week number.
That might seem a little arbitrary.
I guess it is a little arbitrary.
But we're dealing with the date that a ransomware actor posts that something happened.
So we kind of have to infer when the actual event took place.
And in many cases, it's impossible to do that, right?
It could have been the day before, could have been the week before, a month before.
All we can essentially say with certainty is that the event took place before the actor
posted it.
So we did 16 weeks.
That does kind of break down.
There's some interesting things about, well, if it's LummaC2
versus RedLine, does that impact the date that we tend to see correlating to that ransomware event?
But the sort of big takeaway there is that an InfoStealer infection of a corporate device or
of an individual with access to a corporate environment does significantly elevate your total risk, certainly, but more specifically, it seems
to elevate the risk of a ransomware event.
We'll be right back.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Yeah, that's an interesting correlation here. And so what are the other connections you make?
Having made that connection, where does that take your line of thinking?
Well, I'll tell you where it takes my line of thinking, because I'm something of an info stealer nerd.
I've been interested in this very niche segment of malware for a long time.
My mind initially went to, is there something, is it specific to the Stealer? Do we see some
crazy difference between a modern Stealer with some very sophisticated methods, maybe a target,
something very specific that we can kind of infer that
that's a higher risk. Unfortunately, there's kind of a mixed bag. You look at the Stealers that we
identified as being significantly correlated with ransomware. Number one is LummaC2, which for
anybody that understands Stealers and has researched this segment, it's probably not a surprise.
Lumma's pretty advanced within the field of Stealers.
They've come out with some significant improvements over a lot of other Stealers.
Earlier this year, they had the Google cookie refresh that then spread to other Stealers, of course, but it started with Lumma. But then you have in the number two spot RedLine, which RedLine is a totally competent Stealer, but it's older.
It's been around for several years. It doesn't really share a lot of the modernizations that
LummaC2 has, but it has a significant user base. So that could potentially be the reason that we see it there in the number two spot.
And then number three is StealC, which we go back to, you know, a not super sophisticated
stealer, doesn't have a ton of market saturation, relatively new.
So, you know, how do I explain that?
I'm still kind of untangling my emotions on that one, I guess, Dave.
Well, help me understand kind of the InfoStealer ecosystem here.
I mean, you've alluded to it that there are varying degrees of sophistication. The high-end sports car version of an InfoStealer versus the daily driver? Do they attract
different audiences to people who have different amounts of resources to throw at this problem?
Yeah. There's a lot to unpack there. So I guess I like the metaphor there, sports car versus a minivan, maybe.
Yeah, there definitely is.
We've seen over the past couple of years, one of the things that has come out as a significant difference between Stealers, malware in general, but especially Stealers, is the method by which it exfiltrates data.
So historically, if you're looking at malware, even malware as a service that is a commodity you can purchase,
you don't have to write it yourself, there is still kind of an access cost that comes with that,
largely in the way that the infrastructure is set up.
So historically, you buy access to Raccoon, for example.
That's a bad example.
That's a centralized stealer.
But a non-centralized stealer, you would have to gain access to infrastructure.
You'll probably have to set that up yourself.
Maybe there's some guides you could follow. But it does require a little bit more technical acumen than maybe the normal person off the street would have.
These days, a lot of stealers are kind of going the opposite direction. So we see a lot of exfiltration through messaging
applications like Telegram, for example, where, you know, the actor, the end user doesn't have
to do much more than just getting access to an API key that they can use. So that certainly sort of lowers the barrier to entry
for these kind of things.
But in terms of what makes this so significant
and what makes this interesting,
I think I kind of take the perspective
of the broader ecosystem.
And when we're talking about that,
you're looking at things like install services
that can get you access to,
you know, infrastructure that's already ready made for you, ad networks, for example,
cryptors that can make it very easy to bypass things like antivirus, even very good antivirus.
And then there's sort of this whole backend infrastructure marketplace that exists after
the infections take place to sort through the logs,
pull out that interesting information, be able to market that information to other criminals that
might pay for it, for example. So, this is a very, I would call this a very mature ecosystem,
and it's one that we see constantly increasing in maturity and in scale.
What about the professionalism, for lack of a better word,
of the providers here? I mean, do they have respect for each other? Are they trash-talking
each other? How does that play out?
Yeah, good question. Yeah, you know,
there's no honor amongst thieves. I think we've seen recently, whether it's the ALPHV/BlackCat exit scamming, whether it's actors that are kind of doing their own pump and dump schemes of various degrees of success.
about criminals here, I don't think there's a ton of honor in the system. There is definitely a lot of collaboration here. I mean, we do see, for example, you know, malware as a service,
oftentimes when you purchase access to a stealer, you will get that bundled with, you know, for
example, a checker. So a checker is something that you can use to go through the logs,
the data that's been exfiltrated, and identify things of interest,
identify software wallets, crypto wallets, that kind of stuff.
And maybe you'll get a one-month free access to a checker
when you buy access to a Stealer.
I'll commonly see cryptors being bundled too. A lot of malware developers
will actually require that you use a cryptor because they don't want their build to be
compromised, uploaded to VirusTotal. So there is definitely a lot of collaboration there as it
pertains to kind of like criminal to criminal and especially, you know, financial gain. I can't
say that there's profit sharing or anything like that. We can kind of infer that that's probably happening,
but I don't have any evidence of that. But as far as
trash talking, yes, absolutely. Everybody talks trash on the
internet. Criminals are certainly no exception to that. And so it definitely
does happen, even between communities. People on breach forums
don't like people on exploit.
People on XSS might have a problem with an English-speaking telegram group.
Who knows?
It certainly does happen, and it is comical to watch.
Well, getting back to this year's ransomware defense report,
based on the information that you all have gathered here,
what are your recommendations?
What are the takeaways for folks?
Well, I think the takeaways are
certainly keep doing the things
that have been recommended
and continue to be recommended, right?
So keep monitoring for vulnerabilities,
keep patching those vulnerabilities
as they come up.
Use multi-factor authentication.
Enforce multi-factor authentication.
Make sure that you have short-lived authentication cookies.
Make sure that you have visibility into what devices are accessing your network,
certainly if you have that ability to have that visibility.
What we're recommending is kind of one step further,
which is sort of the awareness and monitoring level,
especially as it pertains to exposed information.
So a wise man once said,
the internet is forever.
I have no reason to doubt that claim.
When information is stolen,
whether it's stolen by a hacker
that gains access to a database or a
stealer that lands on somebody's endpoint, that information is out there, right? It might be that
it's not that first person, the first person that acquired that data that's going to use it
maliciously, but likely someone will eventually, right? So you can't really undo. There's no undo
button for the internet, unfortunately.
Once something is out there, it is there forever. So the best you can do is have awareness, right?
Be able to identify what data is exposed, what data about your employees, about yourself,
about your customers is exposed, and then be able to effectively create whatever controls you can to prevent that data being misused.
So maybe that's being aware of live cookies being stolen and being able to invalidate
those sessions.
Maybe it's identifying credentials that have been exposed, forcing credential resets,
prompting or forcing MFA, forcing the adoption of hardware tokens.
Those are all very good things.
And I think anything above having no idea that something happened is a great start
and will certainly do you quite well as we all try to prevent the spread of ransomware.
What's your sense for where we're headed here? I mean, it seems to me like
we might not necessarily be gaining ground
or losing ground.
It seems like a tense equilibrium
at this particular moment.
Is that a fair way to describe it?
Yeah, I think it is.
I mean, we don't know what we don't know. And I'll readily
admit, I mean, one of the problems in, or one of the things that we're aware of in our analysis
of the relationship between Stealer malware and ransomware is, you know, we only know about what
was announced publicly. Many times ransomware, you know, ransoms happen, data is exfiltrated, extortion
occurs, and never gets publicly posted, right? Whether that's, you know, somebody negotiated
something, a ransom was paid, who knows? So we don't really know the full scope of this problem.
I don't think we really ever will, because that information is just not out there.
But I think as long as this is profitable, it will happen.
You know, crime is not a new phenomenon.
Cybercrime might be kind of a brave new frontier, but crime has been happening for a long time.
And, you know, especially financially motivated crime, I don't really see that as
being something that you can just wave your magic wand and stop. I think the best thing for all of
us to do is make it as difficult as possible for these guys to be successful. And then at least if
we can raise the bar to entry, that will diminish the number of successful events and thus the
number of ransomware actors that are out there in the wild.
And that's Research Saturday
brought to you by N2K CyberWire.
Our thanks to Trevor Hilligoss
from SpyCloud Labs for joining us.
We'll have a link to their 2024 Malware and Ransomware Defense Report in the show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the
survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that
N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in
the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.