Data-Leaking Extortionists’ Revised Playbook Goes Way Beyond Ransomware
Ransomware gangs have increasingly been trumpeting leaks – and auctions of stolen data – via dedicated data leak sites. (Image: ISMG)
When organizations get hit by crypto-locking malware, preceded by data exfiltration, is it right to still label these incidents as being just ransomware attacks?
Ransomware-wielding attackers keep expanding their horizons. Focusing on the crypto-locking malware alone, or even labeling this “cybercrime” – as opposed to just crime – too often misses the big picture, including the full repercussions of such attacks, says Raj Samani, chief scientist at McAfee.
“Crime has evolved and crime is now becoming more digitally dependent, and ransomware – what we used to call ransomware – now just comes under this category of crime,” he tells me. “Because it’s not a ransomware attack – it is an intrusion of a computer network, and that intrusion then leads itself to data exfiltration, which in turn also includes ransomware, which then in turn also leads to extortion. … Ransomware is just part of the bigger attack.”
Underlying Samani’s analysis is the fact that crime keeps changing. Last November, for example, in an extortion twist, the Maze ransomware gang began leaking stolen data to try to force non-paying victims to cough up a ransom payment – payable in bitcoins, naturally. About a dozen gangs have followed suit, trying to name-and-shame a victim by posting their name on a leaks site, then leaking samples of stolen data, and if a victim still hasn’t paid, dumping all of the stolen data to serve as a lesson to future victims (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).
Data exfiltration has rewritten the rules of the ransomware game. But if there’s one rule of that game, it’s that nothing stays static.
In the early days of ransomware, attackers who used it were widely ostracized even on cybercrime forums because of the perceived detrimental impact on society such attacks so often have – aka the “what if your ransomware infects my grandmother’s PC and she loses everything?” scenario.
Ransomware also had a reputation for being used by less-skilled, smash-and-grab attackers, who would spam out ransomware downloaders and have them automatically crypto-lock whatever systems they might touch.
One Crime Constant: Evolution
But crime always evolves. And many more organizations are now being hit by more advanced attackers wielding not just ransomware, but also some of the aforementioned, innovative new twists designed to help maximize their chance of seeing an illicit payday.
These more advanced attackers’ MO frequently involves picking targets with greater care and shopping on cybercrime forums for working remote desktop protocol access credentials – already stolen or brute-forced by others – to find organizations that look like good targets.
Raj Samani, chief scientist at McAfee, discusses why attacks labeled as being “ransomware” increasingly don’t capture the full crime picture.
When more advanced attackers gain remote access to a victim’s network, they may spend weeks or months exploring it in depth, trying to escalate privileges to take control of Active Directory, as well as seeking systems that store valuable or sensitive information. They can exfiltrate such data for future sale via cybercrime markets – especially if it includes personally identifiable information or payment card data – or via dedicated leak sites that have been created by Maze, REvil – aka Sodinokibi or Sodin – and others.
Finally, attackers might use their Active Directory access to push ransomware onto every possible endpoint in an organization. Or the original attackers might stop after exfiltrating data, then sell the access and administrator credentials to less-skilled attackers, who might use the access to unleash ransomware.
Throughout the process, attackers might also have given themselves multiple ways to regain remote access to the hacked organization’s network, which can allow them to spy on victims as they discuss how they plan to respond (see: Nefilim Ransomware Gang Tied to Citrix Gateway Hacks).
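Two of the stages described above leave traces a defender can look for: a successful RDP logon that follows a burst of failures from the same source address, and a host whose outbound traffic suddenly dwarfs its own baseline. The following Python script is an added illustration written for this article, not code from ISMG, McAfee or any of the gangs named; the Windows Security event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP) are real, but every log record and byte count in it is constructed, and the thresholds are arbitrary starting points an analyst would tune.

```python
"""
Toy detector for two stages of the intrusion chain described in the article:
(1) RDP brute force that ends in a successful logon from the same source IP,
(2) a host whose daily outbound byte volume jumps far above its own baseline.
All records below are constructed for this example, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# --- Constructed Windows Security log extract ------------------------------
# Fields: src_ip, host, user, event_id, logon_type, timestamp (ISO 8601)
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP.
LOGON_EVENTS = [
    # twelve password failures against FS01 within one minute (constructed)
    *[("203.0.113.7", "FS01", "administrator", 4625, 10, f"2020-06-01T02:00:{s:02d}")
      for s in range(0, 60, 5)],
    # ...followed a few minutes later by a success from the same address
    ("203.0.113.7", "FS01", "administrator", 4624, 10, "2020-06-01T02:03:40"),
    # a single typo by a legitimate user, then a normal logon (benign)
    ("198.51.100.4", "WS22", "jdoe", 4625, 10, "2020-06-01T09:10:00"),
    ("198.51.100.4", "WS22", "jdoe", 4624, 10, "2020-06-01T09:10:20"),
]

# --- Constructed per-host daily outbound byte totals (oldest first) ---------
# FS01's last day is ~40x its usual volume; WS22 is within normal variation.
OUTBOUND_BYTES = {
    "FS01": [1_200_000_000, 900_000_000, 1_100_000_000, 1_000_000_000,
             1_300_000_000, 1_000_000_000, 800_000_000, 41_000_000_000],
    "WS22": [200_000_000, 300_000_000, 200_000_000, 250_000_000,
             200_000_000, 300_000_000, 200_000_000, 350_000_000],
}


def find_bruteforce_successes(events, min_failures=10, window=timedelta(minutes=30)):
    """Return (src_ip, host, user, success_ts) for every successful RDP logon
    preceded by at least `min_failures` failed RDP logons from the same
    source IP to the same host within `window`."""
    by_key = defaultdict(list)
    for src, host, user, event_id, logon_type, ts in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        by_key[(src, host)].append((datetime.fromisoformat(ts), event_id, user))

    hits = []
    for (src, host), records in by_key.items():
        records.sort()                # chronological order per source/host
        failures = []
        for ts, event_id, user in records:
            if event_id == 4625:
                failures.append(ts)
            elif event_id == 4624:
                recent = [f for f in failures if ts - f <= window]
                if len(recent) >= min_failures:
                    hits.append((src, host, user, ts.isoformat()))
                failures = []         # a success resets the failure run
    return hits


def find_outbound_spikes(daily_bytes, factor=10.0, min_baseline_days=5):
    """Flag hosts whose most recent day's outbound volume is at least `factor`
    times the median of the preceding days. Returns {host: ratio}."""
    flagged = {}
    for host, series in daily_bytes.items():
        if len(series) <= min_baseline_days:
            continue                  # not enough history for a baseline
        baseline = median(series[:-1])
        if baseline > 0 and series[-1] >= factor * baseline:
            flagged[host] = round(series[-1] / baseline, 1)
    return flagged


if __name__ == "__main__":
    for src, host, user, ts in find_bruteforce_successes(LOGON_EVENTS):
        print(f"RDP brute force succeeded: {src} -> {host} as {user} at {ts}")
    for host, ratio in find_outbound_spikes(OUTBOUND_BYTES).items():
        print(f"Outbound volume spike: {host} sent {ratio}x its baseline")
```

Both checks are deliberately simple: a single ratio against a median baseline, and a fixed failure count inside a time window. In production the same logic would run over SIEM-normalized events rather than tuples, and the outbound check would usually be split by destination so that a backup job to a known address does not drown out a transfer to an unfamiliar one.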
Prelude to Shakedown
Ransomware-wielding attackers’ main goal is to get paid. Pay us, they promise, and we’ll leave you alone and give you a decryptor to restore crypto-locked data. Whether these decryptors work, or work well, and whether criminals honor their promises, varies by gang. So too does the shakedown strategy, as more gangs have taken to leaking data to increase the psychological pressure to pay (see: Ransomware Reminder: Paying Ransoms Doesn’t Pay).
Samani says gangs’ adoption of data leaking was likely driven by fewer victims paying, or paying as much as attackers were demanding.
As that highlights, crime gangs keep experimenting with new shakedown strategies. The Ako gang, for example, has been demanding multiple payoffs – one to delete stolen data and another to furnish a decryption tool. Others refuse to negotiate the price of their ransom demand.
Or take the REvil gang, which has been testing auctioning stolen data to the highest bidder when victims don’t pay. Lately that includes making hay with a celebrity law firm from which it allegedly stole data pertaining to Lady Gaga, Nicki Minaj, Mariah Carey and LeBron James (see: Ransomware Gangs Go ((Lady)) Gaga for Data Breaches).
Data Breach Notifications
As that episode demonstrates, attacks involving ransomware increasingly also mean data breaches, and that can trigger a host of notification rules – across all U.S. states and beyond – if personally identifiable information may have been exposed. Under the HIPAA healthcare regulation in the U.S., for example, if it appears that any patient data was exposed, organizations must report the breach to regulators.
In Europe, under the EU’s General Data Protection Regulation, privacy regulators can investigate victims to ascertain whether they had the right people, processes and procedures devoted to safeguarding PII. If not, the organization could face steep fines.
Again, ransomware is now often only one component of a more sophisticated criminal play. Any organization hit by crypto-locking malware also faces the prospect of having to repair an expertly hacked network in which the attackers may still be camped out. Plus, it faces the threat of data having been exfiltrated, followed by rolling leaks – not to mention data breach reporting obligations and what could be a lengthy and expensive incident response process.
Hence, a ransomware attack is so often just one piece of a much bigger, criminal picture that’s growing uglier by the day, no matter how you might define it.