Ransomware Ratchets Up The Pressure
Ransomware attacks may have dipped slightly, but they remain a bane: 71% of companies worldwide were affected by ransomware in 2022 alone, and attacks have become harder to defend against. The ransomware window (i.e. the time from initial compromise to deployment of the ransomware and encryption of data) shrank from five days in 2021 to 4.5 days in 2022, while attacker dwell time on networks halved from 22 days to just 11. Both figures indicate that cybercriminals are becoming more efficient.
Threat actors are evolving their methods all the time, and there is plenty of evidence to support it. Here, we will look at three different attack methods used by threat actors to deploy ransomware.
FiveHands
On 23 January 2021, SonicWall released an advisory on a zero-day (CVE-2021-20016), a severe SQL injection vulnerability that lets unauthenticated attackers remotely retrieve credentials from affected devices. A threat actor exploited the zero-day (MITRE ATT&CK T1190, Exploit Public-Facing Application) as the initial access vector into the victim organisation and went on to deploy a new ransomware variant dubbed FiveHands.
Royal
First observed in January 2022, Royal differs from most current ransomware operations in that it is run by a private group with no known affiliates rather than offered as a service. The group has been found using Google ads and links planted in forum posts and blog comments, or phishing emails containing download links, to get users to fetch the malware. In another campaign, initial access is gained via “callback” phishing. In this type of attack, the threat actors send an email claiming that a subscription of some kind needs updating, with instructions to call a given number. When victims make the call, the threat actors talk them through downloading and installing the malware themselves.
Clop
Another example comes from threat actor TA505, which delivered Clop ransomware as the final payload in financially motivated phishing campaigns targeting high-profile companies. Earlier versions of Clop only deleted the volume shadow copies on the affected system before encrypting files and demanding a ransom; an updated version released in 2020 also disabled services for Microsoft Exchange, SQL Server, MySQL and BackupExec, releasing the file locks those services hold so their data could be encrypted and leaving no local backups to restore from.
We have also seen attackers moving away from botnets and towards collaborative use of loaders to deliver ransomware payloads, a variety of file types and binaries to download and launch those payloads, and re-engineered ‘infostealers’ to harvest access credentials.
Further, the Ransomware-as-a-Service (RaaS) business model has matured into a highly connected and sophisticated ecosystem of participants. RaaS is no longer just about off-the-shelf tooling such as Cobalt Strike: attackers can now buy ready-made payloads and pre-established access to victim networks, lowering the barriers to entry significantly and allowing far less skilled attackers to carry out successful ransomware attacks.
Double extortion has also become the norm for ransomware attacks, and there has been significant growth in the use of triple and quadruple extortion techniques as threat actors attempt to apply maximum pressure to their victims:
Single extortion: Victim’s files are encrypted, with attackers then demanding a ransom to decrypt them.
Double extortion: Victim’s files are encrypted, with attackers having also exfiltrated data beforehand and threatening to publish it if their terms are not met.
Triple extortion: Double extortion, with attackers also contacting the victims’ customers and partners, notifying them that some of their sensitive data is being held and is under threat of public disclosure.
Quadruple extortion: Triple extortion, with attackers also threatening to bring down the victim’s public-facing servers with a distributed denial-of-service (DDoS) attack if the ransom isn’t paid.
Indeed, as ransomware becomes increasingly sophisticated, more efficient and easier to execute, so too does it become more widespread. As a result, we’re now seeing a trend whereby smaller organisations are being targeted in ever greater numbers, with over a quarter of SMEs in the UK hit with ransomware last year.
Combatting ransomware with SOAR
With threat actors continually working to uncover new vulnerabilities and develop increasingly sophisticated strains, firms need to focus on enhancing their security across the board, spanning prevention, detection and response.
Defence in depth is vital. With a multi-layered security strategy, companies improve their chances of detecting ransomware before its deployment, and that means building beyond the SIEM to incorporate a range of solutions and processes. This is where Security Orchestration, Automation and Response (SOAR) can be extremely useful.
Today, the sheer volume of threat data can be overwhelming for security teams to manage. Even when alerts are logged in the central SIEM, security analysts still have to spend time analysing them, which demands both specialist skills and significant effort and makes it harder to quickly identify and contain a ransomware attack in progress. This is precisely where SOAR technology can help.
SOAR initially centralises all cyber incidents and supporting data in one location, correlating disparate data into contextual threat intelligence. While much of this data is collected internally, external inputs can also be incorporated from third-party sources, open-source, industry and government, and commercial providers, offering security analysts and CISOs a complete picture of the threat landscape, including evolving ransomware threats.
SOAR is also able to accelerate response times by automating investigation workflows and guiding security analysts to optimal outcomes through the use of pre-defined playbooks. With SOAR conducting much of the heavy lifting, security analysts no longer need to manually investigate every alert. Instead, they are presented with the key information and prioritised alerts with recommended actions for response.
When ransomware is identified within the business environment, SOAR ensures that security alerts are instantly and automatically triggered based on predetermined rules, enabling organisations to detect potential threats and take corrective actions early.
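To make the Clop pre-encryption behaviour described earlier (shadow-copy deletion, then stopping Exchange, SQL Server, MySQL and BackupExec services) and the playbook-driven response concrete, here is an added example in Python. It is not Logpoint's product code or any vendor's playbook format: it runs three detection rules over a handful of constructed Sysmon-style process-creation events (the event schema, hostnames and users are assumptions for the demo) and then applies a simple playbook decision, isolating a host only when several distinct staging techniques fire together within a short window and otherwise escalating to an analyst.

```python
"""
Triage ransomware pre-encryption staging from process-creation logs.

Added example, not taken from the article or from any SOAR product.
The sample events below are constructed for this demo; their fields
mirror Sysmon Event ID 1 (process creation) but the exact schema is an
assumption, not a real SIEM export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (technique name, regex over the process command line).
# The patterns cover the staging steps described for Clop: deleting
# shadow copies, disabling recovery, and stopping backup/database services.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
                re.I)),
    ("recovery_tampering",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_or_db_service_stop",
     re.compile(r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\"?"
                r"(MSExchange|MSSQL|SQLWriter|MySQL|BackupExec)", re.I)),
]

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:14:02", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-03-01T09:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2023-03-01T09:14:09", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop \"MSSQLSERVER\" /y"},
    {"ts": "2023-03-01T11:40:00", "host": "WS17", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "vssadmin list shadows"},   # benign: listing, not deleting
    {"ts": "2023-03-01T13:02:11", "host": "DB02", "user": "CORP\\dba",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop MySQL"},          # lone hit: could be maintenance
]


def match_rules(event):
    """Return the names of every rule the event's command line trips."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def triage(events, window=timedelta(minutes=10)):
    """Group rule hits per host and decide an action like a playbook would.

    Two or more distinct techniques on one host within `window` of that
    host's first hit is treated as staging for encryption and gets an
    'isolate_host' recommendation. A lone hit is plausible administrator
    activity, so it is escalated to an analyst rather than acted on blindly.
    """
    hits = defaultdict(list)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name, ev))

    decisions = {}
    for host, entries in hits.items():
        entries.sort(key=lambda e: e[0])
        first_seen = entries[0][0]
        techniques = {name for ts, name, _ in entries if ts - first_seen <= window}
        action = "isolate_host" if len(techniques) >= 2 else "escalate_to_analyst"
        decisions[host] = {
            "action": action,
            "techniques": sorted(techniques),
            "users": sorted({e["user"] for _, _, e in entries}),
        }
    return decisions


if __name__ == "__main__":
    for host, d in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {d['action']} ({', '.join(d['techniques'])}; users={d['users']})")
```

Run against the sample events, FS01 trips all three rules within seven seconds and is recommended for isolation, DB02's single `net stop MySQL` is escalated for a human decision, and WS17's `vssadmin list shadows` produces no hit at all. The window-and-count logic is the important part: a single `net stop` or `vssadmin` invocation is routine on many servers, so an automated isolation that fires on one match would generate outages of its own, whereas the combination of shadow-copy deletion, recovery tampering and service stops on one host in minutes is the sequence that precedes encryption.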
With ransomware actors using a growing variety of sophisticated techniques to extort organisations, combining SIEM and SOAR can be the difference between combatting attacks and succumbing to ransomware pressures, now making it a vital tool worth adding to the arsenal of the security team.
About the Author
Nils Krumrey is Cybersecurity Expert at Logpoint. Headquartered in Copenhagen, Denmark, with offices across Europe, the USA, and Asia, Logpoint is a multinational, multicultural, inclusive cybersecurity company. Logpoint bolsters organizations in the fight against evolving threats by giving them a single source of truth — an intuitively designed platform with the powerful capabilities needed to ensure their safety. Powered by machine learning and backed by an industry-leading support team, Logpoint’s complete cybersecurity operations platform accelerates detection and response, allowing organizations to respond to tomorrow’s threats.