The recent ransomware attacks on The Guardian and the Royal Mail have served to remind us just how widespread and devastating these assaults can be. No sector is safe, with a significant volume of attacks recorded against healthcare, education and government agencies, to name a few. Ransomware is now the number one threat, according to the Cyber Attack Trends: 2022 Mid-Year Report, which found that attacks were up 28% in Q3 and described them as akin to nation-state attacks.
Our research found that the ransomware window – the time taken from the point of compromise to the deployment of the ransomware and encryption of the data – has shrunk from five days to 4.5 days over the course of the past year. This effectively means the window of opportunity to defend against an attack successfully has also been reduced, making it significantly harder for businesses to protect themselves.
We also found that the mean dwell time for ransomware has gone down – in fact, it’s halved from 22 days to 11 days – which may sound like good news but is anything but. It means attackers are becoming much more efficient, spending less time inside previously compromised or protected systems before they act.
RaaS as a Gamechanger
So, why are we seemingly losing the war on ransomware? The answer lies in the emergence of Ransomware-as-a-Service (RaaS). This has seen a move away from off-the-shelf tools like Cobalt Strike, with attackers now buying access to networks and payloads. The result is that the bar to entry has been significantly lowered, allowing less skilled attackers to carry out successful ransomware and extortion attacks.
Under RaaS, there’s now an entire ecosystem of players from the ransomware operator who creates and maintains the tools that power ransomware activities, such as ransomware payload builders and payment sites for connecting with victims, to their affiliates, who perform the intrusion, privilege escalation and deploy the payload. Any profits are then divided among the parties, making it more difficult for agencies to track and shut down operations.
A RaaS program may include a leak site for sharing bits of data exfiltrated from victims, allowing attackers to demonstrate the authenticity of the exfiltration and attempt to extort payment. Many RaaS programs also include extortion support services, such as hosting leak sites and integrating them into ransom notes, as well as decryption negotiation, payment pressure and bitcoin transaction services. Additionally, RaaS developers and hosts may profit further from the payload by selling it and running campaigns with additional ransomware payloads.
Tools of the Trade
However, it’s not just the business model that has evolved. The tools are also being continually modified. Some payload loaders, for instance, have been retired and replaced by new ones, such as ChromeLoader, and there’s every indication that groups are now collaborating over the development of these, resulting in a move away from complex botnets.
Operators continue to favor specific infostealer malware used to obtain credentials, with Formbook the keylogger of choice since 2016. However, others are gaining in popularity: Snake Keylogger, which is usually spread through emails containing DOCX or XLSX attachments with malicious macros, is now spreading via PDF files too. The Raccoon stealer dropped out of use only to re-emerge in June (V2), newly improved and with added features. We’re also seeing operators increasingly using ISO, ZIP and LNK file types to deliver Emotet, Qakbot and IcedID, bypassing Microsoft’s measures to block macro-enabled documents.
Small wonder, then, that organizations continue to fall foul of ransomware and that we’re now seeing it enter the mainstream. Even SME businesses are now deemed target-worthy, with over a quarter of SMEs in the UK hit with ransomware last year. Indeed, these businesses often make the easiest and most lucrative targets because they lack the necessary defenses and tend not to be able to get back up and running as quickly as they need to.
Fighting Back
Yet it is possible to successfully defend against ransomware. What most attacks have in common is that they exploit chinks in the armor, be that staff or unpatched systems. Aligning defenses is therefore crucial, but this is often more difficult than it sounds because it requires cultural alignment across departments as well as the alignment of resources.
Regarding detection, it’s key to monitor for specific Indicators of Compromise (IoCs), such as the deletion of volume shadow copies appearing in process or event logs. Threat intelligence on types of ransomware, their variants and their behaviors can enable the security analyst to anticipate the next attack phase. These IoCs can also trigger an automated and orchestrated response, such as endpoint agents enforcing policies or disconnecting affected machines from the network.
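As an added illustration of the detection-and-response step just described (example code, not from the original article): a small Python scanner runs shadow-copy-tampering IoCs over constructed process-creation log lines and maps each alerting host to an isolation action. The log format, host and user names, and the IoC labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation log lines (not from any real system):
# "<timestamp> <host> <user> <command line>"
SAMPLE_LOGS = """\
2023-01-10T09:12:01Z WS-042 alice notepad.exe report.txt
2023-01-10T09:13:44Z WS-042 SYSTEM cmd.exe /c vssadmin.exe delete shadows /all /quiet
2023-01-10T09:13:45Z WS-042 SYSTEM wmic.exe shadowcopy delete
2023-01-10T09:13:46Z WS-042 SYSTEM bcdedit.exe /set {default} recoveryenabled No
2023-01-10T09:20:00Z SRV-01 backupsvc vssadmin.exe list shadows
2023-01-10T09:21:30Z SRV-01 bob powershell.exe Get-Process
"""

# Command-line patterns that destroy local recovery points; each is a
# well-known pre-encryption IoC. Listing or creating shadows is benign.
SHADOW_COPY_IOCS = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    ioc: str
    command_line: str

def detect_shadow_copy_tampering(log_text: str) -> list:
    """Return one Alert per log line whose command line matches an IoC."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, host, user, cmd = m.groups()
        for name, pattern in SHADOW_COPY_IOCS:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, name, cmd))
                break  # one alert per line; the first matching IoC wins
    return alerts

def plan_response(alerts: list) -> dict:
    """Map each alerting host to an orchestrated action (here: network isolation)."""
    return {a.host: "isolate_from_network" for a in alerts}
```

In a real deployment the command lines would come from Sysmon Event ID 1 or Windows Event ID 4688 records, and the response map would be handed to the endpoint agent rather than returned as a dict.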
The ransomware war is undoubtedly seeing our adversaries become more organized, and this is a game of strategy. By aligning your approach and using threat intelligence to create a unified view, you can spot, mitigate and thwart these attacks, provided your systems know what to look for.