Over the past year or so, ransomware gangs have been changing up their game. The focus has been largely moving away from classic ransomware tactics, as they have found new ways to extort money from their victims. The days of a flashy notice in your web browser, or desktop image, seem to be a thing of the past, and the new tactics employed by these criminal organizations are doing more harm than ever. Ransomware is nothing new, but ransomware operators are all about making money, and as businesses and individuals are increasingly employing sufficient backup solutions, these gangs are having to find new ways to extort money out of their victims. In fact, I think it’s time we start calling ransomware gangs by a new name: extortion gangs.
A Brief History of Ransomware
While ransomware didn’t really take off until around 2005, the first ransomware attack was the AIDS Trojan, back in 1989. This was four years before the internet was even made available to the public, which means the attack vector had to be a little more clever than getting an unsuspecting user to click on a malicious link in an email or website. An AIDS researcher, Joseph Popp, PhD, distributed 20,000 floppy disks to AIDS researchers in 90 countries, claiming they contained AIDS research software, but they carried the ransomware as well. The ransomware did not take effect until the infected computer had been restarted 90 times; it would then demand a measly $189 to unlock the computer, or $378 for a software lease.
Even by today’s standards, the delivery method was genius. The basic idea was to utilize a trusted source, and provide an enticing lure that would ensure the victims install the software on their systems. This is very similar to modern phishing attacks utilizing the images and templates of trusted brands, like Microsoft and DHL, to convince users to input sensitive data, or enable macros on a document – which will usually then install ransomware or other malware on the victim machine. This attack definitely didn’t popularize ransomware though. In fact, ransomware didn’t start becoming a common attack until about 15 years later.
Before ransomware gained popularity, we saw all sorts of scareware. Remember the old attacks where you would get a popup that said you had malware, and you needed to call a number to have it removed? That was scareware. If you called the number, they would try to convince you to pay them to remove the “malware” from your computer. These attacks are still around, and may even lead to ransomware, but they definitely aren’t as prevalent as they used to be.
Ransomware’s popularity among cybercriminals began to really gain a foothold around 2005, and it has been increasing in popularity ever since. Originally, ransomware operators would code the encryption themselves, but as the industry has advanced, they have started using encryption libraries. More recently, we have seen ransomware gangs moving to Ransomware as a Service (RaaS) packages that allow for different plugins to be installed, extending the functionality beyond simple encryption of files, adding persistence on infected systems, and even exfiltrating sensitive data and taking screenshots.
It’s no longer about ransoms
As I mentioned earlier, I don’t call these criminal organizations ransomware gangs anymore. How can I, when a simple ransom isn’t what they are after anymore? The industry has moved beyond ransomware, to the point that we are seeing some of their attacks leaving files unencrypted. It’s all about extortion now, by any means, and that’s why I have begun calling them extortion gangs.
Sure, extortion has always been what ransomware gangs have done. They tell you that you have to pay to get your files back, and if you don’t, well then you had better hope you have backups. In 2020 we saw a significant increase in the number of double-extortion attacks taking place. Some could even be described as multi-extortion attacks, taking it further than just two forms of extortion.
The first double-extortion attack was performed in 2019, at the hands of the now defunct Maze ransomware group, and targeted Allied Universal. In this attack, Maze stole sensitive data from Allied Universal, and encrypted files across the company’s network. They then gave the company a deadline to pay the ransom, or face the consequences of their sensitive data being leaked online. The ransom demand for this attack was 300 Bitcoins, which was equal to about US$3.8 million at the time. When the company refused to pay the ransom, all of the stolen data was released online.
In 2020, the number of ransomware gangs moving to this double-extortion method grew rapidly, with 16 gangs using the tactic by the end of the year. As early as August, we were even beginning to see triple and quadruple extortion tactics, as gangs began to reach out to customers of their victims to extort them as well, and even re-extort victims after a ransom had already been paid.
By the end of the year, news had hit that Accellion’s legacy file transfer appliance (FTA) devices had been breached. No big deal, there were only about 50 of them left in operation, right? This is where size really does matter. 50 appliances isn’t a large number in today’s electronic world, but a quick look at who was using these devices shows that this was no small breach. On the list of affected victims we see names like oil giant Shell, major Singapore telecom Singtel, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, Qualys, and the list just keeps growing.
While no credit for the breach has officially been claimed, the famous Cl0p ransomware extortion gang has gained a lot from the breach. Observation would indicate that the gang was responsible for the breach, but did not bother to encrypt any files. At first, there was speculation that the encryption had failed, but the success of the attack would indicate that the lack of encryption was all part of the plan. They didn’t just hit FTA devices in a single network, they hit all active Accellion FTA devices. This was clearly not an attack where mistakes were made – it was an indication of what is coming.
Winter is coming
There are some cold and dark times coming, and we, as a society, are not well equipped to handle them. At one time, we thought data encryption was the worst thing we would encounter – or maybe it was theft of credit card numbers. It turns out we were wrong. We have learned to retain backups of important data, and to monitor and quickly report fraudulent credit card transactions. Laws have even improved slightly to support us in these endeavors. What we aren’t prepared for is for all our deep dark secrets to be out in the open.
Even if we don’t have any real secrets, there is always something that we keep hidden for a good reason. As our lives become more digital, we have more on our computers that could be catastrophic in the wrong hands. Sure, this could be credit card numbers, but it could also just be the collection of personal data that we store on our computers. For companies, it is financial data, trade secrets, copyrighted materials, and even disaster recovery plans.
We’re all doomed. Who’s flying this thing? Oh, right, that would be me. Back to work.
It’s easy to think that there’s nothing you can do about modern extortion gangs. In fact, there can be some comfort in giving in to the fact that you will eventually be hacked and hopefully not lose everything because of it. The thing is, that’s not the right solution. So, what do we do?
Now is a fantastic time to start improving your security. Sure, you may not be able to keep an attacker out forever, but why not make it as difficult for them as possible? I’ve already mentioned backups, and they are a great start. We don’t want to move away from using measures that are already benefiting us, but there is plenty more to be done if we are going to win this war against the cyber criminals.
If you don’t already, start using a password manager – and really use it. Don’t just keep your one or two passwords in there, keep all of your passwords in there. Every account should use different credentials. I currently have over 450 sets of credentials saved in my password manager, but it doesn’t feel like it, because I only have to remember computer login passwords, and my password manager password. That’s really not so bad, and gives me a giant boost in personal security.
When it comes to protecting your data, a multi-layered approach is always best. This means training anyone with access to the data to stay vigilant, and report anything unusual. This could be unexpected app behavior, emails that request sensitive information, or even someone unusual asking questions about the data. Where possible, advanced security measures like an EDR or XDR solution should be implemented, and any sensitive data should always be properly encrypted. One of the biggest factors that is often overlooked is to maintain the software you have installed. When a security update is released, install the update. If an app has the option to update automatically, enable that option.
If you do not have the resources to manage this security on your own, it is definitely worth looking into a reputable cloud provider, who will likely have proper security in place. Don’t be afraid to ask questions about security before signing on with a provider. If you’re not comfortable with them having your data, there’s probably a reason you feel uneasy.
While adversaries are always looking for new ways to update their tools and processes, so are security researchers. It’s an ongoing battle, but it is far from hopeless. If everyone does their part, and stays on top of personal and company security, we can significantly reduce the impact cybercriminals have on our lives. Stay alert, stay updated, and most of all, never give up. Ransomware is not going anywhere, but the tactics are evolving, and we will be ready for what comes next!