Ransomware, then and now: The change in data theft behavior

The rising number of people working from home have left more businesses at risk from ransomware than ever before. Gaps in network security, shadow IT and a greater reliance on remote communications present cyber criminals with a wealth of options for exploitation.

Every time ransomware moves out of the news cycle, someone will ask whether cybercriminals have moved on to other, perhaps more lucrative, activities.

Unfortunately, not only is ransomware alive and well, but it’s also evolving.

Ransomware 1.0

Until around five years ago, the criminals’ goal was to encrypt a victim’s files and ask them to pay a release fee. It was indiscriminate, haphazard, with a low success rate and little need for in-depth reconnaissance. A cybercriminal sent an email with a malicious link and hoped an unsuspecting employee opened it to infect their system. Just about anybody could use a pay-to-play service to carry out these attacks. Threat actors sell ransomware kits online for as little as $1,000, while others don’t even ask for an up-front payment, but instead require a cut of the profits.

But as cyber defenses became more sophisticated, so too did the attackers and their methods. We saw the advent of WannaCry and NotPetya using advanced exploits to spread peer-to-peer.

While these attacks were devastating for any business unlucky enough to get infected, it was still hit and miss as to whether or not the victim would pay up.

For instance, even though Maersk suffered up to $300 million in losses to NotPetya, it did not pay a single penny in ransom. Furthermore, despite more than 200,000 machines ending up infected with WannaCry, it was reported that the attackers only made off with around $386,905 based on Bitcoin’s value in December 2019.

To ensure that their efforts have a greater chance of earning them a substantial amount of money, cyber criminals are changing their tactics again, focusing on what we like to call big-game ransomware.

The rise of big-game ransomware

In contrast to Ransomware 1.0, big-game ransomware attacks are well planned, targeted and have a greater chance of earning the perpetrators money.

The techniques are stealthier: threat actors will silently gain high-level access to Active Directory (aka “the keys to the kingdom”), which enables them to go wherever they like and do whatever they like on the system. They can steal information and sell it to the highest bidder later, while at the same time sowing the seeds of a ransomware attack. In this way, once the ransomware is activated, if a business doesn’t pay the rasom the threat actor can still turn a profit by selling the data. Some may even be unscrupulous enough to sell the information regardless, earning them a double pay day or will simply release it on to the dark web.

There are now many new ransomware strains that steal data before encrypting it, such as Maze, Snatch, Zeppelin and REvil. Recently, the gang behind the REvil ransomware attacks started auctioning off stolen data following the reluctance of one victim to pay up for their data.

Mitigation and recovery

With any type of ransomware, but especially big-game ransomware, prevention is more effective than the cure. First, businesses need to know exactly where all their sensitive data is kept and restrict access to it to only those that need it. Employing a least privilege approach will ensure that if cyber criminals do manage to access the network, their scope for lateral movement will be limited.

Firms also need to put in place contingency plans about what to do in the event of a ransomware attack. This should cover how employees can continue working and deploying a team to prevent the ransomware causing more damage and remove it from the system.

Sound backups are key to any contingency plan. To ensure that the right files are recovered, businesses should consider tracking file system activity, so that they know what the ransomware encrypted and when. In this way recovering corrupted files is relatively straightforward. Automation is also key, as the race is on to prevent ransomware from spreading and encrypting files, once your organization is infected. Reduce access to sensitive data by placing least privilege controls around this data and put processes in place to automatically detect unusual activity and shut down compromised accounts as quickly as possible to limit damage.

While a business tracks file activity, it should also monitor and then analyze activity logs, especially those on critical data stores. Automation can ensure this is achieved accurately and in real-time, alerting the security team to any anomalies that indicate an attack.
Businesses must assume that at some point they are going to be a ransomware target and prepare accordingly. If they don’t, reclaiming the keys to the kingdom could cost them a king’s ransom.