Foiling RaaS attacks via active threat hunting
In this Help Net Security podcast, Jon DiMaggio, Chief Security Strategist at Analyst1, talks about the characteristic of attacks launched by Ransomware-as-a-Service (RaaS) gangs and how organizations can prevent them from succeeding.
To make things interesting, Jon’s nine-year-old son is hosting the interview. Below is a transcript for your convenience.
Damien: Hi, I’m Damien DiMaggio, and today I am interviewing Jon DiMaggio, Chief Security Strategist at Analyst1.
Jon: Hi Damien. Thanks for talking with me today.
Today we are talking to Jon about Ransomware-as-a-Service and some of the bad guys behind it. Jon, can you tell us what Ransomware-as-a-Service is?
Jon: Sure, Damien, that’s a great question. So, one of the biggest issues organizations have today is ransomware attacks. Traditionally enterprise ransomware attackers will find a way to initially breach an environment. They’ll “live” in that environment anywhere from days to weeks. We’ve seen as short as three days and as long as two weeks, where the attacker will spend time in the environment using legitimate tools that are already present (“living off the land”), using dual use tools and enumerating and gaining privileges during that time.
Then they use those privileges to turn off and disable security services. This allows the adversary to stage the environment so that when they do execute the ransom payload, it’ll have the most success in encrypting and removing access to customer data. Ransomware-as-a-Service takes this one step further.
Basically, what they do is they sell access to their attacks. So they advertise on dark net forums and marketplaces. And what they do is, you can buy into the service and you can take part in the profit sharing when you help to expose a victim’s environment and they actually pay money.
So, the biggest differentiator here is you have a higher volume of attacks, you have more people involved, you have greater volumes of attacks and shorter timeframes, therefore you bring in a greater amount of profit and by sharing this profit, it’s very appealing and lucrative to cyber criminals.
Interesting. How do these groups differ from traditional ransomware bad guys?
Jon: Well, you know, it’s in the tactics that they use, Damien. One of the tactics that really stands out, and they’re not the only attackers to do it, but they are one of the first to do it, is actually making a copy and stealing the victim’s data prior to the ransomware payload execution.
The benefit that the attacker gets from this is they can now leverage this for additional income. What they do is they threaten the victim to post sensitive information or customer data publicly. And this is just another element of a way to further extort the victim and to increase the amount of money that they can ask for. And now you have these victims that have to worry about not only having all their data taken from them, but actual public exposure.
It’s becoming a really big problem, but those sorts of tactics – as well as using social media to taunt the victim and hosting their own infrastructure to store and post data – all of those things are elements that prior to seeing it used with Ransomware-as-a Service, were not widely seen in traditional enterprise ransomware attacks.
What do they do with the data once they have it?
Jon: The first thing that they do is they go through, and they find some element of it that’s sensitive. Now that could be sensitive email communications, or it could be some sort of secret “sauce” to something that the victim organization provides or does, or it could be sensitive customer information that you wouldn’t want exposed. And they’ll take a small piece of that to dangle in front of the victim to let them know that they’re serious, and they will post it publicly.
They’ll use Twitter to “socialize” the fact that they have this data, they’ll post to text hosting sites, such as Pastebin, or they’ll take screenshots of emails or documents and post to image hosting sites like 4Chan. It’s almost like a propaganda-driven campaign where they’ll really try to put out the message and spread the word that they have access to this organization’s critical information and customer data in order to entice the victim to pay. They want to make sure customers know, they specifically will reach out to customers of some of these organizations in order to increase the pressure and have the victim pay.
So, everything’s about gaining as much money and profit with Ransomware-as-a-Service groups, and they’ve just found different ways to implement and exploit victims outside and beyond traditional ransomware encryption techniques.
Should the victims pay the ransom? And if they do, does the bad guy hold up their end of the deal?
Jon: That’s a good question also. It’s really difficult… You can’t judge a victim by whether or not they pay or not. We always tell people you shouldn’t pay a ransom. If no one paid ransom, you wouldn’t keep having attackers continue these types of attacks. It takes them time, days to weeks, as I mentioned, that they have to spend doing this work in order to get a payout. So if they spent all that time and no one paid for these guys to make additional money, so…
You can’t trust that paying them is going to keep you protected. Organizations are in a bad spot when this happens, and they’ll have to make those decisions on whether it’s worth paying. But traditionally, it’s always best to not get compromised in the first place, which obviously doesn’t help an organization once that’s already happened. But just understand, just because you pay the ransom doesn’t mean that you’re going to get your data back or that it’s not going to be posted publicly later on down the road.
What can companies do to protect themselves from these types of attacks?
Jon: The best time to stop the attack is before the ransomware payload is executed. So, during that time period, those days to weeks where the adversary is staging the environment, that provides an opportunity to detect them. So, when the adversary is using legitimate administrative tools in order to further gain a foothold, that’s the time for defenders to identify it.
So, looking at administrative tool use, looking at who’s using it, looking at the times that they’re using it, looking at what they’re doing with it, all of those are things where there’s an opportunity to prevent that from happening. And we have seen defenders that actually do this well, and they do identify that there is an attack taking place, and they have successfully stopped these ransomware attackers.
But it’s all about the mindset of having very active threat hunting take place, and just not relying on tools and applications to flash red and tell you that something nefarious is going on in your organization. It’s a very proactive approach, and it’s not just looking at the bad stuff, but also looking at the good stuff that organizations need to do, the legitimate tool use.
Damien: Thanks, Jon, it’s been very informative, great job.
Jon: Thank you, Damien.