Alongside the world’s digital transformation, threat actors have shifted their paradigm over the last two decades. Instead of the many individual hackers present in the early 2000s, today’s hackers work together as an enterprise with affiliate partnerships. They contain their own unique skill sets, interconnecting to close the gap in the ransomware “killchain”.
One group may specialize in reconnaissance, while another acts through social engineering, phishing, or even money laundering tactics. Individually, groups master their methods so that combined, these attacks become much more sophisticated. Influenced by the Software-as-a-Service model, a new method—appropriately known as Ransomware as a Service (RaaS)—raises the stake for its victims.
While adding to the complexities associated with RaaS, a multifaceted approach lowers the bar of entry into the ransomware business. Malicious actors with minimal experience are now capable of leveraging outside expertise to infiltrate sought-after systems. In fact, the Accellion data breach is a great example of an extortion model without ransomware deployment.
Despite the small amount of effort or expertise required from the hackers themselves, ransomware attacks generate high payouts. As a result, ransomware is rapidly increasing in popularity throughout the cybercriminal ecosystem. In fact, attacks grew by nearly 140% from 2019 to 2020. Let’s take a look at some of the most notorious groups.
Maze, which had publicly announced its retirement as a ransomware group, made headlines again when it targeted Cognizant in April 2020. Cognizant, an IT services provider, lost over $70 million after Maze caused service disruptions amongst its customers that mostly spanned across the manufacturing, financial services, technology, and healthcare sectors.
Maze introduced the three “Es” to the ransomware community: encrypt, exfiltrate and extort. While most gangs traditionally (and “simply”) encrypted victim data locally, Maze put greater pressure on targets by threatening to leak sensitive documents. Since then, other groups such as Clop, Sodinokibi, and DoppelPaymer have adopted similar infiltration methods.
Unlike other threat actors that deploy spam campaigns to obtain illegal access through email or social engineering tactics, Maze used exploit kits in drive-by downloads. Although Maze affiliates have since moved over to Egregor, we would not be surprised if Maze made a comeback. After all, it wouldn’t be the first time.
FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. We observed the signs of FIN11 in the latest Accellion breach, where the threat actor posted screenshots of some portion of the files and demanded money on Clop’s Leak site.
Despite no indication of ransomware deployment on the victims’ network, this was an extortion model that leveraged an affiliate group. Reminiscent of APT1, FIN11 is not notable for its sophistication. However, FIN11 has recently deployed the CLOP ransomware and threatened to post exfiltrated data in order to compel users to pay ransom demands.
Relatively new to the scene, Egregor follows the same affiliate model as Maze did, supporting the belief that Egregor is its successor after many of its experts moved there after Maze announced its retirement. Today, it is one of the most rapidly growing ransomware families in the cybercriminal ecosystem.
Delivery tactics change from one attack to another, though the last step of the Egregor killchain involves the delivery of ransomware. Recent signals demonstrate the attackers’ tendency to use email lures that deploy Qakbot (often referred to as Qbot) worms which then spread through network shares and removable drives.
Some of the vulnerabilities utilized by Egregor include CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player) and CVE-2018-15982 (also Adobe Flash Player).
Recently, several threat actors tied to Egregor were arrested through a collaboration between French and Ukrainian police. The French court had opened an investigation into Egregor last autumn after multiple French organizations fell victim. The police followed the Bitcoin transactions, through which the victims paid their fees.
Having earned more than $150 million since their first appearance in 2018, Ryuk ransomware has become one of the most aggressive forms of extortion. At least 32 government entities have been targeted by the Ryuk malware since then, including major cities in Georgia, Florida, Indiana and Louisiana.
As many groups did during the development of Covid-19, Ryuk targeted the U.S. healthcare sector in the second half of 2020. The killchain usually began with a phishing email followed by the BazarLoader malware which, in turn, deployed the Cobalt Strike pen-testing platform—allowing attackers to gain full control over the network.
The motivation for attacking hospitals was twofold: To gain reputation in the crisis environment caused by the coronavirus, as well as increase the leverage on ransomware payment, given the pressure hospital staff was working under.
Initially discovered in September 2019, the Netwalker strain is believed to work under the umbrella of the Russian hacker group known as Circus Spider. Also following the same affiliate model as Maze, Netwalker welcomes associated cybercriminals to join in and distribute the malware. According to McAfee, Netwalker has made more than $25 million from ransomware payments.
Proceed with Caution: Recent Attacks on Microsoft Exchange Server
Although it’s not a ransomware group itself, Microsoft Exchange-related vulnerabilities have become juicy targets of ransomware threat actors and Chinese APT groups alike. DearCry was one of the latest ransomware to utilize the ProxyLogon vulnerability CVE-2021-26855, which allows an attacker to bypass the authentication and impersonate as a system administrator.
Based on similarities with WannaCry and limited obfuscation, DearCry showcases how these vulnerabilities might become an initial entry point for ransomware. As mentioned, even inexperienced threat actors could then leverage and capitalize on this business model. In fact, there have been at least 10 nation-state backed groups that are making use of the vulnerability.
**Microsoft has released several patches for these vulnerabilities, including:
- CVE-2021-26858 and
Steps to Minimize Ransomware-Related Disruption
Organizations must mask their assets. However, once you are infected, there is little you can do other than stop the spread. With that said, more safeguards are necessary to mitigate damage after you are struck by the ransomware. That includes addressing all system insertion points, including:
- Critical open ports that provide remote access (RDP and SMB ports)
- Vulnerabilities with remote code executions
- Employees through phishing and credential-stuffing attacks
- Third-party providers including suppliers, partners and more
Critical open ports that provide remote access
In order to prevent ransomware attacks, there are several things to do aside from standard Firewall and IPS setups, especially as software that allows remote administration becomes increasingly popular. There are many types of remote administration tools and methods available such as RDP, VNC, SSH, Telnet, SNMP. Be sure to:
- Verify that only trusted IPs and/or users can access
- Use strong cryptography and security protocols
- Implement automated audit trails for all system components
Port 445 provides SMB over TCP. Vulnerabilities in SMB Listens on Port is one of the most frequent risks found on networks around the world. Over the years, there have been many security vulnerabilities in Microsoft’s implementation of the protocol or components on which it directly relies. Real-time attack tracking shows that SMB is one of the primary attack vectors for intrusion attempts. For example, the 2014 Sony Pictures attack and the WannaCry ransomware attack of 2017.
- Blocking 445 at the external firewall is relatively easy and solves many problems.
- Disable SMBv1
- If possible, block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all external boundary devices.
Vulnerabilities that allow remote code executions
This is as straightforward as it gets: patch your network. Organizations can leverage cyberintelligence and vulnerability detectors to pinpoint and notify of threats as promptly as possible. Keep in mind that it is just as important to monitor for your third parties’ vulnerabilities, especially if the vendor has access to sensitive information.
Leaked credentials are still the number one gateway hackers leverage to perform credential-stuffing attacks with automated tools. Phishing attacks are also becoming increasingly popular. Once they have the privilege to access the systems, they can find the right place to install the ransomware code. Follow these steps to ensure you’re protected:
- Monitor leaked credentials with cyber intelligence tools
- Harden cybersecurity measures on email systems
- Monitor phishing and/ or fraudulent domains that may target your employees
- Install endpoint protection
- Use additional protection on endpoints, such as systems that only allow users to download a file in a micro virtual machine