Over the past few years, the rise of destructive and costly ransomware attacks has prompted the US government to take action against the largely Russia-based threat actors behind them. At the same time, ransomware has been a major driver of growing corporate cybersecurity budgets as organizations grapple with an often crippling threat.
Despite policy measures and increased private sector spending to slow the pace of attacks, ransomware remained a major topic at this year’s RSA conference. Experts at the event stressed that Russian state-tolerated criminal actors are not the only ransomware threat to fear, and that ransomware attacks are not diminishing despite intensified efforts to nip them in the bud. The same actions taken to disrupt ransomware activity could also end up forging alliances between financially motivated threat actors, producing hybrid attacks that combine social engineering with the scale and sophistication of ransomware.
Iran is a ransomware innovator
Speaking at RSA, Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike, said Iran was a ransomware innovator with its SamSam ransomware. He noted that it was an Iranian group that attacked the city of Atlanta and the state of Colorado with this malware, and that it was Iran that first introduced “big game hunting” at scale.
“Not just trying to target a system within a network and locking it down, but really intruding and then deploying ransomware all over the network to try to get as big a ransom as you can get. That is now the view of all the other gangs like REvil, LockBit and others,” he said. “One of the things the Iranians do, and we also see this in the criminal space, is leaking data to harass organizations,” Alperovitch said.
Ransomware attacks continue to rise
Sandra Joyce, executive vice president and head of Mandiant Intelligence and Advanced Practices, said it’s misleading to think ransomware attacks are declining, a common misconception following Russia’s invasion of Ukraine. “If you look at Q1 year over year and Q2 year over year, you’re going to see a very big increase,” she said.
“I can tell you that at Mandiant we have seen a spike in the last week and a half.” Joyce pointed in particular to victims posted on shame sites, “where if you don’t pay, and frankly at times when you actually pay, threat actors will dump your data there.”
Sometimes ransomware itself is not even a factor in these attacks. “A lot of what we measure for ransomware is intertwined with data theft and extortion, and there may not be a need to deploy malware at all,” Joyce said. “And we’ve been anticipating for some time that these attacks might have nothing to do with malware. It might just be extortion and data theft, and that’s also measured as ransomware. So the thing to think about is a lot of what’s happening in the ransomware space, with or without malware, is a tactic to evade sanctions.”
REvil returns from the dead
But the ransomware news isn’t all bad, Alperovitch said. “We had good news on the ransomware front. In January, a month before [Russia’s invasion of Ukraine], the Russians took action against 14 individuals who were part of this group, REvil, which was responsible for some of the most publicized attacks last year.”
More recent developments have undermined even this positive point. “Problem solved, right?” said Alperovitch. “Well, not so fast. The little thing called the war happened, and that, of course, caused a breakdown in communications between the US government cyber teams and the Russian cyber teams. It’s understandable.”
“What you’re seeing now are statements from lawyers for these individuals in Russia saying, ‘Well, it turns out the United States isn’t providing any information that we can…use in the prosecution of these individuals. [Prosecutors] should just drop the charges and let them go.’ We don’t know if that’s ever happened.”
As a result, the prolific threat group is coming back to life in what Alperovitch called an incredibly resilient ecosystem, one that distributes responsibility among many specialized actors within the group. “One of the things we’re seeing now is that REvil is starting to come back. Some of their Tor sites and networks have come back, and we need to watch that very closely.”
Costa Rica ransomware attack is a cautionary tale
The recent ransomware attack in Costa Rica, which cost the country hundreds of millions of dollars in lost productivity and saw the Conti ransomware attackers call for the overthrow of the country’s government, highlights the enduring destructive power of ransomware. Matt Olsen, assistant attorney general for national security at the US Department of Justice, said the attack on Costa Rica was probably not a deliberately targeted operation but rather a case of runaway ransomware.
Olsen said the attack in Costa Rica was a possible “spillover” from the operations of a Russian ransomware group. “When you look at what happened with NotPetya, where the Russian attack was really focused on Ukraine, it was sort of a fake ransomware attack. But it immediately spread outside of the borders of Ukraine. That’s the nature of these types of attacks. They don’t recognize national borders. I think it’s a cautionary tale where you see there’s every reason to believe that Russia will expand its reach to countries and places using groups that will help it achieve its goals.”
Ransomware and BEC players could converge in the next year
Two of the top financially motivated cyberattacks, ransomware and business email compromise (BEC), have grown in parallel over the past five to six years, even though “they are on completely opposite sides of the cybercrime spectrum” in terms of sophistication, Crane Hassold, director of threat intelligence at Abnormal Security, told conference attendees.
Ransomware is a highly concentrated specialty with a centralized ecosystem. Almost two-thirds of all ransomware activity between 2020 and 2021 could be attributed to just three ransomware groups, Hassold said. “Right now, over 50% of ransomware activity is attributed to Conti or LockBit.”
BEC, on the other hand, is carried out by thousands of actors with little central direction, mostly in West Africa, Nigeria in particular. Despite these differences, Hassold believes ransomware actors will gravitate towards BEC over the next 12 to 18 months, primarily because government authorities are making it harder for ransomware gangs to get paid in cryptocurrency. “The frictionless environment that cryptocurrency transactions used to provide will start to disappear, and it will be much more difficult to carry out these transactions for more malicious and illicit purposes,” he said. “Because of this, the overall ROI, the overall effort required to complete these transactions will begin to create diminishing returns for threat actors.”
Ransomware players “are going to pivot elsewhere to make money, and in my view, what we could see in the next 12 to 18 months is this essential convergence of ransomware players and the BEC space to create this sophisticated hybrid social engineering attack that essentially takes [on] the scale and sophistication of ransomware.”
Copyright © 2022 IDG Communications, Inc.