Ransomware world in 2021: who, how and why
Bug 
Quote:

As the world marks the second Anti-Ransomware Day, there’s no way to deny it: ransomware has become the buzzword in the security community. And not without good reason. The threat may have been around a long time, but it’s changed. Year after year, the attackers have grown bolder, methodologies have been refined and, of course, systems have been breached. Yet, much of the media attention ransomware gets is focused on chronicling which companies fall prey to it. In this report, we take a step back from the day-to-day ransomware news cycle and follow the ripples back into the heart of the ecosystem to understand how it is organized.

First, we will debunk three preconceived ideas that obstruct proper thinking on the ransomware threat. Next, we dive deep into the darknet to demonstrate how cybercriminals interact with each other and the types of services they provide. And finally, we conclude with a look at two high-profile ransomware brands: REvil and Babuk.

No matter how much work we put into writing this report, before you start reading, make sure your data is backed up safely!

Part I: Three preconceived ideas about ransomware

Idea #1: Ransomware gangs are gangs

Along with the rise of big-game hunting in 2020, we saw the emergence of a number of high-profile groups in the ransomware world. Criminals discovered victims would be more likely to pay ransoms if they could establish some form of reputability beforehand. To ensure that their ability to restore encrypted files would never be questioned, they cultivated an online presence, wrote press releases and generally made sure their name would be known to all potential victims.

But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem. From the outside, they may appear to be single entities; but they are in fact only the tip of the spear. In most attacks there are a significant number of actors involved, and a key takeaway is that they supply services to each other through dark web marketplaces.

Botmasters and account resellers are tasked with providing initial access inside the victim’s network. Other members of this ecosystem, which we’ll name the red team for the purpose of this discussion, use this initial access to obtain full control over the target network. During this process, they will gather information about the victim and steal internal documents.

These documents may be forwarded to an outsourced team of analysts who will try to figure out the actual financial health of the target, in order to set the highest ransom price that they are likely to pay. Analysts will also keep a lookout for any sensitive or incriminating information which may be used to support their blackmail tactics – the goal being to put maximum pressure on decision-makers.

When the red team is ready to launch the attack, it will purchase a ransomware product from dark web developers, usually in exchange for a cut of the ransom. An optional role here is the packer developer, who may add protection layers to the ransomware program and make it harder for security products to detect for the few hours it needs to encrypt the whole network.

Finally, negotiations with the victims may be handled by yet another team and when the ransom is paid out, a whole new set of skills is needed to launder the cryptocurrency obtained.

An interesting aspect of all this is that the various actors in the “ransomware value chain” do not need to personally know each other, and in fact they don’t. They interact with each other through internet handles, paying for services with cryptocurrency. It follows that arresting any of these entities (while useful for deterrence purposes) does little to slow down the ecosystem, as the identity of co-perpetrators cannot be obtained, and other suppliers will immediately fill the void that was created.

The ransomware world must be understood as an ecosystem, and treated as such: it is a problem that can only be addressed systematically, for instance by preventing the money from circulating inside of it – which involves not paying ransoms in the first place.

Idea #2: Targeted ransomware is targeted

The previous description of the ransomware ecosystem has noteworthy implications when it comes to the way victims are selected. Yes, criminal groups are getting bolder and ask for ever-increasing ransoms. But ransomware attacks have an opportunistic aspect to them. As far as we know, these groups do not peruse the Financial Times to decide who they are going after next.

Counter-intuitively, the people who obtain the initial access to the victim’s network are not the ones who deploy the ransomware later on; and it is helpful to think of access collection as an entirely separate business. For it to be viable, sellers need a steady stream of “product”. It might not make financial sense to spend weeks trying to breach a predetermined hard target like a Fortune 500 company because there’s no guarantee of success. Instead, access sellers go after the low-hanging fruit. There are two main sources for such access:
  • Botnet owners. Well-known malware families are involved in the biggest and most wide-reaching campaigns. Their main objective is to create networks of infected computers, though the infection is only dormant at this point. Botnet owners (botmasters) sell access to the victim machines in bulk as a resource that can be monetized in many ways, such as organizing DDoS attacks, distributing spam or, in the case of ransomware, by piggybacking on this initial infection to get a foothold in a potential target.
  • Access sellers. Hackers who are on the lookout for publicly disclosed vulnerabilities (1-days) in internet-facing software, such as VPN appliances or email gateways. As soon as such a vulnerability is disclosed, they compromise as many affected servers as possible before the defenders have applied the corresponding updates.
...