This cycle has continued throughout 2020, with the emergence of the following key techniques being adopted by threat actors:
The increased prevalence of these two techniques marks a significant evolution beyond the classic automated and human-operated operational models of ransomware. Each poses new risks that defending organizations should take into account. These evolutions also raise the risk of ransomware for organizations that may not previously have considered it part of their threat profile.
Encrypting data, and thereby impacting its availability, has been the mainstay tactic of ransomware actors since the methodology first arose. However, in 2020, F-Secure has seen a pivot towards targeting the confidentiality of sensitive data within victim organizations: the data is exfiltrated and a ransom is then demanded in exchange for not releasing it into the public sphere.
Releases of this data have been observed via websites hosted directly by the threat actors, who first provide proof of the stolen data to the victim to induce payment. A notable case became public in Finland, when a threat actor released the therapy notes and medical information of patients at a psychiatric facility after the ransom was refused.
Previously, the costs related to a ransomware attack - successful or otherwise - would generally cease after containment of the threat actor. Now, data exfiltration and blackmail by threat actors mean the bills continue to rack up, even after the threat has been eradicated from the organization’s network. There is no way for organizations to mitigate the costs of data loss after it has happened: regulatory frameworks such as the EU’s General Data Protection Regulation (GDPR) or the US Health Insurance Portability and Accountability Act (HIPAA) mean that data loss will continue to cost the victim organization.
The ‘Maze Team’ threat actor was widely reported to be one of the first to popularize this technique, but more and more threat actors have been observed following suit. This includes big-name players in this space such as REvil (also known as Sodinokibi), Ryuk and DoppelPaymer, amongst others.
F-Secure assesses that this technique will continue to grow in popularity as threat actors look to maximize the revenue from each successful intrusion and organizations struggle to implement effective mitigations. In F-Secure’s consultancy engagements, data loss is often highlighted by organizations as something they struggle to implement effective controls against.
This new iteration of a common threat is relevant to the majority of organizations, and particularly important for those holding highly sensitive data covered by specific regulatory frameworks, such as the financial, healthcare and legal industries.
In stark contrast to data exfiltration, there is a new threat in the form of reported ‘rapid’ domain-wide ransomware deployments, in which ransomware is deployed across a full domain within a matter of hours of initial access to the organization. This is an evolution of previous human-operated ransomware intrusions, in which the threat actor would spend days, or even weeks, gaining access and carefully moving laterally before choosing to deploy ransomware at the most opportune time.
This rapid approach appears to be a fundamental shift in the operational model of the threat actor behind the recently reported intrusions. F-Secure assesses that the increasing prevalence of this technique is driven by the threat actors’ belief that it will deny organizations the opportunity to respond and remove threat actor access. This may be due to the actors’ experience of being identified and ejected from networks before they could deploy ransomware.
In longer intrusions it is common for threat actors to spend a substantial amount of time mapping out the victim infrastructure and disabling security tooling and backups prior to ransomware deployment. That longer model trades speed of deployment for the ability to ensure full and effective deployment of the ransomware payloads across the whole victim network.
In addition, F-Secure assesses that such an operational model will potentially allow a greater number of intrusions to be actioned per individual operative, thereby optimizing the threat actors’ return on investment. If this approach requires fewer resources, it could also make smaller businesses more attractive targets, as they may now be perceived as a worthwhile time investment for the threat actor. As a result, F-Secure assesses this new approach could raise the risk of exposure to more mature ransomware threats for small and medium-sized enterprises.
This rapid approach contrasts with the rise in data exfiltration, which is likely motivated by maximizing revenue from each intrusion and is a slower operational model overall. Factoring in the diversity of threats posed by ransomware threat actors will therefore be a more complex proposition and will require additional maturity within defending organizations.
The potential speed of these intrusions means organizations need to review their response processes and playbooks to ensure they have the agility to respond to and contain such a threat. The secure architecture and protection of critical assets will play an even more important role than usual: if the threat actor cannot immediately impact these assets, the organization gains time to respond and contain the threat.
F-Secure assesses, however, that the adoption of this new tradecraft is not entirely bad news for defenders, and in fact presents opportunities to identify compromise early and prevent damage from occurring. The data exfiltration approach requires the threat actor to perform additional malicious actions on the victim network and to spend more time there prior to deploying ransomware. Together, these give defenders more opportunities to detect an intrusion and additional time to respond and contain the threat before any impact occurs.
In the rapid ransomware deployment scenario, the speed at which the threat actor operates suggests they will likely be ‘noisier’ than usual in their malicious actions. This speed and noise are more likely to trigger defenders’ detections and alerting thresholds, providing the opportunity to detect and then respond to threats that may previously have gone undetected.
A change in the tradecraft of ransomware threat actors raises the risk of successful extortion in organizations not adequately prepared to defend against the new threats posed by this operational model. The evolution applies to a wide range of defending organizations across a swathe of industry verticals, and potentially to organizations that might not previously have considered themselves at high risk from mature ransomware threats.
F-Secure recommends that organizations assess how these evolutions affect their internal controls and response processes. As highlighted above, there are additional risks, but also opportunities for organizations to detect threats they may previously have missed.
The process of this adjustment will also be valuable experience for organizations, as the threats from ransomware threat actors and other groups will continue to evolve; assessing these changes and maintaining awareness of controls can therefore enable more agile, responsive and effective improvements to defensive posture in the future.