Ransomware gangs move to pure blackmail without encryption • The Register
US and European police officers, prosecutors and NGOs recently convened a two-day workshop in The Hague to discuss how to respond to the growing scourge of ransomware.
“It is only by working together with key law enforcement and law enforcement partners in the EU that we can effectively address the threat that ransomware poses to our society,” US Assistant Attorney General Kenneth Polite, Jr. said in a canned statement.
Earlier this month, the same topic was on the minds and lips of cybersecurity professionals at the annual RSA conference.
Ransomware and other cybercrimes, where criminal organizations extort money, “still make up the vast majority of threat activity that we see,” said Michael Daniel, CEO of the Cyber Threat Alliance, in an interview at the security event.
However, more and more cybercrime rings, still tracked as ransomware operators, are turning to data theft and extortion first and foremost – skipping the encryption step altogether. Instead of encrypting files, demanding payment for the decryption keys, and running all the infrastructure in between to make that work, it is just as effective to exfiltrate the data and charge a fee to avoid leaking it all. This shift has been under way for many months and now looks virtually inevitable.
The FBI and CISA this month warned of a lesser-known extortion gang known as Karakurt, which is demanding ransoms of up to $13 million. Karakurt does not target specific sectors or industries, and the gang has not encrypted any of its victims’ documents to hold them for ransom.
Instead, the crooks claim to have stolen data, using screenshots or copies of exfiltrated files as proof, and threaten to sell or publicly leak it if they don’t receive payment.
“This is exactly what happens to many of the victims we work with,” Sandra Joyce, vice president of Mandiant Intelligence, told The Register. “We call it multifaceted blackmail. It’s a fancy way of saying data theft coupled with blackmail.”
Some of these thieves offer discounted ransoms to encourage companies to pay early: the longer it takes to cough up the cash (or bitcoin, as the case may be), the larger the requested payment grows.
Unless it’s the lucrative business it is today, it won’t go away
Additionally, some criminal groups offer “sliding payment systems,” Joyce noted. “So you pay for what you get,” and depending on the size of the ransom you pay, “you get a control panel, you get customer support, you get all the tools you need.”
As criminals delve deeper into extortion, they rely on other tactics to force organizations to pay — like leaking stolen confidential data on Tor-hidden websites and devising other ways to publicly humiliate companies into paying for stolen documents, Joyce added. “Until it’s the lucrative business it is today, it’s not going away.”
This mirrors what the Palo Alto Networks Unit 42 responders are also seeing. Criminals post details of confidential information stolen from seven new victims per day on these dark web leak sites, on average, according to a Unit 42 investigation released at the RSA conference.
“The cyber extortion crisis continues as cybercriminals have relentlessly introduced increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this unprecedented global digital crime wave,” wrote Ryan Olson, VP of threat intelligence at Palo Alto Networks, which runs Unit 42.
More sophisticated… marketing campaigns?
Indeed, there has been much talk about the growing ransomware-as-a-service market, with malware authors renting their code to less-technical scammers for use on victims’ networks once those scammers have broken in – whether by buying stolen or leaked credentials, paying someone else to perform the intrusion, or similar means.
In fact, Conti’s internal communications leaked earlier this year showed how these ransomware gangs operate similarly to software-as-a-service startups.
Additionally, the way these criminal groups employ marketing and PR campaigns indicates a whole new level of sophistication, according to Ryan Kovar, who leads the Splunk Surge research team.
In March, Kovar’s security company released a study on how long it took ten of the major ransomware families — including Lockbit, Conti, and REvil — to encrypt 100,000 files. They found that Lockbit was the fastest; the team performed this analysis in the first place because the Lockbit gang claimed on its Tor website to have the “fastest ransomware.”
“They’ve gotten to the point where someone said, ‘We’re losing ground to other ransomware families. And we actually need to create marketing collateral to better position our ransomware as pick of the day,’” Kovar said in an interview on the sidelines of RSAC.
“This is fascinating,” he continued. “The sophistication shows that there is a competitive aspect to this that goes beyond just ‘we’re good at turning ransoms into bitcoin’.”
But still the same unpatched vulnerabilities
The rogues may have moved on to new extortion techniques and more sophisticated business models, but they exploit the same known vulnerabilities simply because they still work and don’t require much effort from the malware operators. After all, these are for-profit criminals trying to keep costs down and profit margins high.
“The way ransomware actors thrive…often stems from these known exploitable vulnerabilities,” NSA Cybersecurity Director Rob Joyce said during a panel discussion at the RSA conference.
Businesses can reduce their risk by patching these known bugs that are actively being exploited, he added. “That has to be the base,” Joyce said. “Everyone needs to get down to that base level and deal with the unlocked doors [cybercriminals] come in today.”
In a separate interview at the show, Aanchal Gupta, who heads Microsoft’s Security Response Center, agreed.
“Companies sometimes feel they need to do something unique against ransomware,” she told The Register. “And I would say no, you don’t have to do anything special about ransomware. All you have to do is protect, detect and respond the same.”
Protecting means patching your systems, and detection requires visibility across the network, Gupta added. “Because they all come through the known vulnerabilities that have been disclosed and patches are available 99 percent of the time.”
Typically, these for-profit crooks don’t enter networks through zero-day exploits, she said. “You’re not going to buy a half-million-dollar zero-day to run a ransomware attack,” Gupta noted.
Gupta and others encouraged organizations to conduct tabletop exercises so they are prepared if or when an attack occurs.
Tell the truth, even when it hurts
The public response to an intrusion must be transparent if it is to be helpful – even if it is embarrassing. This includes writing a ransomware press release in advance, noted Dmitri Alperovitch, chairman of the security-focused think tank Silverado Policy Accelerator.
“Write a press release that you put out in the event of a data leak or ransomware attack,” he said. “Have that ready, because often it inevitably takes days for people to wrap their arms around what they’re going to say publicly, and they involve far too many lawyers. Get that out of the way early so you can just fill it in in detail.”
And don’t lie. After all, businesses recover from ransomware attacks — especially if they have good backups.
But they may not win back customers’ trust unless they are transparent about what happened, CrowdStrike CTO Mike Sentonas told The Register. His company was hired to help with incident response after a “well-known media outlet was hit by ransomware,” Sentonas said.
CrowdStrike advised the company to tell the truth, “and they went and did the opposite, saying it was a sophisticated adversary and nobody could ever have stopped this,” Sentonas said. In fact, “it was a really basic attack,” he noted. “And you come out of this process a little silly.” ®
https://www.theregister.com/2022/06/25/ransomware_gangs_extortion_feature/