Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays


Gangs Tap Cheap But Powerful Cybercrime Services, Threaten Further Data Dumping

Ransomware gangs are tapping inexpensive tools such as “RDP Brute” to help take down bigger targets (Source: AdvIntel)

Targeted ransomware attacks continue to increase as gangs seek to obtain bigger ransom payoffs from larger targets, security experts warn.


While attacks against individuals and mom-and-pop shops persist, today’s more prized targets are big businesses with deep pockets, John Fokker, head of cyber investigations and red teaming for McAfee Advanced Threat Research, tells Information Security Media Group (see: Ransomware Attacks Growing More Targeted and Professional).

“The news is dominated by larger corporations being breached, and what we see is that they charge a lot more money, so the ransom [demand] is much higher,” he says, as is the demand for services that can help attackers gain and maintain access to these networks.

Services Support Cybercrime Economy

These cybercrime services include a host of “adjacent services that form that whole chain to commit cybercrime, or to help facilitate for instance ransomware,” Fokker says, highlighting such tools as macro builders, designed to infect endpoints with information-stealing malware; crypting services that compile malware executables to make them more difficult for security tools to detect; as well as precompiled lists of administrator credentials for different businesses that have been stolen by info-stealers.

John Fokker, head of cyber investigations and red teaming for McAfee Advanced Threat Research, says ransomware attackers are increasingly targeting larger organizations.

Some underground actors provide purpose-built tools that have been widely adopted by ransomware gangs. For example, the actor known as “z668” maintains RDP brute-force pen-testing software called RDP Brute, which he says has been very popular with ransomware gangs, for gaining remote access to corporate networks (see: Ransomware Gangs’ Not-So-Secret Attack Vector: RDP Exploits).
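The RDP brute-force vector described above is one defenders can watch for directly in Windows Security logs. As an added example, not part of the original article or any tool it names, the following script scans constructed records modelled on event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) and flags any source address that accumulates a burst of failures inside a sliding time window; the field layout, addresses and user names are all assumptions made for the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4625 (failed logon).
# Logon type 10 is RemoteInteractive, i.e. an RDP session attempt. All values are made up.
SAMPLE_EVENTS = [
    "2020-03-10T08:00:01 4625 LogonType=10 User=administrator Src=203.0.113.5",
    "2020-03-10T08:00:02 4625 LogonType=10 User=admin Src=203.0.113.5",
    "2020-03-10T08:00:03 4625 LogonType=10 User=backup Src=203.0.113.5",
    "2020-03-10T08:00:04 4625 LogonType=10 User=sqlsvc Src=203.0.113.5",
    "2020-03-10T08:00:05 4625 LogonType=10 User=helpdesk Src=203.0.113.5",
    "2020-03-10T08:15:00 4625 LogonType=10 User=jsmith Src=198.51.100.9",
    "2020-03-10T08:16:00 4625 LogonType=2 User=jsmith Src=127.0.0.1",
    "2020-03-10T09:30:00 4625 LogonType=10 User=jsmith Src=198.51.100.9",
]

def parse_event(line):
    """Turn one constructed record into (timestamp, event_id, logon_type, user, src)."""
    ts, event_id, logon, user, src = line.split()
    return (datetime.fromisoformat(ts), int(event_id),
            int(logon.split("=", 1)[1]), user.split("=", 1)[1], src.split("=", 1)[1])

def rdp_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: failed_count} for every source that reaches at least
    `threshold` failed RDP logons inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = {}
    for line in sorted(lines):    # ISO timestamps sort lexically, so this is time order
        ts, event_id, logon_type, _user, src = parse_event(line)
        if event_id != 4625 or logon_type != 10:
            continue              # keep only failed RemoteInteractive (RDP) logons
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

if __name__ == "__main__":
    for src, n in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {src}: {n} failures within 5 minutes")
```

A single remote address cycling through several account names in seconds, as in the sample, is the pattern a threshold like this is meant to surface; a user mistyping a password twice an hour apart is not.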

Of course, there’s long been a cybercrime service economy supporting attackers. So, what’s changed?

“We’ve talked about [the] specialization of cybercriminals offering these tools for forever now, but it does seem like they’re becoming more common, and they’re becoming quite cheap,” Liv Rowley, a threat intelligence analyst at Blueliv, tells ISMG (see: From Cybercrime Zero to ‘Hero’ – Now Faster Than Ever).

“You can buy some of the top-named information stealers right now for $85 ... and that’s one of the best ones out there,” she says. “So it’s definitely becoming a more accessible market.”

‘Human-Operated Ransomware’

Driven by the promise of a bigger payday, more gangs have been availing themselves of such tools, which help give them easier access to tactics that might previously have been the domain of nation-state advanced persistent threat gangs. Some of these tactics, known as “living off the land,” resemble legitimate administrator behavior and may include gaining access to a targeted organization’s Active Directory implementation, for example, to give attackers admin-level rights and use this to better move laterally to reconnoiter networks, deactivate anti-virus tools, steal valuable data and eventually, deploy crypto-locking malware, all while avoiding detection (see: Ransomware 2.0: Cybercrime Gangs Apply APT-Style Tactics).

Microsoft labels these more manual, targeted types of efforts – in other words, less happenstance or opportunistic – as being “human-operated ransomware,” noting that attackers wielding REvil, Samas, BitPaymer and Ryuk in particular are using these tactics. But Microsoft says it has also recently seen them used by DoppelPaymer.

“The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access,” Microsoft’s Threat Protection Intelligence Team says in a new report.

Source: Microsoft

In some cases, the initial infection might be opportunistic, such as using Emotet botnets to infect endpoints with Trickbot malware, as well as malware such as Ryuk or Emotet, or using Dridex to install DoppelPaymer. But even though the ransomware might get installed, it often remains dormant and only sometimes gets activated, Microsoft says (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).

“In our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the ransomware,” Microsoft says. “In many cases, however, this activation phase comes well after the initial Trickbot infection, and the eventual deployment of a ransomware payload may happen weeks or even months after the initial infection.”

Source: Microsoft

Sodinokibi Operators Promise Data Leaking Site

Having access to better toolsets and tactics – for less cost – isn’t, however, providing gangs with the payouts they’d like to be seeing.

Apparently spurred on by the tactics being practiced by other ransomware gangs – starting with Maze, before expanding to many others, including DoppelPaymer – the operators of the Sodinokibi ransomware-as-a-service operation, aka REvil, are the latest to say that they have been finalizing a site they’ll use to name victims and dump their stolen data, unless they promptly pay a ransom (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).

“We saw it with Maze, REvil, BitPaymer: a lot of these bigger ransomware groups are using this as a leverage method and to put pressure on the victim,” McAfee’s Fokker says (see: Maze Ransomware Gang Dumps Purported Victim List).

According to a Russian cybercrime forum post shared by malware analyst Damian with Bleeping Computer, the Sodinokibi operators have been publicly musing about how to best design the system to rapidly force payments.

“[We] have some interesting thoughts about auto-notification email addresses of stock exchanges (for example, NASDAQ), which will allow you to influence the financial condition of the company quickly and efficiently,” reads a translation of the Russian-language post shared by Damian.

The Sodinokibi operators are also promising affiliates – who infect systems, then share a cut of any ransom payment with the operators – the ability to search for valuable data among stolen information, such as Social Security numbers.

Data Leaking Return on Investment: Still Unclear

But Fokker says it’s still not clear that ransomware gangs’ threat to dump data, or following through and actually leaking it, will lead to more reliable or larger ransom payments by victims.

“How this will work? Personally I think it’s a very harsh tool, but it will go blunt very fast, in all respects, because when a company files that they’ve been breached and they go through proper authorities, it kind of loses its leverage,” he says. “So I’m curious to see how this will evolve.”