Over the last six to 12 months, ransomware groups have continuously adapted their approach to maximise their chances of successfully extorting victims. Some of the most prolific ransomware groups have begun to demonstrate agility in responding to changes in the threat landscape.
Such evolving tactics, techniques and procedures (TTPs) mean ransomware attacks remain a major threat to organisations globally, even with significant investment in detection and response solutions and resources.
Some of the most notable emerging trends we have seen among ransomware groups’ TTPs include the following:
- Data leak extortion: ransomware groups are increasingly prioritising data leak extortion to maximise their profits and apply additional leverage beyond decrypting affected data.
US spirits and wines company Brown-Forman successfully detected and stopped attackers from deploying the Sodinokibi ransomware on its corporate network. However, Sodinokibi’s operators instead exfiltrated 1 terabyte of the company’s data and threatened to release it if the company refused to pay the requested ransom.
- Valuing data to tailor ransoms: some ransomware operators are specifically targeting financial data to value targets and tailor their ransom demands to victims’ revenues.
Security researchers in August reported on a new ransomware strain dubbed DarkSide. The group behind the ransomware targeted at least seven organisations in two weeks, exfiltrating their financial and accounting records to assess their liquidity before adjusting ransom demands.
- Faster “trickle down”: some capable ransomware groups have begun to adopt TTPs of more advanced actors much faster than ever before, as well as co-operating with other groups to improve their capabilities.
The operators of the Maze ransomware in September conducted an attack in which they executed the ransomware payload inside a virtual machine, an advanced defence evasion technique previously used by the Ragnar Locker ransomware group. Earlier in June, the operators of Maze and Ragnar Locker formed a ransomware syndicate with several smaller ransomware groups to provide technical support in exchange for a percentage of profits.
We outline below some of the key strategies that businesses can use to stay one step ahead of ransomware extortionists in light of their evolving approaches to targeting and extorting victims.
1. Use threat intelligence to tailor your readiness preparations
While it is true that ransomware groups are rapidly developing new tactics and capabilities, the security community is also more rapidly identifying and reporting on changes in attackers’ TTPs. Such intelligence is essential for mitigating ransomware attacks.
Firstly, technical intelligence regarding specific indicators of compromise (IOCs) can be ingested by detection and response tools to identify suspicious behaviour on the corporate network before a full-scale infection. This is a highly valuable method of defence, as highly capable criminal groups adopt more advanced TTPs, providing businesses with less time to adapt. In 2019, low-level criminal activity would take over a year to adopt advanced techniques or tools; however, Control Risks’ Cyber Response team in recent months has seen an increasingly fast “trickle down” effect with advanced TTPs.
Secondly, beyond technical intelligence, profiles and case studies of the most prolific threat actors targeting each sector or industry can help organisations anticipate the extortion tactics most likely to be used against them. Ransomware groups are increasingly focusing on identifying areas of weakness, beyond critical systems, that may add leverage to payment negotiations. By identifying these pressure points such groups may seek to leverage to extort a payment, organisations can prepare and protect the data most likely to be targeted, or create an effective response to extortive demands before an attack occurs.
2. Improve the visibility of your network
There are a variety of tools available today that can help identify and protect networks and critical assets. However, all endpoint or network detection capabilities rely on an organisation’s ability to centralise and analyse the data that each tool collects.
In order to support organisations in becoming better prepared, there are a number of helpful tools available online, such as the UK National Cyber Security Centre (NCSC)’s Logging Made Easy tool. This tool is particularly useful for organisations starting out on their security logging journey but in need of some guidance regarding their approach.
Starting or enhancing your organisation’s ability to centralise logging and identify malicious behaviour will not only help identify IOCs across the corporate network. It can also help with investigating an incident after it has occurred, as well as improving your organisation’s ability to understand the affected areas of the network, the scale and nature of any compromised data and the initial attack vector. Such information is helpful for containing and recovering from an attack, but it is also valuable when communicating with affected customers, regulators and internal stakeholders. A fast and effective way of gathering such information is often key to providing a positive and prepared response following an attack.
3. Prepare your client and regulatory engagement strategy in advance
As mentioned above, to increase their leverage on a victim some ransomware groups are increasingly focusing on information that could be used to damage an organisation’s reputation or compound financial losses.
The two most common types of data targeted and leveraged by ransomware groups such as Maze Team, NetWalker and Sodinokibi are customer data and personally identifiable information (PII) data. From an attacker’s perspective, customer data is valuable leverage as leaking it could have significant legal and reputational consequences for the victim organisation, particularly if it is a regulated entity with additional data security obligations. PII is also commonly targeted as it carries regulatory implications; stealing and leaking such information could lead to fines or additional financial impacts for the targeted entity.
Given the increasing threat to such sensitive data, it is critical that organisations prepare themselves for communicating with clients and other external stakeholders in the event of an incident. Organisations should consider how many clients would need to be notified in a worst-case scenario, and whether they are obliged to do so under legislation such as the EU’s General Data Protection Regulation (GDPR).
Once organisations are aware of their obligations and strategies, information governance and IT teams should collaborate to ascertain how long it will take them to identify the compromised data in the event of a ransomware attack. Based on these timelines, the crisis management, legal and communications teams should then define communications templates that can be tailored and used following an incident. Such preparation allows for more efficient communication with clients and external parties, while also highlighting issues that are likely to slow down the organisation’s ability to respond, such as the time it is likely to take to restore services or analyse key databases.
4. Don’t rush into making a payment
Although the addition of data leak extortion is a relatively recent tactic among ransomware groups, the logic and risks associated with paying ransoms are often the same as when dealing with any other extortive cyber attack. Namely, paying a ransom does not guarantee that your organisation’s data will be returned to you, or deleted so that it cannot be leveraged again or monetised on deep web and dark web platforms.
At a glance, the trade-off between paying a ransom and the operational, reputational or financial damages that organisations could incur by not paying a ransom can encourage them to pay. However, this decision often overlooks that there is no guarantee that threat actors will return the stolen data, destroy it or refrain from selling it to other threat actors to maximise profits. Further, under data protection regulation such as GDPR, making a payment does not reduce an organisation’s obligation to report a breach to regulators or affected parties, meaning that the organisation may suffer reputational damage irrespective of whether it paid a ransom. It is therefore essential that decision makers conduct a full review of the purpose, risks and expected outcomes of making a payment before doing so.
Aside from their individual significance, the strategies above reinforce the need for greater focus on holistic security governance that understands the technical IOCs and impacts of attacks in order to inform better decision making. If organisations can begin to bridge this gap between technology and response management, they will be in a better position to adapt to new threat actor strategies when they are identified.