
Stop Ransomware like REvil with Managed Detection and Response

Michael K Hamilton


Ransomware is now the number one cause of loss for businesses, according to insurers. If you haven’t dealt with it, you are one of the lucky ones. One in five SMBs report they’ve fallen victim to a ransomware attack in the last two years.

In the first half of 2020, the ransomware threat has taken an ominous turn, as nation states and crime gangs change tactics to make more money. Now, in addition to encrypting your important files, some ransomware operators first exfiltrate your potentially sensitive information to themselves. That allows them to extort you twice: once to get access to your systems again and once to buy your data back. This also raises the impact from operational to (in some cases) regulatory, since the data may be ePHI or other regulated information.

Also, during the pandemic, the price of ransomware plummeted, making it easier for criminals to get their hands on the extortion-malware, and Ransomware-as-a-Service exploded. CI Security saw a jump in the number of attacks using the REvil, aka Sodinokibi ransomware. 

Meanwhile, due to the shift to remote work in March 2020 to stop the spread of coronavirus, unsuspecting employees with little to no IT knowledge or basic security awareness training went home to plug their work laptops into their home office networks, complete with commodity routers and poorly-protected wi-fi connections, elevating risks. 


REvil Ransomware and the Double-Edged Extortion Threat

Remember, the new tactic emerging is not just locking up systems and data, but also sending the data to the criminals first. In early May 2020, one hacked law firm specializing in entertainment, GSMLaw, a New York firm with clients like Madonna, was attacked by the REvil crime gang. Locking up the law firm’s data, the crime gang made their initial demand of $21 million, only to double it to $42 million after finding additional intel on President Donald Trump. 

Every company knows they are not supposed to pay the ransom – it encourages criminals to conduct more ransomware attacks and it doesn’t ensure the safe return of the company’s stolen data. In the case of the celebrity law firm, they did not negotiate because the FBI informed them that any negotiations would be illegal, due to known terrorism and nation-state ties. But companies do pay extortionists time and time again for a variety of reasons.

The new ransomware tactic criminals are using to ensure they get their payday is just more proof that you shouldn’t make a deal with a crook. Stolen data is being sold on the dark web even after a ransom has been collected, and the criminals now threaten that victims’ data will be sold via a public auction on the dark web to the highest bidder if the extortion demands are not met in time. That means additional bad press, lost business, and more fraud for victims. Knowing those costs exceed the extortion demands, the criminals are hoping the new threat will increase their chances of getting paid.

In fact, on June 9, 2020, a ransomware gang announced that their first stolen data auction was open on the dark web. They allege the data for sale is from a Canadian agricultural production company that hasn’t met their ransom demands.

With the latest research indicating that ransomware demands have skyrocketed 200% over the last three years – with the median ransom payment at $115K – what’s behind this increase and what can be done about it?

Figure: The average ransomware payment by ransomware strain. Source: Krebs on Security.


But Is It A Gang?

There are essentially three variants of ransomware actors, as partially evidenced by the chart above. There are (1) actual “gangs,” meaning organized groups that have a federated development and business framework; (2) ransomware-as-a-service (RaaS) operators that anyone can “hire” to carry out a campaign that may or may not be targeted against a specific organization, and (3) nation-state actors that use these tools to carry out operations under the guise of organized crime. Economically distressed individual actors using RaaS may be more prevalent than we think. There’s a new US Government advisory about the North Koreans.


Ransomware Prevention Now Requires Advanced Threat Detection

In offices around the world, devices and laptops that were in home offices for the past few months are coming back into the office to log into the network directly. That is the moment when cyber criminals are waiting to strike. IT teams and InfoSec leaders need to plan out how they reclaim digital field assets carefully now before allowing users to connect to the network at the office.

In the case of another law firm, the cyber criminals were paying attention to their target’s work location after getting a foothold on their laptop while it was in the home office. As soon as the law firm re-opened the office, the criminals were watching, and that’s when they decided to strike.

The full-blown attack could have been prevented. The ransomware had been there for some time and could have been detected with a strong detection and response program. Without such a program in place, you allow the criminal to do some initial intel gathering, per the MITRE ATT&CK high-level categories “Discovery” and “Collection”, via an employee’s remote access to the main network (cloud, VPN, etc.). But they don’t attack in the home office.

They wait for the first time the user logs back in at the main office in order to penetrate the main network, where the most lucrative data is stored. Recent research shows criminals dwell in the network for three days before executing the ransomware, indicating that both prevention and detection processes are key to stopping security incidents caused by ransomware.

During this dwell time, ransomware signals may include:

  • Password grinding to elevate access
  • Scanning for SMB and other network resources to identify file systems and contents for encryption
  • Command and Control communications for key synchronization or information exfiltration
  • Network based password or hash acquisition activities
  • …and more

This is your opportunity to detect, investigate, and mitigate the ransomware attack to minimize financial impacts. Because once criminals are ready to strike, that’s when parts of the company network get locked down and the extortion demands start.
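The dwell-time signals listed above are the kind of thing an MDR analyst hunts for in logs before the encryption stage starts. As an added illustration (this is example code written for this page, not CI Security’s tooling or detection content), the script below runs three simple detectors over a constructed, synthetic log: password grinding (many failed logons from one source in a short window), SMB scanning (one source touching port 445 on many distinct hosts), and command-and-control beaconing (outbound connections to one external address at suspiciously regular intervals). The log format, the host names and addresses, and the thresholds are all assumptions chosen for the example, and real deployments would tune them to their own baseline.

```python
"""Added example: toy detectors for ransomware dwell-time signals.
Not CI Security's code; the log format, hosts and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _constructed_log():
    """Build a small synthetic log (constructed for this example, not real traffic).
    Each record is (timestamp, event, src, dst, detail); 10.0.5.23 is the assumed
    compromised laptop, 10.0.5.40/41 are assumed benign hosts."""
    t0 = datetime(2020, 6, 9, 9, 0, 0)
    log = []
    # Suspect host: 12 failed logons against the DC in two minutes, cycling users
    for i in range(12):
        log.append((t0 + timedelta(seconds=10 * i), "auth_fail", "10.0.5.23", "dc01", f"user=user{i % 4}"))
    # Benign host: two mistyped passwords
    log.append((t0 + timedelta(minutes=3), "auth_fail", "10.0.5.40", "dc01", "user=alice"))
    log.append((t0 + timedelta(minutes=3, seconds=20), "auth_fail", "10.0.5.40", "dc01", "user=alice"))
    # Suspect host: port 445 on 15 different internal hosts within one minute
    for i in range(15):
        log.append((t0 + timedelta(minutes=5, seconds=3 * i), "net_conn", "10.0.5.23", f"10.0.5.{100 + i}", "dport=445"))
    # Benign host: the usual file server a few times
    for i in range(3):
        log.append((t0 + timedelta(minutes=5, seconds=30 * i), "net_conn", "10.0.5.41", "10.0.5.100", "dport=445"))
    # Suspect host: outbound HTTPS to one external address every ~60 seconds
    for i in range(8):
        log.append((t0 + timedelta(minutes=10, seconds=60 * i + (i % 2)), "net_conn", "10.0.5.23", "203.0.113.7", "dport=443"))
    # Benign host: browsing to an external address at irregular intervals
    for off in (0, 17, 95, 110, 240, 300, 460, 475):
        log.append((t0 + timedelta(minutes=10, seconds=off), "net_conn", "10.0.5.41", "198.51.100.5", "dport=443"))
    return sorted(log)


def detect_password_grinding(log, threshold=10, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` failed logons inside a sliding window."""
    fails = defaultdict(list)
    for ts, event, src, _dst, _detail in log:
        if event == "auth_fail":
            fails[src].append(ts)
    flagged = set()
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_smb_scan(log, threshold=10, window=timedelta(seconds=60)):
    """Flag sources contacting port 445 on at least `threshold` distinct hosts per window."""
    conns = defaultdict(list)
    for ts, event, src, dst, detail in log:
        if event == "net_conn" and detail == "dport=445":
            conns[src].append((ts, dst))
    flagged = set()
    for src, items in conns.items():
        items.sort()
        for ts, _ in items:
            targets = {d for t, d in items if ts <= t <= ts + window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_beaconing(log, min_conns=6, max_cv=0.1):
    """Flag (src, dst) pairs whose outbound connection intervals are very regular:
    coefficient of variation of the gaps at or below `max_cv`."""
    pairs = defaultdict(list)
    for ts, event, src, dst, _detail in log:
        if event == "net_conn" and not dst.startswith("10."):  # assumed: 10/8 is internal
            pairs[(src, dst)].append(ts)
    flagged = set()
    for pair, times in pairs.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.add(pair)
    return flagged


def triage(log):
    """Run all three detectors and return their hits, sorted for stable output."""
    return {
        "password_grinding": sorted(detect_password_grinding(log)),
        "smb_scan": sorted(detect_smb_scan(log)),
        "beaconing": sorted(detect_beaconing(log)),
    }


if __name__ == "__main__":
    for name, hits in triage(_constructed_log()).items():
        print(f"{name}: {hits}")
```

Each detector on its own would generate noise (a help-desk password reset, a vulnerability scanner, a software updater polling on a schedule), so the value in practice comes from correlating them: a single host that trips all three within the same day is exactly the pre-encryption pattern the text describes, and an analyst would pull that laptop off the network and start an investigation rather than wait for the ransom note.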


Prepare for Ransomware

Which brings us back to the tried and true best practices for preparing for and managing ransomware risks:

  1. Have an encrypted back-up system that is regularly updated, monitored, and tested. Threat actors are taking additional steps nowadays to corrupt encrypted back-up systems in advance of striking with ransomware; “set it and forget it” is no longer enough to ensure back-up systems and processes will work in a ransomware incident. Recent tactics include threat actors simply deleting cloud backups right before they attack – so the cyber resilience strategy for back-ups must be multi-layered.
  2. Strengthen detection and response in your cybersecurity program. If your IT team is over-stretched, consider hiring a trusted MDR provider with experts who know what ransomware executable code and ransomware network behavior looks like. CI Security Analysts monitor systems 24/7 and respond rapidly if they find ransomware or see malicious activity.
  3. Set up a “laptop health check-up” for all users connecting to the company network. This is especially critical as employees are returning from home offices. Include remote users in this process and ensure a regular cadence for this work. Do not expect your users to run Malwarebytes or know when to patch their OS without time for training and user support.
  4. Practice ransomware incidents with table-top exercises so your team knows what to do should a ransomware incident occur.
  5. Work with your executive team and public relations firm to ensure you have a ransomware communications plan included in your overall emergency response plans.
  6. Check with your cybersecurity insurance provider to make sure your policies and procedures are up to date and you know their protocol for ransomware incidents.

And if you can avoid it, do NOT pay the ransom, especially since there’s no guarantee the criminals will give you what you want.

With advance planning in place, companies can avoid a ransomware incident if they are proactive with users, devices, and security. But if the unthinkable happens, companies that practice Incident Response can still save significantly – up to $1.23M per breach. It’s worth investing in both sides of the security breach – specifically in the case of ransomware, where both prevention and incident response strategies are mission critical to lowering ransomware impacts to the bottom line.