Threat Actors Shifting from Opportunistic to Targeted Ransomware

By Mike Mimoso

CryptoLocker, WannaCry, and the hundreds of other ransomware families that indiscriminately infected businesses and government agencies worldwide have been studied and in some cases neutralized by researchers who figured out how to decrypt data locked down by the respective malware.

Nimble threat actors, however, have lately focused on a much more targeted approach to potential profits. While still largely relying on commodity exploits for known vulnerabilities or configuration weaknesses to gain access to a network, rather than dropping malware on certain machines, attackers have been hitting organizations hard by flooding ransomware onto endpoints and network shares and demanding drastically high ransoms in return for decrypted data.

This is an abrupt turn from what had been the norm for more than two years. Already, state and local government operations have suffered major incursions, with one of the biggest being the attack against the city of Atlanta one year ago. Victims in other industries, notably financial services, telecommunications, and health care, have also felt the brunt of these new targeted ransomware attacks.

Flashpoint Director of Intelligence Christopher “Tophs” Elisan will examine this transition from opportunistic to targeted ransomware attacks in much more depth during a webinar April 24 starting at 11 a.m. ET.

We invite you to register here.

Atlanta paid a steep $2.6 million to recover its systems, but did not pay the threat actors’ ransom demands. The money was spent on response costs, including forensics, consulting, and communications services, as well as remediation costs including address vulnerabilities and aging systems that may have been exploited during the attack.

Atlanta was infected, according to investigators, with the SamSam ransomware, which is spread via exploits rather than through shotgun-style spam or phishing emails. Threat actors behind SamSam have preferred brute-force attacks against exposed Remote Desktop Protocol (RDP) services, and from there, are able to map internal networks and use stolen credentials to access more systems and drop more ransomware.

RDP is not the only means by which attackers are exploiting weaknesses to access networks. They’re also using known Windows internals tools such as PSEXEC or scripts to spread ransomware.

It’s a messy situation, one complicated by the abuse of these legitimate tools to evade detection. In many cases, RDP, for example, is not blacklisted and is treated as legitimate network traffic. This, in combination with known exploits and vulnerabilities, is putting more businesses and government agencies in line for attacks.

Some progress was made to halt the spread of SamSam last October when the U.S. Department of Justice indicted two Iranian nationals for their alleged involvement in spreading the malware. The indictments allege the malware was responsible for $30 million in losses to private- and public-sector organizations, and that $6 million in ransoms had been paid out.

As is the case with most malware families, copycats and knock-offs soon rise when other variants are eliminated. Ryuk is another ransomware family involved in targeted attacks since last August, and was likely responsible for the shutdown of network services in Jackson County, Ga., in March. The county paid a $400,000 ransom in exchange for the decryption key in order to get its systems and services back up and running.

Ryuk has been linked to the operators of the TrickBot banking malware, and numerous attacks have been initiated by TrickBot or Emotet another piece of banking malware. In the case of Jackson County, Ga., it was likely introduced to the county network via a phishing email.

We again invite you to learn more about targeted ransomware by attending Flashpoint’s April 24 webinar. Elisan, who recently spoke at the RSA Conference on the GandCrab ransomware, will cover how and why ransomware threat actors are maturing their tactics, techniques, and procedures (TTPs), the security and risk implications for public- and private-sector organizations, and also what defenders can do to better prepare for, mitigate, and respond to targeted ransomware attacks.