Intel471 blog article

Three ways ransomware-as-a-service has become easier than ever to launch

While money and geopolitics play big roles, there are some other means that have allowed ransomware-as-a-service to proliferate with little resistance.

Jul 28, 2021

A big reason ransomware has grown into such a large cybersecurity problem is that it’s easy for criminals to get involved. With promises of millions of dollars and very little threat of legal trouble, attacks are happening at a rate that is increasingly difficult for enterprises to keep up with.

What makes it so easy for criminals to launch attacks is a combination of something we see in the everyday world: a growing base of people with technological know-how and a fine-tuned business model. The cybercriminal underground is filled with people who have honed their skills in a short amount of time, studied where the security gaps are and learned what needs to be done in order to maximize profits. With headlines showing that attackers are earning tens of millions of dollars, it’s clear the underground has stumbled upon something that (unfortunately) works.

While money and geopolitics play big roles, there are some other means that have allowed ransomware infections to proliferate with little resistance. Each one covered below can be seen in ransomware attacks that have occurred this year, proving that the cybercrime underground is quick to utilize methods that will ultimately lead to the largest payouts possible.

Ransomware code gets reused

Developers in every area of development reuse code; it’s a hallmark of the tradecraft. No matter the language, you can find direct copies of the same code in everything from cellphones to construction equipment to cybersecurity products. Furthermore, code from past versions of software is built upon to make newer versions work better than ever before. Think about the difference between your smartphone’s current operating system and the one it ran three years ago: it can feel like it’s light years beyond what it once was.

This practice is no different among the cybercrime underground. Ransomware developers are fine-tuning the software to make it work as “well” as it possibly can. Additionally, criminal developers borrow code from different types of malware if the functions are relatively the same and it can help attacks be “successful.”

One such example lies in Babuk, the RaaS variant that was released as “open source” at the end of April. After the builder was posted on the internet in June, it was discovered that it generates pairs of encryption and decryption tools targeting Microsoft Windows systems, VMware ESXi hypervisors and network-attached storage (NAS) units on both Intel x86 and ARM architectures. Shortly thereafter, lower-level actors took advantage of the builder, launching their own ransomware campaign outside of the Babuk affiliate program. In late June, an operator using the info-stealing malware Vidar issued “download and execute” tasks to bots, aimed at installing the Babuk ransomware variant generated by the builder.

Another RaaS variant shows that malware code can be used interchangeably. Intel 471 has observed multiple similarities in the code between Conti ransomware and BazarLoader, malware that grants backdoor access to an infected Windows host. One particular similarity is in the code that allows Conti to evade analysis in an isolated instance, such as a sandbox or virtual machine. The code of this function is nearly identical to that used by BazarLoader, with both functions following the exact same logic and executing the same way when searching for hooks.

While these examples are heavy on technical details, they essentially serve as building blocks for malware developers to easily build more efficient versions of ransomware, which in turn allow criminals to demand more money from ransomware victims.

Cybercriminals love those CVEs

It’s a basic function of security teams, and yet it’s one that causes quite a bit of consternation: the process around security patching. Cybercriminals pay attention to CVEs as much as anyone else, knowing that organizations drag their feet in closing vulnerabilities that give criminals the access they need to carry out attacks with little struggle.

You can be sure that if you have read about a big vulnerability in the tech press, ransomware operators are aware of the news and will look to take advantage of it as soon as possible.

For instance, Intel 471 has observed the FiveHands ransomware crew looking to utilize vulnerabilities like a SonicWall buffer overflow vulnerability that wasn’t patched correctly the first time it was uncovered, a remote code execution vulnerability in VMware’s vSphere Client that was pushed in May 2021, and the two vulnerabilities attached to Microsoft’s PrintNightmare problem that are still causing issues for organizations across the world. We have not seen these vulnerabilities used in any attacks since being mentioned, but given the need to have access to the domain controller in order to launch a ransomware attack, it may not be long before the group leverages the vulnerability in order to lock an enterprise up for a hefty ransom.

Criminals sell their service

Ransomware attacks have evolved to go beyond attackers just locking up an organization’s technology stack and hoping it finds a way to pay up. Now attackers are looking to cause more problems via double extortion attacks, name-and-shame blogs, or DDoS attacks directed toward any public-facing assets that haven’t been locked up by the initial ransomware attack.

In order for that to happen, RaaS gangs are working with other “experts” in the cybercrime underground that specialize in various methods that can extend the life of a ransomware attack.

Intel 471 observed one such actor working alongside the DarkSide ransomware gang until it shut down following its attack on the Colonial Pipeline Co. in the United States. The actor claimed to have launched DDoS attacks against DarkSide’s victims for six weeks before the gang’s shutdown. The actor also claimed that 10 to 20 targets were under DDoS at any given time, with attacks lasting from one to 21 days. According to the actor, they earned US $500 to US $7,000 each time a victim paid a ransom.

What’s novel about this actor is they are unlikely to be a veteran of the cybercrime underground. This person first surfaced on a well-known cybercrime forum in January 2021. Over a six-month period, the person built enough reputation to latch onto one of the most notorious ransomware gangs in operation, profiting off the million-dollar ransoms DarkSide pulled in before disappearing. While this actor is new, they followed a model that is being replicated by a variety of actors that work in the cybercrime underground.

The solutions are actually pretty simple

The instances highlighted above are not the sole reason for the rise of ransomware attacks in 2021. But attacks have moved far beyond sending a malicious link in an email and hoping for an errant click. Bad actors have evolved to quickly learn how to maximize their impact in order to make a large amount of money. Cybersecurity teams inside organizations must understand that being proactive about what the cybercrime underground is learning and how it's behaving can point them toward the right solutions for their security needs.