Ransomware continues to be one of the most pervasive types of cybercrime and a tangible risk to enterprises, governments, schools and health care organizations. Although multiple countries have launched coordinated efforts to fight ransomware groups through law enforcement takedowns, cryptocurrency seizures and indictments, the crime remains difficult to stop. One tenet of many anti-ransomware action plans is improving cyber resiliency and thus reducing the potential target pool. This is no easy feat. The ability of organizations to harden their environments and improve baseline cybersecurity defenses varies vastly across verticals. The attack surface that ransomware actors can exploit is rich, varied and ever changing, which poses great difficulties for defense.
Organizations often discover a ransomware attack when the attackers have already exfiltrated sensitive data and launched the final encryption stage. But there are many ways that businesses can use intelligence to learn that they may be in the crosshairs of a ransomware group. The potential to pick up on those signs can start long before a network has been compromised. This blog post dives into those signals and indicators, which can be useful for getting a critical warning before attackers launch an encryption event.
How do attackers get in?
Earlier this year, security vendor Sophos commissioned an independent survey of 3,000 information technology (IT) professionals for its State of Ransomware 2023 report. The results narrowed most ransomware incidents to just three categories of attack vectors. According to the survey respondents, the most common vector for ransomware attacks is exploiting software vulnerabilities (36%). The second most common vector is the replay of compromised login credentials (29%). Email-based attacks, including various forms of phishing and malicious attachments (also known as malspam), came in third at around 31%. The remaining 4% comprised brute-force attacks and users who downloaded malicious code.
A powerful way to compromise organizations is by exploiting software vulnerabilities. These attacks may be possible if an organization has not promptly installed patches released by a vendor. Another avenue is zero-day attacks, or exploiting software vulnerabilities that are unknown and do not have patches. An example of a zero-day exploit by a ransomware and extortion group recently occurred with deep impact. The group known as CLOP (also linked with TA505 and FIN11) exploited a vulnerability in MOVEit file transfer software to devastating effect. The pre-authentication structured query language-injection (SQLi) vulnerability (CVE-2023-34362) allowed CLOP to remotely compromise and extract data from governments, cities, universities and businesses. CLOP demanded a ransom in exchange for deleting the data. The incident has highlighted the dangers of using internet-facing applications that may contain unknown vulnerabilities and are easily reachable by attackers.
The mass exploitation of a zero-day vulnerability by one group is notable, but neither rare nor exceptional. Day to day, patch management tends to be a trade-off between time and risk. Enterprises that run thousands of applications simply can’t patch them all, but do need to patch the vulnerabilities for the most sensitive systems that are at the highest risk of exploitation. There are metrics that can factor into making the time/risk calculation. Threat actors on underground forums discuss, develop and monetize exploits for software vulnerabilities. Monitoring those discussions can aid in prioritizing patching based on whether, for example, there’s a working proof-of-concept (PoC) exploit for a vulnerability available or an offer of an exploit for sale on a forum.
The theft and then subsequent replay of login credentials remains one of the biggest challenges for organizations. Login credentials are captured by cybercriminals in a variety of ways, including phishing, a catch-all term for a variety of social engineering ploys. Phishing can encompass creating fake websites with login forms that collect entered information. Although multifactor authentication (MFA) can stop the successful replay of stolen usernames and passwords, it’s not foolproof, and threat actors continue to refine social engineering tactics to defeat MFA.
And then there’s the malware side. Intel 471 tracks many families of information stealers whose distribution begins with malspam. Infostealers collect login credentials as well as session cookies stored in browsers. Session cookies allow users to stay logged in to a service. Replaying a session cookie means that the attacker doesn’t have to log in to a service and also bypasses MFA.
Login credentials are sold in marketplaces and in private sales by vendors. These vendors – or initial access brokers (IABs) – are a component of what’s known as cybercrime-as-a-service. Cybercrime-as-a-service refers to how sections of the criminal underground have developed their own bespoke products and tools that they sell to other cybercriminals. It is one reason why cybercrime continues to grow in scale. Threat actors, including ransomware gangs, do not have to develop their own capabilities for stealing login credentials. Rather, they can rely on specialized markets to buy that data. For example, botnet operators distributing infostealer malware sell packages of that stolen data – referred to as logs – for other fraudsters to monetize.
There are several points in this process where cyber threat intelligence (CTI) can help. Intel 471 collects login credentials from many sources, such as infostealer logs, database dumps and breaches, with a view to giving organizations warning when credentials appear on the so-called deep or dark web. Monitoring IABs is another way to gain intelligence. To make money, IABs have to sell their wares, and to do that means some public exposure. It is not always immediately clear what type of access is being sold and what organization is affected.
This is where human intelligence (HUMINT) comes into play: engaging threat actors using personas to uncover specific actionable information. If organizations understand that credentials have been stolen and even more specific information such as what account, they can take remediative action, such as locking out the account, resetting the password or initiating an incident response investigation. This process can be automated. For example, when a new credential is discovered in a data dump, the credential can be retrieved using Intel 471’s application programming interface (API). The affected organization can then query its corporate Active Directory to see if that particular user exists and if so, trigger an automated workflow to reset the account before it is accessed by an attacker.
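The matching step of the automated workflow described above can be sketched as follows. This is an added example, not Intel 471's API or code: it assumes the leaked records have already been retrieved, and every field name and sample value is constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (timestamps in UTC). Field names are assumptions for
# this example, not a vendor API schema or a real directory export.
LEAKED = [
    {"login": "J.Doe@Example.com", "seen": "2023-07-02T10:00:00", "source": "infostealer"},
    {"login": "EXAMPLE\\asmith", "seen": "2023-07-03T08:30:00", "source": "dump"},
    {"login": "old.user@example.com", "seen": "2023-07-03T09:00:00", "source": "dump"},
    {"login": "someone@other.test", "seen": "2023-07-03T09:10:00", "source": "dump"},
]
DIRECTORY = [
    {"sam": "jdoe", "upn": "j.doe@example.com", "enabled": True, "pwd_last_set": "2023-05-01T00:00:00"},
    {"sam": "asmith", "upn": "asmith@example.com", "enabled": True, "pwd_last_set": "2023-07-04T09:00:00"},
    {"sam": "ouser", "upn": "old.user@example.com", "enabled": False, "pwd_last_set": "2022-01-01T00:00:00"},
]


def triage(leaked, directory):
    """Match leaked logins to directory accounts and decide remediation steps."""
    by_upn = {u["upn"].lower(): u for u in directory}
    by_sam = {u["sam"].lower(): u for u in directory}
    results = []
    for rec in leaked:
        login = rec["login"].strip().lower()
        # E-mail style logins must match the full UPN; DOMAIN\user and bare names
        # match the account name, so jdoe@other.test never maps to corporate jdoe.
        if "@" in login:
            user = by_upn.get(login)
        else:
            user = by_sam.get(login.rsplit("\\", 1)[-1])
        actions = []
        if user is not None and not user["enabled"]:
            actions.append("review_disabled_account")
        elif user is not None:
            seen = datetime.fromisoformat(rec["seen"])
            if datetime.fromisoformat(user["pwd_last_set"]) <= seen:
                actions.append("reset_password")
            if rec["source"] == "infostealer":
                # Stolen session cookies can outlive a password change.
                actions.append("revoke_sessions")
        results.append({"login": rec["login"],
                        "account": user["sam"] if user else None,
                        "actions": actions})
    return results


if __name__ == "__main__":
    for row in triage(LEAKED, DIRECTORY):
        print(row)
```

An empty action list with a matched account means the password was already rotated after the exposure was seen; an unmatched login has no account and no actions.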
The goal for threat actors when attacking an organization’s network is to land malware on a computing system without detection. To accomplish this, malware is always evolving and improving. Those improvements have forced defenders to try to detect minute changes and behaviors that may indicate an intrusion. But it’s often too late, and once malware is on a system, an organization is already on the back foot. During the dwell time between intrusion and detection, attackers move laterally into other systems, establishing other points of persistence that allow them to keep a foothold even if the initial intrusion is discovered. However, it is possible to get ahead of attack groups distributing malware and use that valuable threat intelligence for defense.
One way to do so is to study how malware behaves and how it is distributed. Malware is often distributed via botnets, or networks of infected computers controlled by a group of attackers. A common precursor to a ransomware attack is the infection of a network with malware. Emotet and Trickbot – both large botnets that sent prolific volumes of malspam – were responsible for the distribution of malicious code that often led to an infection by the Conti and Ryuk ransomware groups.
Botnets are a crucial component of the cybercrime-as-a-service economy, acting as the distribution mechanism for malware to capture new victim machines. These can be consumer computers, Internet-of-Things (IoT) devices or machines in corporate networks. Threat actors use bots to send spam, as proxies for intrusions and for other malicious actions such as distributed denial-of-service (DDoS) attacks. The bots themselves also can be exploited for their data, such as login credentials.
To understand how threat actors are using botnets and the malware they’re distributing, Intel 471 developed the Technical Research & Analysis Platform (TRAP) and the Malware Emulation and Tracking System (METS). By programmatically collecting malware and monitoring how it is being distributed, organizations can gain insight into malware campaigns and targeting long before threat actors begin the motions of a ransomware event.
Although ransomware groups appear to strike suddenly with impunity, as this blog post shows, many events in the targeting chain occur beforehand. Effective use of CTI can result in the early warning needed to understand the risk and take remediative action.