Ransomware observations

June 30, 2020 | Geoff Mefford

AT&T’s Digital Forensic Incident Response (DFIR) team has been observing cybercriminal organizations steadily increase their ransomware capabilities over the last few years. We have seen ransomware grow in sophistication and capability at a rapid pace. So rapidly, in fact, that each investigation shows a new tactic or a change in the binary program responsible for encrypting clients’ data.

Not only are the digital tools advancing in scope and complexity, but so is the tradecraft. Up until a few years ago, cyber criminals did not particularly care about the evidence they left behind. The payoff was so high, and there were so many vulnerable networks, that it did not make sense to go slow. Those times have gradually given way to today’s ransomware capabilities, and no one is immune.

Ransomware first appeared in 1989 as PC Cyborg, which was very simple and easily circumvented. There was very little choice in endpoint security software, and no one was thinking in terms of data being held at risk. Since then, ransomware has continued to evolve with new methods of evasion not seen before.

As ransomware continued to be successful and prosecution of perpetrators remained difficult, criminal profits soared, development increased, and more people wanted to engage in criminal activity.

But as cybersecurity defenders caught on to the techniques, new controls were added to defeat attackers’ attempts. As more and more organizations were impacted, there was increased focus on how to protect networks. This cat-and-mouse game continues today, but the encryption is now impossible to break, and the costs are much higher on both sides.

Recently, news articles have been published detailing how cybercriminals are outsourcing vulnerability analysis of their malware. Think about that for a minute: criminal cyber threat organizations are now reaching a maturity level in their operations that has previously been seen only in nation-state cyber operations.

The reasons to perform Quality Assurance (QA) on malware are the same as the reasons to perform it on traditional applications: protecting one's investment. Companies writing software want to take steps to ensure the product they bring to market does not contain vulnerabilities that could lead to public disclosure and, ultimately, revenue loss. A criminal group has the same reasons, but for the purpose of keeping their technology viable for as long as possible. A nation-state cyber organization, albeit with different goals and objectives, also conducts code analysis on its tools to protect its investment in time and money. The more sophisticated malware becomes, the more expensive it is to build and maintain.

Starting around five years ago, the cybercrime industry moved away from “in-house” development, and a cottage industry of services marketed explicitly to criminal groups began. These services initially marketed themselves in hacker forums and on TOR-based web sites, but with their explosive growth they have begun advertising on the open internet, with ads placed on popular search engines.

These are true cottage industries: small, decentralized businesses, often operated out of a residence. They perform services ranging from gaining initial access to more traditional malware code development.

Given the amount of money collected through the use of ransomware over the last few years, and cybercriminals’ projected annual earnings of $20 billion by 2021, we will continue to see growth in outsourced services focused exclusively on a criminal clientele. But as we see criminal groups adopting traditional software development models, what does this mean for trying to prevent them from getting malicious code into your network in the first place?

Criminal groups are spending a significantly higher percentage of their profits to make the business better. Ransomware is going to get better at doing its job and will be harder to stop even if you happen to catch it in the middle of encrypting your data.

The ability to recover is going to get harder and will require businesses to have more than one backup plan: one for restoring from good backups, and one for recovering from bare metal, where you are restoring service but your data is gone for good.

As ransomware gets more sophisticated and your active countermeasures may fail to protect you, the next line of defense is the system-level backups. In the vast majority of ransomware events, it is discovered that the backups are not viable for full recovery, mostly because of either the length of time since the last backup, or because the backup repository is kept on the same network and is encrypted in the attack.

A renewed focus on the backup processes will become increasingly important, and if your backups are not currently considered as part of the business's 'crown jewels' in your threat assessments, they should be added now.

One way to defeat a criminal hacking group is to outspend them. If the operational cost of jeopardizing your data becomes too high, the attackers will go elsewhere. In ransomware recovery, the 'most effective' money spent to protect your data is backups! With proper backups, recovery can be measured in hours.

Now, this author is aware of the dangers of using superlatives in cybersecurity, and I am not advocating for companies to allocate a larger percentage of yearly cybersecurity expenditures to backup systems. That would not be the most effective use of a team’s technology and human capital to solve the problem. A renewed focus on the process of actually having to use the backups in a large-scale event will help make your organization resilient to these attacks. Outspend the attackers. They are relying on you to have poor backups. If they get into your systems and find your backups are untouchable, they are going to move on to the next victim. If your backups consist only of those created by the operating system and stored on the same disk, it's not going to work. The operating system provides those as a convenience for the occasional hardware or software problem, not as protection against a malicious attacker.

Practice your recovery plan. Test its limits! Simulate, to the greatest extent possible, an event where you must implement this process. Practice it more than once, and increase the scope and complexity each time. If you do this twice a year, the team will learn many valuable lessons that become critical in ransomware recovery and can help reduce system downtime after an attack from weeks to hours. The reduction in lost revenue if attacked is worth it alone.
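The failure modes described above (backups too old, backups on the same network and writable from the hosts they protect, operating-system snapshots on the same disk, and recovery plans that are never exercised) can be turned into a simple audit. The script below is an added example, not code from AT&T or from the original post; the inventory records, host names, and the age thresholds (24 hours for the last backup, roughly six months for the last restore test) are constructed assumptions that a real deployment would replace with its own data and recovery objectives.

```python
"""Audit a backup inventory against the ransomware failure modes in the post.

Added example (hypothetical data and thresholds), not the author's tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class BackupSet:
    name: str
    source_host: str             # host whose data this backup protects
    stored_on_host: str          # host or service that holds the copy
    same_volume: bool            # copy sits on the same disk as the live data
    writable_from_source: bool   # protected host can modify the repository
    last_backup: datetime
    last_restore_test: Optional[datetime]   # None = never exercised


@dataclass
class Finding:
    backup: str
    severity: str   # "critical", "high" or "medium"
    reason: str


def audit_backup(b: BackupSet, now: datetime,
                 max_age: timedelta = timedelta(hours=24),          # assumed RPO
                 max_test_age: timedelta = timedelta(days=182)      # assumed cadence
                 ) -> List[Finding]:
    """Return every reason this backup set may not survive, or help after, an attack."""
    findings: List[Finding] = []

    # OS-level snapshots on the same disk are lost along with the data.
    if b.same_volume:
        findings.append(Finding(b.name, "critical",
                                "copy lives on the same disk as the data it protects"))
    elif b.stored_on_host == b.source_host:
        findings.append(Finding(b.name, "critical",
                                "copy lives on the protected host itself"))

    # A repository the protected host can write to is in reach of the encryptor.
    if b.writable_from_source:
        findings.append(Finding(b.name, "high",
                                "repository is writable from the protected host/network"))

    # Stale backups mean the restored data is missing recent work.
    age = now - b.last_backup
    if age > max_age:
        findings.append(Finding(b.name, "high",
                                f"last backup is {age.days} day(s) old, limit is {max_age}"))

    # An untested restore is an unknown restore.
    if b.last_restore_test is None:
        findings.append(Finding(b.name, "medium", "restore has never been exercised"))
    elif now - b.last_restore_test > max_test_age:
        findings.append(Finding(b.name, "medium",
                                "last restore test is older than the allowed cadence"))
    return findings


def viable_for_recovery(b: BackupSet, now: datetime) -> bool:
    """A set is viable only if nothing critical or high was found."""
    return not any(f.severity in ("critical", "high") for f in audit_backup(b, now))


def audit_inventory(inventory: List[BackupSet], now: datetime) -> Dict[str, List[Finding]]:
    return {b.name: audit_backup(b, now) for b in inventory}


# Constructed inventory for one file server, three copies of varying quality.
NOW = datetime(2020, 6, 30, tzinfo=timezone.utc)
INVENTORY = [
    # Volume shadow copies on the server's own disk, never restore-tested.
    BackupSet("vss-fileserver", "fs01", "fs01", True, True,
              NOW - timedelta(hours=2), None),
    # Nightly job to a NAS share the server can write to; job has been failing.
    BackupSet("nas-nightly", "fs01", "nas01", False, True,
              NOW - timedelta(days=9), NOW - timedelta(days=400)),
    # Offline copy the server cannot reach, fresh and recently exercised.
    BackupSet("offline-tape", "fs01", "tape-vault", False, False,
              NOW - timedelta(hours=20), NOW - timedelta(days=90)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, NOW).items():
        status = "OK" if not findings else "AT RISK"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.reason}")
```

Running it reports the shadow copies and the NAS job as at risk and the offline copy as the only set that would actually carry the organization through the event. The point is not the script itself but that the criteria are explicit enough to be re-run before each recovery exercise, so the question "are our backups untouchable?" has a current answer rather than an assumed one.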


About the Author: Geoff Mefford

Incident Response and Forensics Security Consultant AT&T Cybersecurity
