Ransomware Roundup: 07.31.23

MoveIT Exploits Could Earn Cl0P $100 Million as Victims Approach 400

Researchers assess that while the likelihood is less than 50% that a victim will pay a ransom demand in attacks where data is exfiltrated for extortion, but no ransomware is deployed – as with the latest spree of MoveIT exploits by the Cl0p gang - the ransom amounts have been typically much higher.

“While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying. Those that did pay paid substantially more than prior Cl0p campaigns, and several times more than the global Average Ransom Amount of $740,144,” reports Security Week.

“It is likely that the Cl0p group may earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments.”

Takeaway: Cl0p ransomware operators have been actively exploiting a vulnerability in Progress Software’s MOVEit file transfer app for several weeks in what have been predominantly straight data-extortion attacks, where no ransomware payload is deployed.

The Russian-linked ransomware gang leveraged the patchable vulnerability in the MOVEit file transfer software to compromise hundreds of victims, including the US Department of Energy, according to reports.

The mass exploitation of the MOVEit file transfer vulnerability by the Cl0p ransomware gang closely follows their success earlier this year in conducting the mass compromise of more than 100 organizations leveraging a vulnerability in another file transfer program called GoAnywhere.

While there have reportedly been many victims of these campaigns, it remained unclear whether Cl0p was able to successfully monetize the large number of networks compromised until this research was published.

And while the earlier attacks did not elicit much of a response from the US government aside from some FBI/CISA joint alerts, the prospect that Cl0p has trained its sights on critical infrastructure targets - namely the Department of Energy - will certainly prompt Federal authorities to ramp up their efforts against these operators.

Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims.

While these data-extortion-only attacks don’t compel as many victims to pay, those that do are paying more. This may work to Cl0p’s advantage, as straight data-extortion attacks are arguably much less complicated to carry out and likely highly automated, which means Cl0p’s strategy may be to simply ramp up the volume of attacks to make up the deficit in ransoms collected.

Cl0p was not the first group to opt for ransomware-less-extortion attacks – groups like KaraKurt and RansomHouse have practiced this model for some time, with groups like BianLian following suit – but Cl0p appears to have perfected the mass exploitation via automation aspect, potentially making the tactic highly profitable.

Again, we assess that it is unlikely that all or most ransomware operators will abandon the ransomware payload and opt for straight data-extortion attacks, we will likely see certain groups favor the approach if they can operationalize them as successfully as Cl0p has thus far.

Progress (the vendor who produces the MOVEit software) has issued updated advice on mitigating this vulnerability, which includes a new patch for additional vulnerabilities that could be exploited. MOVEit customers should apply the latest vulnerabilities fixes, as described in the MOVEit Transfer Knowledge Base Article (Updated 15th June).

Confidence Extremely Low in Battle Against Ransomware

A recent survey of IT and Security pros found that fully 93% of respondents felt the threat of ransomware attacks to their organizations had increased in 2023 – and rightly so, as the dip in the volume of attacks witnessed in the first half of 2022 was short lived.

A recent report revealed that ransomware operators are approaching near-record profits in the first half of 2023, having extorted nearly a half-billion dollars from victim organizations.

The survey also found that two-thirds of respondents (67%) lacked confidence that their organizations could recover data and critical business processes in the event of a ransomware attack.  

Furthermore, nearly half of respondents (45%) acknowledged that their organization had been the victim of a ransomware attack in the prior six months – which should come as no surprise considering there are dozens of active ransomware gangs in operation today.  

Consider that just one of those groups, Cl0p, has compromised hundreds of organizations this year already, and are on track to hit about 400 victims in 2023 for an estimated $400 million in ransoms if the trend continues.

Takeaway:  Several studies put the average cost of remediating a ransomware attack for victim organizations in excess of $4.5 million, and this figure does not include the ransom payment, damage to brand, lost revenue from disruption to operations, increased cyber insurance premiums or other tangential costs.

Ransomware is one of the biggest threats to any organization, regardless of size or industry. The downstream impacts from a large-scale ransomware event can have massive fiscal fallout and real-world repercussions.

The ransomware game is profitable – highly profitable. In fact, if you were to compare P&L sheets from the leading ransomware operations against leading security solution providers, you’d see ransomware gangs enjoy operating margins that would make almost any SaaS provider envious.

Ransomware operators are also better viewed as mature criminal business organizations with top-down hierarchical structures and diversified revenue streams.  

Why is ransomware so successful? The Ransomware-as-a-Service (RaaS) business model also includes many aspects that mirror those of legitimate Software-as-a-Service (SaaS) models, including:

• Organized Like a SaaS Company: The RaaS model mirrors the SaaS model in that the providers offer subscription-based services and software – in this case ransomware and the associated attack infrastructure. RaaS operators invest in R&D and talent recruiting to stay competitive, offer customer support to reduce churn, and maintain and are intent on growing their annual recurring revenue (ARR).
• Efficient Marketing and Partner Programs: Like their SaaS counterparts, RaaS providers develop their brand and foster revenue growth through marketing. RaaS operators seek to offer competitive affiliate programs where they compete on the basis of platform performance and profit sharing with their affiliate partners, much like SaaS vendors.
• Multiple Revenue Sharing Options: Established RaaS operators may offer several options, including one-time licensing for a flat fee, monthly subscriptions, or through profit sharing where the RaaS provider takes a cut of the affiliate’s ransom take. Terms of Service can vary between RaaS operators, so the services included are key competitive factors.
• High Revenue, Low COGS: Compared to their SaaS counterparts, RaaS operators typically have extremely low cost of goods (COGS) and a high operating margin, which means that they are very profitable from the outset. In contrast, most SaaS organizations have low or negative operating margins and a high COGS and can take several years or more to become profitable.

Ransomware is big business. The costs of recovering from a ransomware attack are passed on to consumers, to other businesses, to state and local governments, and so on. The financial impact of ransomware attacks is one we all bear, and it is going to become a significant drag on our economy.

Traditional security solutions, while robust and effective for some threats, have clearly failed to protect organizations against ransomware attacks. There is a huge gap in protection and ransomware operators are expertly exploiting it to the tune of hundreds of millions of dollars yearly.

The only way we can counter its growth as a major industry vertical is to disincentivize the attackers, and the only way to disincentivize them is to make ransomware attacks unprofitable. The only way to make them unprofitable is for organizations to be resilient in the face of this ongoing threat.

SEC to Require Public Companies Disclose “Material” Cyberattacks in Four Days

The U.S. Securities and Exchange Commission will soon be requiring publicly traded companies to disclose cyberattack events within four business days if they are deemed “material” to current and prospective shareholders "in making an investment decision."

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," SEC Chair Gary Gensler said, as reported by Bleeping Computer.

"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

The new SEC rules will require impacted organizations to report:

• The date of discovery and status of the incident (ongoing or resolved)
• A concise description of the incident's nature and extent
• Any data that may have been compromised, altered, accessed, or used without authorization
• The impact of the incident on the company's operations
• Information about ongoing or completed remediation efforts by the company

It was noted that in some cases public reporting may be delayed if it is determined that a disclosure would pose a risk to national security or public safety.

Takeaway: More visibility and accountability in regard to security-related events at publicly traded companies is a good thing – that's a no-brainer. But we do have to be careful to not confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.

The fact is that publicly traded companies are attacked every day, and if the company is really big, they may be attacked hundreds of times in a day. As we in the security trade already know, you can’t stop cyberattacks, but you can stop an attack from being successful and attaining its intended objective.

That said, the real challenge with this new SEC ruleset is going to be twofold: first, the onus is on corporate officers to decide if and when a security event reaches the threshold of being “material” to investors.  

This leaves quite a bit of room for subjectivity, plausible deniability, and – if not structured correctly – could produce a culture where there is pressure on security teams to conceal security events from the executive suite, so the event goes unreported.

The second challenge is whether or not investors are educated enough about all things cyber to know what to do with information about an incident – and this is the real rub here. There can be a very significant amount of time that passes between “we are under attack” and “we understand the full nature of and potential impact of the attack.”

Forensic investigations are difficult, and they take time. The disclosure rule set by the SEC, if not supported by investor education efforts, has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.

But investors, once informed of an attack, will want the details, and want them now. This could create situations where company leadership appears incompetent because they can’t answer tough questions about an event, undermining investor confidence.  

As well, the company's leadership would then be in a position where they trickle out incomplete information over time as the investigation progresses, and simply end up dying by a thousand cuts.

The inability to provide concrete answers immediately will likely create confusion and anxiety for investors, causing them to overreact to an event that - while reportable per SEC rules – may in fact not be that serious of an event from a security standpoint.

For example, a denial of service (DoS) attack that takes a company’s web retail operation offline for a period could cost the company millions of dollars. This is definitely material and thus required to be reported.

But a DoS attack is not necessarily an existential event for a company compared to, let's say, a corporate espionage attack where no systems went down, no revenue was lost, but systems with sensitive data like intellectual property were accessed.

Material? Probably so. But such an attack could also be written off as a simple intrusion event and nothing else. The attackers got into the systems, the intrusion was detected, the security team evicted the attackers from the network, and it appears no damage was done.

That is, until two years later when a foreign-based startup emerges with basically the exact same product selling at a steeply discounted price because the new competitor has no R&D costs to recover.

This scenario would possibly be an existential event for the victim organization, but how could they possibly forecast this serious situation within four days of detecting the intrusion event?

Without a great deal of education for the investor community, in situations like this we might see shareholders fleeing every time a company gets hit with a relatively minor DoS attack, crashing a company’s stock price, yet feel secure that their long-term investments in a company that is actually at significant risk of becoming obsolete.

While this is an overly simplified example, it drives home the point: any requirements on victim organizations to report material security events to investors needs to come with a concerted effort to educate investors on the nuances of attacks, security operations, and risk, or the SEC will just be creating more problems than they are actually solving.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.