Ransomware Foundations: Part One

Modern Malicious Actors

The past decade marked a precipitous rise in ransomware as the attack of choice for cybercriminals. Malicious actors leverage encryption in their campaigns to render important files inaccessible, then demand a fee to regain access to the affected data.

These attacks are so profitable that cybercriminals in 2022 mainly operate as meticulously organized services rather than lone wolf social deviants.

Ransomware gangs often operate similarly to software as a service (SaaS) organizations in what is known as ransomware as a service (RaaS). RaaS groups separate the authors of the malicious payload from the operators of the associated infrastructure, and both from the attackers who carry out intrusions and earn a portion of the ransom.

RaaS attacks have been described as human-operated ransomware, in which teams of highly skilled hackers breach targeted endpoints and execute their campaigns in real time. Once the victim’s network perimeter is compromised, the team adapts the attack route to the circumstances of the compromised network, often leveraging tools already present in the environment (PowerShell, Python and Group Policy Objects) to compromise additional targets.

This differs from traditional auto-spreading ransomware, which required the malicious payload to programmatically propagate across the network. The challenge for the attackers in that scenario is that the scope of victim machines could be limited with network segmentation or, more drastically, by taking affected machines offline. Cybercriminals now manually breach an environment before deploying a malicious payload, which ensures that they can affect as much critical infrastructure as possible.
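As an added illustration of the living-off-the-land behaviour described above (this is example code written for this page, not code from the original article or from Halcyon), the following Python script triages process-creation events for two signals that defenders commonly watch for in human-operated intrusions: PowerShell launched with hidden-window, profile-bypass, execution-policy-bypass or encoded command lines (the encoded payload is decoded so an analyst can read it), and interpreters such as python.exe run from user-writable directories. The event format, host names and command lines are constructed for the example; a real deployment would read the equivalent fields from Sysmon or EDR telemetry.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events in a simplified, hypothetical
# schema (host, user, image path, command line). Not taken from any real
# product's log format.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-finance-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe q3-report.txt"},
    {"host": "ws-finance-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Get-ChildItem C:\\Users -Recurse".encode("utf-16le")).decode()},
    {"host": "srv-files-02", "user": "svc_backup",
     "image": "C:\\Users\\Public\\python.exe",
     "cmdline": "C:\\Users\\Public\\python.exe C:\\Users\\Public\\t.py"},
    {"host": "srv-dc-01", "user": "SYSTEM",
     "image": "C:\\Windows\\System32\\gpupdate.exe",
     "cmdline": "gpupdate /force"},
]

# Interpreters the article names as tools attackers reuse in-environment.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe")

# Directories a standard user can write to; a system interpreter running from
# here is worth a look because the binary itself may have been dropped there.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# PowerShell accepts abbreviated switches, so each pattern matches the short
# and long spelling. These switches reduce visibility of what is being run.
PS_FLAG_PATTERNS = [
    (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), "profile loading disabled (-NoProfile)"),
    (re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"), "hidden window (-WindowStyle Hidden)"),
    (re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"), "execution policy bypass"),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return the reasons (if any) this event deserves analyst attention."""
    reasons: List[str] = []
    decoded: Optional[str] = None
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    cmd = event["cmdline"]

    if exe in INTERPRETERS and image.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"interpreter launched from user-writable path: {event['image']}")

    if exe in ("powershell.exe", "pwsh.exe"):
        for pattern, label in PS_FLAG_PATTERNS:
            if pattern.search(cmd):
                reasons.append(label)
        match = ENCODED_RE.search(cmd)
        if match:
            decoded = decode_encoded_command(match.group(1))
            reasons.append("encoded command line" + ("" if decoded else " (undecodable)"))

    return {"host": event["host"], "user": event["user"], "reasons": reasons, "decoded": decoded}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that produced at least one reason, in input order."""
    return [finding for finding in map(analyze_event, events) if finding["reasons"]]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']} ({finding['user']}): {'; '.join(finding['reasons'])}")
        if finding["decoded"]:
            print(f"  decoded: {finding['decoded']}")
```

Run against the constructed events, the script reports the encoded PowerShell launch on ws-finance-07 (with the decoded directory listing) and the Python interpreter started from C:\Users\Public on srv-files-02, while leaving the notepad and gpupdate events alone. The point is the design, not the specific strings: decoding encoded commands and baselining where interpreters normally live are cheap checks that surface the manual, tool-reusing activity that segmentation alone does not stop.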

Consider this example: A small health clinic with dozens of civilian patient records on its servers is compromised by a sophisticated human-operated ransomware attack. The patient records are now so thoroughly encrypted that the most powerful computer on earth today would take years to decrypt the data.

These records could contain individual drug sensitivities, vaccination statuses and other private details. A ruthless ransomware mastermind could quickly capitalize on these conditions and even cause a patient’s death for the sake of profit.

Ransomware cybersecurity is still in its infancy, but defenses against these attacks have forced malicious actors to evolve their tools and techniques to apply pressure to targets.

The Rise Of Double Extortion Tactics

In many cases, denying victims access to their files will supply sufficient incentive to pay hackers the ransom. However, cybercriminals are implementing additional measures to profit from their cryptovirologic hosts.

Cautious organizations will back up their files and often do not trust hackers to lift the encryption once the ransom is paid. In these cases, hackers will encrypt, exfiltrate and threaten to leak the targeted data publicly if the ransom is not paid within a specified time window.

For example, consider a bank’s private servers. A successful breach of this network could leave hundreds of customers’ assets at the mercy of this cold-blooded hacker.

Encrypting, exfiltrating and threatening leaks has become known as “double extortion.” The outcomes of this threat are undeniably devastating but do not represent the outer limits of the bad actors’ tactics. There have been hundreds of documented cases where attackers will use triple and even quadruple extortion tactics.

Make That Double A Triple

Triple extortion adds a measure known as Distributed Denial of Service (DDoS). DDoS is not, in and of itself, a new cyberattack. After encrypting and exfiltrating data, the hacker purposely directs an enormous flow of internet traffic onto the target network’s internet-facing servers, overwhelming them until they crash completely.

Here, the intent of this third measure is to literally incite a “denial of service” to normal operations on the Internet. This means that legitimate traffic (i.e., the victim’s clients, coworkers and contractors) is unable to perform daily business operations with the target firm. This disruption will halt almost all of the victim organization’s online business operations.

However, IT threat management teams have dealt with DDoS attacks for more than a decade and have devised mitigations to DDoS attacks. This is mostly positive news, but unfortunately, the hacking “industry” tends to attract some of the most resilient and tenacious workers in the IT world, who will almost always find a way to counter any cyber-defense measure.

This brings us to the appropriately named “quadruple extortion”.

The Four-Pronged Attack

Quadruple extortion is a tactic employed by cybercriminals to further pressure victimized firms to pay a ransom. This method involves implementing the previous three measures and extending their influence by making threats to release confidential information on the public internet to an organization’s business associates, customers or employees.

This represents a crescendo to a ransomware actor’s timeline and is particularly damaging as it – by nature – involves damaging a firm’s reputation or potentially spoiling vital business relationships.

The Future of Attacks

This multi-pronged approach to hacking organizations for monetary gain is only in its infancy. The scores of ransomware events in the past several years are a testament to the real danger these present to victim firms and the general population.

The most prominent example is the Colonial Pipeline breach in May 2021, which wreaked havoc in the Southeastern United States and caused fuel shortages and panic buying. Furthermore, the hackers forced the pipeline’s senior leadership to pay a $5 million ransom.

Considering Prevention

This terrifying reality highlights the need for cybersecurity risk management and mitigation teams to start planning. What can we do to prevent such high-visibility ransomware attacks?

Security teams need to learn the tools, techniques and procedures of attackers, research defense strategies and implement defensive solutions to reduce or eliminate the threat of ransomware.

Ready to Chat?

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple proprietary advanced prevention engines along with AI models focused specifically on stopping ransomware. Halcyon is built by offensive security experts to stop attackers and was formed by a team of cyber industry veterans after battling the scourge of ransomware (and advanced threats) for years at some of the largest global security vendors. The Halcyon Platform is easy to deploy, does not conflict with existing endpoint security solutions and provides multiple, unique levels of protection against ransomware.

The Ransomware-as-a-Service (RaaS) Economy

The rise of Ransomware as a Service (RaaS) gangs mimics the more conventional Software as a Service business model in every meaningful measure. The ransomware economy involves multiple players who specialize in various aspects of the larger ransomware attack. These elements include:

Initial Access Brokers

Initial Access Brokers (IABs) are highly skilled specialists who are exceptionally good at penetrating and establishing a foothold within secure networks. IABs often sell access to these compromised networks to other threat actors, including ransomware affiliates. The deeper an IAB can penetrate a network, the more valuable their services become. Purchasing credentials and access is surprisingly easy and relatively inexpensive.

RaaS Platform Providers

Ransomware-as-a-Service (RaaS) operators provide the software platform and backend to launch attacks. They have development teams constantly improving their feature sets, they assist in negotiations during a successful attack, they manage customer service agents, they market to new affiliates, and more, all for a slice of the profits.

RaaS Affiliates

The actual ransomware attack is managed and executed by an affiliate: a person or group who plans and carries out the attack campaign. They obtain access via an IAB (or create their own), use a platform or toolkit from a RaaS operator, execute the attack, and then move the ransom dollars around to stay below the radar.

Command and Control Providers (C2Ps)*

C2Ps are legitimate ISPs who lease the attack infrastructure to threat actors while turning a blind eye to abuse by hiding behind privacy policies. *These "C2Ps" are a net new facet within the RaaS economy and were discovered and reported on in the Halcyon Research report "Cloudzy with a Chance of Ransomware."

The overall maturity, level of organization, and specialization within the ransomware economy means we are dealing with an adversary whose tactics, techniques, and procedures (TTPs) are approaching the sophistication of some nation-state-sponsored attackers. In many cases, there has been documented overlap between nation-state attack elements and those of cybercriminal ransomware gangs. Today's ransomware attacks are more complex and difficult to defend against than ever before.
