Kujawa believes ransomware gangs might increasingly resort to such tactics because as more organisations learn how to deal with ransomware and put solid data recovery plans in place, criminals might find it harder to extract money from them by simply locking their files.
"If companies believe their data, which they feel is valuable and important to hold on to, may be released if they don't pay this ransom, regardless of whether or not the attackers can do it, the threat itself may inspire some victims to pay," he says.
New attack methods
The primary methods of distributing ransomware remain spear-phishing and insecure Remote Desktop Protocol (RDP) connections. However, attackers also buy access to systems already infected with other malware. Online marketplaces sell access to hacked computers and servers, and botnets deploy additional malware for those willing to pay.
The initial compromise in Ryuk ransomware incidents almost always comes through commodity malware, Chris Yule, a security researcher at managed security services provider Secureworks, said in a presentation at the DefCamp conference in November. His talk provided insights from real-world ransomware infections at large corporations.
"We see Emotet leading to TrickBot infections and then, over time, we see some of those TrickBot infections lead to Ryuk compromises," Yule said. "We don't know for sure why that is, but the logical assumption seems to be that the group behind Ryuk is paying for access."
TrickBot continues its normal activity of automated credential theft, but once the Ryuk operators take over, everything changes, according to Yule. The activity becomes more hands-on and involves system administration tools, network scans, public attack frameworks such as PowerShell Empire used to disable endpoint malware detection, and more.
The attackers are spending time learning the environment, identifying domain controllers and other important targets and preparing the terrain for the big ransomware hit while trying to remain undetected, a tactic common to APT groups.
The good news is that between the initial Emotet infection and the Ryuk deployment there's usually a significant window of time when companies can detect and deal with the infection. In the case presented by Yule, that window was 48 days.
The bad news is that detecting this type of manual hacking and lateral movement based on "living off the land" tactics is not easy without more advanced network and system monitoring tools. This means that organisations that have not built up their capabilities to defend against APTs because it's not in their threat model could now also miss ransomware and other sophisticated cyber criminal attacks.
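The detection gap described above is easier to see with a concrete example. The following Python script is an added illustration, not code from the article or from Secureworks: it runs over a handful of constructed, Sysmon-style process-creation records and antivirus alerts, flags the hands-on indicators the article lists (encoded PowerShell of the kind frameworks such as PowerShell Empire emit, attempts to change Defender settings, domain-controller discovery, remote execution tooling), and measures the window between the first commodity-malware alert and the first interactive activity. The field names, indicator patterns, hostnames and timestamps are all assumptions.

```python
"""Flag hands-on activity after a commodity malware infection (added example)."""
import base64
import re
from datetime import datetime

# Command-line indicators of interactive, post-infection activity.
# Each entry: (indicator name, compiled regex). Patterns are illustrative.
INDICATORS = [
    ("encoded_powershell",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("defender_tamper", re.compile(r"\bSet-MpPreference\b", re.I)),
    ("dc_discovery", re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I)),
    ("remote_exec", re.compile(r"\bpsexec\b|\bwmic\b.*\s/node:", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the plaintext behind a PowerShell -EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Classify events and measure the window between the first AV alert and
    the first hands-on indicator. Returns a dict with findings and timestamps."""
    findings = []
    first_alert = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        if ev["kind"] == "av_alert":
            if first_alert is None:
                first_alert = ts
            continue
        cmd = ev["cmdline"]
        for name, rx in INDICATORS:
            if rx.search(cmd):
                detail = decode_encoded_command(cmd) if name == "encoded_powershell" else None
                findings.append({"ts": ts, "host": ev["host"], "user": ev["user"],
                                 "indicator": name, "detail": detail})
    first_hands_on = min((f["ts"] for f in findings), default=None)
    window_days = None
    if first_alert is not None and first_hands_on is not None:
        window_days = (first_hands_on - first_alert).days
    return {"findings": findings, "first_alert": first_alert,
            "first_hands_on": first_hands_on, "window_days": window_days}


def _enc(script):
    """Build an -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed telemetry (not real logs): an Emotet alert, a later TrickBot alert,
# then interactive activity on the same workstation and on a file server.
SAMPLE_EVENTS = [
    {"ts": "2019-09-02T08:14:03", "kind": "av_alert", "host": "WS-042", "user": "jdoe",
     "signature": "Trojan.Emotet"},
    {"ts": "2019-09-02T08:20:11", "kind": "process", "host": "WS-042", "user": "jdoe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2019-09-15T12:05:40", "kind": "av_alert", "host": "WS-042", "user": "jdoe",
     "signature": "Trojan.TrickBot"},
    {"ts": "2019-10-20T09:31:09", "kind": "process", "host": "WS-042", "user": "jdoe",
     "cmdline": "powershell.exe -NoProfile -enc " + _enc("Write-Output stager-placeholder")},
    {"ts": "2019-10-20T09:33:50", "kind": "process", "host": "WS-042", "user": "jdoe",
     "cmdline": "nltest /dclist:corp.example"},
    {"ts": "2019-10-21T23:10:02", "kind": "process", "host": "SRV-FILE01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"{f['ts']} {f['host']} {f['user']}: {f['indicator']} {f['detail'] or ''}")
    print("window between first alert and first hands-on activity:",
          result["window_days"], "days")
```

The point of the script is the last line of output: with the constructed timeline the first hands-on indicator appears 48 days after the initial Emotet alert, which is the size of window the article describes. Any of the three flagged events would have been enough to start an investigation well before the ransomware stage.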
Another interesting infection vector that some ransomware groups have adopted over the past year is to compromise managed services providers (MSPs), which have privileged access into the networks and systems of many businesses by virtue of the services they provide.
This poses a problem because smaller and medium-sized organisations are outsourcing their network and security management to specialised vendors, so it's important to take steps to limit the damage that can happen when trusted third parties or the tools they use become an insider threat.
Malwarebytes has also observed a resurgence in the use of web-based exploit kits to target businesses and deploy ransomware, particularly the RIG exploit kit. These are attacks launched through compromised websites that attackers know are of interest to certain business sectors or are visited by their targets' employees.
"Our theory as to why that is, is because there have been a lot of vulnerabilities discovered over the last couple of years," Kujawa says. "There's an expected focus on the Chromium engine that's used to run Chrome and will eventually run Microsoft's new browser. So, trying to exploit that browser will be very important to cyber criminals and exploit kits because a lot of people use that platform."
Security companies are always trying to find vulnerabilities in the file encryption implementation of ransomware programs to help victims recover their files without paying money.
The decryption tools created as a result of those efforts are typically released for free and made available on the NoMoreRansom.org website maintained by Europol.
However, the ransomware programs used by the more sophisticated groups are quite mature. Attackers have learned from their past mistakes or the mistakes of other ransomware developers and have corrected implementation errors.
The code of some ransomware programs has been leaked online and is available to copy and improve. Operating systems also provide cryptography APIs, and there are well-scrutinised open-source crypto frameworks and libraries. All this means that the most popular ransomware programs are also the most dangerous, because they use strong encryption algorithms correctly and no free decryption tool exists for them.
It's critical for organisations to have backup plans in place and a data restoration plan that is tested periodically. Backups should also be kept offsite or off network to prevent attackers from deleting or encrypting them as well.
In some documented cases, organisations decided or were forced to pay the ransom because their backups were corrupted or the restoration process would have taken too long compared to just buying the decryptor.
First and foremost, organisations should take themselves off the easy target list by performing internal and external penetration tests and identifying any potentially vulnerable systems or servers exposed to the internet. Remote connections into the network such as VPN or RDP should have strong and unique credentials, as well as two-factor authentication (2FA).
Inside the network, companies should ensure that endpoints and servers are up to date with patches for their operating systems and the software they run. The networks should be segmented based on the principle of least privilege so that a compromise of a workstation in one department can't easily lead to a full network takeover. On Windows networks, domain controllers should be carefully monitored for unusual access.
Organisations that rely on MSPs or managed security services providers (MSSPs) should make sure the connections from those third parties are monitored and logged and that the software they use also has 2FA turned on. The network and systems access provided to third parties should be restricted to only what is needed to perform their job.
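The three paragraphs above amount to a checklist, and a checklist can be turned into an automated check. The script below is an added example (not from the article or any vendor named in it) that evaluates a constructed inventory against those controls: RDP or SMB reachable from the internet, remote-access accounts without 2FA, the same credential reused across accounts, hosts whose patch age exceeds a threshold, and third-party (MSP) accounts that are unlogged or can reach every network segment. The record fields, the 30-day patch threshold and the sample hosts and accounts are assumptions.

```python
"""Check a remote-access and exposure inventory against baseline controls (added example)."""
from collections import defaultdict

MAX_PATCH_AGE_DAYS = 30              # assumed policy threshold, not from the article
RISKY_INTERNET_PORTS = {3389: "RDP", 445: "SMB"}

# Constructed host inventory: ports an external scan found reachable from the
# internet, the network segment the host sits in, and days since last patch.
HOSTS = [
    {"name": "web-01", "segment": "dmz",    "exposed_ports": [443],  "patch_age_days": 12},
    {"name": "ts-01",  "segment": "office", "exposed_ports": [3389], "patch_age_days": 95},
    {"name": "dc-01",  "segment": "core",   "exposed_ports": [],     "patch_age_days": 8},
]

# Constructed remote-access accounts. 'credential_id' is a fingerprint of the
# password so reuse can be spotted without the secret itself being stored.
ACCOUNTS = [
    {"user": "vpn-alice", "type": "vpn", "owner": "internal",
     "mfa": True,  "credential_id": "c1", "scope": ["office"], "logged": True},
    {"user": "rdp-bob",   "type": "rdp", "owner": "internal",
     "mfa": False, "credential_id": "c2", "scope": ["office"], "logged": True},
    {"user": "msp-acme",  "type": "vpn", "owner": "third_party",
     "mfa": False, "credential_id": "c2", "scope": ["office", "core", "dmz"], "logged": False},
]


def assess(hosts, accounts, max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return a list of (kind, subject, detail) findings for the baseline controls."""
    findings = []
    for h in hosts:
        for port in h["exposed_ports"]:
            if port in RISKY_INTERNET_PORTS:
                findings.append(("exposed_service", h["name"],
                                 f"{RISKY_INTERNET_PORTS[port]} on port {port} reachable from the internet"))
        if h["patch_age_days"] > max_patch_age:
            findings.append(("stale_patching", h["name"],
                             f"{h['patch_age_days']} days since last patch (limit {max_patch_age})"))

    segments = {h["segment"] for h in hosts}
    users_by_credential = defaultdict(list)
    for a in accounts:
        users_by_credential[a["credential_id"]].append(a["user"])
        if a["type"] in ("vpn", "rdp") and not a["mfa"]:
            findings.append(("no_2fa", a["user"],
                             f"{a['type'].upper()} access without two-factor authentication"))
        if a["owner"] == "third_party":
            if not a["logged"]:
                findings.append(("unlogged_third_party", a["user"],
                                 "third-party sessions are not logged"))
            if set(a["scope"]) >= segments:
                findings.append(("overbroad_third_party", a["user"],
                                 "third-party account reaches every segment; restrict to what the service needs"))
    # Unique credentials: the same fingerprint on two accounts means a shared password.
    for cred, users in users_by_credential.items():
        if len(users) > 1:
            findings.append(("shared_credential", ",".join(sorted(users)),
                             "same credential reused across remote-access accounts"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in assess(HOSTS, ACCOUNTS):
        print(f"[{kind}] {subject}: {detail}")
```

Run against the sample data, the check reports seven findings, all on the terminal server and the two non-MFA accounts; the clean web server and the MFA-protected VPN user produce none. The credential-reuse check relies on comparing fingerprints rather than passwords, so the inventory never has to hold the secrets themselves.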
Organisations should have a clear inventory of the data that's critical for their business operations. The systems storing it should be strictly controlled.
Since many ransomware infections start with an infected workstation, the use of endpoint anti-malware software is important. So is removing unneeded plug-ins and extensions from browsers, keeping the software up to date and making sure employee accounts have limited privileges.
Train employees on how to spot phishing emails and question unsolicited messages that ask them to open files or click on links. Create a special email address monitored by the security team where employees can forward emails they believe are suspicious.
Finally, draft an incident response plan and make sure everyone involved knows their role and what they need to do if a compromise does happen, including communicating with your security vendor or MSSP and law enforcement.
Don't treat commodity malware infections lightly; investigate them thoroughly, as they could be, and often are, an intrusion vector for more serious threats.