Ransomware and Extortion Evolve More Brazen Tactics

Posted: 29th April 2021

For this week’s show we welcome back Allan Liska, a member of Recorded Future’s CSIRT security team. Allan updates us on the latest trends he and his colleagues are tracking on the ransomware and online extortion fronts. We discuss the growing sophistication of the tools and tactics attackers are using, and the remarkable brazenness with which they do their business.

This podcast was produced in partnership with the CyberWire.

For those of you who'd prefer to read, here's the transcript:

Dave Bittner Hello, everyone, and welcome to episode 202 of The Recorded Future podcast. I'm Dave Bittner from The CyberWire. For this week's show, we welcome back Allan Liska, a member of Recorded Future's CSIRT security team. Allan updates us on the latest trends he and his colleagues are tracking on the ransomware and online extortion fronts. We discuss the growing sophistication of the tools and tactics attackers are using and the remarkable brazenness with which they do their business. Stay with us.

Dave Bittner Allan, we're going to be talking about ransomware today as we often do and some of the things that you're tracking. Before we do though, for folks who may be new to the show and don't know you so well, even though I think at this point you are our returning champion, can you give us a little insight onto the work you do there at Recorded Future?

Allan Liska Yeah. I am actually part of the Recorded Future's CSIRT team, so I'm part of the security team, but I also, let's say moonlight as an analyst at Recorded Future, so I do a lot of research around ransomware, ransomware attacks and other sort of cyber criminal activities. Some of that tied into the CSIRT work, others is just, let's say a morbid fascination with the topic.

Dave Bittner Fair enough, and I think it's worth pointing out too, that we say, "Well, so-and-so wrote the book on something." You actually have written a book on ransomware, which is available.

Allan Liska Yes. Yeah, so I co-authored a book with Tim Gallo who works over at FireEye several years ago, back in the sort of nascent stage, phase of the current types of ransomware attacks in 2015 and '16, but in addition to that, many, many articles, many reports on ransomware.

Dave Bittner Well, let's dig into it then today. I mean, there was a recent article over on The Record, which is Recorded Future's news organization, your colleague Adam Janofsky wrote, and it's titled Double Extortion is Becoming Ransomware's New Normal. Can you give us a little bit of the backstory here about the history of how we got to this point where we're seeing this tactic from the ransomware folks?

Allan Liska Yeah. It's interesting in that for years and years, we, we as the security community have been beating it in people's heads, "Hey, you need to do backups in order to protect yourself from ransomware," and they can't just be backups sitting on your network because the ransomware actors will find those and they will encrypt them. What I think started to happen is it started to sink in, and that more people were doing this, which meant fewer people were paying the ransom, so starting in 2019 and leading over into 2020 and '21, what we saw were ransomware actors would set up what we call extortion sites. They would not only encrypt files as part of their action, as part of their ransomware deployment, they would actually steal some of the files before encrypting them, and then if you didn't pay the ransom to unencrypt your files, they would upload those stolen files to these extortion sites, and it's been fascinating watching the history of this. One of the earliest threat groups to do this was the Maze threat group, and they initially hosted their ransomware site on a hosting provider in Ireland.

Well, that didn't last very long because the law got involved and it not only shut them down, but wound up shutting down the entire hosting provider, so ransomware actors have had to move to bulletproof hosting and other sources in order to host those sites in a way that they can't be easily taken down by law enforcement.

Dave Bittner Can you take us through the evolution here because I think simultaneous to this, we've also seen ransomware shift to being much more targeted and aiming for higher value targets. Is that coincidental or do the two kind of go hand in hand?

Allan Liska Yeah, the two go hand in hand. I mean, so what we've seen is up until the fourth quarter of last year, what we saw was a steady rise not only in ransom demands, but in ransom payments, so ransom payments would go up 20, 30% each quarter, and if you look at Proofpoint or Coveware or other companies that track these, you see a steady rise in ransom payments because ransomware actors are getting better at what they do and they're going after bigger and bigger targets. In the fourth quarter, we actually saw ransom payments drop off and there's kind of a variety of reasons for that, but that means that when the ransomware actors are in hands-on keyboard mode, when they're in their, before they deploy the ransomware stealing the files, there's more and more sensitive files to steal because again, you're dealing with larger organizations, and so because of that, there was a better treasure trove of going after these organizations, a better treasure trove of files to steal.

Dave Bittner Can you take me through the difference in the sophistication of what it takes to pull this off, being able to run the type of ransomware campaign that we saw in the early days versus the greater scope of capabilities that they're showing today?

Allan Liska What's interesting is most of the ransomware actors don't actually need to be more sophisticated than in the early days. You and I have used this analogy before, if you go back to 2015 and '16, the types of ransomware attacks were kind of smash and grab attacks, like knocking over a liquor store, no planning involved. You distribute widely, you hit as many people as you can, and you land on that one machine and encrypt it, and then you're done. These type of ransomware attacks take a little more planning, but the thing is the ransomware actors have access to more sophisticated tools and the more sophisticated ransomware actors have scripted out what needs to be done, and so the less sophisticated actors, often the affiliates for the ransomware as a service programs just rely on those scripts, so we'll often see really kind of mismatched things where they're using these really sophisticated tools, but the more novice actors won't necessarily know once they're in their network to grab, so they'll just grab files willy-nilly and they can actually work against some of the extortion sites because they'll publish files and the companies go, "Okay, great. You publish those files, we don't care."

Other times, with some of the more sophisticated actors or if the affiliates get lucky, they'll actually take things that the company cares about, but it is that dichotomy definitely exists between having really sophisticated tools, but often not having the knowledge to know what you're looking for.

Dave Bittner Isn't it, it's sort of by necessity a noisier process though? I mean, I'm imagining to be able to get into someone's network and have the amount of persistence necessary to look around and start moving files out of that network, which I would imagine would, is certainly a way to draw attention to yourself, and that's different than just starting to encrypt things, yes?

Allan Liska Right. It's a much noisier process. That's why I'm a big advocate for threat hunting, looking for these telltale signs of these actors, so again, they're using the same tools across multiple different variants, so they're using Cobalt Strike, they're using AdFind, they're using Mimikatz, things that you can build threat hunting signatures for often using the same commands no matter which ransomware variant it is, so there are definite ways to detect them, and generally speaking, they're not subtle when they're exfiltrating the files, when they're taking files out of the network. We see this all the time where you'll see a blip in the network traffic because they tend to work weekends, they tend to work rushing hours for some unknown reason. Yeah, I know.

Dave Bittner Wow, what a mystery. Yeah.

Allan Liska Who knows?

Dave Bittner Yeah.

Allan Liska Basically, they're working off-hours and they're working weekends and they're sending out 500 Gigs of files all at once. They find the file server, they zip things up and they shoot them out to their command and control server, and they're generally not subtle about it, so if you're doing things right, if you're monitoring for network traffic, especially during off-hours, if you're monitoring for your admins doing weird things, and weird things, of course, varies from network to network, that's why I can't say specifically what it is, and if you're monitoring for the same tools that they're using, the same commands that they're using, you can often detect this activity that we're not ... Well, again, they do have sophisticated tools, we're not always talking about sophisticated actors.

Dave Bittner Can you give us an idea of the kind of the spectrum for ransomware as a service offerings that are out there? I mean, what are the ones that are the, your greatest hits, the ones that get the most use?

Allan Liska It's interesting that what we're seeing is we're seeing an increase in the number of viable ransomware variants that are used at any given time. It used to be there were five or six different ransomware variants that we would see at any one time. In 2020 alone, we saw a few hundred ransomware variants that were introduced. Most of them are awful. We're not going to see a lot of activity out of them, but there are probably 15 that are making legitimate impact that we're actually seeing them hit targets in a way that is concerning.

Allan Liska The biggest ones that we saw in 2020, the biggest one by share of reported attacks is Egregor. Egregor was taken down earlier this year, or some of its affiliates were taken down, but that has effectively stopped all Egregor attacks, so we haven't seen any new ones since the takedown, which is great news. Other than that, the big ones that we see right now are Conti, Sodinokibi, which has been around for a couple of years now, Clop, we see Ragnar Locker. PYSA has been going after schools and governments. That's been pretty big. Mount Locker has some ups and downs, like we've seen some of them, and then not seen others, so there are quite a few out there that are currently active and engaged in this type of activity.

Dave Bittner Are those low-level folks still out there who are running those sort of spray and pray operations, they're just trying to go after massive amounts of people for low dollar values?

Allan Liska Yeah. Probably, the biggest number of infections that happens for any ransomware variant is STOP DJVU. It's called STOP and/or called DJVU. Same ransomware family. They are those pray and spray operations.

That is what they do, and there are probably thousands and thousands of victims that get infected by that. We just don't hear a lot about that primarily because our world is primarily focused on corporate or organizational structure, and they're usually hitting either really, really small business or home users or something like that.

Dave Bittner I see. Now, the advice in the early days was, of course, as you mentioned, to have good backups, to have robust backups, backups that were offline from your systems, and we really beat that drum for a while. Is there a similar type of defense for this exfiltration thing? I'm thinking like if you're encrypting your data at rest, is that a viable solution to protecting yourself against this?

Allan Liska I'm a big fan of encrypting data at rest. I think that goes a long way toward this. Although, sometimes that doesn't work because if they're able to get admin credentials and can log in to your file server say, and that automatically decrypts the files that they're accessing, then that could be a problem. The other thing I'll say is that sort of the extortion ecosystem has really expanded, so they're not just stealing files at this point. There was an interview recently in The Record with Unknown, who is one of the leaders of the Sodinokibi group, and one of the things they say, which we can confirm that we've seen, we can corroborate as having seen happen is they don't just steal files for extortion, they will also do things like call your customers, so they'll hit a victim, victim doesn't want to pay, they'll start calling the customers and saying, "Hey, they were hit with ransomware, and so your files have probably been encrypted," and so there's other types of extortion that they're engaged in, so yes, definitely encrypt your files.

Definitely monitor for large files being taken out of your network, but know also that these ransomware actors are looking for other ways to engage in extortion activities.

Dave Bittner Yeah. It's interesting to me how there's almost, I don't know, there's kind of a whisper network as well. You hear about these big incidents where folks get hit, but then you'll hear about, "Oh, someone's systems went down," but they won't necessarily confirm that it was ransomware, but kind of behind the scenes, people are saying, "Yeah, it was probably ransomware," and I suspect ... I mean, that's something that you're pretty plugged into, right?

Allan Liska Right. Absolutely. A lot of that is bluntly the ransomware activists themselves will reach out to press contacts. They'll reach out to Bleeping Computer and other well-known cybersecurity reporters that cover the speed and say, "Hey, we want you to know that we hit this company," because they want to get that name out. That's part of that extortion process, and most of the reporters won't just straight up report, "Hey, this happened."

There's some people on Twitter that will do that, that they'll get a note from the ransomware actors and they'll rush to publish it, but most reporters are going to do their due diligence, follow up and actually confirm and so on, but that's part of that process. I mean, again, we've seen the ransomware actors threaten to go to stock exchanges and let the stock exchange know, in an attempt to hurt the value of the stock price, so really, they will do anything they can in order to force payment.

Dave Bittner Do you suppose this is the shape of things to come here? I mean, as long as this is successful, are these the tactics we can expect for the foreseeable future?

Allan Liska I think so. I think we actually saw a couple of ransomware attacks earlier this year, where nobody's been able to confirm that any files were encrypted, just that files were stolen from the targets, so we don't know whether the ransomware actors just failed in their encryption and just went ahead and released the files or what happened, and it happened with a couple of different groups. That extortion is again, becoming much, much more important and a bigger part of the picture than even the actual encrypting of the files is.

Dave Bittner Right. Yeah. That's fascinating. I mean, I guess when you're operating with that degree of brazenness, you can put the heat on the organization from multiple directions. Might we see a time when they don't even bother with the encryption?

Allan Liska It could very well be. I mean, the whole DDoS extortion gambit has been around for a while, where you email a company and say, "I'm going to hit you with a DDoS attack unless you give me money." Now, most of those are empty threats, but we know that bad guys like extortion because it's less work for them. I mean, if you can just steal files and publish those and not have to worry about give me an encrypter and maybe that encrypter doesn't work, and maybe they don't know how to use it and all this other stuff, you're just saving yourself time and energy. Again, not that it's a great thing, but it is that extortion can be easier in some ways than the actual encryption.

Dave Bittner What are we seeing in terms of law enforcement here? Are they upping their efforts to fight this?

Allan Liska I think it's interesting. What we've seen so far this year, and to me, this is, I think it's a new strategy. I don't know for sure. We see law enforcement going not after the main ransomware actors, but going after their affiliates. We already talked about Egregor. When the NetWalker infrastructure was taken down, was seized earlier this year, they also arrested an affiliate, a Canadian living in Florida, and then for Sodinokibi, just a couple weeks ago, they arrested an affiliate in South Korea.

I think the idea is you go after the affiliates and use the affiliates to gain access to the main threat actors, because there's a lot of information that's shared between affiliates and threat actors, and some of the main threat actors are not as good at OPSEC as they think they are, and so there may be information that can be gleaned by the affiliates, so I think we may see more of that from law enforcement. At the very least, if you can scare off affiliates, you're taking away a big part of the revenue stream of the ransomware threat actors.

Dave Bittner Right. Right. Good thing to have these folks feeling like they need to be looking over their shoulders.

Allan Liska Absolutely.

Dave Bittner Our thanks to Recorded Future's Allan Liska for once again joining us. Don't forget to sign up for The Recorded Future's Cyber Daily email, where every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. You can find that at recordedfuture.com/intel. We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future Podcast production team includes Coordinating Producer Caitlin Mattingly.

The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.