Ransomware is a constant threat to both businesses and individuals. The potential for all critical data necessary to run an organization or a family to be locked is terrifying; and the global malware situation doesn’t show any signs of slowing down in the future. Added to the threat of data loss to encryption is the recent surge in so-called “double-extortion attacks” where the data is not only encrypted but also stolen. Let’s take a look at the anatomy of these types of ransomware attacks.
Initial Foothold
Double-Extortion attacks begin with traditional ransomware attacks. The initial vector can be infiltration via exploitation or email, both of which have their own methods of attack. Email vector infiltration can take the form of a direct attachment or a link to a Command and Control (C2) site that hosts a file for download. Once a user executes the file, the first stage of the malicious code begins to look for potential roadblocks to complete execution of the attack. Modern ransomware attempts to detect and subvert anti-malware solutions through both obfuscation and direct manipulation. Obfuscation is mainly used to subvert signature and heuristics detection by obscuring code components that can be identified by these methodologies – typically by encrypting the code itself in one of several ways – from simple substitution to more complex cipher technologies that decrypt on-the-fly during code execution. This limits the ability of more traditional methods of malware detection to properly identify known or suspected malicious code.
Overcoming behavioral-based detection systems is more complex but advances in threat technologies over the last 18 months have shown that it is very much possible. The RIPlace malware – as one example – simply subverted a known Windows operation using known Windows binaries to create the ability to overwrite known-good files with encrypted versions. As none of that operation set was considered “suspicious” by the behavioral detection systems, the ransomware was highly successful in its attack until the anti-malware/EDR vendors altered algorithms to properly detect the behavior.
Direct infection by leveraging a vulnerability is more complex than the social-engineering tactics commonly used for attack promulgation, but definitely being seen more often as high-profile vulnerabilities are reported but not patched for extended periods of time in some organizations. This method is also difficult to predict without extensive intelligence gathering ahead of time. Scanning of systems and infrastructure to detect the availability of a vulnerability is necessary if the attack is targeted – since otherwise there is no way to tell if a particular exploit is even viable. It should be noted that this form of attack has gained popularity in non-targeted, automated attacks in recent months, as attackers become less concerned with who is hit, but rather are simply hoping to attack as many organizations as possible. That being said, vulnerability exploitation does remain a methodology more commonly used in targeted attacks designed to cripple a specific organization directly.
In both cases, the initial attack method is successfully launched, allowing access to user elevation to superuser or even administrator-level before the defensive tools properly react to the situation. From there, the threat code seeks out anti-malware/EDR systems and disables them – prohibiting these systems from properly recognizing the continued activities of the threat code, and opening the pathways the threat code needs to perform the remainder of the attack.
Network Propagation
During this period, the vast majority of ransomware attacks (double-extortion or traditional) will attempt to propagate throughout the network to any other machines possible. There are three common methods for this propagation: Direct propagation through standard network communications, spread through known vulnerabilities, or spread through common protocols after the attacker’s code acquires credentials, tokens, or hashes in much the same way as the initial victim was infected.
Direct propagation and spread through common vulnerabilities are the most common methods seen, as they do not require the inclusion of additional custom code to accomplish. Movement of attacks by leveraging social engineering is accomplished through many means, but the most common is Business Email Compromise once the initial victim’s machine is under the control of the attacker. Additional users are presented with attack emails or other messages appearing to be from the original victim, and are therefore more likely to comply and infect their own machines; at which point the process repeats. Common vulnerabilities in SMB and RDP are also extremely popular as they can quickly be leveraged to distribute the malware to many other devices within one organizational environment. Movement by credential theft (credentials, tokens, and hashes) is not new or technically difficult – but these methods are extremely well known and easily detected by even signature-based anti-malware tools if not completely obfuscated. They also add additional data to attack packages, which can make initial infection more difficult.
Encrypt and Exfiltrate or Just Encrypt
From here, double-extortion attacks begin to diverge from standard ransomware attacks. While one component of the attack is the same (encryption of data and a demand for a monetary renumeration for decryption assistance), double-extortion attacks siphon data out of the environment as well. How this is done varies from attack to attack, but some common patterns have been witnessed.
A memory-resident attack component (automatically re-launched on termination or reboot) is often used to ensure that anti-malware defenses and automated backup solutions are disabled or otherwise inhibited from properly performing their operations. This same component can be used to covertly upload files to a C2 server (or set of servers) configured for that purpose by the threat actor. Since this allows a threat actor to operate over a longer period of time before detection, it has become a popular method of both attack and theft. Both the attacker’s own binaries and processes along with the gradual upload of files at a rate that does not arouse suspicion allows for a nearly invisible attack.
Alternately, a threat actor who is less concerned about detection (because they believe their target’s defenses are less robust or can be obfuscated by other means) could attempt to mass-upload data from victim machines as quickly as possible. While this method has the drawback of being extremely “noisy” if proper network monitoring is in place, it could easily be viewed by administrator as simply higher-than normal data transfer and potentially ignored. Especially as more and more users are working remotely; spikes in data transfer are becoming more commonplace and easier to dismiss as nothing more than users adapting to the new normal.
This phase of a double-extortion attack can last for weeks or months, with the attack code running silently in the background; uploading each newly created file and continuing the upload of existing files. Since there is little chance of detection through anti-malware means at this point, the time period of monitoring and upload is limited only by the attacker’s patience.
Exfiltration can be over a wide variety of protocols, from simply HTTP put to more advanced methods such as DNS-based exfiltration techniques. More common than others are uploads to Cloud service providers – either to object storage or to known online file storage repositories. This allows the attacker to know the targeted repository will be online to receive whenever the attack code is ready to send; but still permits the use of advanced transmission methods to avoid detection at the same time.
Once the attacker has obtained all of the data they wish – or dare to without arousing suspicions – the last phase of the attack begins. Using either native tools within the victim Operating System (OS), or custom binaries and executions built by the attacker, all files deemed not required for the operation of the OS itself are encrypted using various techniques. 2048-bit encryption is common, with even 4086-bit being seen, as those encryption tools become more widely distributed; but 512- and 1024-bit are still surprisingly common – even knowing that these lower-entropy encryption methods are much easier to manually decrypt.
Impact
After this, a notification and/or message is commonly displayed to the victim on the screen of the device which has now been rendered unusable. Common tactics are to display a modal window with the message on the user’s desktop, and/or to force a text file to be opened and “always on top” for easy display to the user. At this stage of the attack, the damage has already been done and all files are both stolen and encrypted.
Double-Extortion tactics typically include the standard notification that the victim has a period of time (ranging from a few days to several weeks, with 3-4 days being most popular), but also notes that the data has been stolen and copies are in the possession of the attacker. If the victim refuses to pay, some or all of the stolen data will be publicly published after the timer expires. If the victim pays the ransom, the local data will be decrypted (or a decryption tool and key will be provided) and the remote data will be destroyed. Ransom amounts range from several hundred US dollars to over five million US dollars in recent examples of these forms of attacks; with remit typically expected in one form or cryptocurrency or another. Bitcoin was the primary currency requested in the past, but others have been gaining prominence since the attacker community realized that Bitcoin was much more traceable than other forms of cryptocurrencies.
To encourage prompt payment, it has become common for the attacker to publish a subset of the data – typically a small percentage of the total amount stolen – curated for impact. This is typically a small amount of highly sensitive data such as several dozen customer records or significant financial numbers to prove that the data in question is truly in the possession of the attacker. Pastebin and other difficult-to-trace online publishing platforms are commonly used, obscuring the attacker’s identity but definitively proving that the attacker has possession of the data cache they claim to have.
If the ransom is paid promptly, then decryption assistance is provided to the victim and the attacker confirms that the exfiltrated copy is destroyed. If payment is not made, the attacker destroys the decryption key and fully publishes the contents of the exfiltrated data cache; causing both massive downtime and extreme levels of confusion and loss of reputation to the organization. In short, the organization suffers two simultaneous forms of extortion: Extortion by locking the in-place files through encryption and extortion by the threat of publication of sensitive data and/or intellectual property; thereby giving the attack it’s name.
Attackers moved to this strategy due to several factors. Most notably, many forms of ransomware encryption – such as MegaLocker and Tesla – are now publicly available from anti-malware/EDR vendors and online assistance groups. This means that re-using one of these attacks does not guarantee payment by the victims. Additionally, many organizations have reinforced backup and recovery tools and methodologies to allow for rapid recovery of encrypted devices and files. While this still creates significant downtime for the organization; if that downtime cost is less than the ransom cost, then the organization is willing to take the downtime and not pay the ransom. Finally, the US Department of the Treasury has reiterated that several existing laws and regulations prohibit the transfer of funds in any form to attackers in nations considered to be rogue states or otherwise restricted in trade with the United States. This has signaled that such payments may be considered illegal (consult with legal representation for full details), and makes it much more likely that the organization will not be reimbursed by insurance payments if they choose to pay the ransom.
With the decline in revenue from organizations unable or unwilling to remit payment of the ransom to recover encrypted data-sets, attackers realized that they needed to provide additional incentives to ensure payment. Exfiltration of data-sets beyond the control of the organization in question, and the threat of exposure through publication of that data, became an effective means of ensuring that victims continued to pay ransoms in a timely manner.
This raises the question of if an organization should pay the ransom or not. As a technology company, Cymulate can only strongly recommend consultation with appropriate legal and insurance resources available to your organization before making that decision. What a cybersecurity organization can advise on is the potential downsides of paying the ransom. Broadly speaking, there are two possible negative technical outcomes: Not receiving the decryption key, and not knowing if the data was actually destroyed.
There are multiple examples of an attacker receiving the ransom payment within the time-limit specified in the attack notification; and then cutting off all contact without providing the decryption assistance promised on payment. This leaves the organization with two problems – the data is still unusable and the organization has just suffered a financial hit as well. While many threat actors do provide decryption keys and even assistance with decryption and defensive techniques against their attack; there is a non-zero number of attackers who do not operate with such honor, and simply steal the ransom and run.
In a double-extortion attack, there is also a copy of all stolen data sitting in the possession of a person or group who has exhibited criminal and dishonest behavior in launching the attack in the first place. What guarantee do you have that they will honor their word and destroy the exfiltrated data? What proof can they provide to you; given that digital copies of the data could easily have been produced before they destroyed the original exfiltrated data-set? Your organization is placing a tremendous amount of trust into a person or group who was very much willing to purposely extort the organization just hours or days before now.
Paying, or not paying, the ransom is a decision that must be taken by the victim organization – in proper consultation with legal and insurance professionals. The downside of not paying is significant and known; while the potential downside of paying (leaving aside the fact that it encourages other threat actors to use these attacks) is still significant, but unknown. Each organization will have to decide which downside is less unacceptable to the company as a whole.
Double-Extortion attacks are on the rise. While they still have not overtaken more traditional ransomware attacks yet; trends indicate that they will in the near future. As the code to perform a double-extortion attack becomes commoditized – by the original malware authors moving on to more intricate versions and selling the older version on the black market – the number of organizations hit by this type of attack will continue to go up. Preparation by continuously testing defenses, regularly and completely patching against vulnerabilities, testing users to ensure they can detect and avoid email attacks, etc. becomes critical in helping to ensure that your organization will not fall victim to these attacks. Having strong data-exfiltration defenses, multi-version backups with the ability to quickly restore systems, and an emergency response plan in place can help to ensure the organization can survive such an attack. Both are required to deal with this growing threat, and to deal with the known and continuing to grow threat of traditional ransomware.
Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.
Stay cybersafe!