Privacy policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content.
You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Managing your cookies

Our website uses cookies. You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button.

Necessary cookies

These are essential for the user navigation and allow to give access to certain functionalities such as secured zones accesses. Without these cookies, it won’t be possible to provide the service.
Matomo on premise

Marketing cookies

These cookies are used to deliver advertisements more relevant for you, limit the number of times you see an advertisement; help measure the effectiveness of the advertising campaign; and understand people’s behavior after they view an advertisement.
Adobe Privacy policy | Marketo Privacy Policy | MRP Privacy Policy | AccountInsight Privacy Policy | Triblio Privacy Policy

Social media cookies

These cookies are used to measure the effectiveness of social media campaigns.
LinkedIn Policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Skip to main content

The view from the attacker's side - How ransom gangs operate and why they are so successful

We could start with technical cliché that ransomware is a type of destructive malware… but reality is that ransomware is a business model – where our mistakes generates huge demand on RaaS(Ransomware as a Service) market. According to Cybersecurity Ventures, the global ransomware damage costs, which in 2021 have reached $20 Billion, are estimated to raise to $265 Billion by 2031.

Despite great effort, done by Cybersecurity community, we have still some works to make RaaS less lucrative and easy to “invest in”. Otherwise, Ransomware groups will take hands into their hands and “benefit all the companies in the world and make them safer and more secure.” (Interview with LockBit)

A brief history of ransomware gangs

The history of ransomware gangs dates back to the late 1990s, with the earliest attacks targeting individuals and small businesses. However, as technology advanced, these attacks began to target larger organizations, causing significant financial losses. Today, ransomware attacks continue to be a prevalent and harmful threat to businesses of all sizes.

So how do these cybercriminals carry out such elaborate ransomware operations successfully?

One of the key strategies used by these gangs to maximize profits is to target high-value organizations. These include healthcare providers, government agencies, large corporations or any organization with the resources to pay the ransom. Many are quite likely to pay to avoid public embarrassment or disruption to their operations.

Let’s take a look at some of the tactics used by top ransomware groups:

Tactics and strategies of top ransomware groups

1

Exploiting the log4j library

Ransomware groups look to exploit known vulnerabilities in software and systems. Therefore, keeping your software and systems up-to-date with the latest patches and security updates is very important. This includes not only the operating system but also software and all the included libraries that are used in it. One example of a known vulnerability that ransomware groups are exploiting is the log4j library — a Java-based logging utility. In 2019, a vulnerability was discovered in this library (CVE-2017-5645), which allowed attackers to execute arbitrary code on the server. Ransomware gangs have been known to exploit this vulnerability to gain access to servers and encrypt files. This vulnerability underscores the importance of keeping software updated — not just the operating system but also any library or third-party software that is in use.

The Khonsari ransomware group uses the log4j vulnerability to download malicious .NET files designed to distribute Khonsari — a ransomware written in C# that encrypts files with the .khonsari extension. After the encryption is complete, the ransom note is left commonly in the directory C:\Users\<user>\Desktop\HOW TO GET YOUR FILES BACK.TXT.

This file contains information about the encryption and instructions on how to get the files back.

Figure 1: A Khonsari ransomware group note

2

Phishing for fear with ransomware threats

Ransomware gangs also use a variety of methods to distribute their malware. One of the most common methods is through phishing emails. These emails may contain malicious links or attachments, and may be designed to look like they are from a legitimate source. Spear-phishing is another common tactic, where the attackers target specific individuals within an organization, often using information obtained from social media or other sources.

A leading ransomware group that uses spear-phishing is the GOLD SOUTHFIELD group. This group is linked with REvil, one of the most dangerous ransomware programs. It uses the spear-phishing technique to distribute ransomware via malicious e-mail attachments, such as MS Word documents, to gain access to the victim’s device. REvil was commonly used against organizations in sectors like manufacturing, transportation and electricity.

Figure 2: REvil ransomware in action

3

Stealing sensitive data

Another tactic that ransomware gangs use is double extortion, which involves both encrypting the victims’ files and stealing sensitive data — threatening to release it if the ransom is not paid. This makes it even harder for the victim to decide whether to pay the ransom or not as the consequences of not paying could be more severe. Conti is a ransomware that uses this double extortion tactic and steals sensitive data. Files are encrypted after the original extension and a .CONTI extension is added. For example, after encryption file1.jpg will read as file1.jpg.CONTI.

Another one of the most dangerous ransomware programs is Maze, previously known as ChaCha ransomware, wherein operators steal the data and post it online before encrypting it. Maze was released in 2019 and affects only Windows OS. After encryption, Maze leaves a ransom note in the text file named DECRYPT-FILES.txt.

4

On the guard with bulletproof hosting

Bulletproof hosting is another tactic utilized by cyber gangs to evade detection and maintain access to their infrastructure. These hosting providers are often located in countries with weak laws and enforcement, or they may be operating in a legal grey area. They may also have a reputation for being friendly to cyber gangs and may not take any action against illegal activities on their networks.

Ransomware groups often use bulletproof hosting to host their command-and-control servers, as well as to store stolen data. By subscribing to a threat intelligence service supported by threat hunters, organizations can gain valuable insights into the activities of top ransomware groups and take proactive measures to protect against their attacks. For example, organizations can block known malicious IP.

5

How to protect your organization from ransomware gangs

Incident response

To provide active cyber defense techniques against these types of attacks, organizations need to have a robust incident response plan in place. This should include procedures for identifying, containing and mitigating an attack, as well as procedures for communicating with stakeholders such as employees, customers and the media. It’s also important to have a plan in place for restoring normal operations after an attack, which may include restoring from backups or other measures.

Zero-trust strategy

It’s also important to note that while known vulnerabilities are often patched by software vendors, it’s not always possible for organizations to apply these patches immediately. This is why it’s important to have a process in place for identifying and managing known vulnerabilities, including assessing risk and prioritizing patches based on the severity of the vulnerability. Additionally, organizations should also consider implementing network segmentation or — even better — a robust zero-trust strategy to contain attacks and minimize their impact.

Security awareness for employees

In addition to having a solid incident response plan, organizations should also invest in security awareness training for employees. This will help them recognize and avoid phishing attacks and other types of social engineering tactics. It’s also important to have a process in place for reporting suspicious emails and other types of attacks.

Threat detection

As businesses aim to build and maintain a secure IT network, they should consider advanced threat detection software for real-time responses. AI penetration testing and vulnerability assessments help identify existing security breaches and potential gaps that can be exploited by ransomware groups. These self-assessments help organizations understand their strengths and identify weaknesses before attackers do, enabling them to take proactive steps before an attacker can breach their environment.

Self-defense and self-awareness pave the way for cybersecurity

In conclusion, ransomware gangs are becoming increasingly successful in their attacks by using sophisticated tactics and technologies, financial incentives and social engineering. To protect against ransomware attacks, organizations need to implement a multi-layered approach to security, including keeping software and systems up to date, having incident response plans in place, investing in security awareness training and having a process for reporting suspicious emails. All these active cyber defense techniques will help protect them more effectively against top ransomware groups.

Sources

Images from:

Figure 1: New ransomware now being deployed in Log4Shell attacks

Figure 2: Revilransomware

Figure 3: Bulletproof-Hosting

Share this article

All articles


The view from the attacker’s side – How ransom gangs operate and why they are so successful


The changing face of ransomware


The impact of ransomware attacks on business


The role of cybersecurity hygiene in a ransomware incident


Countering ransomware: how to build the right cyber governance strategy


How to protect your cloud from ransomware


Zero Trust: the key to stopping ransomware in its tracks


A comprehensive approach to ransomware defense


Cyber resilience against ransomware: fiction or reality?


How government and law enforcement can help prevent ransomware attacks


Ransomware infections: lessons learnt from the trenches


Batting ransomware: front-line insights from a CTO and a CISO