We could start with technical cliché that ransomware is a type of destructive malware… but reality is that ransomware is a business model – where our mistakes generates huge demand on RaaS(Ransomware as a Service) market. According to Cybersecurity Ventures, the global ransomware damage costs, which in 2021 have reached $20 Billion, are estimated to raise to $265 Billion by 2031.
Despite great effort, done by Cybersecurity community, we have still some works to make RaaS less lucrative and easy to “invest in”. Otherwise, Ransomware groups will take hands into their hands and “benefit all the companies in the world and make them safer and more secure.” (Interview with LockBit)
A brief history of ransomware gangs
The history of ransomware gangs dates back to the late 1990s, with the earliest attacks targeting individuals and small businesses. However, as technology advanced, these attacks began to target larger organizations, causing significant financial losses. Today, ransomware attacks continue to be a prevalent and harmful threat to businesses of all sizes.
So how do these cybercriminals carry out such elaborate ransomware operations successfully?
One of the key strategies used by these gangs to maximize profits is to target high-value organizations. These include healthcare providers, government agencies, large corporations or any organization with the resources to pay the ransom. Many are quite likely to pay to avoid public embarrassment or disruption to their operations.
Let’s take a look at some of the tactics used by top ransomware groups:
Tactics and strategies of top ransomware groups
Exploiting the log4j library
Ransomware groups look to exploit known vulnerabilities in software and systems. Therefore, keeping your software and systems up-to-date with the latest patches and security updates is very important. This includes not only the operating system but also software and all the included libraries that are used in it. One example of a known vulnerability that ransomware groups are exploiting is the log4j library — a Java-based logging utility. In 2019, a vulnerability was discovered in this library (CVE-2017-5645), which allowed attackers to execute arbitrary code on the server. Ransomware gangs have been known to exploit this vulnerability to gain access to servers and encrypt files. This vulnerability underscores the importance of keeping software updated — not just the operating system but also any library or third-party software that is in use.
The Khonsari ransomware group uses the log4j vulnerability to download malicious .NET files designed to distribute Khonsari — a ransomware written in C# that encrypts files with the .khonsari extension. After the encryption is complete, the ransom note is left commonly in the directory C:\Users\<user>\Desktop\HOW TO GET YOUR FILES BACK.TXT.
This file contains information about the encryption and instructions on how to get the files back.
Figure 1: A Khonsari ransomware group note
Phishing for fear with ransomware threats
Ransomware gangs also use a variety of methods to distribute their malware. One of the most common methods is through phishing emails. These emails may contain malicious links or attachments, and may be designed to look like they are from a legitimate source. Spear-phishing is another common tactic, where the attackers target specific individuals within an organization, often using information obtained from social media or other sources.
A leading ransomware group that uses spear-phishing is the GOLD SOUTHFIELD group. This group is linked with REvil, one of the most dangerous ransomware programs. It uses the spear-phishing technique to distribute ransomware via malicious e-mail attachments, such as MS Word documents, to gain access to the victim’s device. REvil was commonly used against organizations in sectors like manufacturing, transportation and electricity.
Figure 2: REvil ransomware in action
Stealing sensitive data
Another tactic that ransomware gangs use is double extortion, which involves both encrypting the victims’ files and stealing sensitive data — threatening to release it if the ransom is not paid. This makes it even harder for the victim to decide whether to pay the ransom or not as the consequences of not paying could be more severe. Conti is a ransomware that uses this double extortion tactic and steals sensitive data. Files are encrypted after the original extension and a .CONTI extension is added. For example, after encryption file1.jpg will read as file1.jpg.CONTI.
Another one of the most dangerous ransomware programs is Maze, previously known as ChaCha ransomware, wherein operators steal the data and post it online before encrypting it. Maze was released in 2019 and affects only Windows OS. After encryption, Maze leaves a ransom note in the text file named DECRYPT-FILES.txt.
On the guard with bulletproof hosting
Bulletproof hosting is another tactic utilized by cyber gangs to evade detection and maintain access to their infrastructure. These hosting providers are often located in countries with weak laws and enforcement, or they may be operating in a legal grey area. They may also have a reputation for being friendly to cyber gangs and may not take any action against illegal activities on their networks.
Ransomware groups often use bulletproof hosting to host their command-and-control servers, as well as to store stolen data. By subscribing to a threat intelligence service supported by threat hunters, organizations can gain valuable insights into the activities of top ransomware groups and take proactive measures to protect against their attacks. For example, organizations can block known malicious IP.
How to protect your organization from ransomware gangs
To provide active cyber defense techniques against these types of attacks, organizations need to have a robust incident response plan in place. This should include procedures for identifying, containing and mitigating an attack, as well as procedures for communicating with stakeholders such as employees, customers and the media. It’s also important to have a plan in place for restoring normal operations after an attack, which may include restoring from backups or other measures.
It’s also important to note that while known vulnerabilities are often patched by software vendors, it’s not always possible for organizations to apply these patches immediately. This is why it’s important to have a process in place for identifying and managing known vulnerabilities, including assessing risk and prioritizing patches based on the severity of the vulnerability. Additionally, organizations should also consider implementing network segmentation or — even better — a robust zero-trust strategy to contain attacks and minimize their impact.
Security awareness for employees
In addition to having a solid incident response plan, organizations should also invest in security awareness training for employees. This will help them recognize and avoid phishing attacks and other types of social engineering tactics. It’s also important to have a process in place for reporting suspicious emails and other types of attacks.
As businesses aim to build and maintain a secure IT network, they should consider advanced threat detection software for real-time responses. AI penetration testing and vulnerability assessments help identify existing security breaches and potential gaps that can be exploited by ransomware groups. These self-assessments help organizations understand their strengths and identify weaknesses before attackers do, enabling them to take proactive steps before an attacker can breach their environment.
Self-defense and self-awareness pave the way for cybersecurity
In conclusion, ransomware gangs are becoming increasingly successful in their attacks by using sophisticated tactics and technologies, financial incentives and social engineering. To protect against ransomware attacks, organizations need to implement a multi-layered approach to security, including keeping software and systems up to date, having incident response plans in place, investing in security awareness training and having a process for reporting suspicious emails. All these active cyber defense techniques will help protect them more effectively against top ransomware groups.