How ransomware gangs went pro

Paid Feature Ransomware has come a long way since the early days. When it first started out, it spread indiscriminately and often used poor code. Over the years, it has become more sophisticated and is now an efficient business. How did it become so professional?

In 1989 the first ransomware, PC Cyborg (also known as AIDS), did the rounds via the sneakernet, distributed using floppy disks. There was no cryptocurrency infrastructure to handle the $189 fee, so victims had to send cash to a Panama post box.

It was an interesting experiment, but ransomware didn't resurface in any significant form until the mid-2000s, with a flurry of tools that used encryption to lock up users' data. It wasn't until cryptocurrency started going mainstream that organized cybercriminals jumped on this and invested heavily in upping their game. Ransomware encryption code improved. It began making smarter moves, such as infecting network-attached storage. It graduated from a mere irritation into a significant threat.

Cybersecurity company Darktrace notes this in its 2021 Ransomware Threat Report. "Attackers are acutely aware of the defensive tools they are trying to evade and know better than anyone the limitations of the legacy, siloed approach that the majority of organizations still rely on," it says. "And in every area they are innovating, developing new techniques to bypass these - such as creating fileless malware and new methods of lateral movement."

These innovations span more than technology. Ransomware thieves have levelled up across the board, becoming more professional in their criminal relationships, their monetization techniques and - if you can believe it - their ethics.

Technology improvements

Cybercriminal groups started deploying post-intrusion ransomware in 2015, which involved human attackers gaining initial access to the system and moving laterally through the organization until it found the appropriate target. This was more labour-intensive, but meant that criminals could go deep into an organization to cause the most damage.

Since then, attack groups have repeatedly upped the ante, evolving with JavaScript-based ransomware and fileless attacks. Attackers have started to use open-source obfuscation tools in their malware build processes to help cover their tracks. One group, Wizard Spider, is especially advanced. Not only has it used these techniques but has also tweaked the Ryuk ransomware to remove obsolete code.

Other developments include the targeting of virtualized systems. DarkSide deployed Linux versions of its ransomware on VMware ESXi hosts, for example.

There has also been a marked increase in software sophistication in the last year, with the Lockbit, Ryuk, and Conti groups all adding automated capabilities into their attacks.

Wizard Spider excels at this, adding new automation into Ryuk that uses Wake-on LAN functionality to discover hosts before spreading the ransomware payload on its own. It also uses the technology to power on systems so that it can infect them.

This could enable ransomware thieves to rely less on affiliates, switching from extended human operations back to faster, higher-volume attacks which could increase revenues.

New ways to monetize attacks

One of the most important developments in the history of this cybercrime model was ransomware as a service (RaaS). This expanded the criminal ecosystem beyond the ransomware authors to include affiliates who would find and attack the targets before installing the malicious software. The affiliates would then pay the ransomware authors a cut of the profit.

The affiliates don't always work alone. Often, they'll turn to outsourced providers of vulnerable attack vectors. These groups make it their business to scour the internet for accessible network points via vulnerable RDP endpoints, domain admin accounts, or other credentials.

Affiliates are becoming more nuanced and professional in their attacks. Many now use bots to automate the initial attack that gets them a foothold on the system. Once in, Darktrace warns that they're increasingly timing their attacks with weekends or holidays so that security staff don't get a chance to react.

These criminal groups' extortion tactics have also evolved, moving beyond the simple payment-for-decryption model seen in earlier attacks. Some have diversified into DDoS attacks, while others have opted for data theft, accompanied by name and shame tactics.

Data thieves threaten to publish victims' data if they don't show up, usually doing so on their own dark web-based leak site. Often, they'll auction off the data to make a profit from others who want to mine its intellectual property.

More recently, groups have sent emails to their victims' customers, warning them that their data is part of the stolen set and urging them to pressure the victim into paying. Insiders at REvil have hinted that they will expand these tactics, using open-source intelligence (OSINT) to track down their victims' senior executives and bully them into paying.

This model is profitable enough to warrant further development, as the Babuk group now focuses entirely on data exfiltration rather than encryption.

Darktrace has also seen attackers use the threat of security non-compliance to extort victims. It cites a threat that REvil published implicitly warning its victims of regulatory damages: "Each attack is accompanied by a copy of commercial information," the group said. "In case of refusal of payment, the data will either be sold to competitors or laid out in open sources. GDPR. Do not want to pay us – pay x10 more to the government. No problems."

A complex industry structure

Ransomware groups are constantly shifting, inheriting software from other groups while vanishing from view to avoid scrutiny from law enforcement only to resurface under other names, warns Darktrace. For example, the company notes a variety of aliases for ransomware group Evil Corp, and tracked the evolution of Maze into Egragor.

Secureworks has identified the threat group that created the REvil RaaS (aka Sodonokibi) as a former affiliate of GandCrab, which retired in 2019. The group claims to have purchased the GandCrab source code. In turn, the Darkside ransomware came from a former REvil affiliate that evidently decided to move up. And DoppelPaymer came from a tweaked version of BitPaymer.

And according to reports, five ransomware groups in Russia have formed a cartel to exchange data and ‘best’ practices. These groups include Wizard Spider, linked to the Ryuk and Conti ransomware strains, Twisted Spider (which developed Maze and also uses Egregor), Viking Spider (which is behind Ragnar), and LockBit.

It isn't just organised crime groups that jumped on the ransomware train. State actors have also been busy deploying these attacks. Experts pegged WannaCry, one of the most famous ransomware attacks in history, as a North Korean venture. It was also one of the first attacks to combine ransomware with a wormable vulnerability.

The UK's National Cyber Security Centre attributed the 2017 NotPetya attack to the Russian military, arguing that it was "almost certain" this was an attempt to disrupt Ukraine's financial, energy, and government institutions. The attack wasn't as professional as it could have been, though, given the fallout as it spread around the world.

Some criminal groups and ransomware forums dictate sectors that their affiliates must avoid, with several groups signalling their unwillingness to hit the healthcare industry.

What's next?

Darktrace warns that the automation we're already seeing in some ransomware attacks will evolve, becoming more adaptive over time. The use of offensive AI will make it harder than ever for defenders to identify an emerging attack.

"Deep-learning analytics will enable AI to increase the personalization of attacks, leading to greater accuracy and a higher success rate," it says. "At the same time, cybercriminals will be better able to predict the layout and defensive strategy of victims' digital infrastructure and data."

The company warns that those wanting to mitigate ransomware attacks will increasingly need to use AI as a defensive tool. It points to its own self-learning AI technology as a way to spot novel attack tactics not yet seen. By creating a baseline of normal behaviour in a company's infrastructure, it can spot anything out of the ordinary, even if it doesn't match a software signature or attack traffic pattern on record.

The technology goes beyond this to respond automatically to emerging ransomware threats by taking the appropriate action. Its Antigena system, which customers can switch on when they gain enough confidence in its protection, will use AI to mount a proportionate response when facing suspicious activity. That could mean severing an obviously infected machine from the network.

"Today, cybersecurity is no longer a human-scale problem," the company adds. "It is a machine-on-machine fight. It is critical that organizations adopt defensive AI to protect against this new generation of automated ransomware."

The ransomware industry will never be legitimate, but it has started acting as though it is. From outsourcing deals to industry partnerships, its members are behaving like regular businesses with a criminal product. Some, such as REvil and Twisted Spider, have even taken to giving journalist interviews or issuing press releases.

As the money keeps flowing and attackers get ever-bolder, companies should be taking the ransomware threat seriously. As online blackmailers keep raising their game, the onus is on us to reciprocate with elevated defenses.

Sponsored by Darktrace.