{"id":18754,"date":"2021-06-26T00:07:00","date_gmt":"2021-06-26T00:07:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=18754"},"modified":"2023-03-20T20:55:24","modified_gmt":"2023-03-20T20:55:24","slug":"ransomware-as-a-service-raas-ttp-protections","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-as-a-service-raas-ttp-protections\/","title":{"rendered":"Ransomware-as-a-Service (RaaS) Is the Latest Evolution in Ransomware Threats"},"content":{"rendered":"

At first glance, the report this week from cybersecurity software vendor McAfee showing that the incidence of ransomware<\/a> dropped by half in the first quarter seems like good news to a world that continues to feel the repercussions of the seemingly ubiquitous malware<\/a>.<\/p>\n

However, the 50 percent decline in ransomware during the first three months of 2021 has less to do with cybercriminals finding other modes of stealing data and more because of an evolution away from mass multi-target ransomware attacks that come with low returns to ransomware-as-a-service (RaaS) campaigns that target fewer but larger organizations with more customized ransomware, which in turn deliver more lucrative results.<\/p>\n

McAfee researchers addressed the shift in ransomware strategy this week in their McAfee Threats Report: June 2021<\/a>. In the report, the researchers also talked about how the proliferation of 64-bit CoinMiner applications fueled the 117 percent growth in cryptocurrency-generating coin mining malware<\/a> as well as an increase in new Mirai-based malware variants that helped drive a 55 percent jump in malware targeting Internet of Things (IoT) devices<\/a> and a 38 percent increase in attacks on Linux systems.<\/p>\n

Ransomware is the Focus<\/h2>\n

But as it is with much in the cybersecurity world, there was a focus on ransomware in the report. According to Raj Samani, McAfee Fellow and chief scientist, cybercriminals are constantly evolving their techniques in order to get the highest monetary returns with the least amount of risk. The transition in ransomware has been away from trying to extract small payments from millions of individual targets to RaaS campaigns that support many more bad actors in attacks on fewer but larger organizations and extorting them for more money.<\/p>\n

While 2021 has been noteworthy for headline-grabbing ransomware attacks like the one on Colonial Pipeline<\/a>, the trend toward bigger targets had been underway before then, Samani told eSecurity Planet<\/em> in an email interview.<\/p>\n

\u201cThis is a number of years old,\u201d he said. \u201cWe saw from 2018 Ryuk began targeting organizations, but preceding this was GandCrab and SamSam.\u00a0It was really GandCrab that embraced the RaaS model. Likewise, circa 2019\/2020, we saw the introduction of leak sites. Ultimately, many of these groups copy the approaches from other groups that are proving successful.\u201d<\/p>\n

Leak Sites<\/h2>\n

Leak sites are part another relatively new tactic for ransomware groups looking to put more pressure on organizations to pay the ransom. Cybercriminals typically would grab hold of a victim\u2019s data, encrypt it and then demand payment, with the promise \u2013 not always fulfilled \u2013 that once the ransom was paid, they would send a key to the victims to decrypt the data.<\/p>\n

However, bad actors now tend to put another spin on their methods. They will steal data from their victims before encrypting it and threaten to publish the stolen data on the \u201cleak sites\u201d and then alert the media about the attack. The names of the dozens of groups that threaten to leak data include MAZE, AKO, REvil, DarkSide, Ranzy Locker and Ragnarok.<\/p>\n

DarkSide in particular has a high profile these days. Most researchers say the Russia-based group was behind the ransomware attack on Colonial Pipeline, a company responsible for much of the gas distribution in the Southeastern United States. The company had to shut down some of its operations, which led to shortages and long lines at gas stations throughout the region. Colonial eventually paid almost $5 million (75 Bitcoins) to the attackers for the decryption key, which turned out to decrypt so slowly that the company had to rely on its own backups<\/a> to restore service.<\/p>\n

According to reports, the group had also stolen about 100 gigabytes of data from Colonial servers before the onset of the malware attack.<\/p>\n

Ransomware Subject of High-Level Talks<\/h2>\n

In their report, McAfee researchers noted that ransomware in general \u2013 and DarkSide in particular \u2013 \u201cresulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that make digital investigations challenging with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.\u201d<\/p>\n

Further reading<\/strong>: U.S. Issues Ransomware Guidance, Cybersecurity Executive Order<\/a><\/p>\n

The McAfee researchers also wrote that while the Colonial Pipeline attack got a lot of the headlines, attacks ransomware groups Babuk, Conti, Ryuk and REvil preceded DarkSide\u2019s campaign, with RaaS schemes that targeted larger organizations, most of whom were hit with custom-created variants of a ransomware family. REvil \u2013 which federal law enforcement said was behind the recent attack on JBS Foods \u2013 was the most detected ransomware group in the first quarter, according to the McAfee report.<\/p>\n

RaaS affiliate networks enable bad actors to reduce the risk of large organizations\u2019 cyber-protection technologies detecting them, which in turn improves the chances of the attacks working and the ransom being paid. Campaigns that use a single type of ransomware to target many victims tend to be \u201cnoisy,\u201d which leads to systems eventually beginning to recognize and block them.<\/p>\n

Shift to RaaS<\/h2>\n

This ongoing shift to RaaS also can be seen in the decrease in prominent ransomware types<\/a>, from 19 in January to nine by March.<\/p>\n

Such RaaS efforts shows that cybersecurity researchers and the IT world as a whole should be looking more at the impact of ransomware attacks rather than the volume, McAfee\u2019s Samani said.<\/p>\n

\u201cWhilst the volume of ransomware families may not be at the same prevalence as before, those groups that still remain in operation are finding more innovative approaches to compromise and extort higher payments,\u201d Samani said.<\/p>\n

Feds Step Up Response<\/h2>\n

The federal government has become increasingly involved<\/a> in pushing back against cybercrime, particularly ransomware. The Department of Homeland Security (DHS) for a couple of years has urged ransomware victims not to pay the ransoms, fearing that the money would help fund even more attacks. In addition, the National Security Council earlier this month sent a memo to U.S. companies urging them to take the threat seriously and outlining steps they can take to protect themselves.<\/p>\n

In addition, the U.S. Cybersecurity and Infrastructure Agency (CISA) and FBI issued an alert with\u00a0guidance<\/a> based on the MITRE ATT&CK framework for protecting critical and the Biden Administration issued an\u00a0executive order<\/a>\u00a0to review and improve the federal government\u2019s cybersecurity preparedness and response. DHS issued cybersecurity requirements<\/a>\u00a0for critical pipeline owners and operators.<\/p>\n

Ransomware Isn\u2019t Going Anywhere<\/h2>\n

Rita Gurevich, founder and CEO of cybersecurity firm Sphere, said businesses can expect ransomware attacks to continue, noting another change in strategy.<\/p>\n

\u201cA few years ago, ransomware was primarily focused on targeting consumers, but recently we have seen the switch to the more lucrative corporate arena,\u201d Gurevich told eSecurity Planet<\/em>, reacting to news of new REvil attacks on clothing firm French Connection and medical diagnostic company Grupo Fluery. \u201cThese attacks have become more sophisticated, transitioning from the known phishing strategy using a bulk email approach to a spear-phishing strategy, which are highly targeted, harder to detect and have a much higher success rate. The ease of which ransomware can be conducted is also an issue as ransomware software can easily be purchased on the darknet.\u201d<\/p>\n

She also noted that \u201crecent actions by the federal government and corporate initiatives have changed the narrative from one of response to prevention of ransomware attacks. The focus for IT and security<\/a> professionals is now on ensuring backups are in place, increasing training for users and [leveraging] an effective access governance model. IT and security professionals also need to adapt to their new environment where the skillset they successfully employed a few years ago may not suffice against the sophisticated ransomware attacks of today.\u201d<\/p>\n

While the rise of RaaS is the primary driver for the drop in overall ransomware instances in the first quarter, it\u2019s not the only one, according to Samani.<\/p>\n

\u201cWe see that trend in cybercrime almost every year after Christmas and holidays,\u201d he said. \u201cThere is a post-holiday slowdown, then the first quarter shows a ramp up, then a dip during summer as cybercriminals need a vacation, too. Then we see a ramp up again towards the end of the year, perhaps as criminals need money to buy Christmas gifts.\u201d<\/p>\n

Top Ransomware TTPs and Defensive Steps to Take<\/h2>\n

Adversary emulation vendor Scythe this week released a report on the top ransomware tactics, techniques and procedures (TTPs). Below is a table of the MITRE ATT&CK TTPs followed by protection steps recommended by Scythe.<\/p>\n

\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n
 <\/p>\n

Top 10 ransomware TTPs or behaviors used by Conti, DarkSide, Egregor, Ryuk, and Maze ransomware<\/strong><\/td>\n<\/tr>\n

Initial Access<\/td>\nT1078 – Valid Accounts<\/td>\n<\/tr>\n
Execution<\/td>\nT1059.001 – PowerShell<\/td>\n<\/tr>\n
Command and Control<\/td>\nT1071 – Application Layer Protocol and T1573 – Encrypted Channel (HTTPS)<\/td>\n<\/tr>\n
Discovery<\/td>\nT1082 – System Information Discovery<\/p>\n

T1057 – Process Discovery<\/td>\n<\/tr>\n

Privilege Escalation<\/td>\nT1053.005 – Scheduled Task\/Job: Scheduled Task<\/td>\n<\/tr>\n
Collection<\/td>\nT1074.001 – Data Staged: Local Data Staging<\/p>\n

T1560 – Archive Collected Data<\/td>\n<\/tr>\n

Exfiltration<\/td>\nT1041 – Exfiltration Over C2 Channel (HTTPS)<\/td>\n<\/tr>\n
Impact<\/td>\nT1486 – Data Encrypted for Impact<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\u200dScythe’s 10 ransomware recommendations<\/h3>\n