It had been a quiet night at the offices of Colonial Pipeline. As most Americans slept, this pipeline network had been quietly pumping vast quantities of oil up and down the Eastern Seaboard of the US. By day’s end, over 2.5 million barrels of it should have been poured into gas stations, factories and power stations – a process that came to a juddering halt in the early hours of 7 May, 2021.
The cause of the shutdown was quickly established by a ransom note that appeared on an IT technician’s computer screen at 05:00: “Your computers and services are encrypted,” it read. “Backups are deleted.”
Colonial called the FBI for help. Quickly establishing that the pipeline had been disabled by ransomware from DarkSide, a cybercriminal gang based in Russia, the Bureau told the company to pay the ransom. It was a short-lived triumph for DarkSide. Within months, the FBI had recovered most of the ransom and disabled the gang’s operations.
DarkSide’s demise, however, was more than the collapse of a single criminal operation. In time, it would become apparent that the age of impunity for ransomware groups was over, as a flurry of arrests in Europe and Russia triggered an extinction event among the largest and most notorious operations.
Since then, a new breed of ransomware gang has emerged from the ashes. Five or six people strong, these groups keep a low profile, mimic Western phrasing to lure employees into downloading malware, and do not hesitate to use zero-day vulnerabilities to burrow into cloud storage and gain access to some of the planet’s largest IT systems. In short, they are more ambitious, more technically proficient and more dangerous than ever before.
Smaller ransomware groups are forming to avoid law enforcement
By the end of 2021, high-profile groups including REvil, Conti and Blackmatter had joined DarkSide in collapsing under the weight of scrutiny from international law enforcement. All that was left of these networks, explains Advanced Intelligence’s head of research Yelisey Boguslavskiy, “was the operational side of it”.
Those that have been working as gang affiliates for a while were the ones who weathered the storm, adds Allan Liska, an intelligence analyst at Recorded Future. “They know the operations in and out,” he says. “They know how to do the negotiations. They know how to make code adjustments and all that other stuff. So, they’re fine without a big umbrella group to support them.”
These criminals, in turn, became the leaders of a new set of ransomware groups, including the likes of Hive, which is thought to include hackers from Conti and has grown infamous for extorting healthcare providers. Hive exemplifies the new breed of gangs, which are smaller, “more effective and they are more high-profile when it comes to targeting,” says Boguslavskiy.
Their new prey, explains Liska, are cloud providers and large companies, using attacks that place much greater emphasis on the psychological manipulation of key employees within corporate structures. “That’s where ransomware is going next,” he says. “Rather than technological innovation, it’s an evolution of social network analysis.”
For many of these gangs, adds Liska, the deft use of psychological manipulation is an easy way to get ahead. “As one of the actors said during internal communications,” he continues, “’We can’t win the war on the technology side because we’re competing with companies that have budgets of tens of billions of dollars. We can never win that, but we can win the social side of things.’”
Ransomware groups – particularly those operating from Russia – are also more alert to the need to adopt ‘Western’ standards of behaviour to more easily dupe employees in US, British and European companies during these phishing campaigns. “If you want to weaponise the social aspect of the Western community, you need to sound like a Westerner,” says Boguslavskiy.
Russian-based gang Black Basta has been particularly adept at these types of operations, in some cases gaining access to corporate systems using fake DocuSign attachments. Operating since April of this year, the group has hit almost 50 victims across the US, UK, Canada, Australia and New Zealand.
New ransomware gangs, new tactics
This isn’t to say that this new generation of cybercriminals is lacking in technical acumen. In some ways, they are more dangerous than their predecessors. “All these groups are focused on targeted attacks, on extremely well-developed phishing campaigns with very clear methodologies for infection, dissemination and use of customised malware,” explains Boguslavskiy.
Western companies are better at backing up their own data and plugging holes in their defences. But ransomware gangs have found new ways to undermine these efforts, as well.
The increasing use of zero-day attacks, exploiting vulnerabilities that have no patch, indicates the growing sophistication of this new generation of cybercriminals. A report by security company CrowdStrike found that, in 2021, Chinese threat actors were actively exploiting zero-day vulnerabilities in platforms such as Atlassian’s Confluence and ManageEngine, among others.
One such actor called DEV-0401 is described by Microsoft as a China-based lone wolf turned affiliate of LockBit 2.0, another ransomware gang. This actor has been found targeting internet-facing systems using exploits including Log4Shell.
Hackers may also start attacking cloud storage for sensitive data, states a report into ransomware by Unit42, the research arm of security platform Palo Alto.
“A majority of attacks on cloud workloads are known vulnerabilities. That’s why it’s critical to ensure that vulnerabilities are patched and misconfigurations, like privileged containers, are remediated before and through run time,” the report explained. “Given the amount of valuable data in the cloud, it is only a matter of time before we see ransomware groups target cloud environments.”
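One way to find the "privileged container" misconfiguration the report mentions before it reaches run time is to audit pod definitions. The script below is an added example, not code from Unit 42 or Palo Alto Networks; it reads a constructed document in the shape of `kubectl get pods -o json` and lists the weak settings, with a hardened pod alongside for contrast.

```python
"""Flag the runtime misconfiguration the Unit 42 report singles out, privileged
containers, in a pod list.  Added example (not Unit 42's code); the input is a
constructed document in `kubectl get pods -o json` shape."""
import json

# Constructed sample: one pod with the weak settings, one with the corrected ones.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "etl-worker"},
     "spec": {"hostPID": True, "containers": [
         {"name": "worker", "securityContext": {"privileged": True}},
         {"name": "sidecar", "securityContext": {"allowPrivilegeEscalation": False}}]}},
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"containers": [
         {"name": "api", "securityContext": {
             "privileged": False, "allowPrivilegeEscalation": False,
             "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}}]}},
]})


def audit_pod_list(pod_list_json):
    """Return (namespace/pod, container, finding) tuples; empty means clean."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        spec = pod["spec"]
        # Pod-level host namespaces expose the node to every container in the pod.
        for flag in ("hostPID", "hostNetwork", "hostIPC"):
            if spec.get(flag):
                findings.append((ref, "*", f"{flag} enabled"))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                # A privileged container gets every capability and the host's devices.
                findings.append((ref, c["name"], "privileged container"))
            elif sc.get("allowPrivilegeEscalation", True):
                # Kubernetes defaults this to true when it is not set explicitly.
                findings.append((ref, c["name"], "allowPrivilegeEscalation not disabled"))
            if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
                findings.append((ref, c["name"], "does not drop ALL capabilities"))
    return findings


if __name__ == "__main__":
    for ref, container, finding in audit_pod_list(SAMPLE_POD_LIST):
        print(f"{ref} [{container}]: {finding}")
```

Pointing the same function at real `kubectl get pods -A -o json` output turns it into a quick pre-deployment or periodic check.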
Data extortion dominance
Initially, ransomware gangs plied their trade by encrypting files and demanding money for the encryption key. As ransomware became more popular, other extortion techniques became prominent, but ultimately did not last, explains Boguslavskiy. “Data encryption is too messy on the technical level. It could still go wrong and corrupt the data instead of encrypting it,” he explains.
Now, ransomware gangs focus on stealing data before extorting targets. In June, CISA and the FBI released a joint advisory about Karakurt Lair, a gang whose data extortion attacks were typically accompanied by ransom demands of between $25,000 and $13m in Bitcoin. As of May, the group has posted several terabytes of data allegedly belonging to victims across North America and Europe, naming and shaming the recalcitrant targets who had refused to pay and issuing instructions for participation in ‘auctions’ of their corporate secrets.
Implementing extortion-only tactics may be another way of avoiding law enforcement, agrees Liska. “I think there’s a lot of interest in extortion-only as a tactic because it’s easier. You don’t have to do as much work and there’s less chance of getting caught. It does seem like law enforcement right now isn’t paying close attention to the extortion-only groups versus the ones that actually deploy ransomware.”
A new era of ransomware
There are still ways for companies to shore up their defences against this increasing ransomware risk. Keeping up to date on patching, for example, will prevent systems from becoming low-hanging fruit. It’s also possible, albeit more difficult, to protect staff from succumbing to the social engineering evident in many of the latest attacks.
These include “breaking the loop” of ransomware attempts, according to Kaspersky, where an employee contacts the source of an exciting or worrying email directly rather than replying in the thread. They can look at the source of the URL or the email to ascertain if it is trustworthy, or just ask for proof of the sender’s identity.
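The two checks above, looking at where a link really points and at who the reply would actually go to, can also be automated at the mail gateway or in a triage script. The code below is an added example, not Kaspersky's; the message it inspects is constructed, and the anchor regex is deliberately simple.

```python
"""Check an email the way the paragraph above suggests: compare the sender
domains, and compare each link's visible text with where it really points.
Added example (not Kaspersky's code); the message below is constructed."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: the Reply-To domain differs from From, and the first
# link's visible text shows a different host than its href.
RAW_EMAIL = b"""From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll-desk@mail-example-corp.xyz
To: alice@example-corp.com
Subject: Action required: updated direct deposit form
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the form today:</p>
<a href="https://login.example-corp-secure.xyz/docs">https://docusign.example-corp.com/form</a>
<a href="https://intranet.example-corp.com/hr">HR portal</a></body></html>
"""

# Adequate for simple HTML bodies; use html.parser for nested markup.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(header):
    """Domain part of the first address in a parsed address header."""
    return header.addresses[0].addr_spec.rsplit("@", 1)[-1].lower()

def _host_of_text(text):
    """Hostname if the link text itself looks like a URL or domain, else None."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    if not re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+", text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname

def check_email(raw):
    """Return human-readable warnings; an empty list means no red flags found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    from_dom = _domain(msg["From"])
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != from_dom:
        warnings.append(f"Reply-To domain {_domain(msg['Reply-To'])} differs from From domain {from_dom}")
    html = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname
        text_host = _host_of_text(text)
        if text_host and text_host != href_host:
            warnings.append(f"link text shows {text_host} but points to {href_host}")
    return warnings
```

Either warning is a cue for the employee to contact the apparent sender through a known channel rather than reply in the thread.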
While these might sound like straightforward responses to attempted subversion, getting employees to react in this way requires rigorous training. But with technology skill shortages plaguing employers, extensive training in how to spot and appropriately deal with social engineering attacks may be nearly impossible to implement successfully. As such, companies around the world should brace themselves for a new era in ransomware – one more dangerous and unpredictable than the last.