By Jamie MacColl
In this blog, one of our analysts examines one of the key trends for 2020 (and one of our 2020 predictions): the increasing prevalence of ransomware operations that also steal and sell or leak data.
Despite frequent predictions of its demise, ransomware techniques have continued to innovate and evolve to remain among the pre-eminent threats for most organisations. In 2020, one of the key trends in the cybercriminal threat landscape is the rise of ransomware operations that also affect the confidentiality of data by stealing it and then threatening to leak or sell it to extort victims. As organisations have become more adept at implementing back-up policies, cybercriminals have started to tailor their ransomware operations to increase their chances of monetising a successful compromise of a victim’s networks. In our 2020 Forecast, we argued that the number of ransomware incidents of this kind recorded in our intelligence report database would double by the end of the year (see figure 1).
In fact, these types of operations have been so popular that by the end of June our intelligence reporting database suggested that our 2020 prediction had already been met halfway into the year (see Figure 2).
In light of this, our 2020 prediction is actually likely to be exceeded. In this blogpost, we explain why these types of operations have become so popular and what the future holds for ransomware.
Exfiltrating data before encrypting it provides ransomware operators with additional leverage when trying to extort a victim. Although many organisations have become more adept at implementing back-up policies, the consequences of a successful data breach can cause significant reputational and financial damage, particularly if attackers are able to access sensitive personally identifiable-information (PII) of customers or clients.
Data exfiltration can also shift the balance of control of an incident in favour of the attacker: while organisations can control data backups or recovery, as soon as data leaves their perimeter they are faced with the dilemma of negotiating or confronting the commercial, regulatory and financial consequences of a public data breach. In August 2020 CWT, a US-based travel management company, faced this choice. It paid USD 4.5 million to the operators of Ragnar Locker ransomware after they encrypted the company’s files and stole more than 2 TB or sensitive data related to CWT’s corporate clients, including payment card data and other financial information that could be monetised if leaked or sold on the deep and dark webs.
Exfiltrating data also increases options for ransomware operators in cases where they have been unable to successfully encrypt their victim’s endpoints or data. Put another way, this approach offers flexibility: if attempts at encrypting data are thwarted, attackers can pivot and use breached data as leverage. In May 2020, for example, a ransomware group was able to extort a ransom payment after stealing data from Blackbaud, a US-based provider of software and cloud hosting solutions, despite the company preventing their systems from being encrypted. This flexibility can also serve to increase the potential impact on victims where the threat to the confidentiality of their data is greater than the threat to its availability.
The rise of “big-game hunting”
The popularity and success of encrypt and leak operations is also being driven by a broader trend in the cybercriminal landscape: the rise of “big-game hunting” ransomware groups. In contrast to ransomware delivered via mass phishing campaigns, “big-game hunting” operations are highly tailored and target large organisations. Groups that engage in such operations often spend several months in a victim’s network before waiting to deploy ransomware or exfiltrate data at a time of their choosing. As Figure 4 demonstrates, these types of operations have become increasingly popular in the last two years.
This type of approach lends itself to encrypt and leak operations because it allows attackers to identify their target’s most sensitive data. As big-game hunters will typically spend prolonged periods on a victim’s network, they can exfiltrate data which is likely to cause embarrassment and therefore increase leverage for extortion demands, or find PII or financial information that can be monetised on cybercriminal forums or markets.
Regulation such as the GDPR has also effectively increased the sensitivity and value of PII to its processors – and therefore also the potential leverage it provides to extortionists – owing to the substantive potential fines that many be issued as a result of breaches.
This is part of the reason why encrypt and leak operations target organisations in sectors – particularly professional services, healthcare, technology and financial services – that are likely to process significant amounts of sensitive data (see Figure 5 below).
Dedicated data leak and auction sites
Cybercriminals also now post this data on dedicated leak sites to increase the pressure on victims and publicly shame them into paying ransoms. In February, operators of the DoppelPaymer ransomware variant became the first group to set up a dedicated website – Dopple Leaks – for leaking victims’ data. Actors behind Sodinokibi, Maze, Nefilim, Clop and other ransomware strains quickly followed suit, and now nearly all cybercriminal groups that engage in encrypt and leak operations have dedicated data leak sites. This trend even extends to ransomware-as-a-service (RaaS) strains such as Netwalker, which has a dedicated website that automates data leaks, with countdown timers included to increase the pressure on victims to pay (see Figure 6).
Another factor which has driven the success of encrypt and leak operations is the ability of some groups to work together on leaking data. The operators of Maze ransomware have been trailblazers in this regard. In June, the group partnered with several of its competitors – including LockBit and Ragnar Locker – by allowing them to publish stolen data on its own data leak blog. Both parties benefit in this scenario: Maze draws further attention to its blog and its own victims’ data, increasing pressure on them to pay, while Maze’s partners are able to promote their activities and take advantage of Maze’s notoriety as the first group to engage in encrypt and leak operations.
Some groups have gone one step further in their efforts to monetise stolen data and launched “auction” features on their websites. This feature has a dual effect: they can increase pressure on victims unwilling to pay, or generate payments from other cybercriminals seeking to use stolen, credentials, PII or payment card data for future operations or fraud. Most notably, Sodinokibi operators have used this feature to try and auction off sensitive legal documents belonging to GSMLaw, a media and entertainment law firm that represents many prominent celebrities. The extensive media coverage that followed this breach also served as a form of marketing for Sodinokibi, which in turn will lead to the further proliferation of encrypt and leak operations and dedicated leak and auction sites.
Remote access vulnerabilities
The growth of encrypt and leak operations has been enabled by the broader shift towards exploiting remote access vulnerabilities in remote working tools, VPN gateways, Remote Desktop Services and Firewall administration. As these vulnerabilities tend to exist on the edge of networks, scanning for them allows attackers to identify and prioritise targets more easily. Vulnerabilities such as CVE-2019-11510, which affects Pulse Secure VPN Gateway, and CVE-2019-19781, which affects Citrix Gateway, provide a high level of access and can give attackers an immediate foothold in core business networks.
In addition, they may store a large number of current user and administrator credentials, which allows attackers to ensure persistence and enables them to build up a detailed understanding of the target organsation. This, in turn, allows for the identification of the most sensitive data to encrypt and steal.
The availability of these types of remote access vulnerabilities has also been exacerbated by circumstances imposed by COVID-19, which has forced more organisations to use corporate VPNs and other remote access tools, and disrupted the patching process. As this disruption looks set to persist for the near future, encrypt and leak operations will continue to take advantage of companies inability to protect their changing attack surface.
The trickle-down effect: the spread of tactics, techniques and procedures (TTPs)
The early success of the operators of Maze and Sodinokibi – along with their ability to market this success – is another reason why encrypt and leak operations have spread so quickly. As we detailed in a previous blog post, like any successful business, cybercriminal enterprises learn from the best, and adopt strategies and TTPs that succeed. Research suggests that the shift to “big-game hunting” and encrypt and leak operations is paying off, with the average ransom payment rising significantly in Q4 2019, Q1 2020 and Q2 2020. In short, the momentum of encrypt and leak operations have grown as returns have proven to be higher.
The future of ransomware operations
Given the success of encrypt and leak operations, we expect ransomware groups will continue to exfiltrate data to maximise leverage and financial gains. Indeed, we assess that the scale of data exfiltration is likely much greater than reported, with some operators using the data, either themselves or in partnership with other cybercriminals, for future operations, including fraud. In some cases, the cybercriminals will wish to remain covert: breaking victims’ trust inhibits the ability to receive payments from them in the long run.
Moreover, as big-game hunters are gaining the kind of access that allows them to remain persistent, victims face the prospect of rolling leaks, as ensuring the complete removal of attackers is challenging. The access provided by the internet-facing vulnerabilities means that threat actors are able to spread through an environment and affect email servers, endpoints, inboxes and a variety of applications. More broadly, this strategy is likely to trickle down to less sophisticated cybercriminals and a wider variety of RaaS and commodity strains.
As always, mitigating the threat from ransomware requires a threat-led and risk-based approach. Risk holders and boards need oversight tools to allow them to verify that their own IT operations and critical third-party IT operations teams are actually patching and securing the assets that are most frequently targeted in these operations. This is where real-time passive vulnerability and threat reporting services can help.
They will show the vulnerable systems as the attackers see them and they detect the attackers’ discussions of new vulnerabilities, exploits and targets. They also give a unique, independent view of an organisation’s attack surface over time and convert this into accessible metrics that can be easily understood and processed by senior risk holders. These tools are critical to managing the risk and verifying its proper management.
Jamie MacColl is an Orpheus researcher.
 https://www.computerweekly.com/news/450420298/Infosec17-WannaCry-could-be-demise-of-ransomware ; https://www.siliconrepublic.com/enterprise/ransomware-intel-mcafee-threat-cyberattack ; https://www.securityweek.com/downward-trend-healthcare-ransomware-attacks-may-be-temporary