Big-game ransomware isn’t like earlier, indiscriminate ransomware attacks. This wave is coming from attackers who are more sophisticated and organized and deploy their ransomware as part of well-planned campaigns to make money. Unfortunately, big-game ransomware victims have more to worry about than just getting their data and systems back. I’ll discuss why that is, and why early detection has become that much more important for your company.
Small-time criminals go for the quick buck. They don’t have the time or skill to pull off an enterprisewide cyberattack while covering their tracks. Big-game ransomware groups are not small-time criminals — they have time, skills and motivation. That means they’ll get in, figure out what matters and then burn things to the ground only when they’ve maximized their return.
Earlier Waves Were Different
Early ransomware campaigns, like Locky, were indiscriminate and unsophisticated relative to today’s attacks. Attackers spread ransomware to anyone they could target, often in large-scale phishing campaigns. Unsuspecting recipients would click a malicious link and become infected. They would end up with ransomware-encrypted files on their workstations and, for corporate users, in their data centers. Cryptocurrency then made it possible for attackers to collect their ransom anonymously.
Attackers didn’t need fancy exploits; they only needed an average user to open a malicious link or attachment in a phishing email. From there, the ransomware encrypted every file the user’s account could write to, including mapped network shares. That was usually enough to collect a healthy ransom for very little effort. Infections were frequently traceable to one or a handful of users who clicked the link, and there was rarely evidence that the attackers had done more than a smash and grab: no stealthy reconnaissance, no privileged access, no data theft.
A second wave of ransomware began with the well-publicized WannaCry attack. It still propagated indiscriminately, but it was far more powerful because it carried a worm built on a leaked Windows SMB exploit (EternalBlue) for which Microsoft had already published a patch. WannaCry and NotPetya spread peer to peer and across company boundaries, taking over unpatched systems and holding both the system and its data for ransom. Even though the attackers didn’t monetize their efforts efficiently (NotPetya in particular offered victims no workable way to recover), these attacks were devastating and a sign of things to come.
What To Expect From Big-Game Ransomware
Ransomware still isn’t subtle, like someone slowly siphoning funds from your bank account or stealthily spying on your corporate communications. It’s an in-your-face stickup. See me; fear me; pay me. Or else.
The final payload isn’t stealthy either: once it starts encrypting files or disabling systems, everyone notices. What big-game ransomware changes is everything before that point. The attackers quietly compromise and stage many systems across the victim’s network, staying silent until the final destructive phase, which they trigger on their own schedule.
Our company recently analyzed a new strain of ransomware, called “Save the Queen,” that distributes its ransomware from its victim’s Active Directory Servers (known as Domain Controllers). Domain Controllers hold the keys to your digital kingdom. They are important systems that pretty much every other system connects to, making them ideal for distributing ransomware. Because of their importance, manipulating Active Directory Servers requires a very high level of access — and that’s exactly what these attackers had.
Access is one thing that makes big-game ransomware so scary. For attackers, getting past the network perimeter is just another day at the office. They can easily gain access to high-level applications or administrative accounts. They can use your own infrastructure against you, like the attackers responsible for Save the Queen did.
If big-game hunters have all this access, why wouldn’t they also grab financial information or intellectual property? Trade on insider information? Grab copies of important files before they encrypt them so they can threaten to leak them later?
It would be naïve to think they don’t. And that should be a board-level worry. Some attackers might not want to bother sifting through data when they can do a quick smash-and-grab ransomware job. But as these groups get more organized and efficient at monetizing your property, it’s more likely that they’re not going to leave any money on the table.
If you look at the price of Monero, a newer cryptocurrency, you can see how economics comes into play. When the price of Monero was high, attackers would commandeer your systems to mine Monero (cryptomining) for as long as they could. We found miners that had been working for over a year. With Monero so pricy, it was more lucrative to shear the sheep than slaughter it. As the price of Monero fell, well, the sheep got nervous.
Four Ways to Protect Your Organization
1. Know where your intellectual property, financial information, personal data and sensitive emails are stored before attackers start looking to steal, leak or encrypt them. Restrict access to only those who need it to reduce your attack surface.
2. Think about the worst time for a system or dataset to be unavailable, like right before your busiest week. Attackers are thinking of that, too. You’ll be in better shape if you’ve worked through a plan to compensate instead of having to improvise under pressure.
3. A lot of ransomware preparedness centers on backups, and backups are essential. The hard part is determining what to recover, especially for files. Many companies don’t track file system activity, so they can’t tell which files were encrypted, or when, without hunting for ransom notes. If you don’t have a record of file activity, start keeping one so you can see exactly which files the compromised accounts touched and from what point in time you need to restore.
4. Make automation work for you. With the right activity logs and analysis, automation can detect and stop potential attacks before they spread. Make sure to prioritize logging and analyzing activity on critical datasets and systems like large, important data stores, Active Directory and other telemetry that can tip you off when an attacker has snuck into your network.
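The file-activity record in item 3 and the automated detection in item 4 can be prototyped together. What follows is an added example, not code from the original article or from the author’s company. It parses a constructed log of file events (the CSV layout of timestamp, user, action and path, and the sample lines themselves, are assumptions), flags any account that writes to a threshold number of distinct files inside a short window, which is the footprint an encryptor leaves on a share, and then lists every file that account touched from the start of the burst, which is the restore list for backups.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (assumed CSV layout: ISO timestamp, user, action, path).
# 'alice' edits a few files over ten minutes; 'bob' renames 25 files in 25
# seconds and then drops a note, the footprint an encryptor leaves on a share.
SAMPLE_LOG = "\n".join(
    [
        "2020-03-02T09:00:00,alice,modify,/srv/shares/finance/q1.xlsx",
        "2020-03-02T09:04:12,alice,modify,/srv/shares/finance/q1.xlsx",
        "2020-03-02T09:09:40,alice,create,/srv/shares/finance/notes.docx",
    ]
    + [
        f"2020-03-02T09:10:{i:02d},bob,rename,/srv/shares/hr/file{i:03d}.docx"
        for i in range(25)
    ]
    + ["2020-03-02T09:10:30,bob,create,/srv/shares/hr/README_DECRYPT.txt"]
)

# Actions that change data on disk; reads are ignored for burst detection.
WRITE_ACTIONS = {"create", "modify", "rename", "delete"}


def parse_log(text):
    """Parse log lines into (timestamp, user, action, path), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {user: burst_start} for every account whose write activity
    touches at least `threshold` distinct paths inside any `window`.
    One sliding deque per user keeps this linear in the number of events."""
    recent = {}
    alerts = {}
    for ts, user, action, path in events:
        if action not in WRITE_ACTIONS or user in alerts:
            continue
        dq = recent.setdefault(user, deque())
        dq.append((ts, path))
        while ts - dq[0][0] > window:  # drop events older than the window
            dq.popleft()
        if len({p for _, p in dq}) >= threshold:
            alerts[user] = dq[0][0]  # earliest event still inside the window
    return alerts


def affected_files(events, user, since):
    """Every path the flagged account wrote to at or after the burst start:
    the set to restore from backup, without hunting for ransom notes."""
    return sorted({path for ts, u, action, path in events
                   if u == user and ts >= since and action in WRITE_ACTIONS})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, start in find_bursts(evs).items():
        hit = affected_files(evs, user, start)
        print(f"ALERT {user}: burst from {start.isoformat()}, "
              f"{len(hit)} files to restore")
        for p in hit[:5]:
            print("   ", p)
```

In production the events would come from file server auditing (Windows object access auditing or auditd on Linux) rather than a string, and the window and threshold need tuning per share: a build server legitimately rewrites thousands of files a minute, a finance share does not. The alert is the point where automation can act (disable the account, cut the session) while the blast radius is still a single share rather than the whole estate.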
Remote workers are now easy conduits to corporate resources, and most organizations are unprepared to spot unusual activity generated by these remote users. Your goal should be to detect attackers who are looking to take advantage of remote workers as early as possible.