www.extrahop.com
Open in
urlscan Pro
54.148.157.239
Public Scan
Submitted URL: http://app.wiredata.extrahop.com/e/er?utm_campaign=2022-q1-february-newsletter-general-dynamic-noam-uk&utm_medium=email&utm_sourc...
Effective URL: https://www.extrahop.com/resources/learning/ransomware-retrospective/?utm_campaign=2022-q1-february-newsletter-general-dy...
Submission: On February 18 via api from US — Scanned from DE
Effective URL: https://www.extrahop.com/resources/learning/ransomware-retrospective/?utm_campaign=2022-q1-february-newsletter-general-dy...
Submission: On February 18 via api from US — Scanned from DE
Form analysis 1 forms found in the DOM
<form>
<input class="st-default-search-input st-search-set-focus" type="text" value="" placeholder="Search this site" aria-label="Search this site" id="st-overlay-search-input" autocomplete="off" autocorrect="off" autocapitalize="off">
</form>Text Content
* The Platform
EXTRAHOP
REVEAL(X) 360
CLOUD-NATIVE VISIBILITY, DETECTION, AND RESPONSE
FOR THE HYBRID ENTERPRISE.
Learn More
Explore Reveal(x)
How It Works
Competitive Comparison
Why Decryption Matters
Integrations and Automations
Cybersecurity Services
What is Network Detection and Response (NDR)?
Cloud-Native Security Solutions
Reveal(x) Enterprise: Self-Managed NDR
* Solutions
--------------------------------------------------------------------------------
SOLUTIONS
With the power of machine learning, gain the insight you need to solve
pressing challenges.
FOR SECURITY
Stand up to threats with real-time detection and fast response.
Learn More >
FOR CLOUD
Gain complete visibility for cloud, multi-cloud, or hybrid environments.
Learn More >
FOR IT OPS
Share information, boost collaboration without sacrificing security.
Learn More >
BY INITIATIVE
* Advanced Threats
* Ransomware Mitigation
* Multicloud & Hybrid Cloud Security
* Implement Zero Trust
* Security Operations Transformation
BY VERTICAL
* Financial Services
* Healthcare
* e-Commerce and Retail
* U.S. Public Sector
Featured Customer Story
WIZARDS OF THE COAST
Wizards of the Coast Delivers Frictionless Security for Agile Game
Development with ExtraHop
Read More
See All Customer Stories >
* Customers
--------------------------------------------------------------------------------
CUSTOMERS
Our customers stop cybercriminals in their tracks while streamlining
workflows. Learn how or get support.
COMMUNITY
* Customer Portal Login
* Solution Bundles Gallery
* Community Forums
* Customer Stories
SERVICES
* Services Overview
* Reveal(x) Advisor
* Deployment
TRAINING
* Training Overview
* Training Sessions
SUPPORT
* Support Overview
* Documentation
* Hardware Policies
Featured Customer Story
WIZARDS OF THE COAST
Wizards of the Coast Delivers Frictionless Security for Agile Game
Development with ExtraHop
Read More
See All Customer Stories >
* Partners
--------------------------------------------------------------------------------
PARTNERS
Our partners help extend the upper hand to more teams, across more platforms.
CHANNEL PARTNERS
* Channel Overview
* Managed Services Providers
* Overwatch Managed NDR
INTEGRATION PARTNERS
* CrowdStrike
* Amazon Web Services
* Security for Google Cloud
* All Technology Partners
PANORAMA PROGRAM
* Partner Program Information
* Partner Portal Login
* Become a Partner
Featured Integration Partner
CROWDSTRIKE
Detect network attacks. Correlate threat intelligence and forensics.
Auto-contain impacted endpoints. Inventory unmanaged devices and IoT.
Read More
See All Integration Partners >
* Blog
* More
* About Us
* News & Events
* Careers
* Resources
* About Us
* The ExtraHop Advantage
* What Is Cloud-Native?
* Leadership
* Board of Directors
* Contact Us
* Explore the Interactive Online Demo
* Take the Hunter Challenge
* Upcoming Webinars and Events
* Newsroom
HUNTER CHALLENGE
Get hands-on with ExtraHop's cloud-native NDR platform in a capture the flag
style event.
Read More
* Careers at ExtraHop
* Search Openings
* Connect on LinkedIn
* All Resources
* Customer Stories
* Ransomware Attacks in 2021: A Retrospective
* White Papers
* Datasheets
* Industry Reports
* Webinars
* Cyberattack Glossary
* Network Protocols Glossary
* Documentation
* Firmware
* Training Videos
Login
Logout
Start Demo
THE PLATFORM
SOLUTIONS
CUSTOMERS
PARTNERS
BLOG
MORE
START THE DEMO
CONTACT US
Back
EXTRAHOP
REVEAL(X) 360
Cloud-native visibility, detection, and response
for the hybrid enterprise.
Learn More
HOW IT WORKS
COMPETITIVE COMPARISON
WHY DECRYPTION MATTERS
INTEGRATIONS AND AUTOMATIONS
CYBERSECURITY SERVICES
WHAT IS NETWORK DETECTION AND RESPONSE (NDR)?
CLOUD-NATIVE SECURITY SOLUTIONS
REVEAL(X) ENTERPRISE: SELF-MANAGED NDR
Back
SOLUTIONS
Learn More
SECURITY
CLOUD
IT OPS
USE CASES
EXPLORE BY INDUSTRY VERTICAL
Back
CUSTOMERS
Customer resources, training,
case studies, and more.
Learn More
CUSTOMER PORTAL LOGIN
CYBERSECURITY SERVICES
TRAINING
EXTRAHOP SUPPORT
Back
PARTNERS
Partner resources and information about our channel and technology partners.
Learn More
CHANNEL PARTNERS
INTEGRATIONS AND AUTOMATIONS
PARTNERS
Back
BLOG
Learn More
Back
ABOUT US
NEWS & EVENTS
CAREERS
RESOURCES
Back
ABOUT US
See what sets ExtraHop apart, from our innovative approach to our corporate
culture.
Learn More
THE EXTRAHOP ADVANTAGE
WHAT IS CLOUD-NATIVE?
CONTACT US
Back
NEWS & EVENTS
Get the latest news and information.
Learn More
TAKE THE HUNTER CHALLENGE
UPCOMING WEBINARS AND EVENTS
Back
CAREERS
We believe in what we're doing. Are you ready to join us?
Learn More
CAREERS AT EXTRAHOP
SEARCH OPENINGS
CONNECT ON LINKEDIN
Back
RESOURCES
Find white papers, reports, datasheets, and more by exploring our full resource
archive.
All Resources
CUSTOMER STORIES
RANSOMWARE ATTACKS IN 2021: A RETROSPECTIVE
CYBERATTACK GLOSSARY
NETWORK PROTOCOLS GLOSSARY
DOCUMENTATION
FIRMWARE
TRAINING VIDEOS
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RANSOMWARE RETROSPECTIVE
RISE OF THE ADVANCED
EXTORTIONATE THREAT
* Intro
* Timeline
* Tactics
* Infrastructure
* Insurance
* Kill Switch
* Conclusion
RANSOMWARE RETROSPECTIVE 2021
ansomware is not new. Since 2016, the United States Department of Justice
estimates that more than 4,000 ransomware attacks have been perpetrated against
US organizations every single day. While that number is staggering, the scope
and severity of the problem is even larger. Chronic underreporting of attacks
means that the daily number is likely far greater. The nature of ransomware
attacks have also changed dramatically over the last eighteen months, with
advanced nation-state tactics making their way into for-profit cybercriminal
activity. In this report, we explore the ways in which ransomware has become an
advanced threat with the "hat trick" of exfiltration, encryption, and software
exploitation; how governments are changing their treatment of ransomware
attackers; and what organizations can do to reclaim the advantage.
INTRO
TROUBLING
RANSOMWARE TRENDS
In March 2021, the cybercriminal syndicate known as REvil (aka Sodin, aka
Sodinokibi) detonated an attack on Acer, the Taiwanese computer giant. At the
time, it was the highest ransom demand ever made—$50 million. But while the
price for the decryption keys was itself noteworthy, this attack drew attention
for another reason. The "double extortion" model used by REvil—first exfiltrate
the data, then encrypt it—wasn't new. But during the ransom negotiations, REvil
claimed to have gone one step further, indicating that they had introduced an
exploit into Acer software. If true, this would have allowed REvil to use Acer
software to perpetrate attacks on Acer customers, in much the same way that
SolarWinds Orion software had become an attack vector just a few months earlier.
What REvil was alleging was a worst-case scenario: a Cyber Hat Trick including
exfiltration, encryption, and exploitation that—if successfully executed—would
not only have done considerable damage to the original victim, but given the
attackers easy access to thousands, if not tens of thousands, of other
organizations.
Unfortunately, in July, the REvil attack on Kaseya confirmed the cybersecurity
communities' fears. A ransomware gang had compromised a build server for a
widely used enterprise software and introduced an exploit that enabled them to
conduct a ransomware attack on a massive scale. It was SUNBURST—for profit.
With the attacks on Acer, Colonial Pipeline, and Kaseya in just six months,
ransomware gangs have thrown the increasing use of advanced nation-state tactics
into sharp relief. These attacks should no longer be called ransomware, but
rather a new class of advanced persistent threat.
In this report, we'll look back at the evolution of the advanced ransomware
techniques in 2021, and what governments and private organizations can do to
combat the threat.
THE NEW CLASS OF RANSOMWARE THREATS
HEADACHES AND HEADLINES
In late 2020, a large retailer based in North America received an alert in
ExtraHop Reveal(x) 360 that ransomware activity had been detected. The same
devices were also seeing alerts for detections on SMB data staging and
suspicious file reads. The customer's security team determined that the
attackers were also in the process of exfiltrating data before they encrypted it
in an effort to inflict maximum damage—a double extortion technique that has
become increasingly common over the last eighteen months.
By detecting this pre-ransomware deployment kill chain activity, the customer
was able to quickly identify and quarantine affected assets and accounts, and as
a result, the attackers were only able to encrypt a small percentage of targeted
files.
According to a recent ExtraHop survey of 500 CISOs and other IT security leaders
in North America and Europe, many are not so lucky.
85%
have suffered a ransomware attack in the last 5 years
38%
have suffered
5 or more ransomware attacks in the last 5 years
51%
had impact
to IT infrastructure
46%
attacks targeted
end users
98%
of attacks resulted in downtime, data loss,
fines
57%
paid the ransom
in half of ransomware attacks
Results from an ExtraHop survey of 500 CISOs and IT security leaders
HIGH PROFILE RANSOMWARE ATTACKS IN 2021
JAN
FEB
MAR
APR
MAY
JUN
JUL
AUG
SEP
OCT
NOV
DEC
2.26.2021
3.19.2021
3.20.2021
3.23.2021
4.21.2021
4.26.2021
4.28.2021
5.7.2021
5.31.2021
7.2.2021
8.11.2021
8.15.2021
9.7.2021
12.13.2021
Ransom Report
2.26.2021
Kia Motors
VICTIM
DEMAND
$20M
PERPETRATOR
DOPPELPAYMER
TECHNIQUES
UNKNOWN
In February, multiple media outlets began reporting that a Kia outage was
actually due to a ransomware attack. Bleeping Computer obtained a copy of a
ransom note from DoppelPaymer, the alleged attackers, demanding $20 million in
Bitcoin payments. While there was substantial evidence that Kia had in fact been
the victim of an attack, the company has continued to deny that any such attack
took place.
Ransom Report
3.19.2021
Acer
VICTIM
DEMAND
$50M
PERPETRATOR
REVIL
TECHNIQUES
EXFILTRATION, ENCRYPTION, ALLEGED EXPLOITATION
At the time, the ransom demand on electronics giant Acer ($50 million) broke the
record for the largest ransom demand to date. REvil used multiple extortion
techniques to add leverage to the demand by combining encryption with data
exfiltration and exploitation. As a result of their success with Acer, a newly
emboldened REvil went on to set higher demands months later with an attack on
Kaseya.
According to BleepingComputer, REvil may have leveraged a Microsoft Exchange
Server vulnerability to gain initial access, which would mark the first time a
major ransomware actor successfully weaponized Microsoft Exchange as an attack
vector.
Ransom Report
3.20.2021
Sierra Wireless
VICTIM
DEMAND
N/A
PERPETRATOR
UNDISCLOSED
TECHNIQUES
EXFILTRATION, ENCRYPTION
Ransomware halted production for Sierra Wireless, a Canadian IoT manufacturer
with operations around the world. According to a statement released by the
company, the attack affected internal operations and made the company's
corporate website inaccessible, but the risk did not extend to consumer products
or systems.
Sierra Wireless hired an independent incident response firm to investigate the
attack, but the initial access point, demand, and responsible party are not
publicly known. The impact of the attack is believed to have caused significant
financial damage to the company, who withdrew their Q1 revenue forecast in the
aftermath.
Ransom Report
3.23.2021
CNA Financial
VICTIM
DEMAND
$40M
PERPETRATOR
PHOENIX LOCKER/EVIL CORP
TECHNIQUES
EXFILTRATION, ENCRYPTION
In March, attackers gained a foothold on CNA's network using a fake browser
update—which came from a legitimate website which had itself been hacked.
Attackers maintained access from March 5-21, using living-off-the-land tactics
to avoid detection, disabling logging and security tools, and exfiltrating data
to hold as additional leverage. On March 21, they deployed ransomware,
encrypting more than fifteen-thousand systems and demanding $40 million in
ransom.
It was reported that the source code used resembled that of the sanctioned
WastedLocker ransomware, leading to speculation that Phoenix Locker was another
evasion by Evil Corp to avoid 2019 sanctions, which prohibited any financial
transactions with them.
Ransom Report
4.21.2021
Quanta
VICTIM
DEMAND
$50M
PERPETRATOR
REVIL
TECHNIQUES
EXFILTRATION, ENCRYPTION
REvil (also known as Sodinokibi) accessed the network of technology supplier
Quanta, exfiltrating data and encrypting an undisclosed number of systems. Among
the stolen data was schematics for a number of yet-to-be-released Apple
products, which Quanta manufactures.
When Quanta refused to pay the ransom, hackers then demanded the same amount
from Apple, otherwise threatening to release the stolen blueprints. When Apple
refused to pay, REvil posted the data, which included schematics for the
upcoming MacBook Pro.
While few details of the initial hack were shared publicly, REvil commonly
exfiltrates data for additional leverage, encrypts systems, and modifies backup
software to prevent companies from restoring their data after encryption.
Ransom Report
4.26.2021
Washington DC Police
VICTIM
DEMAND
$4M
PERPETRATOR
BABUK
TECHNIQUES
EXFILTRATION, ENCRYPTION
Attackers exfiltrated sensitive files from the Metropolitan Police Department,
claiming to have more than 250 GB of personnel and case files.
Babuk uses existing tools like Bloodhound, CobaltStrike, and Metasploit to
achieve and maintain the access needed for both encryption and exfiltration
tactics.
Ransom Report
4.28.2021
Brenntag
VICTIM
DEMAND
$7.5M
(PAID $4.4M)
PERPETRATOR
DARKSIDE
TECHNIQUES
EXFILTRATION, ENCRYPTION
Darkside attacked German chemical manufacturer Brenntag, a company with over
17,000 employees working at over 670 sites worldwide. In addition to locking
Brenntag out of business-critical applications and data, Darkside also claimed
to have stolen 150GB of data during the attack. While Darkside initially
demanded a $7.5 million payment, Brenntag ultimately settled the matter with a
payment of the equivalent of $4.4 million in bitcoin.
Ransom Report
5.7.2021
Colonial Pipeline
VICTIM
DEMAND
$4.4M
PERPETRATOR
DARKSIDE
TECHNIQUES
EXFILTRATION, ENCRYPTION
There is nothing like the spectre of a gas shortage to capture the attention of
the American public or the federal government, and the Darkside ransomware
attack on Colonial Pipeline in May 2020 did just that, rocketing ransomware to
the top of the national agenda. While Darkside made clear in the days following
the attack that they didn't intend to hit such a critical and visible target,
the damage was done. While only Colonial Pipeline's IT systems were hit, the
company nevertheless shut down pipeline operations until it could fully
investigate the scope of the incidents, resulting in hours-long lines and a
panic over access to fuel up and down the Eastern seaboard.
Ultimately, the US government responded by attacking and disabling Darkside's
servers, the first—but not the last—such action the US government would take in
2021.
Watch the Webinar: How to Catch & Stop Next-Gen Ransomware
Ransom Report
5.31.2021
JBS USA
VICTIM
DEMAND
$11M
PERPETRATOR
REVIL
TECHNIQUES
EXFILTRATION, ENCRYPTION
JBS USA is one of the largest meat suppliers in the US. On May 31, 2021, JBS
announced that a ransomware attack required them to temporarily halt operations
at five of their US plants, as well as across parts of their UK and Australian
operations. In order to prevent disruption to grocery supply chains and limit
panic buying, JBS chose to pay the $11 million ransom demand. The FBI attributed
the hack to REvil.
Ransom Report
7.2.2021
Kaseya
VICTIM
DEMAND
$70M
PERPETRATOR
REVIL
TECHNIQUES
EXFILTRATION, ENCRYPTION, EXPLOITATION
While REvil claimed to have compromised Acer's build server, they made good on
the threat when they successfully infiltrated IT solutions provider Kaseya. Not
only was Kaseya locked out of it's systems and data, the malware spread through
Kaseya software to over 1,500 organizations across multiple countries.
The ransom demand—$70 million in Bitcoin to provide the encryption keys—was the
largest in history, handily beating the previous record demanded in REvil's
attack on Acer. Although it's not known how many Kaseya customers independently
paid to have their data released, Kaseya itself opted not to pay the ransom,
instead cooperating with the US government. Kaseya's decision to cooperate in
the investigation would ultimately lead to the takedown of REvil.
Learn More About the Kaseya REvil Ransomware Attack
Ransom Report
8.11.2021
Accenture
VICTIM
DEMAND
$50M
PERPETRATOR
LOCKBIT
TECHNIQUES
EXFILTRATION, ENCRYPTION
In August 2021, news broke that global consulting firm Accenture was the victim
of a ransomware attack by LockBit. The attackers claimed to have exfiltrated
more than 6TBs of data from the company—a detail not confirmed by Accenture for
months and then only in SEC filings. In exchange for this stolen data, as well
as the encryption keys, LockBit demanded $50 million. It is not clear what, if
any, ransom Accenture paid.
Ransom Report
8.15.2021
Brown-Forman
VICTIM
DEMAND
N/A
PERPETRATOR
REVIL
TECHNIQUES
EXFILTRATION
Brown-Forman, the parent company of well-known brands including Jack Daniel's,
Woodford Whiskey, and Finlandia Vodka, announced that it had been hit by
ransomware. Compared to many other organizations, Brown-Forman got lucky. They
detected the activity before their files were encrypted; however, REvil still
made off with more than a terabyte of confidential data that they planned to
auction off to the highest bidder before leaking the rest.
Ransom Report
9.7.2021
Howard University
VICTIM
DEMAND
N/A
PERPETRATOR
UNKNOWN
TECHNIQUES
ENCRYPTION
At the beginning of the 2021-2022 academic year, Howard University was hit by a
ransomware attack that forced the temporary shutdown of online and hybrid
classes school-wide. While the school claimed that no student data was stolen,
the attack disrupted major systems, including taking down the school's wifi
network.
Ransom Report
12.13.2021
Kronos
VICTIM
DEMAND
N/A
PERPETRATOR
UNKNOWN
TECHNIQUES
ENCRYPTION
Kronos, a division of Ultimate Kronos Group, which provides payroll and
timesheet software, was hit by a ransomware attack that crippled its systems and
effectively shut down payroll and timesheet operations for thousands of global
customers. While the perpetrators and the ransomware demand have not yet been
disclosed, the broad impact of the Kronos attack underscores just how costly
ransomware attacks can be, particularly when they affect widely used software
platforms.
COMMON & EMERGING
RANSOMWARE TACTICS
It used to be that the sole endgame of ransomware was encryption. Deploy the
ransomware, encrypt the files, and demand payment in exchange for the keys. In
2021, this was no longer the case.
Ransomware criminals have introduced payment incentives at multiple steps in the
killchain, from exfiltration of data to exploitation of software. The ability to
restore from backup is cold comfort when doing so will result in your customers'
data being sold on the dark web, or your customers themselves becoming the
victims of a ransomware attack.
Here are some of the most common techniques to emerge or become popular in 2021.
LATERAL MOVEMENT: LAND AND PIVOT
Ransomware gangs have adopted advanced east-west maneuvering to amplify damage
and halt business operations, improving their payment calculus. Modern
ransomware exploits IT infrastructures to move stealthily and persist for longer
periods of time before springing its trap (also known as ransomware midgame),
putting security and IT at a disadvantage to prevent large-scale incidents.
LATERAL MOVEMENT: LAND AND PIVOT
Ransomware gangs have adopted advanced east-west maneuvering to amplify damage
and halt business operations, improving their payment calculus. Modern
ransomware exploits IT infrastructures to move stealthily and persist for longer
periods of time before springing its trap (also known as ransomware midgame),
putting security and IT at a disadvantage to prevent large-scale incidents.
ACTIVE DIRECTORY EXPLOITATION
Ransomware playbooks share a common focus on exploiting Active Directory (AD).
Targeting domain admin privileges via AD speeds asset collection and data
compromise. Ransomware now demonstrates shockingly short average dwell
times—just five days, according to Fireeye-Mandiant's 2021 M-Trends report.
Numerous advisories on bad actors like REvil and BlackMatter (rebrand of
Darkside) point to AD as the quickest path of attack.
ACTIVE DIRECTORY EXPLOITATION
Ransomware playbooks share a common focus on exploiting Active Directory (AD).
Targeting domain admin privileges via AD speeds asset collection and data
compromise. Ransomware now demonstrates shockingly short average dwell
times—just five days, according to Fireeye-Mandiant's 2021 M-Trends report.
Numerous advisories on bad actors like REvil and BlackMatter (rebrand of
Darkside) point to AD as the quickest path of attack.
INITIAL ACCESS BROKER
Today, ransomware is in reach of any motivated extortionists. Even the intrusion
phase can be bought through an initial access broker (IAB). Skilled IAB
operators first access business networks through phishing, RDP, supply chain,
vulnerabilities, or brute-force hacking, then sell that access on dark web
forums. Would-be extortionists can choose their victim based on business size,
country of operation, and sector, then slide into the RaaS workflow.
INITIAL ACCESS BROKER
Today, ransomware is in reach of any motivated extortionists. Even the intrusion
phase can be bought through an initial access broker (IAB). Skilled IAB
operators first access business networks through phishing, RDP, supply chain,
vulnerabilities, or brute-force hacking, then sell that access on dark web
forums. Would-be extortionists can choose their victim based on business size,
country of operation, and sector, then slide into the RaaS workflow.
DATA EXFILTRATION
Stealing data is nothing new for cybercriminals. It is naive to believe
ransom-driven criminals promise they didn't make a copy of your data and that
you have the only copy, encrypted but intact. Noisy, data exfiltration is a
critical element of the ransomware playbook. Having your data adds to their ROI
calculus, enabling a double and a bonus sold on the black market.
DATA EXFILTRATION
Stealing data is nothing new for cybercriminals. It is naive to believe
ransom-driven criminals promise they didn't make a copy of your data and that
you have the only copy, encrypted but intact. Noisy, data exfiltration is a
critical element of the ransomware playbook. Having your data adds to their ROI
calculus, enabling a double and a bonus sold on the black market.
COSTS OF RANSOMWARE RECOVERY
Availability of backups is a critical part of the payment calculus.
Unfortunately, the ransom payment has little bearing on the total financial
damage that the attack will inevitably cause. Research suggests that ransom
payments account for 10% of the actual damage to victims. In 2021 the average
ransomware payment was $170,000; the average cost of recovery was $1.85 million.
COSTS OF RANSOMWARE RECOVERY
Availability of backups is a critical part of the payment calculus.
Unfortunately, the ransom payment has little bearing on the total financial
damage that the attack will inevitably cause. Research suggests that ransom
payments account for 10% of the actual damage to victims. In 2021 the average
ransomware payment was $170,000; the average cost of recovery was $1.85 million.
RANSOMWARE +
CRITICAL INFRASTRUCTURE
There is nothing like the specter of a gas shortage to capture the attention of
the American public. When Colonial Pipeline shut down its operations in May 2021
in order to respond to a ransomware incident, drivers up and down the Atlantic
coast rushed to gas stations, waiting in hours-long lines to fill their tanks,
and in many cases filling up any vessel they had available with extra gas. While
the shutdown itself was short-lived, its impact was lasting. Just a few weeks
after the attack was disclosed, the Biden Administration announced that it would
start giving ransomware attacks the same priority as terrorist threats. The
administration has, thus far, made good on that promise.
DECISIVE ACTION
In a May 2021 press conference on the Colonial Pipeline attack, President Biden
stated: "We have been in direct communication with Moscow about the imperative
for responsible countries to take decisive action against these ransomware
networks. We're also going to pursue a measure to disrupt [ransomware
attackers'] ability to operate."
Early the following morning, news broke that Darkside—the ransomware group
responsible for the Colonial Pipeline attack—had itself gone dark, with access
cut off to its blog, payment processing, and distributed denial-of-service
(DDoS) operations. While the US government did not claim responsibility for the
takeown, within minutes of the news breaking, the 780th Military Intelligence
Brigade quietly retweeted, without comment or context, a blog from Recorded
Future about the shutdown. It wouldn't be the last time.
within minutes of the news breaking, the 780th Military Intelligence Brigade
quietly retweeted, without comment or context, a blog from Recorded Future about
the shutdown. It wouldn't be the last time.
Just before the July 4th Holiday, news broke that software provider Kaseya had
been hit by ransomware. But this was no ordinary ransomware attack. Not only had
REvil, the syndicate responsible for the attack, exfiltrated and encrypted
Kaseya's data, they had exploited a vulnerability in Kaseya's software to
propagate their ransomware out to thousands of Kaseya customers. In
consideration for pulling off the first known Cyber Hat Trick, REvil demanded a
$70 million ransom to provide the encryption keys to Kaseya and its customers.
On Tuesday, July 13, 2021, REvil disappeared from the internet. While
speculation ran rampant that either the US, Russia, or some combination of the
two governments was responsible for the takedown, there was no official comment
from either country. But as in the case of the Darkside takedown, there wasn't
complete silence. At 11:23am ET on July 13, as news was breaking that REvil was
down, the twitter account for the 780th once again quietly retweeted the news.
Within a matter of weeks, REvil had managed to restore its servers and was back
online. Then in mid-October, news once again broke that REvil had been taken
down, and this time, speculation about who was responsible didn't last long. On
October 21, Reuters confirmed the involvement of US Government agencies in both
the July and October shutdown operations.
about who was responsible didn't last long. On October 21, Reuters confirmed the
involvement of US Government agencies in both the July and October shutdown
operations.
According to Tom Kellermann, head of cybersecurity strategy at VMware and
adviser to the U.S. Secret Service on cybercrime investigations, "The FBI, in
conjunction with Cyber Command, the Secret Service and like-minded countries,
have truly engaged in significant disruptive actions against these groups. REvil
was top of the list."
BLOCKING CRYPTO RANSOMWARE PAYMENTS
In September 2021, the US Treasury Department announced its own set of actions
aimed at disrupting ransomware actors, notably a set of sanctions against
virtual currency exchanges known to facilitate ransomware payments. According to
the Treasury Department's press release, virtual currency exchanges are
"critical to the profitability of ransomware attacks." In some cases, the
exchanges themselves have been exploited by ransomware criminals in order to
facilitate payments. In many other cases, however, the currency exchanges
themselves engage in the facilitation of illicit transactions for their own
illicit purposes.
In addition to the sanctions, the Treasury department also announced new efforts
to help private sector organizations combat ransomware, as well as increase
reporting on ransomware attacks and payments.
ANALYSIS OF KNOWN SUEX TRANSACTIONS SHOWS THAT OVER 40% OF SUEX'S KNOWN
TRANSACTION HISTORY IS ASSOCIATED WITH ILLICIT ACTORS.
Press Release, US Treasury Department
THE RANSOMWARE DISCLOSURE ACT OF 2021
In October 2021, both the Biden Administration and the US Legislature announced
several major steps aimed at combating the ransomware advanced extortionate
threat.
On October 5, US Senator Elizabeth Warren and US Representative Deborah Ross
introduced a bill called The Ransom Disclosure Act. The bill, if enacted, would
require any organization that pays the ransom in a ransomware attack to disclose
that payment to US authorities within 48 hours.
that payment to US authorities within 48 hours.
The disclosure requirement is an important step in understanding the scope of
the ransomware threat. According to the recent ExtraHop CISO survey, of the
nearly three-fourths of respondents whose organizations had paid a ransom at
least once in the last five years, nearly 61% stated that they attempt to limit,
as much as possible, any public disclosure of either the attack or the ransom
payment. This affirms what most already suspect: ransomware—and ransom
payments—are far more common than is reported.
public disclosure of either the attack or the ransom payment. This affirms what
most already suspect: ransomware—and ransom payments—are far more common than is
reported.
According to the same survey, while 61% avoid any disclosure of ransomware, a
full two-thirds of respondents believe that it's actually good for companies to
disclose when ransomware attacks happen to increase awareness and improve the
ability to respond to future attacks.
ability to respond to future attacks.
Senator Warren and Representative Ross agree, and their bill is designed to take
the decision out of the hands of the victim and make it a requirement. "The data
that this legislation provides will ensure both the federal government and
private sector are equipped to combat the threats that cybercriminals pose to
our nation," said Ross as part of a joint statement about the legislation.
WHEN IT COMES TO RANSOMWARE, DISCLOSURE TO US AUTHORITIES IS A CRITICAL FIRST
STEP, BUT IT'S NOT ENOUGH.
If the victim organization happens to be part of critical infrastructure, then
they should also be required to report the attack and subsequent payment to any
associated departments that have regulatory authority or interest over that
infrastructure. If the ransom disclosures are subject to FOIA, the bill should
also require that companies provide notice to shareholders and to their board of
directors. Finally, even if individual ransom payments are not subject to public
disclosure via FOIA, the government should be required to report aggregate data
about ransom attacks and payments to Congress, the GAO, and other interested
parties.
Mark Bowling, VP, Security Services, ExtraHop
Just a week after the Ransom Disclosure Act legislation was announced, the Biden
Administration continued its own campaign to increase transparency,
accountability, and collaboration against ransomware. The administration
convened the largest multinational gathering on ransomware to-date, bringing
together law enforcement, national security, and cyber intelligence personnel
from thirty countries. The gathering produced a statement of intent to cooperate
across areas including disruption of ransomware organizations through law
enforcement and strengthening cybersecurity across the public and private
sectors, with special emphasis on hardening critical infrastructure.
THE FUTURE OF RAN$OMWARE INSURANCE
The primary philosophy behind insurance is that risk held collectively is
smaller than risk held individually—otherwise put, that bad things will happen
to some, but not to all. By paying a small amount of money into a system, every
participant gains access to a pool of money larger than what they put in, that
they can tap into if necessary.
But the system only works if the pool has more money in it than the sum of its
claims. And when the claims begin to exceed the pool, insurance becomes either
prohibitively expensive, or altogether unavailable.
When cyber insurance was originally introduced to insurance portfolios, it was
seen as a low risk means of diversification. However, over the past several
years, loss ratios in cyber policies have drastically outpaced those in the
broader casualty industry, prompting cyber insurers to urgently reassess their
risk appetites and premiums. And it looks like ransomware is to blame.
According to Insurance Journal, ransomware claims rose by 35% in 2020 and
accounted for a whopping 75% of total cyber claims (Insurance Journal). Early
predictions for 2021 appear even more grim.
The recent ExtraHop CISO survey supports this assertion. Of the 85% of
respondents whose organizations experienced at least one ransomware attack,
nearly three-quarters paid the ransom at least once. In most, if not all, of
those cases, insurance was likely involved.
This rise in claims has alarmed insurers. If the number of claims continues at
the current rate, ransomware is on track to become an uninsurable risk for
insurance providers, who will grow to view it like they see a fire in California
wine country or a flood in New Orleans—an inevitable risk. For California
wineries and New Orleans residents, the solution is obvious, if painful. If the
property you rely on for shelter or livelihood can't be protected financially or
otherwise, relocation may be the only option.
But cyberattacks are not natural disasters. They are calculated efforts made by
actors across the globe with very little to lose and everything to gain. And in
our increasingly connected and interconnected world there is nowhere to move,
and nowhere to hide.
So what happens when ransomware is deemed an uninsurable risk, as it seems
likely it will be?
It's possible that the cost burden of ransomware will fall on the taxpayer. Much
like the housing crisis of 2008, enterprises deemed "too big to fail" that are
hit by ransomware will either need to be bailed out or risk extinction.
It's also possible that governments decide to much more aggressively target
ransomware syndicates with counter-cyberterrorism measures. Following the
attacks on Colonial Pipeline and Kaseya, the US and other governments took out
the operations of Darkside and REvil. But this approach has its limitations.
It's cost prohibitive and would likely be reserved to only the most serious
attacks.
BUT THERE IS A THIRD OPTION:
SECURITY ORGANIZATIONS SIMPLY GET BETTER AT DEFENDING AGAINST THESE ATTACKS.
THE
KILL SWITCH
IN THE RANSOMWARE KILL CHAIN
he best chance organizations have to protect themselves and their customers,
avoid paying the ransom, and maintain their reputations, is to build defenses
that interrupt attackers before they spring their extortion trap. Ransomware
actors have the first-mover advantage and will likely gain initial access to the
network. Having 100% intrusion prevention is an impossible goal. Winning the
fight against ransomware requires SecOps teams to be strategic by extending the
detection window. It requires organizations to expand their attention, focusing
on damage prevention instead of intrusion prevention to establish ransomware
resilience.
The number one resource that modern ransomware attackers have on their side is
the ability to slink around the enterprise environment, just out of sight,
accumulating as many assets and data to prime their payment calculus. Therefore,
a defensive strategy must include the ability to shine a light on the dark
corners where they're hiding and living off of the land.
The good news is, extortion driven intruders are not the type to stay in place.
Their shameless drive for profit means that they're regularly moving around,
looking for meaty data to damage, steal, and dangle over victim organizations.
But, hidden in their greed is opportunity. Bad actors move laterally around your
network. Organizations have ownership and visibility over their environment. If
security teams are watching for the expansion tactics and lateral movement
common to ransomware, it's possible to identify indications of compromise before
the breach occurs.
Meet Ransomware
HOW TO MITIGATE RANSOMWARE
The modern ransomware playbook is executed in three acts. Each act has its
unique specialization, tooling, and as-a-service ecosystem.
OPENING
INITIAL INTRUSION
Attackers gain a foothold through a wide range of techniques proven effective
over time, including phishing emails.
MIDGAME
POST-COMPROMISE
The attacker pivots through your infrastructure, accumulating assets and
compromising data before springing their extortion trap.
ENDGAME
EXTORTION
It's too late, and the damage is done.
Traditionally, security operations centers (SOCs) have relied heavily on
endpoint detection and response (EDR) and security information and event
management (SIEM) tools for incident management and response. But those tools
don't provide the real-time visibility into East-West traffic that is essential
for spotting ransomware in its midgame, expanding through your infrastructure.
Target
enumeration
Lateral
movements
Domain
escalations
SMB files system
& DB exploits
Command &
control
Data
staging
EDR has come a long way from an easily evaded anti-virus tool and plays an
essential part in preventing initial access. But as the leaked Conti playbook,
as well as real-world attacks like Solarwinds SUNBURST, remind us, attackers
evade EDR or avoid managed endpoints altogether. Moreover, the exclusive
dependence on EDR leads to extensive coverage gaps across servers, IoT,
3rd-parties, and other unmanaged endpoints. Equally, SIEM technology offers
essential security controls, including alerting, compliance, and dashboarding,
but the fuzzy view from logs present limited actionable insight to respond to
laterally moving intruders.
ExtraHop Network detection and response (NDR) leaves no such gaps.
*Requires advanced agent on the targeted host **Dependent on the data source
NDR solutions passively capture network communications across every device,
including servers, Linux hosts, unmanaged IoT, and 3rd-party software, and apply
advanced , behavioral analytics and artificial intelligence to identify both
known and unknown attack patterns.
NDR does not depend on other technology's telemetry quality like SIEM log
collection or the technical and operational friction of deploying agents on
hosts and things, as does EDR. NDR's traffic visibility even works as a
compensating control for the prevalence of servers, Linux hosts, and IoT devices
that continue to present challenges to EDR coverage gaps.
This complete midgame visibility with advanced analysis gives real-time
detection insights into today's modern ransomware campaigns, so you can stop the
intruder before the real damage is done.
Learn more about ExtraHop's Ransomware Mitigation Solution
CONCLUSION
TAKE ACTION
By all measures, 2021 was a landmark year for ransomware. From record-setting
ransom demands, to attacks on critical infrastructure and the first known supply
chain-based ransomware attack, to the actions taken by the US government and its
allies to take down perpetrators, it has become clear that we are facing an
entirely new class of threat.
This new class of ransomware is sophisticated, well-funded, and its perpetrators
are ruthless in the pursuit of illicit profit.
While there is no panacea for ransomware, there is hope. The scope and severity
of attacks in 2021 brought new focus, urgency, and transparency to the problem
of advanced cyber extortion.
New government initiatives aimed at curtailing the ability of ransom attackers
to gain access to funds, combined with countermeasures that included shutting
down major ransomware syndicates, represent an important shift in how
authorities intend to treat attacks.
Likewise, private organizations and individuals are waking up to the reality of
ransomware. From initiatives aimed at training employees to accurately spot
phishing emails, to growing investment in cybersecurity, companies around the
world are acknowledging the increasing severity of this evolving threat—and
beginning to take action.
AddThis Sharing Buttons
Share to TwitterTwitterShare to LinkedInLinkedInShare to Hacker NewsHacker
NewsShare to RedditRedditShare to EmailEmail
+
ExtraHop uses cookies to improve your online experience. By using this website,
you consent to the use of cookies. Learn More
Global Headquarters
520 Pike St
Suite 1600
Seattle, WA 98101
United States
EMEA Headquarters
WeWork 8
Devonshire Square
London EC2M 4PL
United Kingdom
APAC Headquarters
3 Temasek Avenue
Centennial Tower
Level 18
Singapore 039190
PLATFORM
* Reveal(x) 360
* How It Works
* Competitive Comparison
* Why Decryption Matters
* Integrations and Automations
* Cybersecurity Services
* What is Network Detection and Response (NDR)?
* Cloud-Native Security Solutions
* Reveal(x) Enterprise: Self-Managed NDR
SOLUTIONS
* Security
* Cloud
* IT Ops
* Use Cases
* Industries
CUSTOMERS
* Customer Portal Login
* Services Overview
* Training Overview
* Support Overview
PARTNERS
* Channel Overview
* Technology Integration Partners
* Partner Program Information
BLOG
MORE
* About Us
* News & Events
* Careers
* Resources
* Copyright ExtraHop Networks 2022
* Terms of Use
* Privacy Policy
* Facebook
* Twitter
* LinkedIn
* Instagram
* YouTube
What do I do for a living?
1:00
Close
suggested results
AddThis Sharing Sidebar
Share to LinkedInLinkedInShare to TwitterTwitterShare to Hacker NewsHacker
NewsShare to RedditReddit
, Number of shares
Share to EmailEmail
Hide
Show
Close
AddThis