The evolution of ransomware from high volume, low return, spray and pray consumer attacks to lower volume, high value, targeted attacks against business is well documented. The intent now is not to simply encrypt local files, but to find and encrypt network shares in order to inflict the greatest harm in the shortest time.
Achieving this requires higher technical skills from the attacker, and a longer reconnaissance dwell time on the victim system to locate the shares. The result, however, can be devastating; and a single infected host in a volume-sharing system can have a global impact through encrypted network shares. This is the primary motivation in the shift of ransomware towards targeted attacks, with attackers basing the demand on the amount of damage done and the perceived ability and willingness to pay.
Vectra, a San Jose, California-based provider of automated threat management solutions, has analyzed (PDF) the telemetry of its own customers to examine targeted attacks. Vectra’s infection detection process uses artificial intelligence to detect network behaviors indicative of an intrusion — it neither knows nor really cares which ransomware is in play so long as it can detect and stop ransomware behavior.
The migration from encrypting local files to encrypting network shares is behind what Chris Morales, head of security analytics at Vectra, believes will be the next focus for targeted ransomware: cloud providers and MSSPs. “Why attack one company when you can attack its thousands of customers simultaneously through the shares?” he said to SecurityWeek. He cited the ransomware attacks against iNSYNQ and DataResolutions as two examples that have already occurred within the last nine months.
“With iNSYNQ you can access all of your desktop and cloud-based applications on one user-friendly dashboard any time and from anywhere,” says the iNSYNQ website — except, of course, when it has a ransomware infection. “Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-service offerings,” wrote Brian Krebs in July, “as these businesses are completely unable to serve their customers while a ransomware infestation is active.”
DataResolutions was infected by what was thought to be Ryuk ransomware on Christmas Eve 2018. Luis Corrons, security evangelist for Avast Software, told SecurityWeek, “The attack strategy is similar to those of SamSam in the way that the attackers gain access to the network. Before attacking the first compromised system they do a full exploration of the network to identify the key systems and then launch a full-scale attack. By doing this, the attackers can ask for higher ransoms.”
Meanwhile, Vectra’s telemetry confirms this shift towards more damage and more ransom by the attackers. The industry sectors most affected by network file encryption in North America since January 2019 were not surprisingly finance and insurance, and education. Finance is targeted because it has a highly prized brand image that it might pay to maintain, and is perceived to be able to afford the payment.
Education could be seen as an anomaly, and could easily be subject to the old spray and pray tactics because of the number of students at each institution. Students are transient and not likely to have as much invested loyalty as a long-term employee. They are also bright, inquisitive and entrepreneurial. And, commented Morales, “From hearsay, many foreign Chinese students arrive with mobile devices pre-loaded with malware, courtesy of the Chinese state.”
One interesting detail from the statistics is that manufacturing has now overtaken healthcare as a targeted industry. For several years, healthcare was the preferred target. This was probably due to poor inherent security and high reliance, in some cases life-critical reliance, on systems — and the criminals felt this would make healthcare an easy target likely to pay the ransom. Over the years, healthcare has improved its security, and the criminals seem to be turning to manufacturing.
Again, poor security — especially on the operational technology (OT) side of the systems — seems to be a motivation. Another motivation is the high cost to the victim if it has to shut down manufacturing for just a couple of days. Morales cited the attack against the Taiwan Semiconductor Manufacturing Co (TSMC) in August 2018. In this instance, the malware appears to have been a WannaCry variant that was not part of a targeted attack, but nevertheless brought production to a halt for two days. It seems that the company was operating unpatched Windows 7 systems — and a disinclination to patch systems that appear to be running smoothly is a long-standing characteristic of operational technology. At the time, TSMC estimated that the effect of the ransomware would cost it $170 million.
More recently, ransomware attacks against manufacturing have definitely been targeted. In Europe (where, incidentally, the shift towards targeting manufacturing is more marked), Norwegian aluminum giant Norsk Hydro was successfully attacked in March 2019. Early estimates of cost were up to $40 million, with long term estimates at up to $75 million. In this case, the ransomware did not affect the operational technology, but the incident demonstrates that widespread encryption — best achieved through network shares — can bring the business side of manufacturing to at least a temporary shutdown.
Criminals are going straight for the business jugular, which is the network shares. Targeted attacks can spend weeks on the network, looking for that jugular. Apart from the ability to detect and stop the attack before the damage is done, Vectra recommends improving privilege account management. “Comprehensive knowledge about the systems and users that access specific services will enable security operations teams to monitor misuse of privileged access and respond when that access is compromised — well before network file encryption occurs.”
San Jose, Calif-based network threat detection and response firm Vectra closed a $100 million Series E funding round in June 2019, bringing the total raised since the firm was founded in 2010 to $222.5 million.
Related: The Growing Threat of Targeted Ransomware
Related: Aircraft Parts Maker ASCO Severely Hit by Ransomware
Related: Eurofins Scientific Paid Up in Response to Ransomware Attack