To the Frontline and Beyond: How Ransomware’s Operational Details Can Inform Policy and Strategy

Dr Jamie Collier

Although it is mentioned just once in the UK Government’s Integrated Review, recent events highlight that ransomware is undoubtedly a crucial matter of national security. As Ciaran Martin has already discussed in The Alert, ransomware has recently disrupted oil and meat supplies, education infrastructure, and healthcare operations during a global pandemic. Offensive cyber might typically be associated with state operations, yet we are increasingly witnessing just how pernicious criminal operations can be.

Yet, the public conversation around ransomware is lopsided. Discussion has focused almost exclusively on the impact of ransomware and how it might be stymied via policy solutions – banning payments and enforcing mandatory victim disclosure are two regularly proposed antidotes. 

Meanwhile, the drivers that have led to the current ransomware scourge have received much less attention. Ransomware has been going on for years and was long regarded as a mere nuisance. Why is it therefore significantly more devastating today than five years ago? We must understand the genesis of its current rise.

Ransomware’s ascent to policymakers’ agendas and CISOs’ darkest nightmares is best explained outside of academic journals and policy briefs. This blog will instead draw on cyber threat intelligence (CTI) to explore ransomware’s prolific growth. By continuously tracking cyber criminal groups and responding directly to ransomware operations, the CTI community possesses unparalleled experience and the relevant data to fully grasp how the threat landscape has evolved.

Understanding the key ransomware developments is an important foundation for anyone thinking about the implications of ransomware and how to design meaningful policy responses. These trends will undoubtedly be well understood by many readers of The Alert already, yet it remains important ground to cover given that ransomware’s ascent to a matter of national security means that many of those interested in the topic may not have a cyber security background. 

Rather than provide an entry-level primer on ransomware, however, the primary intention of this blog is different: to highlight that engagement with frontline insight and operational realities provides vital context at a far more strategic level. The primary function of commercial CTI will always be to assist network defenders and inform the decision-making process across security functions. Yet it has untapped potential to inform cyber security policy and broader debates within social science.

Shifts in the Ransomware Landscape 

The nature of the ransomware threat has fundamentally shifted over the past five years. It is imperative we understand why. 

Post-compromise Deployment

The shift to post-compromise ransomware deployment is arguably the most significant development within the cyber criminal landscape to date. 

The traditional approach to ransomware operations relied on a “shotgun” or spam-like approach. Indiscriminate campaigns would target an eclectic mix of victims. Targets might be selected from generic databases with the emphasis on sheer volume. Anything and everything was on the menu at this point. Ransomware might have encrypted a government official’s policy brief on their work laptop, yet could have equally encrypted a pensioner’s family photos on their personal device. 

Cyber criminals did not necessarily know where their phishing emails were landing. This spread of targets meant there were only a slim number of high-value victims. Average extortion fees therefore sat between $500 and $1,000. There would also be a good chance that any important data or systems could be restored from backups. Ransomware was, at this point, seen as more of a nuisance than anything else.

The anatomy of today’s ransomware operations could not be more different. 

In post-compromise ransomware incidents, cyber criminals adopt a far more patient and methodical approach. A medley of downloaders, backdoors, and modular malware, as well as credential stuffing tactics and the exploitation of vulnerabilities, are all used to gain access to a target. Threat actors then move laterally and escalate privileges within a victim environment. Rather than deploying ransomware on the first system found, attackers instead search for the most critical and sensitive areas of a network. Operators will often attempt to delete backups as well as exfiltrate data. The security processes used to detect and prevent ransomware are often disabled at this point. It is only then, and at the end of a far more complex attack lifecycle, that ransomware is finally deployed. This is typically focused on core domain infrastructure and the systems that allow a network to function. 

The overall severity of a ransomware incident is far higher when threat actors cast a wider net and impact a victim’s most critical systems. This post-compromise approach is increasingly the norm and is the primary reason why ransomware incidents are so devastating today. 

A Cyber Crime Ecosystem

Ransomware operations now frequently involve multiple threat actors working together. One threat group may gain access to a victim network, before selling their access on (often via a separate initial access broker). A different group would then leverage that initial access to move around within a network, conducting much of the activity discussed above, before deploying a ransomware variant, which is often developed by a separate group again. 

The ransomware affiliate model has also become more prominent in recent years. MAZE ransomware (now defunct) was one example of this approach in practice. Here, MAZE affiliates represent the individuals and groups working under the MAZE umbrella brand. Affiliates are recruited to compromise victims and deploy MAZE ransomware. These entities will lean on the central infrastructure, systems, and communications tools that MAZE ransomware service operators have set up.

Multiple entities working together (either through an ad hoc or affiliate approach) create chronic headaches around attribution. They also highlight the complexity of the current cybercriminal threat and the need to focus on far more than just ransomware developers. My colleague Cian Lynch has written an excellent article on this topic that I consider essential reading for anyone serious about understanding the current ransomware landscape. 

Multifaceted Extortion 

Ransomware operations rarely involve just ransomware, with criminals now deploying a variety of coercive tactics. It is well documented that today’s ransomware operations often involve data theft and extortion (made possible by a post-compromise approach). Victims refusing to pay an extortion fee find not only their systems rendered unusable, but also that their sensitive data has been plastered all over criminal data leak sites. Some actors also request separate fees for non-distribution and decryption tools. The rise of these data theft and leak threats has led to ransomware now regularly being framed as “double extortion” in the popular media. Yet this is an oversimplification of a far more multifaceted threat.

Today’s extortion operations often combine a wider variety of coercive tactics. Cyber criminals understand that they can impose additional pressure by drumming up press coverage around an incident. Ransomware groups have subsequently become more proactive in reaching out to journalists and the media in a quest to create headlines and PR headaches. Not stopping there, these criminal groups have also notified business partners and suppliers, thereby increasing the strain on a victim’s third party relations during a crisis period. Upping the ante even further, ransomware groups have been known to directly call and harass an organisation’s employees. But the list doesn’t stop there, with distributed denial of service (DDoS) attacks having also been thrown into the mix. 

Growing Impact on Operational Technology 

Ransomware is also increasingly impacting operational technology (OT) – that is the systems interacting directly with physical processes, machinery, and infrastructure. This includes power grids, water treatment facilities, and factory plants. 

The criticality of OT systems means they are typically segmented from an organisation’s traditional IT network, yet they are still increasingly impacted. Part of this is explained (again) by the shift to post-compromise operations. With cyber criminals spending more time moving around within a target network, their odds of reaching OT assets increase.

Many critical infrastructure providers also have small security budgets. Rather than sophisticated means of obtaining access via complex malware and purchased zero-day exploits, it is often simple and well-known misconfigurations or vulnerabilities that provide easy access. This also explains why less sophisticated threat actors are now exploiting OT systems.

Disrupting OT assets is always a serious concern, yet it is also important to approach the issue with a measured perspective that avoids the all too common cyber doom mongering or unhelpful calls of a pending ‘Cyber Pearl Harbour’. The exploitation of basic vulnerabilities and misconfigurations is certainly frustrating. However, it also provides grounds for optimism given that much of the security solution is already known and straightforward to implement provided that adequate security resources are in place. 

Much of the ransomware activity impacting OT assets also appears inadvertent. Many of the cyber criminals behind this activity likely do not clearly differentiate between IT and OT networks or have a particular interest in OT assets. Instead, the impact on OT systems is most likely caused by coincidental asset scanning in victim networks by ransomware operators.

Strategy and Policy Informed by Frontline Insight   

The shifts in the ransomware landscape outlined above explain why ransomware has become such a serious matter of national security in recent years. Yet, they also demonstrate why insight from the frontlines should play a more fundamental role in informing today’s policy and strategic debates. 

Public debate has largely focused on ransomware encryptors themselves, yet the emergence of post-compromise deployment means network defenders will quickly find themselves on the back foot if they neglect to consider initial access and lateral movement vectors. Recommendations and security best-practice advice must therefore urgently emphasise the importance of introducing defensive measures across the entire attack lifecycle. This will be a key priority for any government that is serious about tackling the ransomware threat.

Within the payment debate, an inordinate amount of time and attention has been spent casting doubt on whether cyber criminals will even provide a working decryptor to victims who pay up. There has also been understandable concern about how extortion payments incentivise future ransomware attacks. Yet operational insight adds valuable colour to this discussion.

Those with extensive ransomware incident response experience will tell you that it is rare for a decryptor to not be provided to a paying victim. Rather, the more pertinent issue in the majority of responses is whether the decryptor provided is scalable. There is a big difference between a decryptor that can be rapidly deployed across an entire network and one that requires manual installation on each impacted system. There are countless examples like this where frontline experience provides valuable context to broader debates.

Post-compromise and data theft trends highlight the broader impacts of ransomware operations, regardless of whether an extortion fee is paid. While paying a ransom may prevent data being leaked, the fact it was stolen in the first place still exposes victims to reputational and regulatory implications as well as the possibility that data will be sold on or utilised in further operations. 

Thriving cooperation between cyber criminal groups also reinforces the importance of disrupting activity across the entire cyber criminal ecosystem. Much was made of the statement by the developers linked to the BlackMatter ransomware variant that they would avoid targeting critical infrastructure and other sensitive industries. The statement was even touted as a win for President Biden’s warnings to ransomware operators. Yet the affiliate model highlights how BlackMatter developers represent just one part of a ransomware operation. There was little consideration at the time of whether the initial intrusion operators and other actors linked to the deployment of the BlackMatter variant would heed similar levels of moderation, or simply continue targeting critical industries while partnering with alternative ransomware developers. 

The cyber criminal community is remarkably fluid and agile. When forums and marketplaces have banned ransomware discussions for fear of law enforcement action, threat actors have quickly moved on to new ones. Actors have also simply obscured their intent. For example, advertisements “looking for partners to provide access for ransomware operations” become “looking for access to major enterprises”. Alternatively, cyber criminals will just carry on and rely less on semi-public venues such as forums. These realities are well understood by those on the frontlines tracking cyber criminal developments, yet they have clear policy relevance as well. It is therefore vital that cyber security strategy, policy, and doctrine grasp the realities of cyber criminal cooperation. Measures to disrupt and deter ransomware operators should be judged by their impact across the entire cyber criminal community.

It is also important that policymakers grasp the full spectrum of coercive tactics used by cyber criminals. The current narrow focus on ransomware encryptors themselves poses a risk that other forms of extortion are neglected. If it is only encryptors that are associated with added law enforcement heat, then criminals could realistically change up their approach, for example by turning to extortion operations comprising a cocktail of data leakage, DDoS, and employee harassment without actually deploying ransomware. Rather than holding governments and law enforcement agencies to account for what they are doing to combat ransomware, we should be scrutinising what they are doing against all forms of extortion. The public debate must widen significantly.

Frontline insights also provide valuable colour to more abstract and conceptual discussions. They can inform the theories and frameworks we borrow from international relations, security studies, and other social science disciplines. Ransomware is typically framed as a non-state threat by social scientists, yet the distributed network of cyber criminals naturally lends itself to other conceptual tools. Actor-network theory and thinking with assemblages, for instance, represent two apt lenses for dissecting today’s cyber criminal phenomena.

In a similar vein of thought, understanding the often inadvertent targeting of OT systems informs our understanding of the relationship between human agency and malware. It highlights the often unpredictable nature of malicious operations as well as their volatility. This also shows that by targeting OT assets, cyber criminals are not necessarily becoming more brazen. They may simply be unaware or incapable of fully anticipating the full consequences of their actions – a finding that is perhaps equally, if not more, concerning. 

Conclusion 

Understanding the practicalities and operational details of ransomware operations is a crucial yet neglected ingredient in building strategic responses and policy proposals. Both policy and network defence-oriented communities can do better. 

Cyber policy thinkers have a huge opportunity to develop more relevant and pragmatic ideas through engagement with CTI. One common misunderstanding among policy and international relations researchers is that their cyber security knowledge gaps can be addressed by working with those who have a technical or computer science background. This is a narrow view of what interdisciplinary research and collaboration represent. An understanding of how cyber operations and attack lifecycles work in practice is a completely different (and arguably more useful) perspective than coding wizardry or computer science know-how.

The CTI and network defence community must also actively engage with academia and policy formulation. CTI can offer so much to these broader debates, yet must also adapt to working with different stakeholders outside of a network defence context. The industry also has plenty of work to do in striking a more accessible and welcoming tone to potential collaborators.

Plenty of challenges and obstacles exist in building better links between different and often disparate cyber security communities. But they are not insurmountable. When the benefits of cyber security policy informed by frontline insight are seriously considered, the opportunities are enormous. The challenge of crafting genuinely interdisciplinary perspectives should be fully embraced.

Dr Jamie Collier is a Cyber Threat Intelligence Advisor at Mandiant where he also oversees academic collaboration within Europe. He was the former Threat Intelligence Team Lead at Digital Shadows and has previous experience with NATO CCDCOE, Oxford Analytica, and PwC India.
