[BreachExchange] The Ransomware Threat: A Menacing Evolution

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 29 20:44:26 EST 2016


http://opensources.info/the-ransomware-threat-a-menacing/

Ransomware had small-scale beginnings in the consumer realm but has emerged
as one of the most significant threats organizations across several
industries face, particularly healthcare.

At the end of June 2016, a hacker, with the moniker “The Dark Overlord
(TDO),” claimed a compromise of a medical Software as a Service (SaaS)
company’s product.

As proof, TDO offered to sell source code and other secrets underlying the
software's infrastructure to the highest bidder, shopping them for
approximately 800 bitcoin, or about $500,000.

Why is this significant? Wasn't it simply another hacker holding a company
to ransom, which happens all the time?

Wrong. This incident seems to be a seismic shift from what has been done
previously. It is noteworthy because it demonstrates a significant move in
motivations and may drive a new strategy for how businesses can avoid the
escalation of ransomware activity.

Origin

First, consider the beginnings of ransomware. Back in 2012-13, the goal of
ransomware was to send a phishing email to a victim, deceive them into
clicking a link or opening an attachment, then load malicious code that
would encrypt data files (Word, PPT, and Excel).

For a few hundred dollars, threat actors would send keys to victims to
unlock the files. This was a solid business model for a few years.
However, ransomware actors quickly began targeting small businesses with
the goal of not only locking a user's machine but also reaching file
shares and moving laterally to other workstations. At this point,
perpetrators were netting thousands of dollars from businesses versus a few
hundred dollars from individuals.

The ransomware actors seemed to be content with a small-business approach
from 2014 until the spring of 2016. In April/May of this year, threat
researchers detected that ransomware actors were attacking web servers. For
instance, the SamSam ransomware perpetrators were observed scanning the
internet for servers running vulnerable versions of the JBoss
platform.

Evolution

Once a server was compromised through a vulnerable JBoss version,
cybercriminals could establish web shells at will and hold both the server
and its data for ransom. This marked quite a transition, as criminals
raised their demands to the tens of thousands of dollars.

It's now obvious that this action by TDO is the next logical step in the
evolution of ransomware in terms of outcomes and targets. By pursuing
software development teams, TDO has likely found a soft target with the
potential for a high payoff. Many medical Software as a Service (SaaS)
companies are small, if not startups, and to control costs these growing
companies often use the public cloud to host development environments.

Developers love the public cloud's agility and ease of environment
orchestration. Many of these organizations have most likely not budgeted
for security in development environments, making them easy prey for actors
such as TDO. This exposure is borne out by the security practice known as
"honeypots," in which isolated networks are set up to attract attackers so
that their methods and behaviors can be observed. These exercises often
show malicious scans from hackers beginning within minutes of provisioning.

It appears TDO was able to compromise this particular development
environment with ease because of the limited, or nonexistent, security
within these small companies. Criminals like TDO now have a myriad of paths
to generate revenue and ransom options. First, they could directly threaten
the SaaS company, holding its source code and "keys to the kingdom" for
ransom. They could also wait until customers adopt the software, then hold
those customers for ransom. Or they could offer to sell the SaaS source
code to other hackers. TDO has now established how to execute one or all of
these vectors for big money.

Escalation

With this escalation, the next question is: are ransomware actors becoming
more sophisticated or are more sophisticated actors now getting into
ransomware?  It is most likely a combination, but more so the latter.  Why
would sophisticated actors pivot from successful data breaches of millions
of credit card numbers and medical records to become ransomware actors?
The answer is simple: ransomware offers a quicker payoff and an abundance
of opportunity for repeat business.

Consider this: credit card records have a short window of value for
criminals on the Dark Web, where stolen data is sold. Within hours of being
used for illegal transactions, more sophisticated fraud detection engages
from card brands and banks, making the stolen credit card data worthless.

Business owners have no real skin in the game other than paying for
incident cleanup and letting insurance cover credit monitoring and other
fallout. So the guys with all of the cash are not really paying anything
to the cybercriminal. With criminals shifting operations from data theft
to ransom, more sophisticated actors are obtaining an immediate payoff from
business owners who will do anything to stop the pain and business
disruption.

Horizon

In some of these incidents, thousands of dollars can be lost in minutes,
and business owners are motivated to make the problem go away with payment
as quickly as possible. As an additional concern, some new ransomware
actors are so advanced that they run customer service websites where
victims can confirm payment and have their data unlocked. Depressingly,
ransomware actors want to make sure they have "happy, repeat customers."

With a better understanding of the problem, what is to be done? The
answer is straightforward. The tried and true route is to protect against
data theft. This translates to a solid patching program, engagement of a
threat intelligence team that looks for ransomware attacks against
infrastructure (such as JBoss), and off-loading the most important data,
including critical development environments, to experts who specialize in
hosting regulated or "high security" data.

While the outcomes and objectives of cyber threat actors have changed,
their method for reaching those outcomes has not. Going back to the basics
of protecting data can offer a significant edge in thwarting this
metastasizing challenge.