[BreachExchange] Innovation In The Ransomware Supply Chain

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 8 16:09:49 EST 2017


http://www.businesscomputingworld.co.uk/innovation-in-the-ransomware-supply-chain/


A classic feature of an economy experiencing high demand for its products
and services is the evolution and specialisation of the supply chain; the
ransomware market has proved no different. The economy itself has become so
much more robust because of the now-existing service layers or tiers. These
services drive down the barrier to entry and attackers no longer need to
have multiple specialisations. In fact, they don’t have to have any. They
just need some Bitcoin. This enables anyone who is inclined to launch
attacks. Recent research uncovered three distinct service tiers that are
further contributing to ransomware’s boom and economy development.

Mapping Out The Landscape

At the low-risk/high-reward end are authors who create malicious code. Tier
1 is all about weaponisation and creating the code for the criminals.
Authors generally never use it themselves, but instead offer it for sale
for criminals to deploy. In our research, we identified authors earning in
excess of $100,000 per year through selling complete ransomware toolkits or
the individual components required to run a campaign. This compares with an
average annual salary of $69,000 earned by legitimate software developers.

In the second tier we see providers offering distribution of this software.
Tier 2 providers, through reconnaissance, decide what machines to exploit
and sell access to Tier 3 criminals. This specialisation effectively
creates a turnkey offering, requiring minimal technical knowledge, and can
be used by anyone with a target list. The split of revenue from the
activity is agreed in advance and the provider tracks the campaign, handles
payment, and even delivers performance metrics, enabling future campaigns
to be targeted at the most profitable victims. Supporting this evolution of
the supply chain is greater customer service from providers and authors. We
even identified helpdesk services available to support budding cyber
criminals.

The Defenders' Inherent Advantage

The silver lining when it comes to breaking this kill chain is that
defenders have an inherent advantage. If defenders can break or interrupt
even one link of the chain, the entire attack falls apart. However, taking
down distributors and operators is just chasing the tail of the problem. To
begin to put a serious dent in the underground economy, efforts should be
enacted to disrupt the supply chain upstream and change the incentive for
malware authors. By decreasing the ROI for attackers, defenders can
decrease the financial incentive for the crime.

Additionally, where ransomware is concerned, we need to STOP paying
ransoms. The system only works if victims choose to pay. Until people
decide not to pay, this problem will only continue to grow. As it stands
right now, law enforcement cannot scale to the problem. Companies are
largely on their own when it comes to stopping ransomware attacks.

Targeted Attacks

Ransomware will become more targeted, looking for certain file types and
going after specific sectors such as legal, healthcare, and tax preparers
rather than the “spray-and-pray” attacks we largely see now. There is
already ransomware that targets databases, preying on businesses, and small
tweaks to its code can target critical, proprietary files such as AutoCAD
designs. Focused targeting of a narrow set of extensions can let many
ransomware samples stay under the radar of many defenders.

Because of specialisation, ransomware attacks are more likely to succeed.
The frequency and severity of the attacks will also increase. The power to
attack is no longer in the hands of a few experts, but in the hands of
anyone looking to make illicit money. Ransomware can no longer be perceived
as small groups of criminals performing stick-ups and kidnappings; instead,
think of a ransomware operator more like the consumer of a cloud service. You simply
need to know how to put the pieces together. Startup CEOs no longer hire
tons of IT staff or invest heavily in infrastructure. They achieve speed to
market by utilising existing services. So do cyber criminals. The criminals
are jumping right to the point of profit.

Attackers will continue to go where the money is. Right now, with
ransomware, there is money to be made hand over fist. To begin to shift the
economic tide, organisations should take careful inventory of their
security best practices and look to implement user education programs in
order to close any gaps that may exist.

The rapid growth in the underground ransomware economy highlights a few
unsettling trends. Namely, as an industry, we are often getting the
fundamentals of security wrong. In too many instances, we are failing to do
the basic blocking and tackling of security, such as backing up files and
systems, testing restorations, patching, and having adequate, enterprise-wide
visibility, while relying on outdated prevention measures such as legacy
antivirus.

In conjunction with user education, these organisations should turn to
security software that can provide full visibility across the enterprise
and prevent ransomware attacks before they cause any damage.