CarahCast: Podcasts on Technology in the Public Sector

The Business of Ransomware-as-a-Service Explained with Halcyon

Episode Summary

Listen to the podcast to hear Anthony Freed, Director of Strategic Communications and Threat Intelligence at Halcyon, discuss top threat agents and current trends influencing the underground ransomware-as-a-service industry.

Episode Transcription

Corey Baumgartner 

Welcome back to CarahCast, the podcast from Carahsoft, the Trusted Government IT Solutions Provider. Subscribe to get the latest technology updates in the public sector. I'm Corey Baumgartner, your host from the Carahsoft production team. On behalf of Halcyon, we would like to welcome you to today's podcast focused around learning about and combating the underground economy around ransomware. Anthony Freed, Strategic Communications Leader at Halcyon, will discuss how ransomware-as-a-service groups operate, why ransomware is evading security tools and what can be changed to stop it.

Anthony Freed 

Good morning or afternoon, everybody, wherever you happen to be. My name is Anthony Freed, Director of Strategic Communications and Threat Intelligence with Halcyon. And just as a quick level set so you know who's talking to you: I am not a reverse engineer for malware. I'm not a traditional analyst in the threat intelligence space. I'm a former security journalist and a researcher, and I work with many threat intelligence teams at different organizations to produce some of the research that's come out in the last few years at Cylance, at BlackBerry, at Cybereason, and now at Halcyon. So we're going to talk to you a little bit today about the business of ransomware. This is a huge problem. Obviously, if you're here, you know that. And what makes this even more concerning is that recently the FBI was investigating the Hive ransomware group, and they were in their systems for somewhere around seven months. And based on their observations, they determined that probably only as much as 20% of the ransomware attacks that are occurring daily ever get reported to the Bureau. So you can imagine, if we 5x a lot of these numbers, this is probably the most significant threat to any organization out there. Depending on the size of the organization, a ransomware attack can seriously impact their viability as far as being able to do business on a day-to-day basis. And as well, smaller organizations run the risk of this absolutely ruining their business. So let's move into this just a little bit on kind of the ransomware economy.

Corey Baumgartner 

So Anthony, how has the ransomware ecosystem evolved?

Anthony Freed 

What started out years ago as kind of spray-and-pray email spam campaigns and drive-by infections, where we were seeing individual boxes, or maybe a small number, get locked up by a ransomware attack, the attacker would typically request something like half a Bitcoin. This is back when Bitcoin was only $2,000. So these were really small operations, kind of mom-and-pop operations. What's interesting is that the business model was so successful that we've seen a great deal of specialization within the ransomware economy here. So you have initial access brokers whose sole business model is just to basically infiltrate targeted networks, move laterally through as much of the network as possible, and expose it. There might be initial access brokers like LemonDuck, who might be in there doing some Monero coin mining while they're at it. And then they sell this access to other threat actors. Then, of course, at the center of all this is the RaaS, the ransomware-as-a-service operators, so they basically build out the platform for carrying out the attack, provide the ransomware payload, all kinds of services. There's lots of specialists within each of these different organizations that are contributing to these attacks.

Corey Baumgartner 

Okay, so how would you say ransomware operations have evolved to be more like legitimate SaaS companies?

Anthony Freed 

Some of the more advanced ransomware-as-a-service providers have customer service to service their affiliate attackers, have negotiators to walk through the process of negotiating the final ransom demand with the targets, and have money launderers who work to move those funds secretly to reduce any chance of attribution for the attacks. And then, of course, there's the RaaS affiliates. Now, these are the folks that actually carry out the attack, and we see a lot of variance in the skill sets of the RaaS affiliates. Some of these platforms are so advanced that somebody with very, very few skills can quickly go to the RaaS providers, spin up a campaign, get the malicious code that they need, and then go out and decide how they're going to go target and infect victims.

Corey Baumgartner 

Could you explain how the evolution of the ransomware economy mirrors legitimate emerging markets?

Anthony Freed 

This is a very complicated ecosystem. It's still evolving; it's all very new. And it's very much similar to what we see in all kinds of disruptive technologies that come out. And as you saw, it's kind of an interesting observation. So within a disruptive industry, one of the first things you see is an attempt to kind of self-regulate. So we saw last year some of the RaaS providers saying, don't attack us, don't attack hospitals, we're only going to go after companies that probably have cyber insurance, or are well-heeled and able to pay these large ransom demands. And what usually happens in disruptive industries that fail to self-regulate: when you get an attack like we saw with DarkSide hitting Colonial Pipeline, I think the Russian government was not too thrilled to have President Biden standing up there in a press conference talking about a ransomware attack against critical infrastructure and mentioning Russia and the Putin government in the same breath. So when the attempts to self-regulate an industry fail, we see government step in, and that's what happened to DarkSide soon after that attack: they were slapped down by the Russian government, the crypto profits that were there were taken, and they were disbanded. Now, that's not to say that Russia is overly concerned about ransomware attacks against non-Russian-aligned entities. It's to say they didn't like the overlap between Russian government state-sponsored operations and the cyber-criminal activities being exposed. But definitely what we saw at the beginning of the Ukraine conflict was a marked decrease in the number of attacks happening in early 2022 and throughout the rest of the year, and a lot of folks speculated, perhaps that means ransomware as a business model is losing some favor. But that's absolutely not the case. As we just saw, this last March smashed all records for the volume of attacks.
And even during that period where the volume of attacks decreased, the payouts were still going up. So these threat actors were getting much, much better at being able to infiltrate larger organizations, to be able to compromise huge parts of the networks and cause major disruptions that allowed them to get, you know, these ransom demands that have ranged into the tens of millions of dollars.

Corey Baumgartner 

All right, so in terms of power rankings, what was the genesis of the ransomware Malicious Quartile report?

Anthony Freed 

Now to the power rankings. So we thought it would be a nice way to visualize some of the activity that's happening with these threat actors. Now, this first iteration of the report just covers all of 2022. And, you know, there was a lot of movement during that year. So we're thinking of putting out new versions of this report more regularly, because so much happens during the year. So if you notice just from this, and we'll go into each quadrant individually, if you look at some of these groups, if you're familiar with them, you'll know some of them are inactive now; some don't exist. If you were looking at Q1 of 2022, ERP Eisah would have been in the lead, LockBit would have been down there in the visionary quadrant, and Clop very much a niche player in 2022, high volume of attacks, but they really specialized just on healthcare. And if I were to rework this quadrant today, Clop would definitely be up there in the leaders quadrant; there were, I think, somewhere around 130 organizations in January and February that they compromised. Whether or not they would have moved much further to the right as far as their ability to execute their vision, I don't know, because it doesn't look like they were really able to monetize all those attacks. But as far as techniques, it must have been automated exploitation of the GoAnywhere vulnerability; even though there's a patch out there, they were able to go out there and rapidly compromise a lot of organizations. So that's one of the trends we'll talk about a little bit later in here: these organizations have gotten really good at automating attacks and exploitation, leveraging vulnerabilities to get into the network and to spread rapidly. So we're seeing the sophistication of both the RaaS platforms, what's provided to the attackers, and the capabilities of the initial access brokers to expose more of the network to an attack grow as the years progress.

Corey Baumgartner 

So when it comes to RaaS quadrants and attribution to various RaaS platforms, how did you arrive at the format for the report?

Anthony Freed 

Here's just a few details on how we looked at these groups. Basically, if you're familiar with this model, the X-Y axis, the X axis being vision, right, completeness of vision. So how mature are these RaaS platforms? How mature are the partner programs for the affiliates? The payouts, how generous those are, the profit sharing, how much technical support they provide to the attackers, how much service they provide to the victims, as far as everything from the negotiation of the ransom amount to, if they do pay, that stuff has to get decrypted. If they want to kind of maintain this business model, if they're not able to return victims to a normal state, then you're gonna see this business model crash very quickly. The Y axis, of course, is their ability to execute on that vision. And so, as I just mentioned, a good example is Clop: great vision to automate exploitation of that GoAnywhere bug and get organizations that hadn't yet patched it. But whether or not they actually executed on that vision and were able to monetize it remains to be seen. As we move into this, we'll start out with the niche players. Some of these groups basically don't exist. And that's for many reasons. You see, like DoppelPaymer, there was a number of arrests made by Europol; that group is all but defunct. But you can't, we can't necessarily rule anybody out until there's inactivity for, you know, I'd say at least two quarters. A lot of these groups, we've had law enforcement disruptions, we've had infighting with affiliates, we've had code leaked, decryptors released; there's different reasons that these groups might not be active anymore. And a lot of times we're seeing them simply disband and rebrand, and spin up a new attack infrastructure. But a lot of these groups are reusing code from other groups. There's a lot of basically variety.
And what we see with these groups, again, I mentioned Clop here as a niche player; if I was to place them today, definitely a leader. We see groups like Egregor, who were really active in 2021 going into 2022, and then just kind of fading away. And we've seen some developments, like threat actors like Karakurt, which is suspected to be a Conti offshoot, kind of helping pioneer these ransomware attacks without the ransomware payload, right? These are just becoming straight data exfiltration and extortion attacks, same with Lapsus$, another group that is kind of moving in that direction. Whether that trend will stick or not remains to be seen. As we move over to the challengers, kind of following along with this list, so these were groups that were extremely active, had mature RaaS platforms, were doing high volumes of hits. And for one reason or another, as mentioned, law enforcement or infighting or leaks or decryptors being released, they basically became ineffective, but the infrastructure was still there and a lot of maturity. So whether or not these groups have kind of reemerged under different names, more research needs to be done to make that attribution; it's extremely hard in this space. With these challengers, we could see some of these players that were involved with the development of RaaS platforms reemerge with new offerings, or we could see them just kind of fade out like some of those other groups we saw down in the niche players. Then we have the visionaries. This is a space that's interesting. I think when we do the next report, this is going to be really interesting. A few of these players, the reason they landed in the visionary section is they may have been developing Linux versions. I think we saw at least seven ransomware groups in the last year develop Linux versions, which is fairly concerning. Now, Linux is a very small part of the market as far as the number of endpoints out there running Linux, but those Linux systems run the most important things.
We're talking about data centers, the internet backbone, critical infrastructure, cell communication, as well as our financial networks, the US government and Department of Defense networks. Linux is extremely important. And to see these threat actors start moving in that direction is very concerning; the potential for more widespread and extremely disruptive ransomware attacks most certainly is of concern here when we're looking at the development of these Linux strains. As well, a couple of these players, if I were to place them today, would have definitely moved up into the leaders quadrant: Royal and Play have been extremely active earlier this year. And they're also making some headway as far as developing new TTPs. As we move on to leaders, undisputed: LockBit. It's probably the most well-developed RaaS platform, a really mature affiliate program with some pretty generous payouts. They are also one that was early in developing a Linux version. As well, BlackCat/ALPHV, not as high a volume of attacks as we see with LockBit, but BlackCat's very interesting because it's the first group to be using the Rust programming language, which makes detection of these attacks much more difficult. If I had to say the most dangerous ransomware group out there right now, it's probably BlackCat/ALPHV, and the one to watch as we progress into the summer. Black Basta, another one that was super active in 2022, also has a Linux version, also automating exploits, since we saw a number of attacks targeting a vulnerability in VMware's ESXi, and also exploiting known vulnerabilities like PrintNightmare. BlackCat/ALPHV probably has the best development team out there right now, and that's a platform to watch; the TTPs are likely going to get a little more advanced. And again, as I mentioned, the use of the Rust programming language is extremely problematic in the sector today.
Like I said, a few players would have popped in there. I think Black Basta is definitely super active, but their volume has decreased a little bit; I'd probably drop them a little bit. And I think we'll see in the next iteration of this at least two or three more players pop into the section.

Corey Baumgartner 

Could you explain to our audience what RansomOps are?

Anthony Freed 

RansomOps, right. So this is a term I coined a couple of years ago when I was working at Cybereason. Basically, we were just trying to differentiate these more complex, multistage attacks from those old spray-and-pray attacks with a low number of victims, a low number of boxes compromised, and low ransom demands. RansomOps also kind of covers, as we've seen, more of these groups moving towards just straight data extortion minus the ransomware payload. So we've seen Karakurt, as we mentioned earlier, and Lapsus$ kind of helping pioneer this. We've seen a few more groups; like recently, the FBI, I think this is just last week or the week before, put out an alert that said BianLian was moving to a straight data extortion kind of mode of operations. Whether or not this trend continues, I don't know. You know, it's kind of hard to get the leverage you need without dropping that ransomware payload. But I think, you know, we should start thinking of these more as data exfiltration attacks with some ransomware thrown in to add pressure, as opposed to what we've been seeing for the last two, three years, which are ransomware attacks with a payload where some data exfil was part of the process to add the pressure to the victim to pay. So RansomOps kind of incorporates both of these kinds of attacks, whether a payload was involved or not. I mentioned before the 2022 decline; that was something that was very short-lived. March broke all records for attack volume. And with this continued automation, I think we're gonna see attack numbers continue to increase throughout the year. I also mentioned that Hive, the FBI was in Hive for seven months, and we're only looking at a small portion of these attacks being reported to authorities. And then as far as some of the innovation trends we're seeing, again, Linux, super concerning; the potential for attacks on Linux systems could be quite devastating. So we'll kind of see where that goes.

Corey Baumgartner 

Well, thank you for that insight there. So ransomware groups, they seem to come and go. Who's more recently emerged?

Anthony Freed 

Some new groups; Rorschach just weeks ago emerged. Now, it's been observed with a faster encryption speed than we saw with LockBit 3.0; that garnered a lot of attention in the media. Fast encryption is only one concern with them. They're also using really advanced techniques like DLL side-loading. That's the kind of stuff you saw in attacks like SolarWinds, the attack on Kaseya; these are really advanced kinds of techniques that we're more used to seeing in APT-style operations than in cybercrime. So when you see groups like Rorschach emerge using these kinds of TTPs, we're seeing more and more overlap between what were traditionally APT-style operations and what these cybercriminal operations are doing. And on that note, you know, there's really kind of three basic models that we're seeing out there for ransomware attacks. So the first is that Russian model, where there's definitely overlap between nation-state operations and objectives and some of the attacks that the cyber-criminal groups are doing. So there's more than enough evidence out there to see that there's some direct influence, if not control, between the Russian government and some of these Russian-aligned RaaS providers and attackers.

Corey Baumgartner 

So I'm going to put the spotlight on macOS attacks. Do ransomware gangs target macOS and Linux?

Anthony Freed 

On macOS, two weeks ago LockBit released a version, super buggy, didn't really work. So this is like a beta out there in the wild that they're testing, but it's not gonna be long before they have the bugs worked out in that one. So, you know, basically, between the scripts expanding beyond Windows to include Linux and macOS, they're expanding their addressable targets. The more targets they can hit, the more pain for the victim organization; the more pain, the more gain for the attackers, and they can demand higher and higher ransom amounts.

Corey Baumgartner 

Okay, well. With automation of RaaS, how are ransomware operators leveraging exploits?

Anthony Freed 

I mentioned the automation of exploits. So we've seen ransomware being delivered through the Palo Alto Networks Cortex XDR tool, the exploitation of the GoAnywhere bugs, IBM Aspera Faspex as well, not quite as much volume as we saw with GoAnywhere, but it's still a known vulnerability out there which many organizations have not patched against for one reason or another. The exploitation against VMware ESXi is still ongoing, high volumes. And then we've seen some attacks exploiting some vulnerabilities in Microsoft SQL. Automation just means they can compromise more organizations faster; it doesn't necessarily mean we've seen evidence yet that they've been able to monetize that very well, and Clop was a great example.

Corey Baumgartner 

Alrighty. Well, what about zero days?

Anthony Freed 

Another surprising thing is we see a group like Nokoyawa, which was burning a zero-day. So you don't typically see ransomware groups using zero-days. Again, that's something that's usually kept in the back pocket for nation-state-sponsored attackers. Zero-days are very, very valuable; the fact that ransomware gangs have started using them in their attacks is more than concerning. As well, we're definitely gonna see exploitation of vulnerabilities be a major factor in how these groups operate. We also saw a lot of advances in the tooling that they're using, custom tooling. So some of the groups have developed tools like AuKill and Backstab to bypass EDR, Exmatter, and VSS copying tools for data exfiltration. This is more automation, making some of the earlier stages of these attacks much more efficient, much more stealthy. And then we've seen some custom PowerShell used with all these tools.

Corey Baumgartner 

When it comes to organizations responding to breaches and persistence of attackers, can't victims just restore systems from backups?

Anthony Freed 

If your organization thinks, we're just gonna go in and restore from backups, you know, getting access to your data is one thing, but the attacker is still on your network. They can just reinfect you. In fact, we've seen a high number of organizations, even those that have paid a ransom demand, get reinfected within a few months of the initial infection, and sometimes even before they fully recovered from that first attack. And then persistence: as I said, these groups are getting really deep into the networks. We even saw reports of one of the groups kind of watching the whole incident response play out and using that to their advantage to maintain persistence on the network. And it really became a game of whack-a-mole for the responders to try to get them out of the network.

Corey Baumgartner 

Well, Anthony, you've provided us with some great information today. With everything we've talked about, what can we expect moving forward?

Anthony Freed 

This is just a few of the advances we've seen. We're going to see more this year, I'm sure. These organizations have a lot of money, a lot of resources, even after those resources may have been hit by the crypto crash a little bit. And that's another thing to think about: that might be an incentive for ramping up the volume of these attacks. They have the money to go out and hire the best developers; they've got the money to expand their RaaS platforms to become even more disruptive to target organizations. So, I know we kind of saw what looked like it might have been encouraging news with the reduction in the volume of attacks last year, but what we've seen so far in 2023 is that's just not the case. Ransomware is an extremely profitable business. And we're going to continue to see these attacks for the foreseeable future.

Corey Baumgartner 

Thanks for listening, and thank you to our guest, Anthony Freed. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Halcyon can assist your organization, please visit www.carahsoft.com/halcyon or email drew.berry@carahsoft.com. Thanks again for listening and have a great day.