New Ransomware Tactics and Strains Emerge, Including Public Auctions of Stolen Data
As many have learned over the last several years, ransomware is a type of malware that denies affected users access to critical data by encrypting it. Attackers profit handsomely by requiring victims to pay substantial sums, typically tendered in a cryptocurrency such as Bitcoin. A look at some of the numbers over the past two years is troubling. And, perhaps even more troubling, as in all “industries,” products evolve and there are new entrants to the marketplace.
MAZE and Sodinokibi
A comprehensive report by Coveware analyzing ransomware developments during the first quarter of 2020 highlights several interesting trends. In addition to calling attention to the uptick following the coronavirus COVID-19 outbreak, the report explains the rise in average ransom payments and the most common attack types and vectors. It also points to a disturbing new trend – data exfiltration.
For some time, the general view of ransomware has been that attackers encrypt their victims’ systems and files believing that many will be without good backups, increasing pressure to pay the ransom in order to recover critical business information, despite the risks that come with such transactions. That view is shifting. According to the Coveware report, and what we are seeing in our own experience:
Data exfiltration, where data is downloaded from victim computers and is threatened to be released publicly, became a prevalent tactic during ransomware attacks in [the first quarter of 2020]. This was a big change from the previous quarter where it was virtually non-existent.
Two popular variants driving this new trend in ransomware attacks are MAZE and Sodinokibi. Tactics include auctioning off stolen data and/or publicly shaming victims into paying the ransom. (This Krebsonsecurity post includes a snapshot showing such an auction on the dark web by the REvil ransomware group). The expectation is that these kinds of attacks will continue.
As part of managing the data breach response services we provide to our clients around the country, we maintain relationships with forensic experts, such as Arete Advisors, LLC. These experts work with us to support our clients’ incident response needs, while tracking emerging threats. Arete recently reported on a new variant, “WASTED,” that appears to have certain features to be aware of:
- Ransom demands have been nonnegotiable, and have been in the range of 40 BTC to 1,000 BTC. As of this writing, that means between approximately $360,000 to over $900,000, and the attackers threaten to increase the ransom every 24 hours.
- The attackers sometimes enter through VPN with compromised credentials. As Arete suggests, using multifactor authentication on VPN connections can help prevent these and other attacks.
- Ransomware payloads are customized to the victim’s environment. The file extension will have 3 characters that represent the victim’s company name along with a reference to the variant, e.g., “abcwasted.”
- The attackers can be slow to respond, 12+ hours in some cases.
Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends. There also are several steps organizations can take to minimize the chance and impact of a successful attack.