Hunters of cyberattackers go up against crafty ransomware gangs

Ransomware attacks are like a multi-level marketing scheme run by criminals whose allegiances shift in response to changing incentives involving costs and profits, according to a cybersecurity expert who has published a report on ransomware gangs.

Initial access brokers sell back doors that give footholds inside networks to ransomware gangs that hold data and systems hostage until victims pay up. Several gangs rely on a ransomware-as-a-service model in which developers of malicious software share a portion of the victims’ payments with affiliates that deploy attacks. 

Chad Anderson, a researcher at cybersecurity company DomainTools, published a new report mapping the ransomware gangs in hopes that network defenders will better understand what they are up against. 

“DomainTools researchers feel that it is important to remind readers that all of these groups make alliances, share tools, and sell access to one another,” Mr. Anderson wrote in the report. “Nothing in this space is static, and even though there is a single piece of software behind a set of intrusions, there are likely several different operators using that same piece of ransomware that will tweak its operation to their designs.”

The three ransomware families responsible for the greatest number of victims, according to the report, are Conti; Maze and Egregor; and REvil, which is also known as Sodinokibi. 

Conti was first observed in December 2019. What makes it unique is the speed of its attacks, DomainTools said. By the time network defenders notice a Conti infection on any machine, it is already too late to fight back, Mr. Anderson said. 

Two months ago, the FBI published an alert saying it observed 16 Conti ransomware attacks “targeting U.S. healthcare and first responder networks” during the previous year. Of the more than 400 organizations hit by Conti, 290 were in the U.S., the FBI said. 

The Maze ransomware group infected so many systems that its victim count still numbers in the top 10 infections of all time even though the gang announced its “retirement” in November 2020, according to Mr. Anderson’s report. Many of the Maze affiliates then reportedly moved to a ransomware group called Egregor. 

REvil recently garnered headlines when the FBI attributed the cyberattack on major meat producer JBS to it. Mr. Anderson’s report noted that REvil’s software disguises its work to make analysis difficult for reverse engineers and noted that its malware is “particularly sinister.” 

Given the difficulty in fighting a ransomware attack after it has begun, Mr. Anderson urged network defenders to focus on the vulnerabilities exposed by the initial access brokers’ hacks. 

“The problem space to look in for a robust defense solution isn’t necessarily at the ransomware itself, but the methods of initial access through spam email campaigns, brute force attacks, and vulnerability management,” Mr. Anderson said. “Rarely are the affiliates behind the ransomware infection actually the same entity acquiring initial access.”

While the ransomware gangs are running rampant, the U.S. remains the best-positioned nation to respond and is in a league of its own in the cyber realm, according to the International Institute for Strategic Studies. The think tank’s analysis of cyber capabilities and national power published this week put the U.S. in a top tier, followed by a second tier including a slew of allies and adversaries including the United Kingdom, Australia, Canada, Russia, China, France and Israel. 

The analysis measured the nations’ cyber capabilities through several categories involving strategy, cyber offense and defense, intelligence capabilities, and governance. The U.S. maintains world-leading strengths in all categories. 

Ransomware gangs operating from the U.S. are likely to get picked up by law enforcement. If other countries adopted a harder line against the groups, finding the criminals would prove far less difficult, Mr. Anderson said. 

“In general, ransomware, and particularly the kind where you’re exfiltrating a lot of data that you’re going to use for double extortion later, is extremely noisy,” Mr. Anderson told The Washington Times. “You have to set up infrastructure to pull that to, you have to set up infrastructure that can store all of that data. And once that infrastructure starts getting taken down or those servers get found and can get mirrored, people are going to be able to see where you came from very quickly.” 
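The pattern Mr. Anderson describes, bulk outbound transfers to staging infrastructure before a double-extortion demand, is something ordinary network telemetry can surface. The Python below is an added example written for this page, not code from the article or from DomainTools: it aggregates outbound bytes per external destination from flow records and flags destinations that exceed a volume threshold and are not on a known-good list. The flow records, the internal address ranges, the 500 MB threshold and the allowlisted backup endpoint are all constructed assumptions for illustration.

```python
"""Flag bulk outbound transfers to external hosts in flow records.

Added example for this article, not DomainTools or Washington Times code.
All sample data, ranges and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (epoch_seconds, src, dst, bytes_out).
# Three internal hosts each push 300 MB to 203.0.113.8; one host sends
# 800 MB to the (allowlisted) backup service; the rest is background noise.
SAMPLE_FLOWS = [
    (1000, "10.0.1.20", "203.0.113.8", 150_000_000),
    (1060, "10.0.1.20", "203.0.113.8", 150_000_000),
    (1120, "10.0.1.21", "203.0.113.8", 150_000_000),
    (1180, "10.0.1.21", "203.0.113.8", 150_000_000),
    (1240, "10.0.2.5", "203.0.113.8", 150_000_000),
    (1300, "10.0.2.5", "203.0.113.8", 150_000_000),
    (1400, "10.0.3.9", "198.51.100.5", 800_000_000),   # allowlisted backup target
    (1460, "10.0.1.20", "192.0.2.77", 20_000_000),     # small, below threshold
    (1500, "10.0.1.20", "10.0.9.9", 2_000_000_000),    # internal-to-internal, ignored
    (1520, "203.0.113.50", "10.0.1.20", 900_000_000),  # inbound, ignored
]

# Assumed internal address space (RFC 1918 ranges).
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed list of external endpoints that legitimately receive bulk data
# (e.g. an off-site backup service). Tune per environment.
KNOWN_GOOD = {"198.51.100.5"}

# Assumed threshold: 500 MB to a single external host in the observed window.
VOLUME_THRESHOLD = 500_000_000


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def aggregate_outbound(flows):
    """Sum bytes sent from internal hosts to each external destination.

    Returns (totals, sources): totals maps destination -> bytes,
    sources maps destination -> set of internal hosts that sent to it.
    Inbound and internal-to-internal flows are skipped.
    """
    totals = defaultdict(int)
    sources = defaultdict(set)
    for _ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[dst] += nbytes
            sources[dst].add(src)
    return totals, sources


def flag_exfil_candidates(flows, threshold=VOLUME_THRESHOLD, allowlist=KNOWN_GOOD):
    """Return destinations exceeding the threshold that are not allowlisted.

    Each finding records the destination, total bytes and the internal
    sources involved, ordered by volume so the loudest transfer comes first.
    """
    totals, sources = aggregate_outbound(flows)
    findings = []
    for dst, total in totals.items():
        if dst in allowlist or total < threshold:
            continue
        findings.append({
            "dst": dst,
            "bytes_out": total,
            "sources": sorted(sources[dst]),
        })
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for finding in flag_exfil_candidates(SAMPLE_FLOWS):
        mb = finding["bytes_out"] / 1_000_000
        print(f"{finding['dst']}: {mb:.0f} MB from {', '.join(finding['sources'])}")
```

Several internal hosts converging on one new external destination is the shape to watch for; a single host talking to an allowlisted backup service is not. In practice the threshold would be set relative to a per-destination baseline rather than a fixed number, and the destination would be checked against passive DNS or hosting data before anyone is paged.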
