Ransomware The Hard Truth about Ransomware

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,420
Author: Kevin Beaumont

Quote: " Houston, we have a (big) problem.

We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand. What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The turning circle to taking action is large. With this post, I hope to lay out the reality, and some harsh truths people need to hear. I also want to state upfront that I’ve seen some cybersecurity vendor industry people beating themselves up about the situation. My take: stop that. People have done amazing work over the years on this subject, and incredible amounts of attacks are stopped due to said work. The reality is, however, the threat is becoming overwhelming and I believe an existential crisis for the security industry, and so their customers. We are stuck in a self eating circle, and it’s time to ask for help.

Before I begin, I do specifically want to highlight this tweet for non-technical audience, to explain what the experience of an organization going through a ransomware attack is like: I want to give a specific example. You’ve all heard of the pipeline attack, where panic buying lead to gas shortages. I don’t want to talk about that one.

I want to talk about hospitals in Ireland. Here’s a photo, provided by one of the impacted hospitals in the past few days, with army officers drafted in to help restore Windows 7 PCs:

1-V11i-R55w-Y10-D1-IBw-Pw-Enng.png


That attack happened several weeks ago, caused by the ransomware group Conti, who encrypted systems across HSE — Ireland’s national healthcare system. Those officers are working to restore the system using a decryption key, reportedly provided for free by the Conti gang. You can read HSE’s website describing impacts to patients and staff — for example, Emergency Departments have “significant delays”, and staff are warned that internet access is completely unavailable, and some email systems have been lost. The fact that a nation has their army helping restore Windows 7 PCs for emergency services for weeks should be a wake up call. This example is not abnormal. It is the new normal. In the first 3 days of last week alone, I tracked 23 new ransomware and extortion victims, who are fighting attacks (most have not disclosed to the media). This Monday, I tracked 43 new organised ransomware gang incidents — before mid-day. One is a US law enforcement division. The organizations impacted are across all sectors, including critical infrastructure and healthcare. "

Quote: " Ransomware and data extortion attacks have something in common — money. There is a very well developed money ecosystem, which allows, for example:
  • The monetization of obtaining initial access to a desktop PC (e.g. an email) or an insecure internet connected service
  • The monetization of selling that access — initial access brokers
  • The monetization of market places — eBay style websites where anybody can buy access to networks worldwide, many of which feature access to thousands of organizations
  • The monetization of selling generic offensive security tools — for example, “macro builder” tools to add malicious content to Microsoft Office documents, “crypter” tools to try to evade anti-virus solutions etc.
  • The monetization of selling and reselling remote access trojans and botnets — for example, Locky and Trickbot, providing remote access to endpoints.
  • The monetization of selling ransomware software and access to Ransomware-as-a-Service platforms.
  • The monetization of hiring developers and staff for marketplaces, developing generic offensive security tools, remote access trojans, botnets, ransomware payloads etc.
  • The monetization of hiring ‘pen testers’ to break into organizations.
Essentially, this is serious organized cybercrime at a global scale. Some of these groups have HR and payroll departments. While it is seen as operating primarily out of Russia, it is in fact not just operators in Russia.

Big game ransomware gangs are attracting payment amounts of hundreds of millions of dollars each year. As an example, leading cybersecurity insurance provider CNA Financial itself got hit by ransomware — and paid their suspected Russian attackers a $40m fee. CNA Financial Paid Hackers $40 Million in Ransom After March Cyberattack — Bloomberg

Monetization doesn’t just apply to ‘the bad guys(tm)’:
  • Some Cyber Threat Intelligence providers scrape, infiltrate and sell access to botnet data, victim data etc.
  • Security vendors are booking record sales for technology and services — a minority with bizarre, almost Theranos style claims which overpromise what they can deliver, for huge budgetary sums.
  • Some product owners are using security woes in their own products to upsell their security services and offerings.
  • Cryptocurrency markets are facilitating transactions and earning transaction fees.
  • Some insurance companies offer protection policies for ransomware.
  • Specialist negotiation companies exist within the US to facilitate payment to ransomware gangs.
  • Cybersecurity companies make many of the ‘red team’ tools reused by ransomware gangs.
This is not to say, for example, that CTI providers do not add value. They’re on the front line of notifying law enforcement a lot of the time. This is not an argument that organizations should do things for free, nor saying XYZ thing is bad (in fact, many of these companies are kick ass). It is simply an observation that a money cycle exists here, with record profits for ransomware operators and the cybersecurity industry (Cybersecurity Market worth $248.3 billion by 2023) every year.

The status quo is… not quo. "


Quote: " The truth is, while governments are pushing frameworks such as Zero Trust, the amount of orgs who successfully implement these are… not many. Many companies can barely afford to patch SharePoint, let alone patch the the tens of thousands of application vulnerabilities shown in a vulnerability management program, and really struggle with accurate asset lists. A majority of organizations do not have a single person responsible for security still. Truthfully, the situation in the trenches is vastly different from what you’ll read in a management PowerPoint about InfoSec theory. A way to support organizations is to recognize that, perhaps, shouting at companies to “just patch” and “implement Zero Trust” is not actually practical right now. It’s by far the biggest disconnect I’ve seen, and the reality is organisations need support — e.g. international law enforcement action on ransomware, at scale.

IT and cybersecurity being hard, and noisy. For example, business tend to lack robust Disaster Recovery (DR) plans capable of coping with ransomware actors. Most organizations will say they have tested DR — but have they tested it, for example, a malicious actor deleting their DR environment and/or backups? Attackers have got wise that traditional backups and DR can be deleted or bypassed. "

Quote: " With ransomware gangs running around with multi-million dollar budgets, it gives them the ability to buy exploits and tools from exploit brokers at a scale normally reserved for states and nation states. While states take calculated risks in cyber intrusion operations — for example, covert spying — ransomware gangs are driven by operational impacts. In short, it is like giving rocket launchers to teenagers. This problem is not going to suddenly, magically stop. It is going to get worse. The recruitment cycle for more capabilities is accelerating, to the point where small groups of gangs are finding ways around security controls and exploring zero day exploits, which vendors have always struggled to realistically detect. Many remote access broker marketplaces list network access, behind firewalls, to thousands of organizations worldwide. As ransomware gangs continue to scale up, they have an incredibly fertile ground of future victims. Compared to nation states, who maintain global reach in usually an incredibly controlled fashion, these guys are already calling from inside the house of hospitals, police stations, TV networks and more. This is a fast growing problem. "


Quote: " Cybersecurity products need to be as easy to implement and maintain as possible. The best product on paper isn’t always the best for the organization. Customers have a responsibility to vet what they’re buying, and make operationalizing it a key buying factor (“how many people do I really need to run this?”). In short, product owners desperately need to stop sprinting for profit as the primary goal and start sprinting for customers.

Microsoft need to take more responsibility for their products and security landscape. Not as an upsell, but as a product owner. Microsoft’s Security efforts should complement and integrate with their products — security is not a value add for many organizations; it is a fundamental requirement for the customer to exist as a business.

For example, malicious use of macros in Microsoft Office is one of the single largest cybersecurity issues impacting their customers — for decades — and I believe represents a real business risk to Microsoft in terms of undermining customer faith and their security operation. In theory Microsoft are aiming to replace macros with Office Scripts, however the reality is many customers will be using Office 2013, 2016 etc and Office Scripts (requiring complete redevelopment of customer documents to function) are about as real as their customers traveling on Mars right now. It simply isn’t an answer to the problem. How could Microsoft address macros? Scrap Protected View, and add high risk functions — some macro functions shouldn’t be able to run by default in certain areas of documents (for example, AutoOpen). Basically, work the problem with radical engineering — much like Adobe Reader now has high risk functions, for example. Think differently, and radically, as if the product depends on answers about the same old techniques malware authors have used for decades within macros. Any changes should be across all supported versions, and enabled by default.

I’m not saying it would be easy. I am saying it would be right. "

Full source:
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,126
It is not the hard truth about ransomware, but also about any malware. The organizations use the private & confidential data of many people. The growing ransomware market shows indirectly how poorly our data is protected and how easily people's privacy is exposed to risk. This can be used in identity theft.
 

plat1098

Level 25
Verified
Sep 13, 2018
1,418
Ireland has the right idea about getting the military involved. Did this also happen with Colonial Pipeliine and its restoration efforts? No, of course not. In fact, it was reported to the FBI "hours" after the fact.

I was angrily questioning why this urgency about implementing hardware security, leaving many users scrambling and hustling and paying thru the nose to get compliant. Then I saw on 60 Minutes last night what is at least partially the reason: Solarwinds. Microsoft got hacked and part of its source code was stolen. Russian hackers behind many of these large-scale attacks were already using the Ukraine as their testing ground, including the means to make infected computers self-destruct.

So, the responsibility is shifted much more to the end-user now in the form of Secure Boot, TPM, DEP, etc whether we like it or not. It's a jungle out there. 🥶
 
Last edited:

SpiderWeb

Level 6
Aug 21, 2020
253
These should be optional for users to enable it or not. When you force it against user's free will of choice then it will be a problem.
No they shouldn't be. These things should have been enabled in every computer since 2010. It's ridiculous how far behind PCs are. Everything we do is encrypted except our hard drives. What gives. All Chromebooks have made TPMs mandatory and all data is encrypted. All modern smartphones have fTPMs and locked bootloaders. Apple has M1. Microsoft? Still wrangling with their end users to implement essential security. Windows is really the last platform where malware has a chance to do any major damage. For anyone else, malware is not even worth discussing.
 
F

ForgottenSeer 85179

Ireland has the right idea about getting the military involved. Did this also happen with Colonial Pipeliine and its restoration efforts? No, of course not. In fact, it was reported to the FBI "hours" after the fact.

I was angrily questioning why this urgency about implementing hardware security, leaving many users scrambling and hustling and paying thru the nose to get compliant. Then I saw on 60 Minutes last night what is at least partially the reason: Solarwinds. Microsoft got hacked and part of its source code was stolen. Russian hackers behind many of these large-scale attacks were already using the Ukraine as their testing ground, including the means to make infected computers self-destruct.

So, the responsibility is shifted much more to the end-user now in the form of Secure Boot, TPM, DEP, etc whether we like it or not. It's a jungle out there. 🥶
Attack like Solarwinds have nothing to do with consumer security.
The responsibility is always on user side as the user control the PC. OEMs and companies can only decrease that with security features but now users blame them for which reason?

DEP is used since Windows XP. BIOS/ uEFI call that NX bit (No-eXecute bit)
 

plat1098

Level 25
Verified
Sep 13, 2018
1,418
The responsibility is always on user side as the user control the PC. OEMs and companies can only decrease that with security features but now users blame them for which reason?

You've pointed out multiple times that hardware security features are nothing new and yes: they've been dormant in the Windows 10 system at least, for years. So why couldn't MS phase in making these mandatory--for Enterprise to start? It's just this sudden, blanket-type of iron-clad policy with no differentiation among the various user categories.

If the user installs Windows, Microsoft bears partial responsibility. It's symbiotic, not one-sided.

What users are blaming whom? Microsoft? OEMs? Let them blame; it doesn't seem to have an effect anywhere. :D Microsoft has its reasons and isn't revealing them. So it's up to forums like this to address these speculative issues. :cool:
 
Top