How Are Ransomware Groups' Shakedown Tactics Evolving?Also: Black Hat 2022 Highlights; Helping Those Below the 'InfoSec Poverty Line'
The latest edition of the ISMG Security Report discusses how ransomware groups continue to refine their shakedown tactics and monetization models, highlights from this year's Black Hat conference and why helping those below the "InfoSec poverty line" matters to businesses.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz discuss how ransomware-wielding attackers continue to seek new ways to maximize profits with minimal effort;
- ISMG's Michael Novinson share the latest technology innovations and business initiatives announced at Black Hat USA 2022;
- Security leader Quentyn Taylor of Canon explain why the information security community must help organizations that are "below the InfoSec poverty line."
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Aug. 4 and Aug. 11 editions, which respectively discuss what we know and don't know about ransomware and how cyberattacks and operations tied to the Russia-Ukraine war continue to affect civilians.
Anna Delaney: Ransomware groups refine their shakedown and monetization models, and highlights from Black Hat USA 2022. These stories and more on this week's ISMG Security Report.
Delaney: Hi, I'm Anna Delaney. Ransomware groups continue to refine their shakedown and monetization models. For the latest on criminals' illicit moves, I'm joined by Mathew Schwartz, executive editor for DataBreachToday and Europe. Matt, what are the ransomware groups getting up to and what's their rationale?
Mathew Schwartz: Illicit moves are the order of the day still, for ransomware-wielding attackers. The impetus they have is clear. They're trying to maximize the profits with minimal efforts, like any kind of cybercrime. Some of the top tactics we've seen them using are continuing to tap initial access brokers to help them get into victims' networks. There's been a bit of working with botnet operators as well to accomplish the same thing. And then we're seeing some other strategies being employed, as you said, new monetization models to help them realize profits in ways that previously they might not have been able to do so. There's a thriving cybercrime-as-a-service ecosystem as ever, which keeps evolving and maturing, to provide services that helped criminals do these sorts of things with minimal effort, and just a little bit of investment.
Delaney: Cybersecurity researchers in recent years have continued to highlight the service being offered by initial access brokers. What's changed?
Schwartz: Unfortunately, very little has changed and we still have a huge amount of supply. Apparently, a lot of these access brokers acting with no concern that they're going to get shut down by law enforcement. Stepping back a little bit, this service shows how much the cybercrime-as-a-service economy has gotten specialized. Basically, you don't need to be an expert at network penetration or moving laterally once you get in or getting access to Active Directory, dumping databases, exfiltrating data, developing your own malware or ransomware, negotiating with victims: all these different skills can be procured as a service for a price. Initial access brokers are taking care of finding of victim part. They're hacking into organizations, often via a remote desktop protocol that has been poorly secured or phishing attacks that give them access to an endpoint, which they parlay into greater access. Once they've got that remote access, they sell it at a price determined by how lucrative this victim seems. If you're a ransomware-wielding affiliate, and you are looking for a lucrative target, you might see something in the manufacturing sector, or $1,200, you will get access and you think, "Well, maybe I could ransom them for $100,000 or a million dollars." That initial investment is very small and we see a lot of ransomware-willing attackers deciding this is a worthy investment.
Delaney: Matt, what else have you been tracking on the ransomware front?
Schwartz: It's a veritable grab bag of different strategies and ideas. For example, there's a group called Ransom House, which emerged last December, which describes itself as a professional mediators community that will facilitate negotiations, creating dialogue between ransomware groups and victims. So what this appears to be doing is taking victims that haven't paid and giving them a second chance, if you will, or in ransomware speak, extorting them again to see if they can squeeze them a bit more in order to finally get them to pay a ransom. Another post that we've been seeing is from a firm called Industrial Spy, first spotted in April, which runs a marketplace designed to sell stolen data. If you've got organizations that haven't paid, you're looking for ways to monetize that still, so that all of that effort hasn't gone to waste. If you can create a marketplace where somebody will buy the data that you stole as part of the attack, to pressure the victim into paying, then you're at least making a bit of profit on the attack. So those are two of the things I've been seeing. Another couple of things is the use of botnets. For example, Black Basta has been using the QuackBot botnet, to help it get access to victim systems. Instead of paying an additional access broker, they appear to be paying botnet herders to get some kind of a download and run to victim systems, and then they can push the Black Basta ransomware onto the system and extort them. Another trend that we've been seeing ongoing comes via the consultancy Kroll, which works with lots of firms to help them investigate and remediate ransomware attacks. It says that it's seen attacks on healthcare organizations nearly doubled in recent months. A lot of ransomware groups claimed at the start of the pandemic, that they weren't going to hit healthcare, but they continued to do so. It seems like they've decided now that it is even more lucrative for them to hit healthcare. So the final thing I will mention is firms will often claim to do things like to not hit the healthcare sector. But if we've seen anything with ransom groups is that they love to lie. For example, the LockBit group earlier this year claimed to hit cybersecurity firm Mandiant. Mandiant said, "not true," and a lot of experts who looked into it also completely debunked LockBit's claim, saying that it seemed to be trying to big itself up probably just to scare future victims. There's an outright lie from a ransomware group. But another thing I've seen is ineptitude. It's important to remember that most of these attackers are working as quickly as possible to make as much money with the least amount of effort, and they regularly screw up. For example, the Clop ransomware group recently hit a water utility in England and tried to name and shame it. Unfortunately, for Clop, they named the wrong victim. There were all these claims by Clop that the organization was attempting to rip off consumers and it had horrible business practices. It's hard to take those claims seriously when they can't even figure out who the victim they've hit might be. Those are just a few of the trends we've been seeing. Unfortunately, ransomware continues to be pummeling organizations. That part hasn't changed.
Delaney: Indeed, the ransomware world never stops evolving. This has been excellent and I appreciate your updates, Matt.
Schwartz: Always happy to talk cybercrime. Thanks, Anna.
Delaney: ISMG Editor for Business Michael Novinson attended this year's Black Hat USA to interview security executives to discuss everything from open-source intelligence and Web3 security to training new security analysts and responding to directory attacks. I caught up with him to find out what were some of his most interesting takeaways from the event. Michael, this time last week you were in Vegas busily reporting live from the scene at Black Hat. I quote from one of your pieces, "Nowhere did COVID-19 feel more in the rearview mirror than in the Black Hat USA 2022 Business Hall." Michael, how did it feel to be back in the buzz of it all?
Michael Novinson: It felt great. It was so nice to see the people and all the activity at Business Hall but roughly 20 to 25 vendors were very full well north of 10,000 people in attendance. Not the exact numbers but certainly felt more like the pre-COVID version of Black Hat.
Delaney: Michael, I'm not sure how much time you had to eat and/or sleep in Vegas, because you certainly conducted many interviews. Could you share some highlights from the conversations you had?
Novinson: Some of my highlights from the show were the interviews I did with a couple of executives. There I got to speak to Tenable CEO Amit Yoran; Tomer Weingarten, CEO of SentinelOne and Sumedh Thakar, CEO of Qualys. To break down each one of those, got to hear a lot from Amit in terms of the investments they're making around data analytics, as well as their play in the OT space as they expand beyond vulnerability management. SentinelOne's heritage is in the endpoint detection and response market. I got to hear about their push into cloud, starting with cloud workload security, but also getting into agentless cloud protection. On the Qualys side, the big bet has been around fusing vulnerability management and patch management together so that they're not only detecting abnormalities in a client's environment but are actually able to address them ideally autonomously without any manual involvement. So those were some of the key top-level exec conversations I had during the show.
Delaney: There's always something surprising or even bizarre that surfaces at Black Hat. What was that for you this year?
Novinson: One of the things that was very interesting to me was when talking about the threat landscape, talk from the top both from Chris Krebs, the former head of CISA as well as from some of my interviews around the shift in the threat landscape, particularly seeing a slowing down of innovation from those nation state-backed advanced persistent threat groups, less zero-day development, less new and different activity for them and more innovation from the cybercriminal groups, particularly the ransomware groups, who've been able to use all of the proceeds from the ransom payments into getting into the zero-day game themselves and trying different ways to extort people to get them to pay money. So certainly the feeling from Chris Krebs was that we as a country post-2016, and post the U.S. election, pivoted probably too hard toward focusing on APT groups and didn't pay enough attention to the cybercriminal groups. There's an effort now to try to recalibrate and to put those cybercriminal groups threatened center understanding, of course, that espionage has been a part of international relations for millennia. But allowing people to potentially shut down critical infrastructure, make a couple million bucks has to be intolerable. We need to impose risk and repercussions on those criminals, ideally, with the cooperation of the countries, they're operating out of.
Delaney: If this is one of the conferences that sets the tech agenda for the year ahead, what technology trends or trends will you be keeping your eye on over the next few months?
Novinson: What I was hearing a lot about in different contexts was supply chain. One area was the privatization of IT companies both established vendors like Zscaler, as well as some of the emerging startups trying to figure out what they can build from a technology standpoint to help companies gain visibility into who are their suppliers, who's supplying them, what does that process look like? How can you get more visibility into the security of your third parties? From a policy standpoint, a lot of dialogue was around SBOM or the software bill of materials, what that looks like, how feasible it is and what extent it can help with security. One of the things Sam Curry, who's the chief security officer at Cybereason, brought up with me is that it's challenging because you're dealing with unknown unknowns that if there is a supply chain breach, you typically aren't aware of it. If you think back to the SolarWinds incident, the Russian Foreign Intelligence Service sat stuffily for many months on people's networks without them knowing. In that way, it's going to be challenging to evaluate the efficacy of an SBOM, since you don't know if an adversary is sitting there since that is something a nation-state group would do maybe more for espionage purposes than a financially-motivated adversary. I think if this does come to pass, one of the challenges is going to be figuring out how well is this working. To what extent is this keeping us as an ecosystem safer?
Delaney: Michael, thanks so much for sharing these updates. I almost feel like I was there with you, too.
Novinson: You're very welcome. Anna. Thank you for the time.
Delaney: The security poverty line is a term first coined by Cisco's Wendy Nather, referring to organizations that lack the budget and or resources to be able to effectively implement the cybersecurity measures they need. This is a topic that also concerns director of security for Canon in Europe, Quentyn Taylor. Here he is offering thoughts as to how we can address one of the biggest security challenges of our time.
Quentyn Taylor: What it means, for me, at least, is that there are a lot of companies who don't even have an information security team. This is the problem. A lot of us hang around on various social media chatting to each other about what's going on in the information security world. A lot of us go to conferences, and we're seeing the CISOs and other senior security boards. We forget that there's an awful lot of companies who are not represented out in front of us. So you tend to then completely forget about this whole sector of society who are not at this exact same level that this is worrying because ignore those people at your peril. Because they form part of your supply chain, they form part of your supply chain's supply chain. Their systems can be used to attack you and your supply chain. An example I was just thinking about is I did a situation this week where I, on my personal mail, received some quite compelling phishing emails. They're from a major car manufacturer who I have no relationship with, whose mail server is misconfigured. Someone's using it to bounce mail out and bounce us some quite interesting phishing emails. They are part of someone's supply chain. That security failure is impacting other people. Even if you've got the small companies where you go, "Well, if they go bust if they have security problems, that's not going to affect us." No, but their infrastructure can be used to attack you. I do believe in starting to look at your supply chain, your supply chain's supply chain and start to work out how can I take some elements of our education, some elements of our information and start to pass it down the chain to hopefully for the good of society, improve their information security, knowing that they may have one person doing IT, they may have no one doing IT and it all to being the most tech-literate person in the company and therefore no one doing information security.
Delaney: That's it from the ISMG Security Report. I'm Anna Delaney. Until next time!