by Mark Bagley, VP for Product; Greg Newman, former Manager for Customer Success; and Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy at AttackIQ.
Ransomware is one of the most prevalent threats observed by AttackIQ today and is now a multi-billion dollar industry for the criminal and nation-state actors that use it. Given the prevalence of ransomware, we keep track of how adversaries’ tactics and techniques change so that we can help our customers optimize their security programs as these behaviors evolve. While we once primarily saw “commodity” variants of ransomware, adversaries are getting more effective in using this class of behavior to their advantage.
Adversaries are taking advantage of the current stresses of the pandemic, increasing the volume of ransomware campaigns on organizations of all types, many of whom are stretched in their response to the situation. We expect such opportunistic campaign targeting to continue, especially on healthcare organizations, as adversaries seek the greatest illicit gain. With targeted ransomware, adversaries can gain a foothold on a network with greater precision and conduct their campaign through a variety of automated and manual follow-on behaviors. Rather than relying on small ransom payouts from victims chosen at random, modern targeted ransomware attacks follow a complete kill chain — from gaining initial access to the network through to encrypting files for ransom.
If you can break this kill chain before it gets to the encryption phase, however, you can save your files and data, as well as the expense associated with incident response and restoring business function. The goal is to plan and get ahead of the threat, as Siobhan Gorman of the Brunswick Group said in her AttackIQ Academy guest lecture series last week on ransomware and cybersecurity trends and best-practices. This post looks at recent ransomware trends and outlines changes that we have made in the AttackIQ Security Optimization Platform to best defend our customers against this variant of cyberattack.
Cost of Ransomware Incidents
CPO Magazine states that the average cost of a ransomware attack in 2019 was $8.1 million and that the total cost may have exceeded $7.5 billion in the United States alone. The cost of a ransomware attack is not only due to the cost of the ransomware payment itself. Cybersecurity vendor SentinelOne identifies many other indirect costs that follow — to include enforced downtime, reputation loss, liability, collateral damage, and data loss. From this it is easy to see the importance of investing in a testing capability that ensures your security products work as intended. Given the almost $10 million price tag associated with a potential ransom, it is far more cost efficient to invest in security controls and security control validation than to pay ransoms and incident response retainers.
For example, the city of Atlanta spent over $2.6 million responding to a SamSam ransomware attack in March of 2018 – most of which was spent on incident response and digital forensics. These numbers are small compared to the attacks suffered by Texas and Baltimore, Maryland in 2019. That year Texas suffered an attack on twenty-two towns using the Sodinokibi (REvil) ransomware after the attackers breached the service provider used to manage their infrastructure remotely. The attack cost them at least $12 million, none of which included the ransom itself, which they refused to pay. The city of Baltimore suffered an attack which crippled the city by rendering critical systems inaccessible, including official email servers. During the downtime, the citizens of Baltimore were unable to transact real estate or pay their water utility bills. The attack, which used a strain of ransomware called RobbinHood, cost Baltimore $18.2 million.
Other industries have been similarly hard-hit, and in some cases attacks have had far-reaching implications, not the least of which has been a drop in share prices. For example, on June 27, 2017, the shipping giant Maersk reported that it had suffered a variant of the NotPetya family of ransomware attacks. Maersk has offices in 130 countries with almost 90,000 employees and reportedly needed to reinstall 4,000 servers and 45,000 desktops and suffered “serious business interruption”. The attack cost the company between $200 million and $300 million, with $264 million of this figure due to share price reductions.
In the freight industry, a FedEx subsidiary, TNT Express, was hit in June of 2017 by another variant of the NotPetya ransomware family. FedEx reported that the attack cost them at least $300 million in lost earnings in the first quarter of 2018, excluding incident response.
AttackIQ Ransomware Template
To help organizations optimize their cybersecurity program to achieve maximum efficiency and effectiveness, AttackIQ has introduced a new assessment into the Security Optimization Platform to ensure that organizations are prepared to defend themselves against a range of ransomware attacks. The newly-updated ransomware assessment template in the AttackIQ Security Optimization Platform includes the techniques most commonly used by ransomware threat actors today. (This new template builds on AttackIQ’s pre-existing capabilities in validating the effectiveness of signature-based endpoint and network controls as well as file encryption.) The new assessment is aligned with MITRE ATT&CK and derived from a number of different ransomware families and the kill chains that lead to them. The ransomware families covered are Emotet, TrickBot, Qakbot, Ryuk, Sodinokibi/REvil, ProLock, Snake, SamSam, and NotPetya.
Emotet, Trickbot, and Qakbot are malware used in the initial infection phases of these attacks; the other families are the ransomware payloads themselves. In addition, adversaries commonly use “living off the land” and other manual strategies that employ TTPs such as T1021.001: Remote Services: Remote Desktop Protocol, used to move laterally via compromised or weak credentials, or T1569.002: System Services: Service Execution using PSExec on a compromised domain controller in order to execute the ransomware on high-value targets throughout the organization.
The methodology used when creating this assessment is simple, and with the capabilities of the AttackIQ Security Optimization Platform, can be easily customized to suit the context of your environment — or be used out-of-the-box:
- Research which TTPs are used by ransomware actors;
- Determine which of these TTPs are implemented in the AttackIQ Platform;
- Determine which techniques implemented for these TTPs match the method the attacker is using to execute the TTP;
- Insert results into MITRE ATT&CK Navigator layers — one for each ransomware family
- Combine individual layers into one layer; and
- Insert the most commonly used results into an assessment template in the AttackIQ Platform.
Ransomware is a prevalent threat and a leading cause of concern for corporations around the world. It costs companies billions of dollars annually in the United States alone. It is wide-spread, affecting organizations by causing both direct financial consequences and far-reaching implications for consumers of their products, including a decrease in trust if and when a company fails to respond effectively in a ransomware crisis.
Given the potential impact on organizations of all types, to include the destruction of critical data, it is crucial for organizations to assess the efficacy of their ransomware cyberdefenses as a part of a comprehensive cybersecurity and risk management strategy. Security controls assessments should be accompanied by a broader risk management and crisis planning process for ransomware attacks, to include preparing for negotiations with ransomware attackers, potential bitcoin investments in the event that ransoms need to be paid, and public affairs crisis preparation practices across the executive team and board. In addition to AttackIQ’s assessments and services, our colleagues at The Brunswick Group have developed a robust practice to help those interested in learning more about crisis-management preparations for ransomware attacks.
If you would like more insight into how this assessment works, or would like to incorporate some of our perspective into your own workflows, please see the above MITRE ATT&CK Navigator overlays. As always, we will keep our tabs on the adversary and continue to release content pertinent to today’s most prominent threat actors, malware families, and advanced persistent threats as we develop it.