On the Taxonomy and Evolution of Ransomware

Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge.

Given the frequency with which “ransomware” appears in news articles, it may be worthwhile to take a step back and actually consider what the term means. Any malware or attack that culminates in extorting ransom from the victim is commonly referred to as ransomware. The general idea is to encrypt the victims’ data and to promise to deliver the key needed to decrypt it in return for a paid ransom.

But there are very different types of attacks which are all called “ransomware.” Let’s start by dissecting them.

Commodity Ransomware

This type of ransomware operates on autopilot. While the attacker might craft a unique phishing campaign to deliver the malware to a particular target, it is fully automated in carrying out its mission once the malware is on a system. With this type of ransomware, the ransom requested is generally pretty modest, with a business model based on infecting thousands of systems and expecting some percentage of the victims to pay.

In early versions of this ransomware (think CryptoLocker), each successful infection led to files on a single system being encrypted. Some versions also unintentionally encrypted files on network drives which the system had mounted.

The next evolutionary step was for the malware to search for network drives which the system’s user had the right to access but which had not already been mounted – and to encrypt them. In this step, the attacker’s ideal target shifted from an individual who would pay a ransom to recover family photos to an organization that would pay one or more ransoms to recover business-critical files. The rationale of the evolution is clear: By encrypting more stuff, the likelihood of a ransom being paid increases as one or more of those encrypted files might contain something the victim couldn’t live without.

The final evolutionary step of commodity ransomware came from combining it with a worm. This term refers to self-replicating malware, which first infects one system and then rapidly infects neighboring systems, which then infect their neighbors, and so on. The effect is that duping a single phishing victim gets the ransomware onto that victim’s system, and from there it rapidly infects thousands of systems in the victim’s organization without requiring users of those systems to also fall for the con. WannaCry was the original of this generation of commodity ransomware.

Human-Operated Ransomware

Unlike its commodity brethren, this type is a more sophisticated, targeted attack that culminates in the demand for a large ransom.

The targeted attack generally starts with an initial foothold in the organization and requires many steps to achieve its goal. Many of the steps are manual as they have to adapt to the specifics of the target’s environment and the specific goals the attacker has for the target organization. Most groups undertaking such attacks have a collection of tools they utilize, but the needs of the particular attack may expand that toolchain.

Human-operated ransomware attacks generally take several weeks to pull off. Most of that time is spent getting all the attack pieces in place in the various parts of a target organization’s network. At the hour chosen for the attack, all the attack pieces simultaneously go into action by encrypting all the valuable data previously identified. The group known as the SamSam gang spent much of 2018 in the news as it used this methodology to attack municipalities, hospitals, healthcare systems and several universities.

As organizations became better at making backups (and ensuring they could actually restore them), another evolutionary step emerged: The valuable data would be exfiltrated and encrypted in place. Pay up, or your copy of the data is rendered useless and your data will be made public.

Both commodity and human-operated ransomware share a common challenge: How can the victim be assured, first, that the payment of ransom will result in data being unlocked (and not leaked) and, second, that the funds paid to the organization will not be used for even more reprehensible purposes (victims are less likely to pay a ransom if they know it may fund terrorist attacks)?

This is where the ransomware “brand” comes into play. If you heard that someone with brand X ransomware paid a ransom and still lost their data, you would be less likely to pay the ransom. Each ransomware group effectively has a positive-spin P.R. strategy and employs a customer-success team to ensure that their “customers” have a positive experience when they pay a ransom.

Recent business-model evolution has also occurred: Gangs like REvil, DarkSide (which hit the Colonial Pipeline) and other strains of human-operated ransomware have moved to a franchise model. The franchiser supplies tools, playbooks and other attack infrastructure, while franchisees use these services to carry out the attacks, forwarding a percentage of the paid ransom back to the franchiser. The franchiser does the P.R. and may also employ the customer-success team. Ransomware is, after all, a business.

How to Block Ransomware Attacks

Existing commodity ransomware attacks can generally be blocked on entry (via timely indicators of compromise, or IoCs, delivered in a threat-intel feed). New commodity ransomware that bypasses preventive measures is often limited in scope, so a good backup/restore regimen will do the trick.

Containing more virulent and fast-moving commodity ransomware is more difficult – micro-segmentation, zero trust, least privilege and other policy-driven controls can help contain the outbreak.

Human-operated ransomware attacks are very similar to other targeted cyberattacks in that many of the countermeasures to protect against them are the same. This means that success for the defender isn’t about prescriptive policy, hardened configurations or some threshold of protective controls. While these are useful to a point, a sufficiently motivated attacker will eventually overcome them.

Instead, the best defense against human-operated ransomware will be robust visibility and a strong mix of threat hunting and investigative discipline, with an aim to uncover malicious activities before they’ve progressed to the point of no return. On the plus side, this approach will also improve your resilience to something like the SolarWinds supply-chain hack.

Oliver Tavakoli is CTO at Vectra AI.
