I spoke with Steph S from Terbium Labs on “The Rise in Ransomware: What Steps to Take to Reduce Risk and Respond to an Attack” on May 7, 2020. Thanks to those who attended! For those who didn’t, the recording is available on the Terbium Labs website.
During the webinar, I spent some time discussing “affiliate” models for groups such as Sodinokibi, in which initial access via exploited vulnerabilities, exposed RDP, and phishing is carried out by different actor groups, all of whom use the same malware and payment infrastructure. The day after the webinar, FireEye/Mandiant released an outstanding blog on the Maze ransomware group detailing how this subdivision goes even further among their affiliates:
Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement, each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (vs. commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.
This professionalization is a sobering indication of how lucrative targeted ransomware attacks are for the criminal ecosystem conducting them. It also mirrors the subdivision and specialization seen among many nation-state advanced persistent threat (APT) groups. As discussed during the webinar, this makes targeted ransomware a worthwhile scenario to model security controls around, including tabletop or training exercises that can aid in preparing for an incident.
All this said, these attackers understand that return on investment is paramount. Being “brilliant at the basics” does not make an organization invincible, but being a harder target significantly reduces an organization’s susceptibility to ransomware events.
Here are our top recommendations:
- Know and monitor your digital attack surface – both underground and IT infrastructure.
- Employ Secure Email Gateways and ensure users are trained on reporting procedures.
- Implement Multifactor Authentication.
- Patch systems regularly.
- Ensure backups are available, are not network-connected, and have been tested so that you know they can actually be restored from.
- Consider a standalone cyber insurance policy, know the coverage it offers, and take advantage of the relationships with professional and technical services it may offer.