April 2021

threat Insider eBook

2021: The Evolution

of Ransomware
Introduction
The Ransomware Landscape
is Shifting Under Our Feet
Ransomware has been a growing scourge for years, but recent months have
been marked by a growing sophistication and level of innovation in this slice
of the cybercrime underbelly. This eBook sets out to arm organizations with
the knowledge they need to defend against not only the state of play – but also
the emerging trends and attack patterns that are set to bubble up and take
security staff by surprise.
Our lead story explores what’s next for ransomware rather than the status
quo, with a comprehensive look at emerging types of extortion attempts;
how the malware itself is changing; what fresh swathes of victims are being
targeted; and the burgeoning move to attack cloud resources like Kubernetes
and Docker.
We also take a deep dive into how the ransomware underground economy
is structured, including what goes on in illicit forums. Follow the money to
find out how affiliates work with the main operators, cybercriminals’ code of
conduct and more.
2
This eBook also delivers an insider’s view into the real-world toll that
ransomware can take. An exclusive case study takes readers inside a
fascinating incident-response event, with a diary of the first 48 hours of an
attack on a school district.
Elsewhere, exclusive Threatpost research (based on a reader poll) examines
attitudes towards paying the ransom, how respondents said they deal with
a ransomware attack and what organizations’ top challenges are. Finally, a
round-up of best practices for mitigating risk offers an at-a-glance checklist
for shoring up defenses. We also take a critical look at the role of cyber-
insurance companies when it comes to ransomware.
Read on to help hone a solid foundation for understanding this threat, and how
to be better positioned to defend against it – both now and in the future.
Tara Seals,
Ransomware eBook Editor
Threatpost.com April 2021
Table of Contents 3

Inside This eBook

Introduction: The Landscape is Shifting

2 Cyber-Insurance Fuels Ransomware Payment Surge
21
Emerging Trends in Ransomware
4 Diary of a 48-Hour Ransomware Attack
25
A Peek Inside the Ransomware Economy
11 A Practical Guide to Avoiding Ransomware
29
Threatpost Poll: The Cost of a Ransomware Attack
16 Conclusion and Acknowledgments
30
Threatpost.com April 2021
 4

Emerging Trends in Ransomware

By Tara Seals

Today’s ransomware gangs are more dangerous and prolific than ever before.
Worse, they keep moving the goalposts with new techniques and approaches
as the attacks prove to be increasingly lucrative.

For instance, in February 2021, CD Projekt Red, the videogame-development

company behind Cyberpunk 2077 and the wildly popular Witcher series,
suffered a novel ransomware attack. The cybercriminals acknowledged that
the ransomware itself would likely not be a problem for the company, which
had backups in place to quickly remediate the attack. More concerningly, the
attackers threatened to dump troves of stolen company data online – including
game source code.

It was a milestone in the ongoing shift from holding computing resources

hostage to basic blackmail using stolen data. And the incident illustrates that
ransomware gangs are constantly innovating in what has become cybercrime’s
most money-making sector.

Ransomware Volumes Continue to Grow

According to Positive Technologies, the third quarter of 2020 brought a record rise
in the number of ransomware attacks, which accounted for more than half of all
malware attacks in the time period. Check Point, meanwhile, reported that the daily
average of ransomware attacks in Q3 2020 increased 50 percent when compared
to the previous six months, with Ryuk alone attacking 20 organizations a week.

Threatpost.com April 2021

Emerging Trends in Ransomware
The reason for the growth is obvious: It’s a lucrative game. Data from
NinjaRMM’s 2020 Ransomware Resiliency Report also shows that ransomware
incidents resulted in damages of between $1 million and $5 million for 35
percent of the organizations whose IT pros they surveyed.
In 2021, researchers expect to see a continued wave of attacks from both
malware operators themselves and from ransomware-as-a-service (RaaS)
purveyors, who provide access to ransomware toolsets in return for a
percentage of the victim’s ransom. And as ransomware continues to spike,
there are a few emerging trends to keep an eye on. These include code tweaks;
new adventures in extortion; changes in victimology; and the move to attack
cloud resources like Kubernetes and Docker.
“There is an unprecedented number of ransomware variants
and actors popping up on a weekly basis.”
“Ransomware operations were the predominant attack vector in 2020, with an
unprecedented number of different variants and actors popping up on a weekly
basis,” said Stefano De Blasi, threat researcher at Digital Shadows.
Ransomware Code Changes
First and foremost, organizations can expect ransomware gangs to add a few
technical tricks to their arsenals, including those aimed at better detection
evasion, as Yana Yurakova, analyst at PT, explained.
5
“Some ransomwares, such as Maze and Snake, use sandbox detection and
bypass techniques to hide their presence from security tools that test file
behavior in virtual environments,” she said. “It can be assumed that such
functions will increasingly appear in ransomware code.”
Along with the ability to better fly under the radar, ransomware groups are
also looking to cast a wider net in terms of available targets, according to
Christo Butcher, global lead for threat intelligence at Fox-IT, part of NCC
Group. Thus, they’re starting to take a multiplatform approach, branching out
from exclusively abusing Windows code.
“Just like nation-state actors make their backdoors cross-platform, we expect
this adaption to be applied by ransomware gangs,” he said. “Currently most
ransomware groups are targeting Windows operating systems, but more and
more companies are also running Unix. For example, the RaaS group Darkside
has already adapted their ransomware operations to be more cross-platform-
capable, and many more RaaS providers are adding Linux payloads to their
service.”
Om Moolchandani, co-founder, CTO and CISO at Accurics, said that in the same
spirit of expanding attack services, nonstop scanning for vulnerable targets
in the cloud and worm-like self-propagation have been added to a handful of
ransomware samples.
“While desktops are relatively static, cloud use (especially infrastructure-as-
a-service and platform-as-a-service) is much more dynamic in nature, and
malicious actors are always looking for new weak links,” he explained.
Threatpost.com April 2021
Emerging Trends in Ransomware
6

He added that cloud use thus provides fleeting windows of criminal

opportunity. “A developer spinning up a Kubernetes cluster at 3 a.m. to test
something briefly could provide a toehold to a larger compromise,” he said,
which is something only constant scanning can pick up on for attackers.

Also, compromise automation will continue, he said: “That scan doesn’t just
report findings, but additional systems take vulnerability findings as they’re
discovered and compromise the systems, then inform their owner of success.”

Speaking of vulnerabilities, Chris Clements, vice president of solutions

architecture at Cerberus Sentinel, said that he expects ransomware groups to
take their newfound wealth and use it to invest in finding and exploiting zero-
day vulnerabilities.

“My expectation is that groups will extend their offensive capacity by using
their considerable extortion earnings to buy or develop their own zero-day
exploits to gain initial access to their victims’ networks,” he said. “This will
ensure that they are able to continue compromising organizations even as
perimeter and phishing defenses improve.”

Evolving TTPs and Extortion

Along with technical changes, ransomware gangs are also switching up
their techniques, tactics and procedures (TTPs) to improve their extortion
operations.

In late 2019 and 2020, the Maze ransomware group blazed new territory
when it began exfiltrating data and threatening to release it to get victims

Threatpost.com April 2021

Emerging Trends in Ransomware 7

to pay up. For instance, in May 2020, a U.S. military contractor involved in individuals, customers or partners in the company if they are able to discover
the maintenance of the country’s Minuteman III nuclear arsenal (Westech compromising information from their documents or communications.
International) was hit by the Maze ransomware, with the hackers making off
with reams of sensitive information, including employee data and company An example of this is an attack on cloud-computing company Blackbaud in July
emails, which may or may not have included classified military information. 2020. Ransomware attackers stole data on 200+ of the company’s customers
and used it to mount follow-on attacks.
“The primary change was that ransomware gangs realized that the network
admin access they often acquired would allow them to do nearly anything
to the victim, and was not just limited to encrypting files, data and operating Big Growth for Double Extortion
systems,” said Roger Grimes, data driven defense evangelist at KnowBe4. “This
includes exfiltrating confidential and critical data, and promising to release it
to hackers, competitors or the public, if the ransom is not paid.”
over over
This double-extortion tactic was soon adopted by most of the larger gangs, 50 percent 80 percent
who have also improved upon the model over time. That includes stealing
all found business, employee and customer login credentials; threatening
to publicly out victim companies; and the creation of customized “name and
shame” websites to advertise the compromise and demands, and to leak data. 2020 2021
Percentage of attacks where adversaries threaten to leak stolen information.
“By the end of last year, over 50 percent of all ransomware deployed similar Source: KnowBe4

tactics, and we expect that number to rise to over 80 percent this year,”
Grimes said. “This also explains why the amount of average ransom paid has
significantly increased over the last two years (from tens of thousands to over
$200,000) and why more victims are paying than in the past.”
An emerging extortion tactic for this year includes attackers becoming
increasingly sophisticated in post-exploitation activities, targeting
“Ransomware operators, in addition to stealing data, can blackmail the
victim so that the data obtained during the attack will be used against their
customers or partners,” PT’s Yurakova noted. “An outstanding example of a
supply-chain attack is the incident with the cloud software provider Blackbaud
in May, during which not only the company itself but also its customers
suffered.”

Threatpost.com April 2021

Emerging Trends in Ransomware
Notably, Northwestern Memorial Healthcare reported a Blackbaud-related
breach impacting 55,983 individuals; and Inova Health System reported one
impacting more than 1 million individuals.
Cerberus’ Clements meanwhile noted that extortion could go even further in
the havoc it can cause. “I can foresee them targeting intellectual property or
trade secrets to resell to adversarial nation-states,” he said, “or orchestrating
operations to manipulate stock prices by staging misinformation campaigns
that appear to come from official sources inside their victims’ organizations.”
On the heels of these new tactics, researchers warn that soon ransomware
groups may be demanding double payment: One to decrypt the data and
another not to publish it.
“For example, an affiliate of LockBit mentioned that the victim also had to pay
for the data not being published or sold elsewhere,” Fox-IT’s Butcher said.
“And the Clop ransomware group already has an option to pay to remove the
data from their leaking page. We wouldn’t be surprised to see a shift to double
payments by more ransomware operators.”
There’s also the looming tactic of piling on distributed denial-of-service
(DDoS) attacks if a victim doesn’t pay. So, even if they clean the ransomware
from the systems, companies will still find themselves with operational
disruption.
“DDoS-after-encryption is something that might be an upcoming trend, however
currently this is only observed being used by the SunCrypt group against some
8
smaller companies,” Butcher said. “As for all the cases and investigations we’ve
done, we haven’t seen other groups applying this technique.”
However, an alleged representative from the REvil ransomware group
mentioned in a 2020 interview with Russian OSINT that he admired the idea.
“Everything ultimately comes down to a shift toward leaking files and not
locking them,” he said. “I personally really liked SunCrypt’s idea. DoS [denial
of service] the site of the company and their infrastructure, combined with
locking the files and threatening to publish them…[it] puts a lot of pressure on
them…[We’re] thinking about employing a similar model.”
New Frontiers in Victimology
In 2020, ransomware gangs also shifted to more targeted attacks and
larger organizations, including certain verticals known for lax security, like
healthcare. But there are new trends percolating in terms of victimology.
For one, criminals will continue searching for known vulnerabilities in the
perimeter this year, particularly when it comes to lucrative industries that
have existing security weaknesses, or that can’t afford a potential downtime in
operations.
“Penetration tests in financial organizations show a low level of protection: In
seven out of eight companies, an external attacker would be able to penetrate
local networks from the internet,” said PT’s Yurakova. “So, bank ransomware
attacks will also likely increase this year.”
Threatpost.com April 2021
Emerging Trends in Ransomware
Criminals will also likely ramp up the targeting of industrial companies, she
added, which can be especially destructive. For instance, WestRock – the
second-largest packaging company in the U.S. – suffered an attack in January
that affected its operational technology (OT) systems used to manage, monitor
and control industrial operations. It took weeks to restore its more than 320
manufacturing facilities globally, which create packaging supplies for a bevy of
high-profile clients, including General Motors, Heinz and Home Depot.
This kind of operational damage increases the stakes – and the ransoms.
“In some cases, they already reach tens of millions of dollars, and the more
companies fall victim to attacks, the more motivated hackers become,”
Yurakiva said.
Niamh Muldoon, senior director of trust and security at OneLogin, noted
that taking the global economic environment and current market conditions
into consideration, cybercriminals will also look to maximize their revenue-
generating streams by moving upmarket.
“During 2021 we are likely to see cybercriminals, both individuals and groups,
partner together to try maximize their return of investment with their
attacks,” she said. “This could be targeting high-value individuals and/or large
enterprise organizations, for example.”
Cloudy with a (Good) Chance of Ransomware
As companies continue to turn to the cloud to support their work-from-home
strategies and digital transformations, ransomware operators too have cultivated
interest in cloud-native resources – a trend that’s likely to develop further this year.
9
“One the most innovative attacks we will see this year will be cloud-native
watering-hole attacks, due to rapid adoption of cloud-native technologies
which are eccentrically immutable and ephemeral in nature,” Accurics’
Moolchandani said. “The continuous deployment of cloud-native technologies
like containers requires supply-chain infrastructure such as container-trusted
registries like from Amazon, Docker and Google, etc. in order to deliver the
cloud-native artifacts such as a container images.”
Thus, a plausible attack vector involves an attacker corrupting a container
image located in a container-trusted registry, which becomes a supply-chain-
based way to infiltrate a victim’s entire Kubernetes cluster.
“Gangs soon may be demanding double payment: One to
decrypt the data and another not to publish it.”
“Container images store application code and the dependencies needed to run
the application,” explained Michael Vieth, senior application security consultant
at nVisium. “Container images are typically stored within a centralized
container repository, such as the Docker Hub. Container orchestrators such
as Kubernetes pull container images from repositories like the Docker Hub.
Thus, if an attacker is able to successfully compromise popular base images
(such as Ubuntu or WordPress) it could allow an attacker to plant ransomware
within seemingly legitimate images.”
The threat is more than theoretical: Docker Hub reported in 2019 that 190,000
accounts had been breached. These credentials could have allowed attackers
Threatpost.com April 2021
Emerging Trends in Ransomware
to modify any Docker images that the account had privileges to manage,
allowing them to push a new update to an existing Docker image containing
ransomware. Then, when other users pull the new image and run it on their
hosts, they import the ransomware to their environments.
“The thought of a ransomed Kubernetes cluster is not a pleasant one,”
Moolchandani said. “These systems are growing more complex; It is an
imperative that their security and configuration management is properly
managed, or the results could be catastrophic. The interest follows any
valuable, insecure resources, so it’s just a matter of time until this becomes
more popular.”
10
Whether it’s code changes, new extortion techniques, an expansion of
victimology or a pivot to the cloud, ransomware operators are continuing to
forward themselves and improve their ability to flourish in an ever-shifting
landscape – a state of affairs that defenders would be wise to keep in mind.
“Cybercrime is a business so we all should think of it the same way,”
OneLogin’s Muldoon said. “Out of all the various types of cybercrime,
ransomware is the one activity that has a high direct return on investment
associated with it.”
Threatpost.com April 2021
 11

A Peek Inside
the Ransomware Economy
By Tara Seals

Ransomware is not just a type of malware – it’s also at the center of a

sophisticated, flourishing underground economy that has all the conventions of
legitimate commerce.

It’s a community made up of major malware developers, affiliates and

channel partners, and those that provide adjacent services, such as selling
network access. Operators even have their own publicity arms that put out
press releases and maintain their “brands,” and they have customer service
operations.

At the center of the scene is the fact that ransomware operators often adopt
affiliates, to whom they provide ransomware-as-a-service (RaaS) offerings.
Affiliates can be seen as the channel partners of the underground, responsible
for ransomware distribution to end victims. They usually pocket between
60 and 80 percent of the ransom, with the rest going into the operators and
authors’ coffers.

“These gangs run like legitimate businesses: They have customer service
and IT support, and will do what they can to boost their brand reputation,”
according to experts at Intel 471, in a collaborative interview. “So, your most
popular variants are those that result in higher payouts and take care of the
criminal’s asks once they are brought into an affiliate program.”

Threatpost.com April 2021

A Peek Inside the Ransomware Economy 12

Ransomware Affiliate Programs Flourish

RaaS affiliates are carefully vetted and chosen, and some gangs, such as
NetWalker, have stronger standards than others.

“Well-established ransomware gangs are known to be rather picky,” according

to Intel 471. “The basic requirement for a candidate willing to enroll into any
high-profile RaaS affiliate program is typically to demonstrate availability of
compromised accesses or potential sources of such accesses to lucrative
corporate networks.”

Such sources usually include operating an information-stealing botnet, the

ability to carry out brute-forcing and account-checking activity, or targeted
attacks.

“Therefore, experience in carrying out network intrusions and lateral

movement with associated malware is often desired,” the firm noted. “An
added benefit is prior first-hand experience in ransomware deployment and
operation.”

In a 2020 posting in the Russian-language Exploit forum, MedusaLocker

posted its requirements to prospective affiliates. These included “practical
experience with ransomware, confident user of Cobalt Strike, able to escalate
local administrator and domain administrator privileges, working knowledge
of backup systems and understanding of OPSEC.”

Affiliates usually outline these skills in a “resume,” and are often asked to
perform actual successful network attacks and ransomware deployments

Threatpost.com April 2021

A Peek Inside the Ransomware Economy
during a short trial period, researchers said. And, all potential candidates are
required to pass an interview with the affiliate program’s support staff.
This pickiness has to do with maximizing revenue. Successful attackers
perform weeks of reconnaissance in order to accumulate information on the
target’s finances and business situation, to set an appropriate ransom price –
and they need the right skill set in order to do that.
“They’re in enterprise systems for weeks or months, gathering as much
data as possible to make sure their attack is successful,” according to
Intel 471. “The more attackers understand a business by combing through
communications, ledger sheets, along with services and product offerings, the
better they know how to tailor their ransomware demands to a price that will
grab attention, but won’t be so large that it gets ignored.”
Meanwhile, in order to prevent infiltration of affiliate programs by western
law-enforcement services and by cyber-threat researchers, some RaaS
gangs implement additional precautions, which include vouching by existing
members, a requirement for a native command of the Russian language, or
vetting of local and cultural knowledge pertaining to Russia and ex-USSR
countries, the researchers added.
For example, a posting in the Exploit cybercrime forum by the REvil
ransomware gang in fall 2020 noted, “No doubt, in the FBI and other special
services, there are people who speak Russian perfectly but their level is
certainly not the one native speakers have. Check these people by asking them
questions about the history of Ukraine, Belarus, Kazakhstan or Russia, which
cannot be googled. Authentic proverbs, expressions, etc.”
13
Not all gangs are considered equal in the underground. Competition for
affiliates comes down to the commission and how quickly it’s paid, the speed
and quality of encryption, and the extortion mechanisms that the ransomware
group offers to “motivate” the victim to pay (for instance, exfiltrating and
holding data hostage).
“Each group has a different scheme,” explained Dmitry Bestuzhev, head of
research center for Latin America at Kaspersky. “A ‘good’ one offers about
80 percent as commission to those who work with them. Some implement
automated payments, where funds once received from the victims are
automatically split and sent to the affiliated group. That is the most attractive
mechanism for those who work with ransomware. In addition, there is a transit
cryptocurrency in the middle, like Monero, which brings more anonymity
compared to Bitcoin.”
Ransomware Ecosystem Services
As gangs continue to pivot to high-value victims, network-access merchants
have become an important part of the scene, researchers said. Criminals in
underground forums will advertise access to various breached organizations,
and quickly turn to sell access to the highest bidder or strike a deal with a
ransomware affiliate in order to share any profits pulled from a successful
payment.
They offer information-stealing malware, logs of vulnerable (unpatched)
companies, or credentials stolen and offered by individual vendors, for
example.
Threatpost.com April 2021
A Peek Inside the Ransomware Economy 14

“These partnerships have resulted in a flourishing submarket, where access If the total ransom is $10 million, he said, then each “job” brings the gang
to corporate networks is sold for six-figure sums directly or via a partnership about $4.9 million. This is what’s left after the costs for piggybacking on botnet
and cut of paid ransoms,” according to Intel 471. infections or buying access to victim networks (around $100,000); giving the
ransomware developers their cut, which can be up to 40 percent; and Bitcoin
Also, since the ransom price is unique and calculated for each victim laundering, which takes around 10 percent in fees.
individually, ransomware gangs count on financial analysts.
Bestuzhev estimated that an active group probably makes hundreds of
“When the data is stolen, they work with it to understand the nature of the millions of dollars per year.
business, its profit and other data,” Bestuzhev said. “They do it to measure what
is the highest price they can ask for but still to stay below the recovery cost, What Affiliates Make
which sometimes includes fines for violations of HIPAA and other regulations.”
Affiliate profit (�4.9M)
Follow the Money Ransomware
authors' cut (�4M)
Total ransom
The vast majority of ransom payments are made in cryptocurrencies, most �10 million Bitcoin laundering/money
often in Bitcoin. mule services (�1M)

Cost for buying network

“After a payment to the perpetrator’s wallet is made, money is then often
dispersed and mixed across numerous wallets, to ensure anonymity,”
according to Intel 471. “Part of that money is used for the gang’s own
operational needs (payments to ransomware developers, support of
infrastructure etc.), while the rest is exfiltrated via numerous underground
payment services.”
Ivan Kwiatkowski, senior security researcher at Kaspersky GReAT, noted that
it’s difficult to estimate affiliates’ overhead, but a simple back-of-the-envelope
calculus can offer a rough idea of the profitability of ransomware attacks.
access (�0.1M)
A quick look at where the profits go, on average. Source: Kaspersky.
What About the Data?
Ransomware gangs have doubled down on the increasingly common “double-
extortion” threat, saying they will auction stolen data if victims don’t pay. Many
maintain “name and shame” blogs – used by operators to post leaked data
from victims that didn’t pay – which in theory creates a supply of sensitive
information for potential buyers.

Threatpost.com April 2021

A Peek Inside the Ransomware Economy 15

But Bryan Oliver, cybersecurity analyst at Flashpoint, said there’s currently
little evidence that this is part of the economic reality of the ransomware
scene.
“Conti and Egregor have locked an extremely high number of victims, and have
been struggling to shame victims on their extortionist sites as fast as they
attack new victims,” he said. “As of January 11, 2021, we have not observed
either of these groups actually selling data, and assess that there is a good
chance they are not actually selling data, but instead, are just claiming that
they are in order to pressure victims whose data they do not have time to
upload.”
One of the only known examples iis the ransomware gang behind the hack of
CD Projekt Red making good on its promise to auction off the company’s data.
Source code for Cyberpunk 2077 and an unreleased version of the Witcher 3
was put up for sale in February 2021 on the well-known Russian-language
underground forum “Exploit,” and was sold a day later.
REvil famously claimed that a private party bought data related to Donald
Trump after it stole data from celebrity law firm Grubman Shire Meiselas &
Sacks: “Interested people contacted us and agreed to buy all the data about
the U.S. president, which we have accumulated over the entire time of our
activity. We are pleased with the deal and keep our word,” the leader said, in
the aforementioned OSINT interview.
However, no evidence was provided for the claim.
“Auction claims should be viewed with a healthy amount of skepticism,” Oliver
said. “Essentially, whether any ransomware groups have successfully sold
data online or not, this does not appear to be a tactic commonly employed to
successfully increase profits.”

Cyber-researchers confirmed the auction’s existence but were unable to verify

the amount it sold for. The auction however asked for $1 million opening bids.

At least one other group, REvil, has been observed supposedly auctioning off
the data of breached companies on its blog.

“However, we have not observed them to have successfully sold a single

breach since they began doing so,” Oliver noted. “Every item on their auctions
page currently says ‘not sold.’ Given that they have so far always published the
data for free after the end of an auction, this is perhaps as expected.”

Threatpost.com April 2021

 16

Threatpost Poll:
The Cost of a Ransomware Attack
By Threatpost Staff

Ransomware is on the rise, but what toll does it take on the real world?
Threatpost set out to answer that question in an exclusive poll aimed at
taking the pulse of organizations wrestling with attacks, including looking at
mitigations and the defenses organizations have in place.

The number of ransomware attacks has jumped by 350 percent since 2018, and
the average ransom payment increased by more than 100 percent just since
2020, according to a recent report from PurpleSec. Meanwhile, downtime is up
by 200 percent and the average cost per incident is on the rise.

Groups with names such as Ragnar Locker, Ryuk, Egregor, Conti and many
others are ruthless, well-funded and willing to target anyone to get their
payday; from COVID-19 vaccine manufacturers to retailers, banks to local
governments, schools, hospitals and more.

Rising ransoms have also helped evolve ransomware attackers from what
were historically basic scammers into a professionalized group of criminal
organizations with deep benches of top cybersecurity talent.

With the threat of ransomware attacks being ratcheted up every day,

Threatpost decided to examine the ransomware landscape through the lens of
its cyber-savvy base of readers.

Threatpost.com April 2021

Threatpost Poll: The Cost of a Ransomware Attack 17

Among all 120 respondents, a little less than a third said they have been a
victim of ransomware. In terms of victims, the leading sectors hit the hardest
were tech and manufacturing (17 percent and 15 percent of respondents).
The next-most-common profiles were evenly distributed among finance,
healthcare and critical infrastructure.
the consensus is that paying the ransom is a bad idea. A full 78 percent argued
against giving into extortion demands, for a range of reasons.
If your company did NOT pay the ransom ― and recovered
relatively unscathed ― to what do you credit the limited impact?

If your firm was a ransomware victim, did the attack

include stealing data?

No (44%)

I don’t know (27%)

Yes (22%)

Other (7%)
Backing up data Other (10%)
religiously (43%)
Cybersecurity insurance (5%)
Network segmentation (20%)
Ransomware mediation
Privileged access services (5%)
management (17%)
These self-identified victims of ransomware attacks told their attackers to
take a hike. A full 80 percent said that they didn’t pay the ransom.
The top reason cited, by 42 percent, is that cybercriminals aren’t trustworthy
The poll results revealed sometimes counterintuitive attitudes towards (go figure) and that paying the ransom doesn’t guarantee a decryption key.
ransomware and how to deal with it. Included in these charts are Threatpost’s Respondents also felt that having backups is a better approach to dealing with
top findings. an attack (cited by 34 percent) – though of course that requires foresight.

To Pay or Not to Pay Sixteen percent did note that situations vary, and can be complicated,
depending on the impact on business continuity and the nature of the data
Among all respondents to Threatpost’s poll (both victims and the lucky ones), placed at risk. For instance, healthcare organizations and manufacturers may

Threatpost.com April 2021

Threatpost Poll: The Cost of a Ransomware Attack 18

face potential safety risks if their data is encrypted and devices bricked. In this about half of victims who did pay the ransom after an attack also paid less
case, they may choose to pick the quickest – not best – option for getting their than $50,000 in remediation – not counting the ransom payment.
data back.
What ransomware defenses
Should state or federal laws govern how businesses do you have in place?
respond to ransomware attacks?

Yes (51%)

No (49%)

Daily backups Privileged access

of critical data (19%) management (12%)
And in the “yes, let’s pay” camp, about 5 percent of respondents felt that paying Endpoint/device protection (18%) Weekly backups
is easier than dealing with business disruption, lost data and remediation; User awareness training (15%)
of critical data (11%)

while another 2 percent said that cybersecurity insurance will cover any Monthly backups
Network and resource of critical data (9%)
ransom and related costs. segmentation (14%)
Other (2%)

Interestingly, just 1 percent said that paying will ultimately cost less in the long
run. Threatpost’s poll results showed that costs – ranging from operational
or system downtime, negative brand backlash or otherwise – are often still Ransoms seem to vary however – in keeping with researchers noticing that
realized by the victims even when they do pay. gangs tailor demands to companies’ profiles. Thirteen percent of ransomware
victims who did not pay a ransom said they still paid between $50,000 and
Threatpost found that more than half of victims (57 percent) suffered less than $100,000 – and 13 percent paid more than $1 million.
$50,000 in remediation costs if they did not pay the ransom. Comparatively,

Threatpost.com April 2021

Threatpost Poll: The Cost of a Ransomware Attack 19

And, about 12.5 percent of those who did pay the ransom also paid more than
$1 million in overall remediation. In fact, 6 percent of this category of victims
paid more than $100,000.

Defenses and Challenges

When asked which vital defenses organizations should have in place to protect
against ransomware attacks, organization cited backups of critical data (24
percent), user-awareness training (18 percent) and endpoint/device protection
(15 percent) as the top “must-haves.”

What are the most vital defenses

to have in place?

Backups Privileged access

of critical data (24%) management (11%)

User awareness training (18%) Network perimeter

protection (6%)
Endpoint/device
protection (15%) Cloud securiy (4%)

Network and resource Other (4%)

segmentation (12%)

Threatpost.com April 2021

Threatpost Poll: The Cost of a Ransomware Attack 20

But implementing those defenses is easier said than done. Poll respondents
cited a range of challenges when it comes to fending off ransomware attacks.

Should your company pay the ransom,

if attacked?

No: paying the ransom does not Yes: it΄s better then dealing
guarantee a decrytion key and with business disruption,
futher encourages attackers (41%) lost data and remediation (6%)

No: we have back-ups and are Yes: paying will ultimately cost
prepared for an attack (33%) less in the long run (2%)

It΄s complicated: depends on the No: cybersecurity insurance

impact on business continuity will cover any related
and nature of data (16%) costs (2%)

Organizations listed insider threats as the top challenge, with 29 percent

saying a lack of employee awareness (regarding email and social-engineering
threats) was a problem. Meanwhile, 19 percent said budget constraints (having
no money for deploying or upgrading defensive platforms) were an issue;
while 18 percent said a lack of patching and legacy equipment was a top
challenge.

Threatpost.com April 2021

 21

Cyber-Insurance Fuels
Ransomware Payment Surge
By Lindsey Welch

Ransomware victims are increasingly falling back on their cyber-insurance

providers to pay the ransom when they’re hit with an extortion cyberattack. But
security researchers warn that this approach can quickly become problematic.

In the first half of 2020, ransomware attacks accounted for 41 percent of the
total number of filed cyber-insurance claims, according to a Cyber Claims
Insurance Report released last year by Coalition.

And indeed, in real-world attacks over the past two years, many companies
afflicted by ransomware acknowledged that they had utilized cyber-insurance
to deal with either the ransom itself or the ensuing cost of remediation.

For instance, weeks after Riviera Beach, Fla. was hit by ransomware in June
2019, the city council held an emergency meeting. It voted unanimously to
authorize the city’s insurer to pay off a $600,000 ransom demand, after the
malware had frozen crucial data. Adversaries also took systems that control
city finances and utilities offline.

That same month, Lake City, Fla. paid ransomware attackers almost $500,000,
which the city announced would be mostly covered by insurance.

More recently, in August 2020, the University of Utah coughed up a $457,000

Threatpost.com April 2021

Cyber-Insurance Fuels Ransomware Payment Surge 22

ransom payment, working with its cyber-insurance provider, after an attack

targeted the university’s servers, and student and faculty data.

Cyber-Insurance: A Financial Cushion for Attack

For those companies impacted by a ransomware attack, cyber-insurance
is supposed to offer a buffer for companies struggling with the fallout. For
instance, after its severe 2019 cyberattack, aluminum giant Norsk Hydro
received around $20.2 million in cyber-insurance from its provider, AIG. The
total cost for damage from the attack was estimated to range between $60 and
$71 million.

“The financial impact of a ransomware attack is multifaceted, and goes well-

beyond the ransom payment,” said Jack Kudale, founder and CEO of Cowbell
Cyber. “Business interruption, revenue loss, potential exposure of sensitive
data and related third-party liability, forensics and restoration expertise, and
finally breach coaching and ransomware negotiations, can all be covered in a
cyber-insurance policy.”

The use of cyber-insurance specifically to cover negotiations, and the ransoms

themselves doesn’t sit well with some security researchers.

“Not only does making a ransomware payment also place an organization in a

potentially questionable legal situation, it is proving to the cybercriminals you
have funded their recent expedition,” said Brandon Hoffman, CISO at Netenrich.

Threatpost.com April 2021

Cyber-Insurance Fuels Ransomware Payment Surge 23

Costs, Premiums and Sub-Limits

In January 2021, a study from AdvisorSmith Solutions found that the average
cost of cyber-insurance is $1,485 per year in the United States. Premiums for
cyber-insurance range from $650 to $2,357, for companies with “moderate
risks” and $1 million in company revenue, the study found. These premiums are
based on liability limits of $1 million, with a $10,000 deductible.

Some of these policies have specific constraints – known as “sub-limits” – on

ransomware-related costs.

“Many cyber-liability policies provide very limited coverage for ransomware

or cyber-extortion attacks, with coverage sub-limits as low as $25,000, even
when the cyber-liability policy has a much higher total limit,” said the report.

The sub-limits have become more common as cyber-insurance has drawn

concern from security experts about how it will change the overall security
landscape. For instance, many argue that falling back on cyber-insurance
policies during a ransomware attack could dissuade companies from adopting
the security measures that could prevent such an attack in the first place.

“From a broad perspective, building in ransomware payments to insurance

policies will only promote the use of ransomware further and simultaneously
disincentivize organizations from taking the proper steps to avoid ransomware
fallout,” Hoffman said.

Threatpost.com April 2021

Cyber-Insurance Fuels Ransomware Payment Surge 24

Regulatory Moves Hamper Cyber-Insurance’s Role
Cyber-insurance companies often tout their ability to mediate payments
between a ransomware victim and cybercriminals. But governments are
looking at potential regulatory action when it comes to ransomware –
including a ban proposed by New York in 2020, preventing municipalities from
giving in to ransomware demands.
This ban, introduced in response to the rising tide of cyberattacks targeting
government agencies across the country, would limit municipal entities’ ability
to pay a ransom if hit by an attack. It instead suggested the creation of a
“Cyber Security Enhancement Fund” aimed at helping municipalities to upgrade
their security postures. A similar bill, proposed in the New York State Senate
in 2020, would also ban municipalities from paying ransoms – but Senate Bill
S7289 would omit the creation of a security fund.
The Department in October 2020 expanded the sanctions’ applicability,
saying that in general, companies that facilitate ransomware payments to
cyber-actors on behalf of clients (so-called “ransom negotiators”) may face
sanctions for encouraging crime and future ransomware payment demands.
Nation-State Exclusions
Cyber-insurers for their part have also added in their own loopholes when it
comes to certain nation-state attacks.
In 2017, when the NotPetya malware infected hundreds of organizations across
the world, some insurers invoked their war exclusions to avoid paying out
NotPetya-related claims. These types of war exclusions deny coverage for
“hostile or warlike action in time of peace and war.” However, this caused
some to criticize the ambiguity of how this clause could be applied.

Breaking Down Cyber-Insurance Costs How can cyber-insurance policies be improved to address these concerns?
Netenrich’s Hoffman argued that insurance companies should refuse to
�1,485 �650 to �2,357 �1 million �10,000
The average cost The premium range for The liability limits that The deductible for
pay premiums – let alone ransoms – unless basic prevention and recovery
of cyber-insurance per year cyber-insurance for companies these premiums are these premium measures are performed by the insured organization on an ongoing basis.
in the United States with “moderate risks” based on ranges

Source: AdvisorSmith Solutions Inc.
Meanwhile, the U.S. Department of the Treasury has added multiple crimeware
gangs to its sanctions program, prohibiting U.S. entities or citizens from doing
business with them (including paying a ransom). These include the developer of
CryptoLocker (Evgeniy Mikhailovich Bogachev); the SamSam ransomware group;
North Korea-linked Lazarus Group; and Evil Corp and its leader, Maksim Yakubets.
“I know this sounds harsh, but there’s a reason why governments and law
enforcement do not negotiate with terrorists in hostage situations, and
ransomware should be treated the same way,” said Hoffman. “Building a
resilience plan and a recovery plan for ransomware is the proper path, and
creating awareness of the likelihood that this can happen to your organization
will pay off in a big way.”

Threatpost.com April 2021

 25

Diary of a 48-Hour Ransomware Attack

By Tom Spring

It was the fall of 2019, and this East Coast public school district was busy prepping for the academic year ahead. The end-of-summer bustle was typical, with
municipal IT staff deploying system updates and bringing new infrastructure online. The team was oblivious to the mad scramble about to come.

The first sign of trouble surfaced when a sysadmin noticed a mysterious flurry of outbound network requests to an unknown IP address. Then, the anomaly became
a beehive of mysterious network activity spreading across dozens of local endpoints. It was a clear sign of attack.

Hour One
48
“The infection was immediate and disruptive,” recalled Mark Ostrowski,
cybersecurity evangelist with Check Point’s office of the CTO, who was part
of a third-party security response team called in to help mitigate the attack.
Priority No. 1 within the second hour of identifying the active attack was
understanding what the culprit was (as in, which malware), and the nature
of the assault. Ostrowski drew direct comparisons to the initial response to
COVID-19, and the IT team’s own scramble to identify the infection, its origin
and what variant front-line workers were dealing with.

The vulnerable infrastructure was not massive, but vital to the town’s
school system and hundreds of thousands of district parents and students.
On the line was infrastructure that spanned three campuses, separated by
just over 10 miles each. Network specifics included nearly 1,000 nodes –
both virtual and physical – along with hundreds of physical endpoints – desktops,
laptops, servers and handhelds.
Some of this was quickly discovered, as ransomware notes popped up
on unattended computer screens at one campus. But this first victory in
staunching the attack – identifying the final payload – didn’t feel like a win,
said Ostrowski.
Hour Four

Hour Two
Texts and email alerts were sent to the dozen-plus members of the municipal
IT team responsible for managing the network. It was an “all-hands-on-deck”
plea for help to address the rapidly unfolding cyber-incident.
After analyzing samples of malware found on infected machines, security
responders identified one of the pieces of the attack. It was a 2019 variant
of the TrickBot trojan, which is often seen stealing credentials and working
with other malware, including ransomware. In this case, TrickBot was the
malicious code that the attackers used to mount and spread the initial

Threatpost.com April 2021

Diary of a 48-hour Ransomware Attack
infection. Instead of lying dormant and siphoning financial data, TrickBot was
being leveraged by attackers to further infiltrate the network to then deploy
the ransomware payload.
“Clearly we were seeing in real time the evolution of this malware from a
banking trojan to a multifunctional tool,” Ostrowski said.
Over the next few hours, any playbook on how to mitigate TrickBot went
out the window. This variant gained the upper hand over the security team
and began moving laterally across the network. The concern escalated
to panic, as TrickBot showed signs it could easily jump the 10-mile span
to neighboring campuses via the hair-thin fiber-optic data pipes that
connected them.
Hour Six
By hour six, the security team had identified a clear line of communications
between the TrickBot malware and an amorphous distributed botnet
directing the attack. The pace of the lateral spread quickened, with TrickBot
rapidly worming its way from endpoint to endpoint. Meanwhile, the head of
IT for the school district came to a dreaded realization as he stared into his
laptop monitor in dismay. He watched his network dashboard light up, with
the infections spreading like lightning across the school district’s network.
They would be overwhelmed soon.
Threatpost.com
26
Hour Seven
The goal was to protect vulnerable network resources and endpoints,
find the source of the infection and neutralize the malware. However,
this seemed out of reach. With visibility limited to only one piece of the
overall attack puzzle (TrickBot), the decision was made to call for back-up
assistance from a third party. Still unknown was the source of the infection,
and the totality of which resources were compromised.
Not Quite a Jack-Bauer Moment: Hour 24
By the time reinforcements arrived on-premise, TrickBot’s tentacles had
reached all three campuses and had begun to move laterally within the
virtual infrastructure of the school.
“There were about 20 of us, including local staff. The name of the game
was to turn off as many physical endpoints and virtual nodes as quickly
as possible,” Ostrowski said. That required boots on the ground, physical
access to interior offices and classrooms, and broad network permissions
and access.
“We couldn’t pull the plug on everything. Authentication servers and
mission-critical resources needed to stay online,” he explained.
Hour 28
In the interim, the virtual blocking and tackling continued, in an attempt to
bolster perimeter defenses. The TrickBot variant was polymorphic, meaning
April 2021
Diary of a 48-hour Ransomware Attack
its underlying code signature was continually changing and adapting to
avoid detection.
As the impromptu team scrambled across campuses and hurried through
halls, the diagnosis wasn’t good. Within what was passing for the network
operation center (NOC) – a fluorescent-lit conference room with a long
Formica table – it was clear that endpoints had been woefully under-
protected. Virus definitions were out of date, and patches not evenly applied
throughout the school district.
Hour 36
The team would soon split into task-specific groups. One would continue
to identify and clean virtual and physical endpoints and nodes, and shut
them down to protect them from infection. Another team was tasked with
identifying mission-critical network resources before they became infected,
and inoculating them with antivirus protection and patch updates.
There was also a third (and by far the most important) team, which
methodically examined a firehose of network data generated by TrickBot’s
blaze of infections. This team’s focus was on the forensic analysis of the
attack, versus incident response.
Meanwhile, desktops, laptops, virtual servers and network nodes were
being “bricked” by the dozens each minute by ransomware. Each endpoint
displayed the same demand for Bitcoin in exchange for encryption keys.
Threatpost.com
27
“We were putting out brush fires left and right. Meanwhile [we] still had no
visibility into the blaze,” Ostrowski recalled.
Hour 40
Then, as hundreds of thousands of command-and-control requests were
being made for the ever-changing TrickBot samples, a turning point
occurred.
Finally, in a moment that ironically had little fanfare for the team, the
original point of infection was identified.
The source, or malware entry point, was an on-premise insecure remote
desktop protocol (RDP) server. It was the leaky spigot that needed to be
turned off in order for the cybersecurity team to get their arms around the
emergency.
Hour 41
“Once you identify the source of the infection you can start to contain it,”
Ostrowski explained. Borrowing from his COVID-19 analogy, “This is when
you can start rolling out the vaccine and healing the sick.”
Security teams now shifted to assessing the damage, and working on virus
removal, data recovery and rebuilding infected systems taken offline.
April 2021
Diary of a 48-hour Ransomware Attack
28

Hour 42 In this case though, patching and having updated antivirus would have
protected the school district from being an easy target.
Municipal and third-party teams were working in tandem. With the fire drill
mostly over and the computer forensics already performed on the TrickBot
variant’s path of destruction, this allowed for better network fumigation. The
once-bustling team of perspiring IT workers was able to calmly shift from
incident-response mode to damage assessment and repair.

Hour 46

“At this point we had containment,” Ostrowski said. “We blocked the
adversary from causing further damage.”

Next, with trepidation, resources were brought cautiously back online.

Networks were micro-segmented to ensure any possible TrickBot flare-up
would have limited impact. Secure system group populations began to come
back, and endpoints were brought back online after patching and antivirus
had been updated. And of course, ransomware remediation began.

Hour 48

Ostrowski said he isn’t aware whether the municipality paid the ransom (or
how much the demand was for). He noted that the school system dodged a
bullet in that critical databases were not impacted.

“The lesson learned from this is that ransomware is still an unsolved

problem,” he said, adding that malware and ransomware attacks will
constantly evolve, evade and be mitigated – a rinse, wash and repeat cycle. !

Threatpost.com April 2021


A Practical Guide to Avoiding Ransomware
By Threatpost Staff
Gloomy ransomware forecasts for 2021 translate into cybersecurity pros
needing to keep on their toes. Here is a preventative round-robin of best
ransomware practices to steer you clear of lost data, extortion and attacks.
Lock Down Remote Connections: Remote Desktop Protocol is
the underlying technology for remote sessions to the cloud
and on-premises resources. Disable RDP servers for anyone
not required to use the services. Also, secure those RDP
configurations, and mandate the use of strong, unique passwords
and multi-factor authentication (MFA).
Disable PowerShell: Disable PowerShell on workstations where
possible. If it cannot be disabled, then be vigilant about logging
and monitoring PowerShell activity.
Back Up Data: Restoring from backups is a better mitigation than
providing a ransom payment. Maintain backups in a separate
infrastructure and don’t assume they’re safe in the cloud.
Threatpost.com
29
Proactive Patching: Enable automatic patching for all operating
systems and internet browsers. Ensure that anti-virus signatures
are up-to-date and take inventory of all network nodes – virtual
and hardware.
Limit Admin Rights and Account Sprawl: Ransomware can’t worm
around a corporate infrastructure without vulnerable accounts
and generous permissions. Limit administrative rights to IT staff,
and protect sensitive accounts with MFA. Kill off old accounts:
58% of companies have 1,000+ inactive accounts.
Security Awareness Training: Employees need to be trained to spot
common threats and to be suspicious of suspect links or documents
sent via email, collaboration apps, social media and more. Watch for
shadow IT and rescind accounts for departed workers.
Cybersecurity Insurance: Insurers help underwrite a range of
attack fallout, including incident response, system restorations
and in some cases the ransom demands themselves.
April 2021
 30

Conclusion
Data security, business continuity, the supply-chain and perimeter defenses
are a sampling of what is at risk with ransomware. The sobering reality is
that businesses need to view ransomware as a future event to plan for, not a
hypothetical abstract.
Acknowledgments
Threatpost is a long-running, independent source of news and analysis about the
cybersecurity landscape, covering breaking news and threat research, malware
and vulnerability analysis, long-term trends and everything in-between.

Modern businesses, even those firmly planted in the brick-and-mortar trade, Editorial Contacts Advertising and Sponsorships
are not immune to the impact of a ransomware attack. Cloud services, remote
workers and a reliance on connected devices (even surprising things, like Tom Spring Oliver Gillis
HVAC systems) put any business at risk for a ransomware incident. Editor in Chief Business Development Manager
[email protected] [email protected]
Awareness means paying attention to the latest ransomware attacks and +1-339-240-8788
gathering as much knowledge as possible when it comes to what the threat Tara Seals
actually looks like. The polymorphic nature of ransomware crimes plays out in Senior Editor Threatpost
multiple dimensions, and paying attention to those developing trends is vital. [email protected] www.threatpost.com
Woburn, Mass.
The avalanche of ransomware stats, facts and forecasts can seem defeating. But Lindsey Welch
a deer-in-the-headlights approach to dealing with the issue will be catastrophic. Senior Editor
The threat is existential, and one that isn’t going away anytime soon. [email protected] Copyright 2021 Threatpost

To help organizations make sense of it all, in this eBook we offered exclusive

insights into what it’s like in the trenches fighting this threat.

The good news: As fast as ransomware evolves, cybersecurity basics - blocking,

tackling and exceptional cybersecurity hygiene – never fall out of vogue.

Threatpost.com April 2021