Ransomware gangs have really upped their game in the last few years, generating billions in paid ransoms from public and private sector organisations.
Within Asia Pacific, Singapore has topped the list of most attacked countries, followed by Australia and India – taking 8th, 9th, and 10th places on the worldwide list respectively. The gangs have increased attacks on critical infrastructure operators, hospitals, manufacturing companies and pharma companies.
Twenty-eight per cent of business leaders in Singapore, including those in the healthcare sector, paid up to avoid the potential injury or loss of life that could result from critical systems being blocked. Ransom demand amounts have gone up as well, with companies paying an average of around S$1.5 million.
So, is this still just the same old ransomware we are talking about? Well, sort of. Once the niche of spray-and-pay spam and drive-by campaigns, you’re now more likely to find ransomware tacked on to the tail end of a highly crafted attack sequence we define as RansomOps: ransomware in its most pernicious, pervasive and professional form.
RansomOps are less like the old “spray and pay” methods and a lot more like stealthy nation-state APTs. What sets them apart is their technical sophistication, data exfiltration for double extortion, specialised players and attraction to big-name targets. Cybersecurity Agency of Singapore saw 137 ransomware cases reported in 2021, an increase of 54 percent from the 89 cases reported in 2020. Just last year, Singapore’s telco Singtel fell victim to a ransomware attack and saw that personal data of some 129,000 customers were extracted during the breach.
RansomOps purveyors often leverage the stolen data by threatening to leak it publicly in order to further pressure victims into paying, and when they’re asked to pay, it’s usually an astronomical demand.
“Ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting largely nuisance attacks to a highly complex business model ...with an increasing level of innovation and technical sophistication,” according to a recent report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy.
The stakes, evolving landscape and publicised RansomOps attacks, are evidence of why the threat of new ransomware models was a top concern among executives last year.
Five most advanced RansomOps attackers
1. Black Basta Ransomware Gang
The Black Basta gang emerged in April 2022 and has victimised nearly 50 companies in the United States, United Kingdom, Australia, New Zealand and Canada. Organisations in English speaking countries appear to be targets. Cybereason assesses the threat level of Black Basta attacks against global organizations as HIGHLY SEVERE.
Since Black Basta is relatively new, not a lot is known about the group. And due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil, the two most profitable ransomware gangs since 2021.
2. BlackCat Ransomware Gang
Cybereason researchers have been tracking BlackCat since its emergence in 2021. Having attacked the “telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation, and construction industries” among at least six countries, it was called 2021’s most sophisticated ransomware.
Interestingly, it is built in Rust (an unusual language for ransomware) and is not above triple-extortion techniques. Believed to be a descendant of BlackMatter and targeting no less than 60 organizations in March alone, BlackCat caused enough trouble to warrant its own FBI flash alert.
3. Conti Ransomware Gang
The Conti ransomware group has caused a great deal of damage in a relatively short period of time—making headlines around the world. It didn’t come from nowhere, though. Ransomware gangs constantly shift and evolve and rebrand over time, and Conti is identified as a successor to Ryuk ransomware.
The FBI released an alert around Conti in February of this year, warning that “attacks against U.S. and international organizations have risen to more than 1,000.” This prodigious gang is known for not only infecting machines, but spreading through the network via SMB and encrypting remote files as well.
4. NetWalker Ransomware Gang
Raking in over US$25 million since 2020, NetWalker earned a global remediation attempt by the US Department of Justice. Per court papers, the group operates a “so-called ransomware-as-a-service model,” or RaaS, in which developers write the malicious code, affiliates find and attack victims, and the two parties split the proceeds.
According to the Cybereason threat research team Nocturnus, “NetWalker encrypts shared network drives of adjacent machines on the network” and presents a HIGH threat, already having been “employed in attacks across a variety of industries around the world.”
5. Darkside Ransomware Gang
The Darkside Gang was responsible for the infamous 2021 Colonial Pipeline attack that boldly targeted America’s critical national infrastructure and disrupted the East Coast oil supply for several days. Believed to be “likely former affiliates of the REvil RaaS [ransomware-as-a-service] group,” Darkside came under so much pressure from the U.S. government after the attack that the group disbanded, with members forming new gangs or joining other gangs such as Black Basta, LockBit, BlackCat and others.
DarkSide targeted organizations in English-speaking countries while avoiding those in countries associated with former Soviet Bloc nations. This gang appeared to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organisations and government agencies.
Defending against ransomware
It’s possible for organisations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can block suspicious emails that carry malicious links or attached documents with malicious macros. The installation stage gives security teams the opportunity to detect files that are attempting to create new registry values and to spot suspicious activity on endpoint devices.
When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, investigate network mapping and discovery attempts launched from unexpected accounts and devices.
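The stage-by-stage detection opportunities described above, correlated per host, as an added example that is not part of the original article or Cybereason’s tooling. The log format, hosts, accounts and the C2 blocklist are constructed placeholders, not real indicators.

```python
"""Stage-based RansomOps triage over constructed endpoint/network telemetry.

Added example (not the article's or Cybereason's code). It maps each log line to
one of the stages the article names (delivery, installation, command and control,
discovery) and flags hosts with evidence at several stages, since a RansomOps
intrusion leaves a trail long before the payload runs.
"""
import re
from collections import defaultdict

# Constructed blocklist of C2 domains (placeholder values, not real IoCs).
C2_BLOCKLIST = {"c2.example.invalid"}
# Constructed list of accounts that are expected to run discovery tooling.
ADMIN_ACCOUNTS = {"svc-scanner"}

STAGE_RULES = [
    ("delivery", re.compile(r"kind=email .*attachment=\S+\.docm")),
    ("installation", re.compile(r"kind=registry .*action=create")),
    ("c2", re.compile(r"kind=netconn .*dst=(?P<dst>\S+)")),
    ("discovery", re.compile(r"kind=process .*user=(?P<user>\S+) image=(?:net|nltest|adfind)\.exe")),
]

def classify(line):
    """Return the attack stage a log line evidences, or None if it is benign."""
    for stage, rx in STAGE_RULES:
        m = rx.search(line)
        if not m:
            continue
        if stage == "c2" and m.group("dst") not in C2_BLOCKLIST:
            return None  # outbound connection to infrastructure not on the blocklist
        if stage == "discovery" and m.group("user") in ADMIN_ACCOUNTS:
            return None  # discovery from an account that is expected to do it
        return stage
    return None

def triage(lines):
    """Map host -> set of attack stages observed for that host."""
    stages = defaultdict(set)
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        stage = classify(line)
        if host and stage:
            stages[host.group(1)].add(stage)
    return dict(stages)

def escalate(stages, threshold=2):
    """Hosts with evidence at >= threshold stages are candidates for isolation."""
    return sorted(h for h, s in stages.items() if len(s) >= threshold)

# Constructed sample telemetry: one host walks through all four stages.
SAMPLE_LOGS = [
    "kind=email host=ws-17 attachment=invoice.docm",
    "kind=registry host=ws-17 action=create key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "kind=netconn host=ws-17 dst=c2.example.invalid",
    "kind=process host=ws-17 user=jdoe image=nltest.exe",
    "kind=process host=srv-01 user=svc-scanner image=adfind.exe",
    "kind=netconn host=ws-22 dst=updates.example.invalid",
    "kind=email host=ws-05 attachment=quote.docm",
]
```

Running `escalate(triage(SAMPLE_LOGS))` returns only the host seen at multiple stages, while a single macro attachment or an expected admin scan on its own does not trigger isolation.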
Factors such as lack of cyber hygiene, visibility, and detection of cyber criminals are overwhelming many companies’ security operations. About 64% of business leaders in Singapore are confident in their organisations’ skilled workers, while 61% were confident in their policies.
Moving forward, prevention always costs less than the cure, and that is particularly applicable when it comes to ransomware. An effective ransomware prevention plan includes actions like:
- Following Security Hygiene Best Practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
- Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
- Deploying Endpoint and Extended Detection and Response (EDR and XDR): Solutions for detecting malicious activity like a RansomOps attack across the environment provide the visibility required to end ransomware attacks before data exfiltration occurs or the ransomware payload can be delivered.
- Assuring Key Players Can Be Reached: In 2021, 35% of companies in Singapore said that it took longer to stop an attack as it happened during the weekend or a holiday. Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
- Conducting Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
- Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc.
- Evaluating Managed Security Services Provider Options: If your security organisation has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
- Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to domain admin level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in Active Directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks or even months’ worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organisation.
C.K. Chim is the field chief security officer for APAC at Cybereason