
RANSOMWARE, INC: THE RISE OF TARGETED RANSOMWARE CRIME SYNDICATES

"Revenue generated from cybercrime yields $1.5 trillion for transnational crime syndicates that goes to funding other illicit criminal activities, such as the global drug and arms trade and human trafficking" (Atlas VPN, 2020)

SUMMARY

This paper discusses the rise of a new threat, targeted ransomware -- or, as Microsoft refers to it, "human-operated ransomware." This new type of ransomware is created specifically and fine-tuned for the organizations an operator is targeting and is increasingly using "lock and leak" as a tactic to try to increase the number of successful payouts.

AUTHOR INFORMATION

Alissa Valentina Knight
Partner
Knight Ink
1980 Festival Plaza Drive
Suite 300
Las Vegas, NV 89135
[email protected]

PUBLICATION INFORMATION

This white paper is sponsored by Illusive Networks
Initial Date of Publication: December 2020
Revision: 0.1

TABLE OF CONTENTS

§ Key Points
§ Introduction
§ The Business Models
§ Ransomware Crime Syndicates
§ Ransomware Gangs
§ Ransomware
§ Tactics and Techniques
§ Tools
§ The Rise of the Three Crime Families
§ Big Game Hunters
§ Living off the Land
§ Lateral Movement
§ Active Defense
§ Synthetic Worlds
§ Addressing Infrastructure Weakness
§ Solution
§ Solving This New Challenge
§ Conclusion
§ Summary
§ Sources
§ About the Author
§ About Knight Ink

KEY POINTS

This section outlines the salient points from this paper. While it's my hope you'll read this paper in its entirety, as I couldn't possibly cover every important point this paper makes here, this section attempts to summarize the key points.

§ Ransomware, which rakes in a cool $1 billion per year for its operators, claims a new victim every 11 seconds (Cybersecurity Ventures, 2017).

§ Whereas commodity ransomware is employed opportunistically and traditionally got delivered in a "spray and pray" model, operators are now creating targeted ransomware built specifically for the organization they are targeting.

§ While one might think the revenues from ransomware and other profit-generating cybercrime would go into frivolous purchases like Lamborghinis and mansions, almost a quarter of the revenues generated are reinvested into traditional illicit criminal activities, such as terrorism, human trafficking, and drug production and trade.

§ Financial services now represents the 2nd highest number of ransomware-related breaches across all industries targeted in 2019-2020 (Coveware, 2020).

§ Cybercrime syndicates involved in profiting from ransomware must also launder their profits. While money is also laundered through more traditional means, such as through legitimate businesses, ransomware operators are now increasingly turning to laundering their money through cryptocurrencies, like Bitcoin.

§ Ransomware crime syndicates, much like the mob from which the etymology of the word originated, have grown from unsophisticated, loosely organized groups of just a handful of people. They've now grown in size to become large, transnational criminal enterprises raking in revenues in the billions, from operating their own ransomware operations to leasing it out as "ransomware-as-a-service." RaaS affiliate programs adopt a shared revenue model where the operators take a portion of the profits their affiliates generate, in a typical 60/40 split (Forbes, 2020).

§ The top 3 attack vectors used in the deployment of ransomware are dominated by two tactics: phishing emails and remote desktop protocol (RDP) services opened to the internet. With the COVID-19 pandemic, RDP has increasingly been opened up, more so now than ever, to employees needing to work from home who still need to access their companies' intranet resources.

§ Once a ransomware syndicate has established a beachhead on the target network, they deploy a number of tools in support of their tactics, techniques, and procedures (TTPs). No matter what tool is used by the syndicate, pivoting from the initial point of entry or beachhead is a constant indicator of compromise (IoC).

§ The idea behind big game hunting is that the syndicates capable of developing their own ransomware, or customizing their own fork, create a ransomware payload designed to target a specific organization, industry, or market segment. The threat behind big game hunters is that they typically demand much higher ransom payments, use both lock and leak, and target organizations with much deeper pockets that are able to afford such payouts.

§ After establishing a beachhead on the network, syndicates will often, as quietly as possible, attempt to escalate privileges if they don't already have them, to gain administrative rights over the entire domain so they can pivot around laterally undetected.

§ Often, syndicates will use fileless malware so as not to disturb disks and file system tables, to avoid detection by more sophisticated endpoint detection and response (EDR) and network detection and response (NDR) solutions.

§ Nearly all high-impact cyberattacks have a phase in which the attacker must conduct lateral movement from "patient zero" to the ultimate target. To do this, the attacker needs a combination of credentials and available connections between one system and another. This is the evasive process of "living off the land," using the connectivity native to the organization.

§ Living off the land is the concept of a syndicate using already-available tools built into the operating systems in order to achieve their goals, rather than downloading and using malicious tools that might otherwise be blacklisted. The increased exodus by ransomware groups from tools like Mimikatz has a lot to do with the syndicates wanting to go undetected for a longer period of time. Whereas tools like Mimikatz might be blacklisted from use in a network and potentially trigger alarms, built-in tools that, when combined together, can achieve pretty much the same goal are used instead.

§ Lateral movement occurs at the second step of a kill chain in a breach. There is no point for a syndicate not to pivot around within a network once the beachhead is established. Lateral movement is a constant, not a variable, in a breach. Just as it's said that the only guarantees in life are death and taxes, the same can be said about lateral movement in a breach.

§ The most effective method of detection would be the detection of lateral movement and the effects of living off the land, so the syndicates can be identified before the droppers are placed and files are encrypted and leaked.

INTRODUCTION

According to Dr. Michael McGuire, lecturer in criminology at the University of Surrey, revenue generated from cybercrime yields $1.5 trillion for transnational crime syndicates that goes to funding other illicit criminal activities, such as the global drug and arms trade and human trafficking (Bromium, 2018).

Categorically, ransomware rakes in an average $1 billion annually for its operators and claims a new victim every 11 seconds (Cybersecurity Ventures, 2017).

Like drug cartels, crime syndicates involved in the deployment and operation of ransomware take advantage of local government corruption and lack of law enforcement to operate, especially in transit countries, such as eastern Europe and the Middle East. These criminal enterprises operate indiscriminately and with abandon, with little to no concern of intervention by local state or federal authorities.

To ensure they don't anger their own local government, their ransomware programmatically looks for keyboard layouts installed on the target host in their own language, such as Russian if operating in Russia, Persian if they're an Iranian group, and so on. When their own language is detected, the ransomware immediately terminates.

According to Statista, the top three countries operating revenue-generating malware are Belarus, Russia, and Bosnia and Herzegovina.

However, a new type of ransomware has emerged that is far more sophisticated, customized, and more relevant to the target organization.

This paper was written for cybersecurity engineers and chief information security officers wanting to better understand this new ransomware, colloquially being referred to as targeted ransomware or, as Microsoft refers to it, "human-operated ransomware." This new type of ransomware is created specifically and fine-tuned for the organizations an operator is targeting and is increasingly using "lock and leak" as a tactic to try to increase the number of successful payouts.

There are two separate types of ransomware gangs: those that use already-developed ransomware-as-a-service (RaaS) tools and those who create their own, targeting specific companies or industry segments. Those who use commodity ransomware as a crime of opportunity don't need to be sophisticated developers; the kits are sold as easy-to-deploy, "set it and forget it" crime kits on the dark web. Anyone, with or without programming skills, can run a network of ransomware-infected hosts and generate handsome profits using a RaaS service, such as DarkSide or Sodinokibi, among others.

However, this paper focuses on a different type of criminal enterprise: those who create their own ransomware based on the organization or segment they are targeting

running them, their costs, and the tactics and techniques used to deploy them. This paper attempts to demystify targeted ransomware and their operators for
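The Key Points above argue that pivoting from the beachhead is a constant indicator of compromise and that detecting lateral movement is the most effective defence. The following is an added example, not code from the paper, Knight Ink or Illusive Networks, that flags a single host and account fanning out to many distinct peers over native remote logons within a short window; the event fields, thresholds and host names are assumptions and the sample events are constructed.

```python
"""Flag lateral-movement candidates in a window of logon events.

Added example, not part of the paper. A beachhead host that starts
authenticating to many distinct peers in minutes is the "pivot" the
Key Points call a constant IoC. Event tuple layout, logon-type codes and
thresholds are assumptions; the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source_host, account, target_host, logon_type)
# Logon type 3 = network, 10 = remote interactive (RDP), following the
# Windows event 4624 convention (assumed source of the events).
SAMPLE_EVENTS = [
    ("2020-12-01T09:00:00", "WS-017", "jdoe", "FS-01", 3),
    ("2020-12-01T09:01:10", "WS-017", "jdoe", "FS-02", 3),
    ("2020-12-01T09:01:40", "WS-017", "jdoe", "SQL-01", 3),
    ("2020-12-01T09:02:05", "WS-017", "jdoe", "DC-01", 3),
    ("2020-12-01T09:02:30", "WS-017", "jdoe", "HR-APP", 10),
    ("2020-12-01T09:03:00", "WS-017", "jdoe", "WS-022", 3),
    ("2020-12-01T09:05:00", "WS-042", "asmith", "FS-01", 3),   # normal use
    ("2020-12-01T11:30:00", "WS-042", "asmith", "FS-02", 3),
]


def detect_fan_out(events, window=timedelta(minutes=10), max_targets=4):
    """Return {(source_host, account): sorted targets} for every pair that
    reaches more than max_targets distinct hosts inside any sliding window."""
    by_actor = defaultdict(list)
    for ts, src, acct, dst, ltype in events:
        if ltype in (3, 10):  # only remote logons count as pivots
            by_actor[(src, acct)].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort()  # chronological, so each start anchors one window
        for i, (start, _) in enumerate(logons):
            targets = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(targets) > max_targets:
                alerts[actor] = sorted(targets)
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for (host, account), targets in detect_fan_out(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {account}@{host} -> {targets}")
```

Tune `window` and `max_targets` against a baseline of normal admin activity before deploying; service accounts and jump hosts will need their own thresholds.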