Five of the most dangerous RansomOps attacks

Brandon Rochat, Cybereason Sales Director, Africa.

---

Ransomware gangs have really upped their game in the last few years, generating billions in paid ransoms from public and private sector organisations. The gangs have increased attacks on critical infrastructure operators, hospitals, manufacturing companies and pharma companies. Ransom demand amounts have gone up as well, with victims such as CNA Financial paying out a record $40 million.

So, is this still just the same old ransomware we are talking about? Well, sort of. Once the niche of spray-and-pay spam and drive-by campaigns, you’re now more likely to find ransomware tacked on to the tail-end of a highly crafted attack sequence we define as RansomOps – ransomware in its most pernicious, pervasive and professional form.

RansomOps are less like the old spray-and-pay methods and a lot more like stealthy nation-state APTs. What sets them apart is their technical sophistication, data exfiltration for double extortion, specialised players and attraction to big-name targets.

RansomOps purveyors often leverage the stolen data by threatening to leak it publicly in order to further pressure victims into paying – and when they’re asked to pay, it’s usually an astronomical demand.

“Ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting largely nuisance attacks to a highly complex business model... with an increasing level of innovation and technical sophistication,” according to a recent report titled: RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy.

Gartner noted that the threat of new ransomware models was a top concern among executives last year, and when you look at the stakes, the evolving landscape and the publicised RansomOps attacks this far, you can see why.

Black Basta Ransomware Gang

The Black Basta gang emerged in April 2022 and has victimised nearly 50 companies in the United States, United Kingdom, Australia, New Zealand and Canada. Organisations in English-speaking countries appear to be targets. Cybereason assesses the threat level of Black Basta attacks against global organisations as highly severe.

Since Black Basta is relatively new, not a lot is known about the group. And due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil, the two most profitable ransomware gangs since 2021.

BlackCat Ransomware Gang

Cybereason researchers have been tracking BlackCat since its emergence in 2021. Having attacked the “telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation and construction industries” among at least six countries, it was called 2021’s most sophisticated ransomware.

Interestingly, it is built in Rust (an unusual language for ransomware) and is not above triple-extortion techniques. Believed to be a descendent of BlackMatter and targeting no less than 60 organisations in March alone, BlackCat caused enough trouble to warrant its own FBI flash alert.

Conti Ransomware Gang

The Conti Ransomware group has caused a great deal of damage in a relatively short period of time – making headlines around the world. It didn’t come from nowhere, though. Ransomware gangs constantly shift and evolve and rebrand over time, and Conti is identified as a successor to Ryuk ransomware.

The FBI released an alert around Conti in February of this year, warning that “attacks against US and international organisations have risen to more than 1 000”. This prodigious gang is known for not only infecting machines, but spreading through the network via SME and encrypting remote files as well.

NetWalker Ransomware Gang

Raking in over $25 million since 2020, NetWalker earned a global remediation attempt by the US Department of Justice. Per court papers, the group operates a “so-called ransomware as a service model”, or RaaS, in which developers write the malicious code, affiliates find and attack victims, and the two parties split the proceeds.

According to the Cybereason threat research team Nocturnus: “NetWalker encrypts shared network drives of adjacent machines on the network” and presents a high threat, already having been “employed in attacks across a variety of industries around the world”.

Darkside Ransomware Gang

The Darkside Gang was responsible for the infamous 2021 Colonial Pipeline attack that boldly targeted America’s critical national infrastructure and disrupted the East Coast oil supply for several days. Believed to be “likely former affiliates of the REvil RaaS [ransomware as a service] group,” so much pressure was put on Darkside after the attack by the US government, the group disbanded with members forming new gangs or catching on with other gangs such as Black Basta, LockBit, BlackCat and others.

DarkSide targeted organisations in English-speaking countries while avoiding those in countries associated with former Soviet Bloc nations. This gang appeared to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organisations and government agencies.

Defending against ransomware

It’s possible for organisations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can use malicious links or malicious macros attached documents to block suspicious e-mails. Installation gives security teams the opportunity to detect files that are attempting to create new registry values and to spot suspicious activity on endpoint devices.

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, investigate network mapping and discovery attempts launched from unexpected accounts and devices.

Prevention always costs less than the cure, and that is particularly applicable when it comes to ransomware. An effective ransomware prevention plan includes actions like:

• Following security hygiene best practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness programme for employees and deploying best-in-class security solutions on the network.
• Implementing multi-layer prevention capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
• Deploying endpoint and extended detection and response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provides the visibility required to end ransomware attacks before data exfiltration occurs, or the ransomware payload can be delivered.
• Assuring key players can be reached: Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
• Conducting periodic table-top exercises: These cross-functional drills should include key decision-makers from legal, human resources, IT support and other departments all the way up to the executive team for smooth incident response.
• Ensuring clear isolation practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc.
• Evaluating managed security services provider options: If your security organisation has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-on plan.
• Locking down critical accounts for weekend and holiday periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack. For more information on weekend and holiday ransomware threats, refer to another study, Organisations at Risk: Ransomware Attackers Don’t Take Holidays.

Remember, the actual ransomware payload is the tail end of a RansomOps attack and there are weeks or even months’ worth of detectable activity prior, where an attack can be arrested before there is serious impact to the targeted organisation.