Ransomware has been steadily shifting from opportunistic to targeted attacks since mid-2018. Unlike the notorious WannaCry and Gandcrab variants that have long embodied the “spray and pray” model of extorting many victims for relatively small sums, campaigns involving new variants such as LockerGoga and Ryuk indicate a transition toward highly selective targeting and larger ransom demands.
This presentation will address the shift in ransomware, opportunistic Tactics, Techniques, and Procedures (TTPs), targeted TTPs, likely targets, and more.
Watch the on-demand presentation led by Christopher Elisan, Director of Intelligence at Flashpoint, to find out the difference between opportunistic and targeted ransomware attacks.
CHRISTOPHER ELISAN: So today we're going to discuss about the shift from opportunistic to targeted ransomware attacks.
So these are the agendas.
Of course, the introduction, the most important part.
And then we'll talk about, why the shift?
And then the opportunistic TTPs of ransomware, the targeted TTPs of ransomware or ransomware that are used for targeted attacks.
And then we'll look at the notable differences, the likely targets, mitigations, and then questions.
So this is me.
You can call me "Tops." I head Flashpoint's Hunt Team.
So it's one of the most exciting teams in Flashpoint.
And we're also part of the Threat and Readiness Response by Flashpoint, wherein we help customers go through a ransomware incident.
And trust me, it's one of those fun things to do.
But then you realize that your weekend would be gone if something's going to happen.
So, true I love basketball.
So there was a ransomware incident one time, and I had to go home because something's happening, right?
And for the first time in a decade, the Atlanta Hawks had a quadruple overtime that night.
So it's just, like, fate really testing me, saying, oh, you need to go home?
Not yet, first overtime.
Then, oh, you need to go home?
Not yet, second overtime.
Oh, you need to go home?
Not yet, third overtime, until it went into fourth overtime.
And then the Atlanta Hawks lost, so-- [LAUGHTER] All right.
So, why the shift?
These are the four things that I'd seen that's the reason for the shift-- fewer victims to manage, bigger payday, discrete communication, and less likely to have the attack campaign exposed.
So opportunistic TTPs.
So how many of you here have been victimized by ransomware-- of course, some of you won't say it, but-- or have experience with ransomware through testing or through your family members or companies you've worked with?
It's perfect that you mention that, because that actually was the springboard to the ransomware that we're seeing today.
So before, you had a lot of this scareware.
And most of them are browser lockers, so they would maximize your browsers, and then you won't have access to your system anymore.
And people actually pay them for this.
People would say, hey, it says here I'm infected by this malware, I need to pay them this money.
And one of my favorites there is that it has this fake scanning thing that it's showing you.
And then it would say at the end, we just found child porn in your system, so the FBI would arrest you unless you pay us money.
And so I had this presentation in the past discussing that.
And one good came out of it.
I think you can still Google this story after this presentation, wherein somebody with real child porn on his system went to the cops and surrendered and said, OK, I give up, you found it.
So I don't have money to pay you, but here it is.
So you can Google that story.
It's one of those funny things.
So from there, the threat actor groups, they made money out of it, right?
And then, of course, the browser companies, they became smarter, wherein, oh, no, you cannot lock the browser anymore.
Or if there's, like, a continuous-- because what usually happens there is that every time they turn off that message, it would pop another message, it would pop another message, so effectively locking your browser.
So browsers after that-- they updated their browsers to have, like, if there's multiple pop-up messages, the user now has the ability to cancel all of those.
So they made money out of those.
And then they realized that, you know what, we can make money out of ransomware.
I remember I had a presentation about it.
I called it, "All your Macs are belong to us." So how many of you were gamers back in the day?
Yeah, so, if you are, you know what that means, right?
So this is a typical ransom note.
So with ransomware, what usually happens there, unlike other threats, it won't try to hide itself.
It would try to tell you that, hey, you're victimized by ransomware, give us your money, and we'll decrypt your files.
So we have the typical ransom note.
One thing you guys would notice when it comes to opportunistic ransomware is that, for you to be able to communicate with the threat actor groups, it would ask you to visit TOR site.
And as I had mentioned earlier, it would try to announce its presence, right?
So what if the victim is too lazy opening all the files or opening one of the folders where the files are encrypted and had no idea what's going on?
So like GandCrab and other opportunistic ransomware, they would just change your desktop wallpaper.
It's not as clear here, but it's actually saying the same thing as in the ransom note, wherein, yeah, you're a victim, you have to pay us.
And this is a typical payment site.
So we have to remember, regardless of ransomware, opportunistic ransomware, the thing here is that, one, it would have a ransom note.
Oh, sorry, first it would announce itself, and then it would have a ransom note.
And then that ransom note would instruct the user to visit a payment site, such as this.
And most payment sites, it would have all of the information that the user-- or not the user, but the victim needs to get his or her files back.
They even had this chat message here, where if you have questions or you just need some guidance on what's going on, you could send them a message.
And it's not shown here, but most payment sites, they have instructions on how to get bitcoins.
So imagine your non-technical relative-- grandma, grandpa, your mom, your dad, if they're not technical-- and they got victimized by this, chances are they won't have any idea what a bitcoin is, right?
Like, how do I get a bitcoin?
Yeah, before it was easier during the browser locker era.
Like, yeah, just send Western Money Union to this or get a lot of gift cards, and then send the number to this email.
So those are the TTPs for opportunistic ransomware.
So opportunistic ransomware, it's designed to spread.
It's like a spray-and-pray thing.
Like, you try to infect as many as you want, and then once somebody gets infected, these are the typical TTPs that you would see.
Oh, before I forget, the main reason for this is that when it comes to ransomware threat actor groups, usually the guy who controls the ransomware, that threat actor group doesn't have the ability to spread the ransomware.
Like, they might be good at coding ransomware, but they don't have the right infection vectors to spread the ransomware.
This is the reason why they try to look for affiliates.
So affiliates are other threat actor groups that have access to different infection vectors.
So a threat actor group might have a spam bot that they can utilize.
They might have access to stolen RDP credentials.
They might have access to zero days or vulnerabilities that they can use to spread ransomware.
And the main reason for that is that the more they spread, the more money they make.
I didn't have it in this presentation, but if you have access to our platform, you guys could actually see some of the ads that the threat actor groups are posting, like in Russian forum sites, in Chinese-speaking forums, wherein they would say, hey, I have this awesome ransomware, if you want to partner with me, you get 60% of the profits.
If your infection proves to be very successful, you can get up to 70%.
So before we go to the targeted TTPs, what do you guys notice here that would probably be a challenge for the ransomware threat actor groups?
You know the concept of "try before you buy," right?
Like, why would I pay money if I don't know something would work?
So this payment site also gives them the capability to upload files for sample decryption.
And if they can decrypt it, say, hey, you know what, we can decrypt it, so pay us money.
So imagine you are an affiliate, right?
So a threat actor group could have, what, like, probably four or five trusted members of that group.
So imagine you have And those 100,000 infections all sent you chat messages, right?
Or all of those all send you files to decrypt.
See the challenge there, right?
It's just like you're a company, you have a lot of customers, and it's hard for you to support them.
So what do you do?
You hire people, right?
And you could actually see postings in the underground about people hiring-- or threat actor groups hiring "work from home that can support chat groups like this." As long as you're a native English speaker, just answer chats, we'll give you money, right?
So you guys see the challenge here, right?
And most of what they're asking, like for this one, this is really one of the highest.
Most of what you would see is like $100, $200, $300.
I can't remember, but I think there was a study where individual users are willing to pay up to $3,000 in ransom just to get their files.
So when I read that study I was thinking, you know what, it's a lot of money.
But then, when your job is on the line, right?
So if you're traveling, your laptop becomes encrypted, and you're reluctant to report to your SOC or to your IT because of the fear of losing your job, right?
Some people will just-- you know what, I'll just cough up this money instead of taking the risk of me probably losing my job because of what happened.
So it's hard, right?
It's hard for the threat actor groups.
So many customers, yet so little resources.
So instead of making money off of opportunistic ransomware, they went to a more targeted attack.
So this is one example of a builder that affiliates would have access to.
So we have to understand, when it comes to ransomware, especially targeted, most of the ransomware that you would see targeting an enterprise or a government agency, you might not see that ransomware anymore anywhere.
It would have different form.
Of course, it would have different hashes.
But then it would be a different generation or a different polymorphic version compared to if you see it again in enterprise B compared to enterprise A or government agency X compared to government agency Y.
So here, these are the things that they have access to.
Of course, they have the decryptor.
And this is what usually they would send the victim if the victim do decide to pay.
So you might hear discussions wherein, yeah, we'll send you the decryption keys.
They're not really just sending you the keys.
They're actually sending you the decryptor, the executable, for you to decrypt your files.
And if you would notice here, the key.
It's actually there.
You already have it.
So think of it this way, like in encryption, right?
You have the algorithm, and then you have the key.
So this is the key.
They'll provide you with the decryption routine or decryption algorithm designed specifically for your machine by using this key that you can run in your system if you become victimized by ransomware.
So same ransom note, but the difference here is that instead of asking the victim to visit a TOR site, it would ask the victim to contact email addresses instead.
So the main significance of that is that opportunistic ransomware, I can go to my test laptop and open the TOR website, and I would have an idea of what's going on.
I would have an idea there of how much time is left before the ransom amount doubles or whether the ransom has expired or whether the ransom has already been paid.
But for this one, since it's an email communication between the victim and the threat actor group, you won't have any idea what's going on unless you have access to the emails that the victim is using to communicate with the threat actor groups.
So typical with different ransomware, it kills the process in your system, and it also stops different services.
And most of the services that it stops are those that you can find in machines in an enterprise setting or services that are running on a server.
So if by any chance it gets itself inside the server, it would be able to stop some of the processes in that server.
And also, the good thing about stopping some of the processes-- oh, sorry-- the services in that server and stopping the processes, because, number one, if files are being owned by one of these processes, it'll be hard to encrypt them.
So it's just like a-- so there won't be conflict in handles when it comes to files.
So how many of you here have backups of your machines?
That's a good practice.
For me, in my personal machine, the most important files are pictures, right?
So when ransomware came to be, even before, I always practiced having-- so I'm paranoid.
I have a cloud backup, and I also have an offline backup.
And a hard disk now is cheap.
Even though we have backup, right?
So one challenge of having a backup.
Now, if you're a regular user, it's so easy.
Like, download it from the cloud or just copy it back from an offline backup source.
But if you're an enterprise, one thing you have to ask yourself is that, how fast can I recover from backup?
Because the main idea of ransomware is that it would cripple you enough that you would lose money that you would pay the threat actor groups so you'll get back in operation.
It's not as much as recovering your files.
It's more about getting back into full operation, right?
So if you have a backup, but then it takes you 15 days to fully restore from backup, and every day you're in operation you lose $5 million, for that 15 days, you already lost, like, $75 million.
$75 million, $3 million ransom, right?
So when it comes to paying ransomware, it's a business decision.
It's not really a technical decision, but it's more of a business decision.
And we have an excellent blog about it in our website if you guys are interested in reading something like it.
We now have cyber insurance, right?
So insurance is just like they're taking on the risk for you, and then they pay a big amount of money.
And on the threat actor group side they would say, these are good targets, number one, because they have insurance, they will definitely pay us, right?
I remember talking to somebody about this I think a couple of weeks ago.
Yeah, they had somebody to pay in case they become victimized.
But then if I'm an insurance company, before I insure them, before I take on the risk-- like, for you guys, before they give you health care, right?-- they want to make sure you guys are healthy.
So with companies, they would want to make sure that the security posture of that company is really up there, so that even though the cyber insurance companies are taking on the risk, the probability of them getting infected would be low.
So before a company gets cyber insurance, they have to go through audit, they have to go through different types of improvement in their security.
Probably they wouldn't have done it on their own.
But since they want to get insurance, they're now forced to make their system much more secure.
So for companies that have cyber insurance, yes, somebody is there to pay for in case they become infected or they become a target of ransomware.
But then on the other side of it, their security posture is now better compared to when they didn't have insurance.
But then again, unless a threat actor group attacks them at a zero day that they're not prepared for, then regardless of how well they're secured, they will still get infected.
And one thing we learn, you know you're secure until something happens.
And then you realize, oh, you know what, I should have patched that vulnerability that I read last Tuesday, 10 years ago, or something like that, right?
I hope it answered the question, sir.
So these are the likely targets.
Every time we work with different organizations, these are the things that they fall into.
It's either they have a deadline-driven business or they provide critical services or infrastructure.
So something that they cannot-- I would say-- like, if you miss one day of operation, a lot of people will get affected or their bottom line will get affected.
So how many of you guys freak out if you lose internet for five minutes?
So like, for me, it's funny.
But if I want my kids going down for dinner-- we have Comcast.
I just turn off the, using my app, the internet in the house.
But then I realize my 16-year-old, he has data on his phone.
So he really doesn't care anymore.
So it's the same thing, right?
If you have a publication to run, imagine a major publication not releasing any print or any online news for two or three days, right?
It would definitely affect their reputation.
And if they're a public company, it might affect their stocks or the value of their stocks.
If you're providing critical infrastructure, you've already seen this happening in some cities.
One of them is close to where we are right now.
So how many of you guys watch The Wire?
So probably that could be one of-- that could be Wire season five, right?
CHRISTOPHER ELISAN: Six?
In the future.
So, something similar.
So likely targets, deadline-driven business or those that provide critical services or infrastructure.
So these are the notable differences.
When it comes to infection vectors, opportunistic-- spam, watering hole-- targeted-- spear phishing, much more complicated.
But then one thing about malware, it's not black and white.
It's not ones and zeros.
This might be used here, and this might be used there.
So ransomware behavior targets user services, protection services, if you have an endpoint system-- I mean, an endpoint solution.
Targeted-- targeting server software.
So if we discover a ransomware in the underground, and it has this capability of-- it looks at the different server processes and then tries to kill them, that's one indicator for us that it's probably going to be used for a targeted attack.
And ransom communications-- TOR site, email for targeted.
Ransom, up to $3,000, for targeted, up to a million dollars.
So here, when it comes to communication via email-- if you're talking to somebody directly and you're about to pay that person, what's the first thing that comes to mind, especially if you're buying a car or buying a house?
AUDIENCE: It's a scam.
CHRISTOPHER ELISAN: Yeah.
It's a scam, of course.
But if somebody tells me, this car-- it's the new Toyota Supra, $58,000-- AUDIENCE: Test drive it.
CHRISTOPHER ELISAN: Test drive, which is like sample decryption, right?
But if you're communicating directly to that person, so what's the first thing that would come to your mind?
Can I get it for cheap, right?
CHRISTOPHER ELISAN: Yeah, you negotiate.
So like, for me, my favorite word is free, second is discount.
So, of course, they cannot get anything for free, right?
So as much as possible, they would ask, hey, I think $5 million is too heavy, are you willing to go down to $3 million?
Of course they might say yes, they might say no.
And when it comes to talking to threat actor groups, there's so many dynamics going on.
Number one, the difficulty of moving bitcoins.
And number two, the difficulty of not only moving, but acquiring of bitcoins.
And there are some incidents wherein companies are willing to pay, but no bitcoin services are enabling them to pay, because the bitcoin wallet is already flagged for fraud.
So there are so many difficulties going on, and the threat actor groups know about it.
So this is a good time for you to negotiate with the threat actor groups.
And, of course, every time you negotiate, every time you tell something to the threat actor groups, you have to be aware of the risks.
Like, they might say, oh, I'm done talking to you, and then you won't get your files back.
But then one thing-- like, for us, in our engagement, one thing I notice is that they would always want to get paid.
They'd rather get something rather than nothing, right?
So there's always room for negotiation, especially when it comes to this.
So did you guys remember the TOR site in GandCrab?
So in opportunistic ransomware, when you see the wallet there, that wallet is owned by the ransomware owner.
And if you're an affiliate, once they get payment, the ransomware owner would give the affiliate their cut-- their 60% or their 70%.
But some affiliates, what they did, they took an opportunistic ransomware and used it for targeted attacks, wherein an enterprise company would say, hey, it's asking us to visit this TOR site instead of an email, which is totally different from the TTPs that I discussed here.
But then during the course of the infection and the negotiation, the threat actor groups or the affiliates or the infection vector owners that use the opportunistic ransomware for a targeted attack, you know what they did?
They sent an email communication to the victims saying, don't mind the TOR site, let's start communicating here via email.
So the difference there is that instead of the ransomware owner getting the payment, right, and the infection vector owner just getting a cut, the infection vector owner now gets all of the money, because whoever owns that ransomware will have no idea that they got paid, because they're going to give the victims a different bitcoin wallet compared to the one that's being displayed in the TOR site.
So as I'd said, there's no black and white.
Even though these are the notable differences, it can be used-- like, a ransomware that's designed for opportunistic can be used for targeted.
And the ransomware that's used for targeted can also be used for opportunistic.
Partly, they just want to have fun.
They send it to, like, a million email addresses, and then say, you know what, let's see what happens.
Even if it's just a 10% success rate, that's still 100,000 victims, right?
So it's still a lot.
So this one-- so you guys probably heard of LockerGoga, right?
So after paying LockerGoga threat actors, this is what they would send you.
Like, hey, since you're a paying customer, these are some things that you can do to your system so you won't get infected anymore.
[INAUDIBLE] screenshot from an email they sent a victim.
And it's a good suggestion, right?
And we have to realize that these threat actor groups, they're also trying to build their reputation.
So if you want to get paid, you have to build that reputation that you're a trusted ransomware threat actor group.
So imagine, I'm a CEO, we're playing golf, and said, oh, yeah, it wasn't in the media, but we got infected.
It was these threat actor groups.
We paid them, and then we're good.
So it increases their reputation.
Because a company that's victimized by ransomware, the first thing they ask is that, if I pay them, will I get my files back?
But if they built enough reputation to say, oh, yeah, if you pay us, you'll definitely get the decryption tool, and you'd be able to decrypt the ransomware-- I mean, the encrypted files in your system.
So when it comes to deciding whether to pay for ransom, aside from the other factors, take into consideration the trust-- it's hard to use that word-- the trustworthiness of the threat actor group.
Sometimes the decision to pay them becomes easier, as well.
Protection and mitigation-- typical stuff.
But then the challenge there is that if you have backup or if you have anything that would prevent you from getting bogged down because of ransomware, it's the speed of which you would restore.
So like, for me, every time somebody asks me about this, like if I'm going to build or deploy a system company-wide, I would consider ephemeral systems, wherein if something goes wrong with that system, shut it down, turn it on again, it'll be in a clean-- completely clean slate.
And then, of course, if you have backup, it has to be designed in a way where it will always have fresh backups, and then you could always go back in operation for-- the longest would probably be a day.
So the challenge is there.
And also there's a lot of business opportunities here.
It could be a new backup company that just says, oh, yeah, if you're victimized by this or if your systems go down in a day, we can restore in a day as well.
So, so many things to do on our end aside from detecting ransomware.
We have to come up with technical solutions on how to mitigate companies being bogged down by not only ransomware, but by anything.
Hope you guys got something.
Thank you for coming, guys.