A few years ago ransomware criminals typically used what's called the "spray-and-pray" approach – or what might more appropriately be called "spray-and-prey", given the entirely predatory nature of these attacks. A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.
Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLocker, Locky and Teslacrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today. But today's ransomware criminals tend to pick entire organisations as victims. The crooks break into networks one at a time, learn the structure of the network, work out the most effective attack technique for each one, and then scramble hundreds or thousands of computers across an entire organisation in one go. In cases like this, where a business may find all its operations frozen because every one of its computers is out of action at the same time, ransom demands aren't just $300 or even $30,000 – they may be $3,000,000, or even more.
As you can imagine, this means that the ransomware part of today's file scrambling attacks – the malware program at the heart of the scrambling process – is now just one piece in a much bigger toolbox of tricks that a typical ransomware gang will have up their sleeves.
Last week, for example, we wrote about an attack by the Ragnar Locker crew in which they wrapped a 49KB ransomware executable – a file created specifically for one victim, with the ransom note hard-coded into the program itself – inside a Windows virtual machine that served as a sort of run-time cocoon for the malware. The crooks deployed a pirated copy of the VirtualBox virtual machine (VM) software to every computer on the victim's network, plus a VM file containing a pirated copy of Windows XP, just to have a "walled garden" for their ransomware to sit inside while it did its cryptographic scrambling.
But that's far from everything that today's crooks bring along for a typical attack, as SophosLabs was able to document recently when it stumbled upon a cache of tools belonging to a ransomware gang known as Netwalker.
[Chart: The Netwalker gang's toolkit.]
Above, taken from the SophosLabs report, is a chart showing the range of tools used by these crooks during a typical attack. The columns are laid out to fit the MITRE ATT&CK matrix.
From left to right, the columns reveal the various activities that the crooks work on as the attack unfolds:
Data exfiltration
Perhaps the most important thing to take from this whole chart is the bottom-most box at the far right, labelled Data exfiltration.
When ransomware first became a serious problem about seven years ago, the idea of scrambling your files in place was a way for the crooks to "steal" your files – in the criminal sense of permanently depriving you of them – without having to upload them all first. The average computer and the typical network just didn't have the bandwidth to make that possible, and the average crook didn't have enough storage to keep hold of it all. But cloud storage has changed all that, and ransomware crooks are now commonly stealing some or all of your data first, before unleashing their ransomware. They're then using this stolen data to increase the pressure of their blackmail demands by threatening to leak or sell your data if you don't pay up, thus giving them criminal leverage even if you have a reliable and efficient backup process for recovering your files.
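The shift described above, from scrambling files in place to stealing them first, gives defenders something to look for before the scrambling starts: bulk outbound transfers from a host that normally sends very little outside the organisation. The Python script below is an added illustration of that check and is not code from this article or from SophosLabs. It runs over a handful of constructed flow summaries (timestamp, source host, destination address, bytes sent) and flags any host whose outbound volume to external addresses in one hour far exceeds that host's own median hour. The internal address ranges, the thresholds and the sample records are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Address ranges treated as "inside" the organisation (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flow summaries (not real data): timestamp, source host,
# destination IP, bytes sent. 10.0.1.15 behaves normally by day, then pushes
# gigabytes to one external address overnight; 10.0.1.22 is a normal workstation.
SAMPLE_FLOWS = """\
2020-05-27T08:05:00 10.0.1.15 93.184.216.34 20480
2020-05-27T09:12:00 10.0.1.15 93.184.216.34 31000
2020-05-27T10:30:00 10.0.1.15 10.0.2.5 5000000000
2020-05-27T11:01:00 10.0.1.15 198.51.100.7 45000
2020-05-27T13:15:00 10.0.1.15 93.184.216.34 12000
2020-05-27T15:40:00 10.0.1.15 198.51.100.7 60000
2020-05-27T22:10:00 10.0.1.15 203.0.113.9 2500000000
2020-05-27T22:40:00 10.0.1.15 203.0.113.9 2900000000
2020-05-27T23:05:00 10.0.1.15 203.0.113.9 3100000000
2020-05-27T09:00:00 10.0.1.22 93.184.216.34 150000
2020-05-27T14:00:00 10.0.1.22 198.51.100.7 90000
2020-05-27T16:00:00 10.0.1.22 93.184.216.34 700000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(nbytes)))
    return records


def is_external(ip):
    """True when the address lies outside every internal range."""
    return not any(ip in net for net in INTERNAL_NETS)


def hourly_external_bytes(records):
    """Map (source host, hour) -> {destination: bytes} for flows leaving the org.

    Transfers to internal addresses (backups, file servers) are deliberately
    left out so that they cannot mask or trigger an alert."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in records:
        if is_external(dst):
            hour = ts.replace(minute=0, second=0, microsecond=0)
            buckets[(str(src), hour)][str(dst)] += nbytes
    return buckets


def find_exfil_candidates(buckets, min_bytes=500_000_000, factor=10):
    """Return {host: [(hour, total_bytes, top_destination), ...]}.

    An hour is flagged when its outbound volume exceeds both an absolute floor
    (so hosts that normally send almost nothing do not alert on a few MB) and
    `factor` times the host's median hourly volume across the input."""
    per_host = defaultdict(dict)
    for (host, hour), by_dst in buckets.items():
        per_host[host][hour] = by_dst
    alerts = {}
    for host, windows in per_host.items():
        totals = {hour: sum(by_dst.values()) for hour, by_dst in windows.items()}
        threshold = max(min_bytes, factor * median(totals.values()))
        for hour in sorted(totals):
            if totals[hour] > threshold:
                top_dst = max(windows[hour], key=windows[hour].get)
                alerts.setdefault(host, []).append((hour, totals[hour], top_dst))
    return alerts


def analyse(text=SAMPLE_FLOWS):
    """Convenience wrapper: parse, bucket and score one block of flow text."""
    return find_exfil_candidates(hourly_external_bytes(parse_flows(text)))


if __name__ == "__main__":
    for host, hits in analyse().items():
        for hour, total, dst in hits:
            print(f"{host}: {total / 1e9:.1f} GB to {dst} "
                  f"in the hour starting {hour:%Y-%m-%d %H:%M}")
```

Run as a script, it reports the two overnight hours in which 10.0.1.15 sent 5.4 GB and 3.1 GB to 203.0.113.9, while the 5 GB copy to the internal host 10.0.2.5 and the ordinary browsing of 10.0.1.22 produce nothing. In production the median should be taken from an earlier period rather than from the same data being examined, otherwise exfiltration sustained over many hours drags the baseline up with it; the same bucketing works unchanged over firewall or NetFlow exports once the parser is adapted to their field order.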
What to do?
Here, we're going to refer you to our April 2020 article entitled 5 common mistakes that lead to ransomware.
In quick form, our five tips are:
Of course, don't forget the obvious – make sure you are using anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
Below is a quote from Gabor Szappanos, senior director, Threat Research at SophosLabs:
"Ransomware attacks nowadays are not single-shot events like WannaCry was in 2017. Cybercriminals now have well-established procedures and toolsets that they routinely use. The attacks are usually longer and multi-faceted, meaning attackers spend days or even weeks within targeted organizations, carefully mapping internal networks while gathering credentials and other useful information. In this process, they use legitimate third-party tools that may not be detected by the defenses. However, if defenders know and understand the processes and the tools that attackers are using, they can better prepare against these attacks and detect them in the early stages before the actual ransomware."