APT stands for Advanced Persistent Threat, but many organizations forget about the “P” and focus only on “advanced threats.” That strategy may be prudent if IT resources are limited, as the vast majority of attacks fall under the umbrella of advanced threats. But while persistent threats are the minority, they are the ones that can be most damaging. Bruce Schneider always opines that attacks only get worse, they never get better—and what’s coming this year is no exception.
In 2019, the world not only saw a resurgence in ransomware, but an escalation in tactics, which involve persistence, and ransom amounts. A mere two years ago, attackers were asking for $300 in Bitcoin for the decryption key to unlock the files on a single machine. Last year, attackers took home over $1 million in just a week after attackers hit two Florida municipalities with devastating ransomware attacks. Attackers found that encrypting the right network at the right time could net them an exponentially higher payment.
Significant attacks against municipalities started with the U.S. cities of Baltimore and Atlanta, where each city refused to pay the ransom and racked up recovery bills in the tens of millions of dollars. Smaller municipalities soon became targets due to their perceived lower IT security posture and minimal tolerance for downtime. When municipalities get locked out of their IT systems, essential services such as paying utility bills or processing payroll become impossible or need to be done by hand. If attackers were patient enough to perform reconnaissance and locate the most sensitive systems on the network, they could significantly increase the impact of their attack.
At first, attackers were encrypting all systems, including the most critical systems and holding their data for ransom. If the victims pay a ransom, attackers may send a decryption key to unlock and recover the affected systems. The most effective attacks take time to perform recon, plan, and execute at the precise moment to maximize impact. For example, attackers launched ransomware attacks against several school districts in Texas and Louisiana the week before the start of the school year. These new tactics show that attackers are continually improving their methods to maximize their chances of receiving a ransom payment.
Last October, the city of Johannesburg experienced the first significant escalation in the next wave of ransomware attacks, in which attackers not only encrypted the data but also stole a copy of it. A group named the “Shadow Kill Hackers” sent a ransom demand to the city of Johannesburg, noting that not only were its systems encrypted, but that the attackers planned to expose data on millions of its citizens. Once municipalities began to improve their cyberdefenses, attackers needed to improve their tactics to ensure payment is made. Offline and bulletproof backups are a common recovery technique after a ransomware attack. However, a municipality facing an attack like Johannesburg’s would still be inclined to pay the ransom to prevent sensitive information from being published online.
Recently, U.S. Law Enforcement warned that the Maze ransomware authors are taking these tactics to the next level. Not only are organizations facing a rise in threats against the infrastructure and the possibility of their data being published online, but attackers are also now creating a “Wall of Sheep,” exposing organizations that have been attacked and have not paid a ransom.
The publication to the Wall of Sheep could be damaging to affected organizations since some may not disclose that they were the victim of a cyberattack. Uber famously covered up a breach for over a year before the news broke that an attacker stole data on millions of users and managed to get HackerOne, the bug bounty provider, to launder a ransom payment to keep it all quiet. Journalist Brian Krebs independently verified that one organization on Maze’s Wall of Sheep was affected by a Maze ransomware outbreak but did not publicly disclose it. After publication to the Wall of Sheep, attackers will upload their victims’ private data for anyone to download.
Allied Universal is the first victim to fall to the combination of Maze ransomware and data publication attack. Last November, the first 700 megabytes of data stolen in the attack were published online. This escalation now means that ransomware attacks are also data breaches and organizations must follow the proper post-breach notification and remediation procedures. In the past, ransomware victims avoided disclosing a breach, hoping that the attackers wouldn't carry out their threat to release the data. Now that Maze has done just that, organizations must assume that attackers will make good on their warning.
Sodinokibi, the popular ransomware as a Service strain, announced that it would also be adding data exfiltration and exposure to its attack methods to maximize profits.
The only way these types of attacks can be successful is for attackers to live in the network and be a persistent threat over a long period. Stealing massive databases takes time and attackers often exfiltrate data using a slow drip so as not to trip any alarms.
Security controls such as Data Loss Prevention (DLP) with Exact Data Match (EDM) can detect and block the exfiltration of even a single sensitive record. Any DLP strategy would be ineffective without the use of SSL inspection to scan encrypted data, which now comprises more than 80% of internet traffic. The use of a cloud sandbox also aids in the detection and blocking of the latest zero-day threats and can even prevent a patient-zero infection through the use of file quarantine.
Organizations can expect more private data to be published online in 2020 as attackers make good on their threats. It is no longer enough for organizations to have a strategy to recover from a ransomware attack. They must also prevent the attack in the first place and have a plan to deal with any unauthorized data disclosure. Regulators may soon view ransomware attacks as a data breach and will be keeping a close eye on the situation as it develops.
Christopher Louie, CISSP, is a sales engineer at Zscaler