The FBI has issued a public service announcement entitled “High Impact Ransomware Attacks Threaten US Businesses and Organizations.” While the announcement doesn’t provide any details of specific attacks, the Bureau warns in the announcement:
Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 [the Internet Crime Complaint Center] and FBI case information.
This pronouncement will come as no surprise to anyone who’s followed the wide-ranging ransomware attacks against cities, counties, state agencies, and school districts over the course of 2019. While some of the most publicized attacks—such as the Baltimore City “RobbinHood” attack in May—have appeared to be opportunistic, many more have been more sophisticated and targeted. And these attacks are but the most visible part of an upsurge in digital crime seen by commercial information security firms thus far in 2019. In fact, sophisticated criminal attacks have nearly fully eclipsed state actors’ activity—despite there not being any reduction in state-sponsored attacks.
Data from CrowdStrike has shown a rise in what the firm refers to as “big-game hunting” over the past 18 months. These attacks focus on high-value data or assets within organizations that are especially sensitive to downtime—so the motivation to pay a ransom is consequently very high.
“Big-game hunters are essentially targeting people within an organization for the sole purpose of identifying critical assets for the purpose of deploying their ransomware,” said Jen Ayers, CrowdStrike’s Vice President in charge of the Falcon OverWatch threat-hunting service in an interview with Ars. “[Hitting] one financial transaction server, you can charge a lot more for that than you could for a thousand consumers with ransomware—you’re going to make a lot more money a lot faster.”
While CrowdStrike saw a significant uptick in this sort of attack in the second half of 2018, Ayers explained, “we’ve seen quite a bit of that happening in the beginning half of the year, to the point where it’s actually dominating our world right now in terms of just a lot of activity happening.”
The industries targeted by these sorts of attacks have included healthcare, manufacturing, managed services, and media. But since May, attacks increasingly targeted state and local governments, library systems, and school districts. Since many government agencies are short on budget and security resources but have a strong need to stay up and running to provide services, they have naturally become an attractive target to these sorts of attacks.
Ayers acknowledged:
It has been interesting in the targeting of these what you would typically think of as small entities… But there is wide-scale impact when you look at destructive campaigns like this. I mean, everybody kind of more thinks of—forgets about the local and town government and their day-to-day operations, but that’s no marriage certificate. That’s no building permit. That’s no vehicle-excise tax payments. That’s no local, state tax payments depending on where you live.
…The fact that attackers are specifically targeting these sorts of organizations speaks to them knowing how well their security is done, is pretty big. In terms of having that kind of understanding—to know to hit these entities and how to hit these entities—that is very interesting.
That understanding comes down to having done reconnaissance on organizations’ key calendar dates. A series of ransomware attacks against schools last month appeared to be timed to have ransoms expire just before the first day of school—putting districts in the position of having to either delay opening or pay up.
Breaking and entering
The FBI IC3 notice cited three primary ways ransomware operators are getting into networks for these targeted attacks: email phishing campaigns, exploitation of Remote Desktop Protocol (RDP), and known vulnerabilities in software.
The phishing attacks the FBI has investigated in connection with ransomware recently “have been more targeted” than past opportunistic attacks. The phishing is often focused initially on compromising the victim’s email account so that an internal email account can be used to spread malware and evade spam filtering.
Email credentials may also be used in remote desktop-based attacks. But in general, the RDP attacks—common in gaining access to hospitals and other organizations that leave RDP accessible for third-party service providers to perform product support—have generally relied on one of two things. They either use brute-force “credential stuffing” attacks against logins, or they have used credentials stolen by others that are sold on underground online marketplaces.
“Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems,” the FBI warned.
Scanning for vulnerabilities was a primary means of initial compromise for attacks such as the SamSam ransomware that hit several hospitals in Maryland in 2016. But targeted attacks are also leveraging vulnerabilities to gain a foothold to deploy their attacks. The FBI notice reported that “cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.” This statement is likely at least partially in reference to the over 20 Texas municipalities hit by ransomware this summer through an MSP’s network.
Rent-a-hack
Two other areas of criminal hacking have spiked in the first half of this year, according to CrowdStrike’s data—and one of them is tied closely to some of the ransomware attacks. Ayers said that there has been an uptick in criminal organizations essentially selling access to the networks of victims. The organizations are performing nearly nation-state style intrusions to provide other actors with a footprint for attacks.
“The higher-level organizations within the criminal realm are selling and outsourcing their distribution mechanisms to get a bigger, wider spread,” Ayers said. “So we’ve seen a lot more players in sort of the big-game hunting than we had last year because it is now much more, much easier to do.”
Smaller organizations will rent capabilities to gain access to potential victims. Then they’ll use that access to perform reconnaissance before eventually dropping ransomware.
The third group seen on the rise, Ayers said, is “really still focused on the data—on exfiltrating and taking information.” But this group is using more advanced capabilities to hang around, with an uptick in what Ayers described as “hands-on keyboard types of activity”—using their access to manually explore victims’ networks, much like state actors have in espionage operations.
“We haven’t quite yet made an inference in terms of what the objectives are at this point,” she said. “But it is certainly a third tier that we hadn’t seen in the past.”