The security firm Proofpoint has been tracking the ransomware underground for many years, and last Wednesday they released a report titled “The First Step: Initial Access Leads to Ransomware.” The report detailed the means by which ransomware attackers are increasingly partnering with affiliated cybercrime groups to obtain access to high-profile targets. This is the way we believe the Colonial Pipeline attack began: an existing VPN logon credential was purchased on the dark web by a DarkSide affiliate and used to gain entry into Colonial Pipeline’s internal network.

How Hackers Hunt
Ransomware threat actors currently carry out “big game hunting,” conducting open-source reconnaissance to identify high-value organizations, susceptible targets, and the companies’ likely willingness to pay a ransom. Working with initial access brokers, ransomware threat actors can leverage existing malware backdoors to enable lateral movement and full domain compromise before the encryption stage.

An attack chain leveraging initial access brokers could look like this:
1. A threat actor sends emails containing a malicious Office document.
2. A user downloads the document and enables macros, which drop a malware payload.
3. The actor leverages the backdoor access to exfiltrate system information.
4. At this point, the initial access broker can sell the access to another threat actor.
5. The buyer deploys an application via the malware backdoor that enables lateral movement within the network.
6. The actor obtains full domain compromise via Active Directory.
7. The actor deploys ransomware to all domain-joined workstations.

Just like an organic virus that mutates to improve its chances of survival, we see a similar mechanism in action. In this instance, we’re seeing growing evidence of increasing specialization within the ransomware business model. We first saw ransomware gangs doing all of their own work. Then the Ransomware-as-a-Service affiliate model appeared. And now we’re seeing the emergence of “IABs” (Initial Access Brokers) as the ransomware affiliate role divides and specializes into initial entry and post-entry exploitation.

Ransomware attacks are poised to change again
One of the lessons learned by the ransomware hackers is that if you want to remain viable, it’s far better to avoid what we might call “the Colonial Pipeline mistake.” Attempting to hold US infrastructure to ransom, while it may appear at first to be the motherlode, brings with it far too much unwanted political and law enforcement attention. It is far better to sneak around under the radar, siphoning off and aggregating many more, much smaller ransoms. The subsequent attack on JBS Meat Packing was just as much a mistake. Sure, they netted $11 million, but they also got the U.S. to start considering ransomware as cyber terrorism.

Why are we looking at this now?
The clear takeaway from the recent high-profile attacks is that they were a mistake, and we know that the entire ransomware industry watched and learned. What they learned was that the way to get rich is to streamline the system. Don’t attack big. Attack small and attack more. This means that small and medium-sized businesses are once again going to be their target, and they will be targeted hard.

Carrying out multiple $1 million attacks against non-name-brand targets (small to medium-sized businesses) will not get the worldwide media attention that the pipeline or meat packing companies did, so it will not cause the government or the FBI to get involved.

As ransomware attacks morph again, we all need to become much more vigilant and keep security considerations top of mind. We can expect a flurry of increased activity over the next 6 months, and we need to prepare for it. If you believe that YOUR network is too small for hackers to be bothered with, unfortunately, you are sadly mistaken. Even if they don’t consider you to be a valuable ransomware target, they can still use your computers and network to attack other computers and networks around the world, and you’ll probably never even know it. EVERYONE needs to do their part when it comes to security.

On June first, we started a new public-service program called Safer Every Day. Each day, Monday through Friday, we post information that you need to know to be safer, every day. We post it on social media platforms as well as on our website. You can read all the posts so far at ACTSmartIT.com/safer.
You can also sign up to get them delivered every day.

Special thanks to Steve Gibson of Gibson Research Corporation for this enlightening information.