Ransomware attackers down shift to 'Mid-Game' hunting in Q3 2021

As of publication we are well into National Cyber Security Awareness month and this past quarter has seen an unprecedented amount of domestic and international activity from government and law enforcement to counter the operations of ransomware actors. Despite these initiatives, ransomware actors continue peppering enterprises with more attacks than ever. What we are doing is not working, at least not yet. Why? 

The profits ransomware actors generate are too high, and the risks are too low.

The barriers to entry for participating in the ransomware industry are effectively non-existent. The economics of this illicit trade are too compelling to combat without materially disrupting the economics of the entire industry.  As an example, consider a quick comparison between the profitability of ransomware versus cocaine trafficking using data related to the 1992 Colombian cocaine cartels.

Ransomware Cocaine Trafficking in 1992
Revenue/Unit $140,000/attack $60,000/kilo
Operating Costs/Unit $2,500/attack* $5,000/kilo
Profit Margin 98% 91%
Arrests/Unit .0008** .50
Deaths/Unit 0 .25
Barriers to Entry None Very High

*Estimate based on reported costs of network access credentials, and amount of hours a threat actor expends on the average attack
**Estimated roughly 25,000 ransomware attacks of impact in 2020. Research found evidence of less than 20 total arrests globally.

Cocaine trafficking in 1992 and ransomware in 2021 share similar profitability metrics; both activities carry +90% profit margins per unit. The major difference lies in the risk taken by the actors. In 1992, every 2 kilos of cocaine trafficked resulted in 1 person arrested. Every 4 kilos of cocaine trafficked resulted in 1 person being killed. Ransomware carries an infinitesimal fraction of the risk. Ransomware arrests are extremely rare relative to trafficking. A trafficker in 1992 was 625x more likely to get arrested than a ransomware actor in 2021. 

Additionally, physical altercation with law enforcement our competitors and resulting injury, ie - violence,  is non-existent within the ransomware industry. We highlight this NOT to encourage violence as a solution, but to demonstrate a point. Ransomware industry actors face little to no risk when carrying out attacks. There is effectively zero downside to becoming a ransomware affiliate and the extortion economy is attracting new entrants every day. Until the economics are disrupted and the risks start to outweigh the rewards, the problem will persist and grow. 

It is not all bad though! We can bucket recently announced government and law enforcement initiatives into 3 economic drivers that should help counter the economics of ransomware:

1) Activities that decrease the revenue earned by ransomware actors. Decreasing the revenue earned by ransomware actors means decreasing their attack success rate (fewer attacks will convert to a ransom payment), and decreasing the size of the average ransom payment. Decreasing conversion rates means companies are both harder to compromise AND have sufficient continuity resources (backups) to recover without paying. It also means piercing the veil of secrecy on ransom payments such that company’s are not tempted to pay in order to keep the incident private. Recent initiatives that will aid in decreasing revenue earned by ransomware actors include:

  • Senator Elizabeth Warren has introduced the Ransom Disclosure Act which will require companies to report ransom payments to the federal government. Mandatory disclosure WILL decrease the likelihood that a ransom is paid. Companies on the fringe of paying or not will be influenced by the reporting requirement.  

  • CISA launched the StopRansomware website and has moved all their guidance, updates, reports, assessments and resources to a centralized location. Additionally, the U.S. Treasury has guided companies to demonstrate that they have adopted basic security standards as outlined by CISA.

2) Activities that increase the costs incurred by ransomware actors. By increasing the costs of a successful ransomware attack AND the dilution of laundering of the ransom proceeds, the profitability of the industry will decline and make it a less attractive endeavor. Some recent initiatives that aim to increase the costs of ransomware attacks and cryptocurrency laundering include:

  • The Australian Government released their Ransomware Action Plan, a comprehensive plan that spans policy (mandatory reporting), new interagency law enforcement collaboration, new tougher criminal penalties on ransomware actors, and resources to help small businesses stay safe.

3) Activities that increase the risk, or perceived risk of being a ransomware cyber criminal. Ransomware attacks are accurately perceived to be low risk endeavors. Arrests and retribution are rare so actors are not deterred or influenced when carrying out attacks. Some recent initiatives that should increase the perceived risk include:

  • White House National Security Council convened the Counter-Ransomware Initiative, a 30 nation summit to better connect international law enforcement agency collaboration on disrupting ransomware operations. Geopolitical pressure on states that condone or protect ransomware actors will increase the risk of ransomware operations residing in those geographies. 

Average Ransom Payment Amounts Flat in Q3 2021

Average Ransom Payment

$139,739

+2.3% from Q2 2021

Median Ransom Payment

$71,674

+52.5% from Q2 2021

The average ransom payment amount remained relatively constant in Q3, while the median increased by over 50%. We attribute this shift to less large outlier ransom payments from a small subset of large companies, versus a higher proportion of payments coming from mid-market sized victims. Ever since the pipeline attacks this spring, we have seen statistical evidence and intelligence showing that ransomware actors are trying to avoid larger targets that may evoke a national political or law enforcement response. This shift from ‘Big Game Hunting’ to ‘Mid Game Hunting’ is personified in both the ransom amount statistics but also the victim size demographics from the quarter. 

Ransomware and Data Exfiltration Tactics Remain Intertwined

Attacks where data exfiltration was threatened

83.3%

+3% from Q2 2021

Over 80% of ransomware attacks involve the theft of corporate data in addition to file encryption. Despite the persistence of this tactic, paying to suppress news of a leak remains a bad deal for victims because:

  • The data is not credibly destroyed by the threat actor. Victims should assume it might be traded, sold, misplaced, or held for a second/future extortion attempt.

  • Stolen data is held by multiple parties. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future.

  • The data may be deliberately or mistakenly published before a victim can even respond to an extortion attempt.

  • Data that HAS value has likely already been sold, traded or otherwise monetized.

  • Complete records of what was taken may not be delivered by the threat actor, even if they explicitly promise to provide such artifacts after payment.

  • Paying does NOT absolve the victim of any legal or contractual notification obligations depending on the nature of the information that was exfiltrated.

The Most Common Ransomware Variants in Q3 2021

Rank Ransomware Type Market Share % Change in Ranking from Q2 2021
1 Conti V2 19.2% +1
2 Mespinoza 11.3% +2
3 Sodinokibi 8.9% -2
4 Lockbit 2.0 8.4% New in Top Variants
5 Hello Kitty 5.4% -
6 Zeppelin 4.4% +3
7 Ranzy Locker 3.0% New in Top Variants
8 Suncrypt 2.5% New in Top Variants
8 Hive 2.5% New in Top Variants
9 Ryuk 2.0% -3
9 BlackMatter 2.0% New in Top Variants

Top 10: Market Share of the Ransomware attacks

With REvil / Sodinokibi dissolving following the Kaseya attack and subsequent law enforcement intervention, other variants have increased their market share. While tracking activity at the RaaS affiliate level remains a challenge, it seems clear that the affiliate diaspora from REvil has been absorbed by other large RaaS operations like Conti and Lockbit 2.0. LockBit 2.0 in particular seems to be pushing the RaaS model into new territories in order to attract the most talented affiliates. Specifically, the RaaS operation advertises greater transparency to affiliates and direct receipt of ransomware proceeds. It seems the rivalry between LockBit 2.0 and REvil compelled these changes given REvil appears to have been caught running a backdoor on their TOR platform that allowed them to cut affiliates out of some ransomware payments.

MITRE ATT&CK Tactics Observed in Ransomware attacks in Q3 2021

In addition to statistics about threat actor behavior, Coveware aggregates data about the tactics, techniques and procedures (TTPs) used by the cyber criminals during the attack. These TTPs are collected first hand by Coveware and mapped to the MITRE ATT&CK framework for standardization. The top 5 MITRE TTPs in Q3 where:

  1. Credential Access (TA0006): 85% of ransomware cases saw evidence of Credential Access via either Brute Forcing (T1110) or OS Credential Dumping (T1003). Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give threat actors access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

  2. Lateral Movement (TA0008): 83% of ransomware attacks involve lateral movement with the most common types being  Exploitation of Remote Services (T1210),  Lateral Tool Transfer (T1570) and Remote Services (T1021).  Lateral Movement consists of techniques used to enter and control remote systems on a network. The primary objective of broad ransomware deployment requires exploring the network to identify and control critical systems. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

  3. Defense Evasion (TA0005): 52% of ransomware attack had signs of defense Evasion with the most common sub tactics being Indicator Removal on Host - Clear Windows Event Logs (T1070.001),  Indicator Removal on Host  (T1070) and Impair Defenses (T1562). Defense Evasion consists of techniques used to avoid detection during compromise. Defense evasion techniques include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

  4. Persistence (TA0003): 48% of ransomware attacks had persistence TTPs observed with the most common sub tactics being:  Create Account (T1136), External Remote Services (T1133), and Scheduled Task/Job (T1053). Persistence consists of techniques that adversaries use to keep access to systems despite system restarts, credential changes, or other interruptions that could disrupt their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

  5. Discovery (TA0007): 46% of ransomware attacks had Discovery TTPs tracked across the networks, with the most common sub tactics being:  Network Share Discovery (T1135), Process Discovery (T1057), and System Information Discovery (T1082). Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. Native operating system tools are often used toward this post-compromise information-gathering objective.

Securing a large enterprise network is a never-ending task. However, the rate at which ransomware threat actors reuse TTPs presents an opportunity for defenders to select areas of weakness that can be addressed quickly and cost effectively. No single vulnerability or weakness causes a ransomware attack. It is ALWAYS a compounding sequence of events during an attack, or kill chain. By identifying opportunities along the kill chain to halt these attacks, enterprises can opportunistically reduce risk. 


The Most Common Ransomware Attack Vectors in Q3 2021

Weakly configured Remote Desktop access (RDP) and email phishing remain the primary methods of initial ingress to corporate networks. This is due to the size of the addressable market for these credentials, and the investments in automation that access brokers have made towards the mass scanning / harvesting of network credentials. Software vulnerabilities (CVE’s) have been increasing their share though as common peripheral applications get targeted, and patching cadence by enterprises lags. An open source collection of Ransomware CVE’s has formed and is being maintained by a group of researchers as well, which does a great job of visualizing the common vulnerabilities that are being exploited by access brokers that work upstream of the ransomware affiliates.

*Vulnerabilities exploited by ransomware gangs (Allan Liska / Pancake)

Distribution of Company Size by Attack Vector in Q3 2021

Cost effective methods of attack such as RDP and email phishing remain the most prevalent for smaller organizations. Smaller organizations are more likely to have insufficient IT security resources to understand the risks of RDP, and are also unlikely to be able to afford email filtering services that can mitigate the risk of a phishing attack leading to fully compromised credentials. As network access attackers move up market they end up needing to invest more money into more sophisticated attack vectors such as the latest software vulnerabilities. Exploiting a software vulnerability, especially at scale, takes specialization which equates to higher costs, and a smaller pool of potentially exposed enterprises. 

Common Attack Vectors used by the top 3 Ransomware Variants in Q3 2021

The attack vectors used by different RaaS operations depend on the shape and size of the operation itself. Some RaaS operations have direct connection with large network access bots or exploit services, such as the affiliation between QBot malware and Conti. Other operations, such as Mespinoza, typically target smaller organizations which leads to a concentration of attacks traced back to brute force RDP sessions. 

Industry Segments that succumb to a Ransomware Attack in Q3 2021

As often discussed, financially motivated ransomware attacks are generally financially motivated and not targeted attacks. Therefore, industry concentration trends surface as a result of how economically viable and prevalent opportunities for attack are. Small professional service firms continue to absorb a disproportionate share of ransomware attacks. These firms (mostly small and medium sized legal and financial services firms) tend to under invest in IT security and often believe they are too small to be on the radar of ransomware attackers. This fundamental misconception of how ransomware attacks are manufactured, leads companies to believe they will never be struck by lightning. What they do not realize is that this type of thinking actually makes them a lightning rod for attacks. 

Size of Companies Impacted by Ransomware in Q3 2021

Both the median and average declined in Q3. While this trend is still young, we suspect that many RaaS groups and their affiliates are moving away from big game hunting. Following the pipeline attack in Q2, and resulting geopolitical response, affiliates seem resigned to trade away opportunities for very large ransoms given the risk of an adverse national response. Middle market companies that are not systemically important may not offer up the largest ransoms, but are more cost effective to attack and may still provide a sizable payment if the company is caught without the proper defenses and backup assets.

Distribution of Ransomware Victim Size in Q3 2021

Incident Duration and Business Interruption of a Ransomware Attack

Ransomware remains disproportionately a small business problem. On average businesses face 22 Days (-5% from Q2 2021) of business interruption (less than 100% productivity). In Q3 almost 44% of attacks impacted businesses with between 101-1,000 employees, up from 38% in Q2, reflecting threat actors potentially shifting from Big Game Hunting to Mid Game Hunting.

DISCLAIMER

Coveware is not responsible for any actions taken, errors or omissions (negligent or otherwise), regardless of the cause, or for the results obtained from the use of this content, or for the performance of any computer, hardware or software used or modified in conjunction with this content. The content is provided on an "as is" basis. 

VIEWERS OF THIS REPORT AND ITS CONTENT DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. 

In no event shall Coveware be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the content even if advised of the possibility of such damages.

 
Bill SiegelQuarterly Report