Extrahop Ransomware

Ransomware Is Getting Worse, and a New Name to Prove It: Multifaceted Extortion

Anakin Skywalker existed before Darth Vader; Max Eisenhardt existed before Magneto, and Smeagol existed before Gollum. Villains take on new names to mark their transformation into the worst versions of themselves. Ransomware is going through the same thing.

FireEye Mandiant has published its annual M-Trends Report, which details current threats and security trends based on investigations conducted between October 2019 and September 2020. It found alarming increases in encryption and ransomware-related exfiltration. Mandiant gave the attack a new name, multifaceted extortion, because data exfiltration transforms this type of attack into something beyond a simple data ransom.

Recent Experiments in Multifaceted Extortion

Mandiant’s warning was reinforced by the Colonial Pipeline attack last week. Krebs on Security reports that the DarkSide attackers are well known for using multiple extortion techniques. Even where organizations can restore from backups or build new systems, these tactics give the attackers additional leverage.

With gas prices still elevated after the shutdown of the pipeline, it is easy to forget that history was made two months ago, when the ransomware group REvil made the largest ransom demand to date at USD 50 million. Multifaceted extortion is what makes such a high demand possible.

Similar multifaceted extortion schemes have been seen among ExtraHop customers. We shared a blog post about an ExtraHop customer that stopped a multi-pronged ransomware attack. The ransomware detection in ExtraHop Reveal(x) 360 was triggered, and after receiving a data staging alert for the same device, the organization discovered that encryption and exfiltration were both components of the attack. They were able to stop the attack before any serious damage was done.

Beyond the highly publicized attacks, multifaceted extortion has been reported across a broad range of industries, including technology giants and urban police departments. All of these organizations were threatened with the publication of personal records and, in one instance, the names of their informants.

What drives the new trend?

Four years ago, ransomware became widely known when WannaCry spread quickly around the world via the insecure SMBv1 protocol. Organizations rushed to patch vulnerabilities and provide security education. Backup adoption has also increased, so that businesses can recover from encryption and continue operating.

Cybercriminals need new leverage, so they have turned to exfiltration and extortion to get around these mitigation and prevention strategies. Although the most common extortion tactic is threatening to release proprietary data, Mandiant notes that attackers also use more aggressive tactics such as harassing employees and launching DDoS attacks.

The move from ransomware to multifaceted extortion is important, given the mitigations that organizations have put in place since WannaCry. Headlines claiming that ransomware is on the rise do not convey the reality of today’s attacks. This threat is likely to prompt another rapid shift in cyber defense strategy.

Know thy enemy, defeat thy enemy

In response to the increased risk, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. It aims to raise cybersecurity standards in government and accelerate incident response.

Although the initiative does not create mandates for private sector organizations, it encourages them to follow the government’s lead and update their security models to meet today’s threats.

Before we can counter the enemy, it helps to know who they are. Mandiant gives a few clues. Ransomware is on the rise: it made up 25% of all attacks in 2020, compared to 14% in 2019. According to the report, the average global dwell time is now less than a month, which is consistent with the prevalence of ransomware, a fast-moving attack.

Mandiant also pointed out that exploits (29%) were the most common attack vector in cases where an entry point had been confirmed. This was the first time that exploits surpassed phishing (23%) as the leading vector. It suggests that attackers are changing how they gain access as spam filters and internet users become more sophisticated.

Mandiant also noted that it has identified 144 new malware families and is currently tracking 652 new threat groups out of more than 1,900 in total.

All this is to say that although we may have a good idea of what our enemies want, we don’t always know how they will get there. Defending against cyber extortion can be daunting for cybersecurity professionals, but it is possible.

The Network can be your guide

How did ExtraHop customers detect and stop multifaceted extortion attempts while others fell prey to them? It all comes down to the network.

Attackers have become extremely adept at evading detection once they are inside a network. Network detection and response (NDR) is a defense tool that lets you detect a compromise early in the attack, before it causes major damage.

NDR uses machine learning to detect threats inside your network. With behavior-based detectors, security teams can spot malicious activity even when it does not match a known pattern. This gives organizations an edge even against new malware and zero-day exploits.

You can see how an ExtraHop customer responded to this threat of multifaceted extortion. ExtraHop Reveal(x), a network detection and response platform built on network data, alerts users to suspicious activity consistent with attempted exfiltration. You can see the full set of Reveal(x) data exfiltration and ransomware activity detectors in our demo.
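As an added illustration (not ExtraHop’s code, and far simpler than a real NDR product), the following Python sketches the two behavior-based signals mentioned in this post, data staging and exfiltration, over constructed flow records, and correlates them into the multifaceted-extortion pattern. The internal address range, thresholds and baseline window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed: the organization's internal range

FLOWS = [  # constructed flow records, not a real capture: (seconds, src, dst, bytes)
    (0,    "10.0.0.5",  "10.0.0.50",     2_000_000),  # normal: workstation -> file server
    (120,  "10.0.0.50", "203.0.113.9",      50_000),  # normal: small outbound traffic
    (300,  "10.0.0.5",  "203.0.113.9",      40_000),
    (3600, "10.0.0.7",  "10.0.0.21",    40_000_000),  # staging: many hosts push data to one host
    (3610, "10.0.0.8",  "10.0.0.21",    35_000_000),
    (3620, "10.0.0.9",  "10.0.0.21",    30_000_000),
    (3700, "10.0.0.21", "198.51.100.7", 120_000_000), # exfiltration: staging host -> external
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def detect_staging(flows, window=600, min_peers=3, min_bytes=50_000_000):
    """Internal host receiving a large volume from many internal peers within one window."""
    inbound = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst].append((ts, src, nbytes))
    alerts = {}
    for host, recs in inbound.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):  # slide a window over the host's inbound flows
            win = [r for r in recs[i:] if r[0] - t0 <= window]
            peers, total = {r[1] for r in win}, sum(r[2] for r in win)
            if len(peers) >= min_peers and total >= min_bytes:
                alerts[host] = {"peers": len(peers), "bytes": total}
                break
    return alerts

def detect_exfiltration(flows, baseline_end=1800, factor=20):
    """Learn the normal outbound flow size during a baseline period, then flag large deviations."""
    out = [(ts, src, b) for ts, src, dst, b in flows if is_internal(src) and not is_internal(dst)]
    sizes = sorted(b for ts, _, b in out if ts < baseline_end)
    median = sizes[len(sizes) // 2] if sizes else 0
    return {src: b for ts, src, b in out if ts >= baseline_end and median and b > factor * median}

def correlate(flows):
    """A host that stages data and then exfiltrates it is the multifaceted-extortion pattern."""
    staging, exfil = detect_staging(flows), detect_exfiltration(flows)
    findings = [{"host": h, "signal": "staging", "severity": "medium"} for h in staging]
    for h in exfil:  # escalate when the exfiltrating host is also the staging host
        sev = "critical" if h in staging else "high"
        findings.append({"host": h, "signal": "exfiltration", "severity": sev})
    return findings
```

Running `correlate(FLOWS)` reports 10.0.0.21 first as a medium-severity staging host and then as a critical exfiltration source, the same two-part picture the customer story above describes.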