Submitted URL: http://app.wiredata.extrahop.com/e/er?utm_campaign=2022-q1-february-newsletter-general-dynamic-noam-uk&utm_medium=email&utm_sourc...
Effective URL: https://www.extrahop.com/resources/learning/ransomware-retrospective/?utm_campaign=2022-q1-february-newsletter-general-dy...
Submission: On February 18 via api from US — Scanned from DE
RANSOMWARE RETROSPECTIVE 2021: RISE OF THE ADVANCED EXTORTIONATE THREAT

* Intro
* Timeline
* Tactics
* Infrastructure
* Insurance
* Kill Switch
* Conclusion

Ransomware is not new. The United States Department of Justice has estimated that, since 2016, more than 4,000 ransomware attacks have been perpetrated against US organizations every single day. While that number is staggering, the scope and severity of the problem is even larger: chronic underreporting of attacks means that the daily figure is likely far greater. The nature of ransomware attacks has also changed dramatically over the last eighteen months, with advanced nation-state tactics making their way into for-profit cybercriminal activity. In this report, we explore the ways in which ransomware has become an advanced threat with the "hat trick" of exfiltration, encryption, and software exploitation; how governments are changing their treatment of ransomware attackers; and what organizations can do to reclaim the advantage.

INTRO: TROUBLING RANSOMWARE TRENDS

In March 2021, the cybercriminal syndicate known as REvil (aka Sodin, aka Sodinokibi) detonated an attack on Acer, the Taiwanese computer giant. At the time, it was the highest ransom demand ever made: $50 million. But while the price for the decryption keys was itself noteworthy, this attack drew attention for another reason. The "double extortion" model used by REvil, first exfiltrate the data, then encrypt it, wasn't new. But during the ransom negotiations, REvil claimed to have gone one step further, indicating that they had introduced an exploit into Acer software.
If true, this would have allowed REvil to use Acer software to perpetrate attacks on Acer customers, in much the same way that SolarWinds Orion software had become an attack vector just a few months earlier. What REvil was alleging was a worst-case scenario: a Cyber Hat Trick of exfiltration, encryption, and exploitation that, if successfully executed, would not only have done considerable damage to the original victim, but given the attackers easy access to thousands, if not tens of thousands, of other organizations. Unfortunately, in July, the REvil attack on Kaseya confirmed the cybersecurity community's fears. A ransomware gang exploited vulnerabilities in a widely used enterprise IT management product, Kaseya VSA, and used the product's own agent management channel to push ransomware to the organizations that ran it, at massive scale. It was, in effect, SUNBURST for profit: a trusted software channel turned into a delivery mechanism. With the attacks on Acer, Colonial Pipeline, and Kaseya in just six months, ransomware gangs threw the increasing use of advanced nation-state tactics into sharp relief. These attacks should no longer be called simply ransomware; they are a new class of advanced persistent threat. In this report, we look back at the evolution of advanced ransomware techniques in 2021, and at what governments and private organizations can do to combat the threat.

THE NEW CLASS OF RANSOMWARE THREATS: HEADACHES AND HEADLINES

In late 2020, a large retailer based in North America received an alert in ExtraHop Reveal(x) 360 that ransomware activity had been detected. The same devices were also generating detections for SMB data staging and suspicious file reads. The customer's security team determined that the attackers were exfiltrating data before encrypting it, in an effort to inflict maximum damage: the double extortion technique that has become increasingly common over the last eighteen months.
By detecting this kill chain activity before the ransomware was deployed, the customer was able to quickly identify and quarantine affected assets and accounts; as a result, the attackers were only able to encrypt a small percentage of targeted files. According to a recent ExtraHop survey of 500 CISOs and other IT security leaders in North America and Europe, many are not so lucky:

* 85% have suffered a ransomware attack in the last 5 years
* 38% have suffered 5 or more ransomware attacks in the last 5 years
* 51% saw impact to IT infrastructure
* 46% of attacks targeted end users
* 98% of attacks resulted in downtime, data loss, or fines
* 57% paid the ransom in half of their ransomware attacks

(Results from an ExtraHop survey of 500 CISOs and IT security leaders.)

HIGH PROFILE RANSOMWARE ATTACKS IN 2021

[Interactive timeline, January to December 2021; each attack is summarized below.]

Kia Motors (2.26.2021)
Demand: $20M | Perpetrator: DoppelPaymer | Techniques: Unknown
In February, multiple media outlets began reporting that a Kia outage was actually due to a ransomware attack. BleepingComputer obtained a copy of a ransom note from DoppelPaymer, the alleged attackers, demanding $20 million in Bitcoin. While there was substantial evidence that Kia had in fact been the victim of an attack, the company has continued to deny that any such attack took place.

Acer (3.19.2021)
Demand: $50M | Perpetrator: REvil | Techniques: Exfiltration, encryption, alleged exploitation
At the time, the ransom demand on electronics giant Acer ($50 million) broke the record for the largest ransom demand to date. REvil stacked extortion techniques to add leverage to the demand, combining encryption with data exfiltration and a claimed exploit in Acer software. Months later, an emboldened REvil went on to set an even higher demand with its attack on Kaseya.
According to BleepingComputer, REvil may have leveraged a Microsoft Exchange Server vulnerability to gain initial access, which would mark the first time a major ransomware actor successfully weaponized Microsoft Exchange as an attack vector.

Sierra Wireless (3.20.2021)
Demand: N/A | Perpetrator: Undisclosed | Techniques: Exfiltration, encryption
Ransomware halted production for Sierra Wireless, a Canadian IoT manufacturer with operations around the world. According to a statement released by the company, the attack affected internal operations and made the corporate website inaccessible, but the risk did not extend to consumer products or systems. Sierra Wireless hired an independent incident response firm to investigate the attack, but the initial access point, demand, and responsible party are not publicly known. The attack is believed to have caused significant financial damage to the company, which withdrew its Q1 revenue forecast in the aftermath.

CNA Financial (3.23.2021)
Demand: $40M | Perpetrator: Phoenix Locker / Evil Corp | Techniques: Exfiltration, encryption
In March, attackers gained a foothold on CNA's network using a fake browser update served from a legitimate website that had itself been compromised. The attackers maintained access from March 5 to 21, using living-off-the-land tactics to avoid detection, disabling logging and security tools, and exfiltrating data to hold as additional leverage. On March 21 they deployed ransomware, encrypting more than 15,000 systems and demanding $40 million. The code was reported to resemble that of the sanctioned WastedLocker ransomware, leading to speculation that Phoenix Locker was another attempt by Evil Corp to evade the 2019 US sanctions that prohibit any financial transactions with the group.
Quanta (4.21.2021)
Demand: $50M | Perpetrator: REvil | Techniques: Exfiltration, encryption
REvil (also known as Sodinokibi) accessed the network of technology supplier Quanta, exfiltrating data and encrypting an undisclosed number of systems. Among the stolen data were schematics for a number of yet-to-be-released Apple products that Quanta manufactures. When Quanta refused to pay, the attackers demanded the same amount from Apple, threatening to release the stolen blueprints. When Apple also refused, REvil posted the data, which included schematics for the upcoming MacBook Pro. While few details of the initial intrusion were shared publicly, REvil commonly exfiltrates data for additional leverage, encrypts systems, and tampers with backup software to prevent companies from restoring their data after encryption.

Washington DC Police (4.26.2021)
Demand: $4M | Perpetrator: Babuk | Techniques: Exfiltration, encryption
Attackers exfiltrated sensitive files from the Metropolitan Police Department, claiming to hold more than 250 GB of personnel and case files. Babuk uses existing tools such as BloodHound, Cobalt Strike, and Metasploit to gain and maintain the access needed for both encryption and exfiltration.

Brenntag (4.28.2021)
Demand: $7.5M (paid $4.4M) | Perpetrator: DarkSide | Techniques: Exfiltration, encryption
DarkSide attacked Brenntag, a German chemical distributor with over 17,000 employees at more than 670 sites worldwide. In addition to locking Brenntag out of business-critical applications and data, DarkSide claimed to have stolen 150 GB of data during the attack. While DarkSide initially demanded $7.5 million, Brenntag ultimately settled for the equivalent of $4.4 million in Bitcoin.
Colonial Pipeline (5.7.2021)
Demand: $4.4M | Perpetrator: DarkSide | Techniques: Exfiltration, encryption
There is nothing like the spectre of a gas shortage to capture the attention of the American public or the federal government, and the DarkSide ransomware attack on Colonial Pipeline in May 2021 did just that, rocketing ransomware to the top of the national agenda. While DarkSide made clear in the days following the attack that they hadn't intended to hit such a critical and visible target, the damage was done. Although only Colonial Pipeline's IT systems were hit, the company shut down pipeline operations until it could fully investigate the scope of the incident, resulting in hours-long lines and a panic over access to fuel up and down the Eastern seaboard. Ultimately, DarkSide's servers were attacked and disabled, an action widely attributed to the US government and the first, but not the last, such action of 2021.

JBS USA (5.31.2021)
Demand: $11M | Perpetrator: REvil | Techniques: Exfiltration, encryption
JBS USA is one of the largest meat suppliers in the US. On May 31, 2021, JBS announced that a ransomware attack had forced it to temporarily halt operations at five of its US plants, as well as across parts of its UK and Australian operations. In order to prevent disruption to grocery supply chains and limit panic buying, JBS chose to pay the $11 million ransom demand. The FBI attributed the attack to REvil.

Kaseya (7.2.2021)
Demand: $70M | Perpetrator: REvil | Techniques: Exfiltration, encryption, exploitation
Where REvil had only claimed to have compromised Acer's software, it made good on the threat with IT solutions provider Kaseya. REvil exploited vulnerabilities in Kaseya's VSA remote management product and used it to push ransomware to up to 1,500 downstream organizations across multiple countries.
The ransom demand, $70 million in Bitcoin for a universal decryption key, was the largest in history, handily beating the previous record set by REvil's demand on Acer. Although it is not known how many Kaseya customers independently paid to have their data released, Kaseya itself opted not to pay, instead cooperating with the US government. Kaseya's decision to cooperate in the investigation would ultimately contribute to the takedown of REvil.

Accenture (8.11.2021)
Demand: $50M | Perpetrator: LockBit | Techniques: Exfiltration, encryption
In August 2021, news broke that global consulting firm Accenture was the victim of a ransomware attack by LockBit. The attackers claimed to have exfiltrated more than 6 TB of data from the company, a detail Accenture did not confirm for months, and then only in SEC filings. In exchange for the stolen data and the encryption keys, LockBit demanded $50 million. It is not clear what ransom, if any, Accenture paid.

Brown-Forman (August 2020)
Demand: N/A | Perpetrator: REvil | Techniques: Exfiltration
Brown-Forman, the parent company of well-known brands including Jack Daniel's, Woodford Reserve, and Finlandia Vodka, announced in August 2020 that it had been hit by REvil. Compared to many other organizations, Brown-Forman got lucky: they detected the activity before their files were encrypted. However, REvil still made off with more than a terabyte of confidential data, which it planned to auction off to the highest bidder before leaking the rest.

Howard University (9.7.2021)
Demand: N/A | Perpetrator: Unknown | Techniques: Encryption
At the beginning of the 2021-2022 academic year, Howard University was hit by a ransomware attack that forced the temporary shutdown of online and hybrid classes school-wide.
While the school stated that no student data was stolen, the attack disrupted major systems, including taking down the school's wifi network.

Kronos (12.13.2021)
Demand: N/A | Perpetrator: Unknown | Techniques: Encryption
Kronos, a division of Ultimate Kronos Group (UKG) that provides payroll and timekeeping software, was hit by a ransomware attack that crippled its systems and effectively shut down payroll and timesheet operations for thousands of customers worldwide. While the perpetrators and the ransom demand have not yet been disclosed, the broad impact of the Kronos attack underscores just how costly ransomware can be, particularly when it hits widely used software platforms.

COMMON & EMERGING RANSOMWARE TACTICS

It used to be that the sole endgame of ransomware was encryption: deploy the ransomware, encrypt the files, and demand payment in exchange for the keys. In 2021, this was no longer the case. Ransomware criminals have introduced payment incentives at multiple steps in the kill chain, from exfiltration of data to exploitation of software. The ability to restore from backup is cold comfort when doing so will still result in your customers' data being sold on the dark web, or in your customers themselves becoming the victims of a ransomware attack. Here are some of the most common techniques to emerge or gain popularity in 2021.

LATERAL MOVEMENT: LAND AND PIVOT

Ransomware gangs have adopted advanced east-west maneuvering to amplify damage and halt business operations, improving their payment calculus. Modern ransomware exploits IT infrastructure to move stealthily and persist for longer periods before springing its trap (the so-called ransomware midgame), putting security and IT teams at a disadvantage in preventing large-scale incidents.

ACTIVE DIRECTORY EXPLOITATION

Ransomware playbooks share a common focus on exploiting Active Directory (AD). Targeting domain admin privileges via AD speeds asset collection and data compromise. Ransomware now demonstrates shockingly short dwell times: a median of just five days, according to FireEye Mandiant's 2021 M-Trends report. Numerous advisories on actors like REvil and BlackMatter (a rebrand of DarkSide) point to AD as the quickest path of attack.

INITIAL ACCESS BROKERS

Today, ransomware is within reach of any motivated extortionist. Even the intrusion phase can be bought through an initial access broker (IAB). Skilled IAB operators first gain access to business networks through phishing, exposed RDP, supply chain compromise, exploited vulnerabilities, or brute-force attacks, then sell that access on dark web forums. Would-be extortionists can choose a victim by business size, country of operation, and sector, then slide into the ransomware-as-a-service (RaaS) workflow.

DATA EXFILTRATION

Stealing data is nothing new for cybercriminals. It is naive to take a ransom-driven criminal's word that no copy of your data was made and that the encrypted but intact copy on your own systems is the only one. Though noisy, data exfiltration has become a critical element of the ransomware playbook. Holding your data adds to the attackers' ROI calculus: it enables double extortion, plus a bonus sale of the data on the black market.

COSTS OF RANSOMWARE RECOVERY

Availability of backups is a critical part of the payment calculus. Unfortunately, the ransom payment has little bearing on the total financial damage the attack will inevitably cause. Research suggests that ransom payments account for only about 10% of the actual damage to victims: research published in 2021 put the average ransomware payment at $170,000 and the average cost of recovery at $1.85 million.

RANSOMWARE + CRITICAL INFRASTRUCTURE

There is nothing like the specter of a gas shortage to capture the attention of the American public.
When Colonial Pipeline shut down its operations in May 2021 in order to respond to a ransomware incident, drivers up and down the Atlantic coast rushed to gas stations, waiting in hours-long lines to fill their tanks and, in many cases, filling any vessel they had available with extra gas. While the shutdown itself was short-lived, its impact was lasting. Just a few weeks after the attack was disclosed, the Biden Administration announced that it would start giving ransomware attacks the same priority as terrorist threats. The administration has, thus far, made good on that promise.

DECISIVE ACTION

In a May 2021 press conference on the Colonial Pipeline attack, President Biden stated: "We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We're also going to pursue a measure to disrupt [ransomware attackers'] ability to operate." Early the following morning, news broke that DarkSide, the ransomware group responsible for the Colonial Pipeline attack, had itself gone dark, with access cut off to its blog, payment processing, and distributed denial-of-service (DDoS) operations. While the US government did not claim responsibility for the takedown, within minutes of the news breaking the 780th Military Intelligence Brigade quietly retweeted, without comment or context, a Recorded Future blog post about the shutdown. It wouldn't be the last time.

Just before the July 4th holiday, news broke that software provider Kaseya had been hit by ransomware. But this was no ordinary ransomware attack.
Not only had REvil, the syndicate responsible for the attack, exfiltrated and encrypted data across Kaseya's customer base, they had exploited a vulnerability in Kaseya's software to propagate their ransomware to thousands of Kaseya customers. For pulling off the first known Cyber Hat Trick, REvil demanded a $70 million ransom to provide decryption keys to Kaseya and its customers. On Tuesday, July 13, 2021, REvil disappeared from the internet. While speculation ran rampant that the US, Russia, or some combination of the two governments was responsible for the takedown, there was no official comment from either country. But as in the case of the DarkSide takedown, there wasn't complete silence: at 11:23am ET on July 13, as news was breaking that REvil was down, the Twitter account of the 780th once again quietly retweeted the news. Within a matter of weeks, REvil had managed to restore its servers and was back online. Then in mid-October, news once again broke that REvil had been taken down, and this time speculation about who was responsible didn't last long. On October 21, Reuters confirmed the involvement of US government agencies in both the July and October shutdown operations. According to Tom Kellermann, head of cybersecurity strategy at VMware and adviser to the U.S. Secret Service on cybercrime investigations, "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list."

BLOCKING CRYPTO RANSOMWARE PAYMENTS

In September 2021, the US Treasury Department announced its own set of actions aimed at disrupting ransomware actors, notably sanctions against SUEX, a virtual currency exchange known to facilitate ransomware payments.
According to the Treasury Department's press release, virtual currency exchanges are "critical to the profitability of ransomware attacks." In some cases, the exchanges themselves have been exploited by ransomware criminals in order to move payments. In many other cases, however, the exchanges knowingly facilitate illicit transactions for their own gain. In addition to the sanctions, the Treasury Department also announced new efforts to help private sector organizations combat ransomware, and to increase reporting of ransomware attacks and payments.

"Analysis of known SUEX transactions shows that over 40% of SUEX's known transaction history is associated with illicit actors." (Press release, US Treasury Department)

THE RANSOM DISCLOSURE ACT OF 2021

In October 2021, both the Biden Administration and Congress announced several major steps aimed at combating the advanced extortionate threat of ransomware. On October 5, US Senator Elizabeth Warren and US Representative Deborah Ross introduced a bill called the Ransom Disclosure Act. The bill, if enacted, would require any organization that pays a ransom in a ransomware attack to disclose that payment to US authorities within 48 hours.

The disclosure requirement is an important step in understanding the scope of the ransomware threat. According to the recent ExtraHop CISO survey, of the nearly three-fourths of respondents whose organizations had paid a ransom at least once in the last five years, nearly 61% stated that they attempt to limit, as much as possible, any public disclosure of either the attack or the ransom payment. This affirms what most already suspect: ransomware, and ransom payments, are far more common than is reported.
According to the same survey, while 61% avoid any disclosure of ransomware, a full two-thirds of respondents believe it is actually good for companies to disclose ransomware attacks, to increase awareness and improve the ability to respond to future attacks. Senator Warren and Representative Ross agree, and their bill is designed to take the decision out of the hands of the victim and make it a requirement. "The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation," said Ross as part of a joint statement about the legislation.

"When it comes to ransomware, disclosure to US authorities is a critical first step, but it's not enough. If the victim organization happens to be part of critical infrastructure, then they should also be required to report the attack and subsequent payment to any associated departments that have regulatory authority or interest over that infrastructure. If the ransom disclosures are subject to FOIA, the bill should also require that companies provide notice to shareholders and to their board of directors. Finally, even if individual ransom payments are not subject to public disclosure via FOIA, the government should be required to report aggregate data about ransom attacks and payments to Congress, the GAO, and other interested parties." (Mark Bowling, VP, Security Services, ExtraHop)

Just a week after the Ransom Disclosure Act was announced, the Biden Administration continued its own campaign to increase transparency, accountability, and collaboration against ransomware. The administration convened the largest multinational gathering on ransomware to date, bringing together law enforcement, national security, and cyber intelligence personnel from thirty countries.
The gathering produced a statement of intent to cooperate across areas including disruption of ransomware organizations through law enforcement and strengthening cybersecurity across the public and private sectors, with special emphasis on hardening critical infrastructure.

THE FUTURE OF RAN$OMWARE INSURANCE

The primary philosophy behind insurance is that risk held collectively is smaller than risk held individually—otherwise put, that bad things will happen to some, but not to all. By paying a small amount of money into a system, every participant gains access to a pool of money larger than what they put in, which they can tap into if necessary. But the system only works if the pool has more money in it than the sum of its claims. When the claims begin to exceed the pool, insurance becomes either prohibitively expensive or altogether unavailable.

When cyber insurance was originally introduced to insurance portfolios, it was seen as a low-risk means of diversification. However, over the past several years, loss ratios in cyber policies have drastically outpaced those in the broader casualty industry, prompting cyber insurers to urgently reassess their risk appetites and premiums. And it looks like ransomware is to blame. According to Insurance Journal, ransomware claims rose by 35% in 2020 and accounted for a whopping 75% of total cyber claims (Insurance Journal). Early predictions for 2021 appear even more grim.

The recent ExtraHop CISO survey supports this assertion. Of the 85% of respondents whose organizations experienced at least one ransomware attack, nearly three-quarters paid the ransom at least once. In most, if not all, of those cases, insurance was likely involved. This rise in claims has alarmed insurers.
If the number of claims continues at the current rate, ransomware is on track to become an uninsurable risk for insurance providers, who will grow to view it like they see a fire in California wine country or a flood in New Orleans—an inevitable risk. For California wineries and New Orleans residents, the solution is obvious, if painful. If the property you rely on for shelter or livelihood can't be protected, financially or otherwise, relocation may be the only option.

But cyberattacks are not natural disasters. They are calculated efforts made by actors across the globe with very little to lose and everything to gain. And in our increasingly connected and interconnected world there is nowhere to move, and nowhere to hide.

So what happens when ransomware is deemed an uninsurable risk, as it seems likely it will be? It's possible that the cost burden of ransomware will fall on the taxpayer. Much like the housing crisis of 2008, enterprises deemed "too big to fail" that are hit by ransomware will either need to be bailed out or risk extinction. It's also possible that governments decide to target ransomware syndicates much more aggressively with counter-cyberterrorism measures. Following the attacks on Colonial Pipeline and Kaseya, the US and other governments took out the operations of DarkSide and REvil. But this approach has its limitations. It's cost prohibitive and would likely be reserved for only the most serious attacks.

BUT THERE IS A THIRD OPTION: SECURITY ORGANIZATIONS SIMPLY GET BETTER AT DEFENDING AGAINST THESE ATTACKS.

THE KILL SWITCH IN THE RANSOMWARE KILL CHAIN

The best chance organizations have to protect themselves and their customers, avoid paying the ransom, and maintain their reputations is to build defenses that interrupt attackers before they spring their extortion trap. Ransomware actors have the first-mover advantage and will likely gain initial access to the network. Having 100% intrusion prevention is an impossible goal.
Winning the fight against ransomware requires SecOps teams to be strategic by extending the detection window. It requires organizations to expand their attention, focusing on damage prevention instead of intrusion prevention to establish ransomware resilience. The number one resource that modern ransomware attackers have on their side is the ability to slink around the enterprise environment, just out of sight, accumulating as many assets and as much data as possible to prime their payment calculus. Therefore, a defensive strategy must include the ability to shine a light on the dark corners where they are hiding and living off the land.

The good news is that extortion-driven intruders are not the type to stay in place. Their shameless drive for profit means that they are regularly moving around, looking for meaty data to damage, steal, and dangle over victim organizations. But hidden in their greed is opportunity. Bad actors move laterally around your network, and organizations have ownership of and visibility over their own environment. If security teams are watching for the expansion tactics and lateral movement common to ransomware, it is possible to identify indicators of compromise before the breach occurs.

Meet Ransomware

HOW TO MITIGATE RANSOMWARE

The modern ransomware playbook is executed in three acts. Each act has its unique specialization, tooling, and as-a-service ecosystem.

OPENING: INITIAL INTRUSION
Attackers gain a foothold through a wide range of techniques proven effective over time, including phishing emails.

MIDGAME: POST-COMPROMISE
The attacker pivots through your infrastructure, accumulating assets and compromising data before springing their extortion trap.

ENDGAME: EXTORTION
It's too late, and the damage is done.

Traditionally, security operations centers (SOCs) have relied heavily on endpoint detection and response (EDR) and security information and event management (SIEM) tools for incident management and response.
But those tools don't provide the real-time visibility into East-West traffic that is essential for spotting ransomware in its midgame, as it expands through your infrastructure:

* Target enumeration
* Lateral movement
* Domain escalation
* SMB file system and database exploits
* Command and control
* Data staging

EDR has come a long way from an easily evaded anti-virus tool and plays an essential part in preventing initial access. But as the leaked Conti playbook, as well as real-world attacks like SolarWinds SUNBURST, remind us, attackers evade EDR or avoid managed endpoints altogether. Moreover, exclusive dependence on EDR leads to extensive coverage gaps across servers, IoT, third parties, and other unmanaged endpoints. Equally, SIEM technology offers essential security controls, including alerting, compliance, and dashboarding, but the fuzzy view from logs presents limited actionable insight for responding to laterally moving intruders. ExtraHop network detection and response (NDR) leaves no such gaps.

(Comparison table of EDR, SIEM, and NDR coverage not preserved in this copy. Table footnotes: * Requires advanced agent on the targeted host. ** Dependent on the data source.)

NDR solutions passively capture network communications across every device, including servers, Linux hosts, unmanaged IoT, and third-party software, and apply advanced behavioral analytics and artificial intelligence to identify both known and unknown attack patterns. Unlike SIEM, NDR does not depend on the telemetry quality of another technology such as log collection, and unlike EDR it does not incur the technical and operational friction of deploying agents on hosts and devices. NDR's traffic visibility even works as a compensating control for the servers, Linux hosts, and IoT devices that continue to fall outside EDR coverage. This complete midgame visibility with advanced analysis gives real-time detection insights into today's modern ransomware campaigns, so you can stop the intruder before the real damage is done.
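To make the midgame detection idea concrete, here is an added example (not ExtraHop code, and not a description of how Reveal(x) works internally) that runs two of the behaviours listed above, target enumeration and data staging, over constructed East-West flow records. The record format, the RFC 1918 address plan, the port list, and the thresholds are all assumptions chosen for the illustration; a real deployment would baseline them per environment.

```python
"""Flag ransomware midgame behaviour in constructed East-West flow records.

Added example, not ExtraHop's code. Two heuristics from the midgame list:
  - target enumeration: one internal source reaching many distinct internal
    hosts on lateral-movement ports within a short window
  - data staging: one internal host receiving a large inbound volume from
    several internal peers (collection before extortion)
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed address plan (RFC 1918); adjust to the monitored environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Ports commonly involved in Windows lateral movement and file access (assumed list).
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
FANOUT_THRESHOLD = 5                  # distinct internal targets within FANOUT_WINDOW
FANOUT_WINDOW = timedelta(minutes=5)
STAGING_BYTES = 500 * 1024 * 1024     # hypothetical inbound baseline per host
STAGING_MIN_SOURCES = 3               # hypothetical minimum number of internal peers


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse a constructed record: '<ISO8601 UTC> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect_fanout(flows):
    """Target enumeration: many distinct internal targets on lateral ports in one window."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in LATERAL_PORTS and is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append(f)
    findings = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        for i, cur in enumerate(fl):
            window = [g for g in fl[: i + 1] if cur["ts"] - g["ts"] <= FANOUT_WINDOW]
            targets = {g["dst"] for g in window}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append({"type": "enumeration", "host": src,
                                 "targets": sorted(targets), "at": cur["ts"]})
                break  # one finding per source is enough for triage
    return findings


def detect_staging(flows):
    """Data staging: one internal host collecting large volumes from several peers."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            inbound[f["dst"]]["bytes"] += f["bytes"]
            inbound[f["dst"]]["sources"].add(f["src"])
    return [{"type": "staging", "host": dst, "bytes": v["bytes"],
             "sources": sorted(v["sources"])}
            for dst, v in inbound.items()
            if v["bytes"] >= STAGING_BYTES and len(v["sources"]) >= STAGING_MIN_SOURCES]


def analyse(lines):
    flows = [parse_flow(line) for line in lines if line.strip()]
    return detect_fanout(flows) + detect_staging(flows)


# Constructed sample flows: one normal user, one sweeping workstation, one staging host.
SAMPLE_FLOWS = [
    "2022-02-18T09:00:00Z 10.0.1.30 10.0.2.100 445 20480",      # routine file server use
    "2022-02-18T09:01:00Z 10.0.1.30 10.0.2.100 445 40960",
    "2022-02-18T09:02:00Z 10.0.1.30 8.8.8.8 443 1200",          # North-South, ignored here
    "2022-02-18T09:10:00Z 10.0.1.20 10.0.2.1 445 512",          # SMB/RDP sweep of a subnet
    "2022-02-18T09:10:20Z 10.0.1.20 10.0.2.2 445 512",
    "2022-02-18T09:10:40Z 10.0.1.20 10.0.2.3 445 512",
    "2022-02-18T09:11:00Z 10.0.1.20 10.0.2.4 445 512",
    "2022-02-18T09:11:20Z 10.0.1.20 10.0.2.5 3389 512",
    "2022-02-18T09:30:00Z 10.0.2.10 10.0.3.50 445 314572800",   # 300 MiB from each server
    "2022-02-18T09:35:00Z 10.0.2.11 10.0.3.50 445 314572800",
    "2022-02-18T09:40:00Z 10.0.2.12 10.0.3.50 445 314572800",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(finding)
```

The point of the example is the data source rather than the thresholds: both findings come purely from who talked to whom inside the network and how much moved, which is visible to a passive network sensor whether or not the hosts involved run an agent. Tuning would replace the fixed constants with per-host baselines so that backup servers and vulnerability scanners do not trip the staging and enumeration rules.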
Learn more about ExtraHop's Ransomware Mitigation Solution

CONCLUSION: TAKE ACTION

By all measures, 2021 was a landmark year for ransomware. From record-setting ransom demands, to attacks on critical infrastructure and the first known supply-chain-based ransomware attack, to the actions taken by the US government and its allies to take down perpetrators, it has become clear that we are facing an entirely new class of threat. This new class of ransomware is sophisticated, well-funded, and its perpetrators are ruthless in the pursuit of illicit profit.

While there is no panacea for ransomware, there is hope. The scope and severity of attacks in 2021 brought new focus, urgency, and transparency to the problem of advanced cyber extortion. New government initiatives aimed at curtailing the ability of ransom attackers to gain access to funds, combined with countermeasures that included shutting down major ransomware syndicates, represent an important shift in how authorities intend to treat attacks.

Likewise, private organizations and individuals are waking up to the reality of ransomware. From initiatives aimed at training employees to accurately spot phishing emails, to growing investment in cybersecurity, companies around the world are acknowledging the increasing severity of this evolving threat—and beginning to take action.