Written by Cyber Threat Intelligence Unit on 29 May 2023

If the attribution of TTPs to ransomware groups is not the point, what is?

Ransomware has been an ongoing problem for years, so much so that most security personnel are fatigued: fatigued from fighting it, fatigued by the constant stream of new threats and new types of targets. But that does not mean we can stop caring, no matter how much we might want to. The whole situation seems very grim, and rightfully so: the numbers are dark and only represent the exposed victims. We cannot know how many more organizations have been attacked. So even if everything seems dark, it might be far darker still. This "dark number" of unreported cases is typical of all crime, not only ransomware. The reality is that we do not know as much as we think we do. In fact, we only see what the attackers want us to see. And what if they are lying? There are some facts we know, some things we think we know, and things we cannot know. This is not something defensive teams like to admit, but it is the harsh reality.

Changes are in the air, or are they?

The landscape keeps changing, but the more it changes, the more some things stay the same: new groups emerge, old ones disappear or are transformed into new groups. Right now, Lockbit3 remains the reigning champion in terms of hits, and has been for an extended period of time. New groups like Money Message, Trigona, and Rorschach are emerging. Will they overpower Lockbit one day? Who is to know? It seems unlikely, considering Lockbit’s ruthless but fair(ish) business model that has worked so well for them for so long. Still, Rorschach's rapid encryption time of 4.5 minutes, compared to Lockbit3's 7 minutes, could make Lockbit3 sweat a bit. Would that be enough to dethrone them? Who knows. Techniques do change and evolve. Lately, ransomware is written more and more often in Rust or Nim, attacks are going cross-platform, and Mac and Linux are no longer the safer options. It often feels like the attackers change the most just as we start to get the hang of them, forcing us to start from the beginning again.

The good news is that even though the number of groups continues to rise, each new group does not necessarily bring a brand-new modus operandi. Groups share attack techniques. This is often not discussed: although each group has its own modus operandi, they overlap heavily in techniques. The wheel is not constantly being reinvented. This was most visible after the fall of Conti, when groups took the leaked code and ran with it. The downside is that we cannot attribute attacks to groups unless they take credit for what could be their work. It is impossible to know every ransomware gang's complete set of TTPs, especially for RaaS groups, whose customization options mean security professionals never have the complete picture. Attacks can differ from target to target. Sometimes we have multiple malware analyses that tell us which strategies were used by each group. However, this is neither an exact science nor a perfect picture. We can know which techniques were used in that one attack instance, but we cannot generalize and say that the group always behaves the same way. How often do victims delete their logs in a panic, and how many groups purposely tamper with logs to mislead the defensive teams? This limits what we can learn about these groups.

Sharing is caring, presenting common techniques

Ransomware groups share certain techniques; thus, we cannot attribute a crime to a group that simply. Groups can share so many techniques that we cannot tell them apart with any guarantee; we can only say with some percentage of confidence that it could be one group or, due to the absence of other strategies, that it cannot be another. Think of it like a cake recipe: multiple people can have the same ingredients but make slightly different cakes, and each one has a secret ingredient that we cannot know about. You can tell what kind of cake you have been served, but not with certainty who baked it. The same applies to ransomware groups. We see the surface and some depth, but most likely not all of it.
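The "percentage of confidence" idea above can be made concrete. The following is an added example, not code from the original post or its authors: it scores the techniques recovered from one incident against a few hypothetical group profiles and reports when the top candidates are too close to call. The technique labels are ATT&CK-style IDs used only as illustration, the profiles for "Group A/B/C" are constructed and describe no real gang, and the observed set is a constructed incident in which the firewall-tampering evidence is missing (as when logs were wiped).

```python
# Added example (not from the original post): scoring observed techniques
# against hypothetical group profiles to show why attribution stays uncertain.
# Technique IDs are ATT&CK-style labels used for illustration only; the
# profiles are constructed and do not describe any real ransomware group.

GROUP_PROFILES = {
    "Group A": {"T1566", "T1078", "T1562.004", "T1083", "T1021", "T1486"},
    "Group B": {"T1566", "T1078", "T1562.004", "T1083", "T1021", "T1486", "T1567"},
    "Group C": {"T1190", "T1078", "T1083", "T1021", "T1486", "T1490"},
}

# Constructed: what one incident's forensics actually surfaced. Note that the
# firewall tampering (T1562.004) is absent, e.g. because the logs were wiped.
OBSERVED = {"T1566", "T1078", "T1083", "T1486"}


def jaccard(a, b):
    """Overlap between two technique sets, 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def score_candidates(observed, profiles=GROUP_PROFILES):
    """Rank candidate groups by overlap with the observed techniques.

    Returns a list of (group, overlap, unexplained) sorted best-first, where
    `unexplained` counts observed techniques the profile does not contain.
    """
    results = [
        (name, round(jaccard(observed, techs), 3), len(observed - techs))
        for name, techs in profiles.items()
    ]
    results.sort(key=lambda r: (-r[1], r[2]))
    return results


def attribution_is_ambiguous(results, margin=0.1):
    """True when the two best candidates are closer than `margin` apart."""
    return len(results) > 1 and (results[0][1] - results[1][1]) < margin


def common_techniques(profiles=GROUP_PROFILES):
    """Techniques every profile shares: the behaviours defenders can bank on."""
    return set.intersection(*profiles.values())


if __name__ == "__main__":
    ranking = score_candidates(OBSERVED)
    for group, overlap, unexplained in ranking:
        print(f"{group}: overlap={overlap}, unexplained={unexplained}")
    print("ambiguous:", attribution_is_ambiguous(ranking))
    print("shared by all profiles:", sorted(common_techniques()))
```

With the constructed data, Group A edges out Group B by less than the margin, so the result is reported as ambiguous; the one thing the scorer can say firmly is which techniques every profile shares, which is exactly where the post suggests defenders should put their effort.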

Nonetheless, certain techniques remain fan favorites for a while. Phishing continues to be a staple initial access strategy because it is easy and efficient for groups to carry out. Groups such as Royal and Lockbit3 were seen using phishing as part of their TTPs. Work on securing email, LinkedIn, Teams, and Slack channels. Keep insisting that employees strengthen their passwords and enable MFA. If you can't focus on defending once threat actors are inside, then focus on making sure they cannot get a foot in the door or the window. If you would rather focus on defensive countermeasures once threat actors are inside, it’s always good to know some fan-favorite techniques there too.

Most groups most likely use some form of reconnaissance before attacking a target. Of course, there are exceptions. Some go in blind; some do not care about reconnaissance and simply shoot their shot. Opportunistic and lower-skilled threat actors are more likely to fall into that category. There are plenty of ways to gather intel, but some of the information sought after includes IP addresses, credential leaks, leaks in general, software in use, open ports, and connected IoT devices. Knowing what they can learn about your organization is a major step in prevention. Another reconnaissance approach, when a group already holds a vulnerability and the capacity to exploit it, is to search for targets exposing it. Certain open-source tools are used in those cases to produce a list of targets, as seen with Cl0p and GoAnywhere. Groups such as Black Basta, BlackCat/ALPHV, and Cuba were seen using internal discovery techniques.

Hitting the firewall to disable it, so that threat actors can move in and out and communicate with their command-and-control server, is a commonly used technique. Monitoring firewalls for any abnormalities is an effective countermeasure. Threat actors will need to move around the infrastructure and elevate their privileges, so always look for abnormalities in the logs. Know your users' normal behaviors to be able to flag deviations from them.
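The three checks suggested above (firewall tampering, privilege elevation, and deviations from a user's normal behaviour) fit into one small detection pass. The block below is an added example written for this page, not code from the original post or its authors. The `key=value` log format, the account baseline (usual hosts and working hours) and the five sample events are all constructed; the field names would be adapted to whatever a real SIEM emits.

```python
import re
from datetime import datetime

# Added example (not from the original post). Log format, baseline and sample
# events are constructed for illustration; adapt field names to your SIEM.

# Constructed baseline of "normal" per account: usual hosts and working hours.
BASELINE = {
    "j.smith": {"hosts": {"ws17", "ws18"}, "hours": range(7, 19)},
    "svc_backup": {"hosts": {"bk01"}, "hours": range(0, 24)},
}

# Constructed sample log lines, in time order: "<iso-timestamp> key=value ..."
SAMPLE_LOG = [
    '2023-05-29T02:41:10 host=srv-fs01 event=logon user=j.smith',
    '2023-05-29T02:43:55 host=fw01 event=fw_change user=j.smith action=disable rule=egress_deny_all',
    '2023-05-29T02:45:30 host=dc01 event=group_add user=j.smith group="Domain Admins"',
    '2023-05-29T03:00:00 host=bk01 event=logon user=svc_backup',
    '2023-05-29T08:15:02 host=ws17 event=logon user=j.smith',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one log line into a dict; the leading timestamp becomes ev['ts']."""
    ts, rest = line.split(" ", 1)
    ev = {k: v.strip('"') for k, v in KV.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def check_event(ev, baseline=BASELINE):
    """Return the list of reasons this event looks abnormal (empty = fine)."""
    alerts = []
    user = ev.get("user", "?")
    # Firewall rules being disabled or deleted are always worth a look.
    if ev.get("event") == "fw_change" and ev.get("action") in {"disable", "delete"}:
        alerts.append(f"firewall rule {ev.get('rule')} {ev['action']}d by {user}")
    # Privilege elevation through membership of an admin group.
    if ev.get("event") == "group_add" and "admin" in ev.get("group", "").lower():
        alerts.append(f"{user} added to privileged group {ev['group']}")
    # Logons are compared against the per-account baseline.
    if ev.get("event") == "logon":
        profile = baseline.get(user)
        if profile is None:
            alerts.append(f"logon by account with no baseline: {user}")
        else:
            if ev.get("host") not in profile["hosts"]:
                alerts.append(f"{user} logged on to unusual host {ev.get('host')}")
            if ev["ts"].hour not in profile["hours"]:
                alerts.append(f"{user} logged on outside usual hours ({ev['ts'].hour:02d}:00)")
    return alerts


def scan(lines):
    """Run every line through check_event; return (timestamp, user, reason) triples."""
    findings = []
    for line in lines:
        ev = parse(line)
        for reason in check_event(ev):
            findings.append((ev["ts"].isoformat(), ev.get("user"), reason))
    return findings


if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG):
        print(ts, user, reason)
```

On the sample, the 02:41 logon from an unfamiliar file server at an unusual hour, the disabled egress rule and the admin-group addition all land on the same account within minutes, which is the kind of clustering a defender wants surfaced before encryption starts; the two baseline-conforming logons produce nothing.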

So what now?

Focusing on what we do know of ransomware TTPs can already help far more than we might imagine. In an ideal world, we would have the complete picture, but since this is not the case, we need to find ways to limit the damage and make ransomware attacks as difficult as possible for threat actors to carry out. We should continue to focus on the techniques instead of on group attribution. Focus on the factors we can know and go from there. Focus countermeasures on the most impactful places and work to make threat actors' tasks harder. By making an attack harder and longer, there is a higher probability that threat actors make a mistake and get detected, which gives defenders a chance to defend and protect their infrastructure.

Internal discovery is very important for threat actors; they might know what they want, but not exactly where it is hiding. For example, they know that a file like revenue2022.xlsx must exist, but where in the infrastructure? They will need to look around before making a move. Sure, certain locations are more likely than others, but until they have done their internal discovery, they do not know for certain. The point of ransomware is to extort you based on fear and pain. If organizations had nothing to hide, ransomware would not be today’s business. Thus, ransomware groups seek what will hurt the business. Organizations need to know what data would hurt them and protect those secrets. Employees’ data should be in that category of guarded secrets. Internal threats remain one hell of a problem. Moving back to the original point, making it harder for them to find the files they are looking for can buy time for the defensive teams to mitigate the attack.
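The "look around before making a move" phase leaves a trace: one account touching many unrelated directories in a short time. The block below is an added example, not code from the original post or its authors, that flags such a discovery burst with a per-account sliding window over file-access audit lines. The audit-line format, the share paths, the accounts and the threshold of five distinct directories in two minutes are all constructed; a real deployment would tune the window and threshold to its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the original post). The audit-line format, accounts,
# paths and thresholds are constructed for illustration.

WINDOW = timedelta(seconds=120)   # sliding window per account
THRESHOLD = 5                     # distinct directories within one window

# Constructed file-access audit lines, in time order: "<iso-timestamp> <account> <path>"
SAMPLE_ACCESS_LOG = [
    "2023-05-29T02:50:00 j.smith //fs01/finance/revenue2022.xlsx",
    "2023-05-29T02:50:12 j.smith //fs01/hr/salaries.xlsx",
    "2023-05-29T02:50:30 j.smith //fs01/legal/contracts.docx",
    "2023-05-29T02:50:47 j.smith //fs01/it/backups/schedule.txt",
    "2023-05-29T02:51:05 j.smith //fs01/exec/board-minutes.pdf",
    "2023-05-29T02:51:20 j.smith //fs01/rnd/roadmap.pptx",
    "2023-05-29T09:00:00 a.lee //fs01/sales/pipeline.xlsx",
    "2023-05-29T09:20:00 a.lee //fs01/sales/q2/forecast.xlsx",
    "2023-05-29T09:55:00 a.lee //fs01/sales/pipeline.xlsx",
]


def parse_access(line):
    """Split one constructed audit line into (timestamp, account, path)."""
    ts, user, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, path


def find_discovery_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {account: time_first_flagged} for accounts that touched at least
    `threshold` distinct directories within `window`.

    Lines must be in time order per account. A directory is the path minus
    its final component, so repeated opens of one file never count twice.
    """
    recent = defaultdict(deque)    # account -> deque of (timestamp, directory)
    bursts = {}
    for line in lines:
        ts, user, path = parse_access(line)
        directory = path.rsplit("/", 1)[0]
        q = recent[user]
        q.append((ts, directory))
        # Drop entries that have fallen out of the window for this account.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and user not in bursts:
            bursts[user] = ts
    return bursts


if __name__ == "__main__":
    for account, when in find_discovery_bursts(SAMPLE_ACCESS_LOG).items():
        print(f"discovery burst: {account} at {when.isoformat()}")
```

In the sample, `a.lee` revisits the same two sales folders over an hour and is never flagged, while `j.smith` sweeps finance, HR, legal, IT and executive shares inside 65 seconds and is flagged on the fifth distinct directory; that flag arrives while the attacker is still searching, which is the window the post says defenders need.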

Instead of focusing on each ransomware group’s unique tactics, techniques, and procedures, we should look at common behaviors. This allows defense teams to concentrate their countermeasures and increase the likelihood that they work. We recommend inventorying the most valuable assets and what needs to be protected at all costs. Have plans to defend them based on commonly used TTPs and give your defensive team a chance to fight back. Ransomware continues to change, but some things do not; let’s use that to the defenders’ advantage.
