Cybercrime is a billion-dollar industry that is constantly evolving. Innovation is at the heart of these criminal enterprises: hackers and fraudsters must continuously overcome advances in technology and forensics while staying ahead of law enforcement. When it comes to ransomware, the practice of encrypting victims' data and demanding payment for its return, things are spiraling out of control. The actors behind these attacks now seek out and take down the most critical targets, and they are successfully fielding new ways to extort their victims. The ransomware problem has become so prolific and dire that we should no longer view it as a mere nuisance or business risk; we should consider it a grave threat to global security.
In recent years, Mandiant has witnessed an increasing number of ransomware operators deploy their payload only after thoroughly compromising a network. Rather than indiscriminately targeting victims, operators are going after critical organizations with both the means and the motivation to pay enormous ransoms. Once inside, operators move laterally through the victim network, deleting or encrypting backups if they can find them, and only then deploy their malware on the most sensitive systems. The result is highly effective, network-wide ransomware deployments guided by a human operator, rather than opportunistic, indiscriminate infections that affect only a handful of machines.
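The backup tampering described above is one of the few reliable signals a defender gets before encryption starts. The following detection logic is an added example and is not code from the original post or from Mandiant; it assumes process-creation telemetry (for instance Sysmon event ID 1 or Windows Security event ID 4688) has already been normalized into records with `host`, `user` and `cmd` fields, and the events below are constructed for illustration. The command patterns it looks for (Volume Shadow Copy deletion, backup-catalog deletion, disabling Windows recovery) are the common pre-encryption steps; the list is an assumption and should be extended for your environment.

```python
"""Flag backup-tampering commands in process-creation telemetry.

Added example, not from the original post. Assumption: events are
dicts with "host", "user" and "cmd" keys, e.g. derived from Sysmon
EID 1 or Windows Security EID 4688. Sample events are constructed.
"""
import re

# Assumed list of common pre-encryption backup-tampering commands.
BACKUP_TAMPER_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def classify_command(cmd):
    """Return the name of the first rule that matches cmd, or None.

    Read-only commands such as 'vssadmin list shadows' do not match,
    which keeps routine administration out of the findings.
    """
    for name, pattern in BACKUP_TAMPER_RULES:
        if pattern.search(cmd):
            return name
    return None


def scan_events(events):
    """Scan normalized process-creation events.

    Returns (findings, hosts_at_risk):
      findings      - list of (host, user, rule, cmd) for every matched event
      hosts_at_risk - sorted hosts where two or more distinct tampering
                      techniques were seen; this combination is the
                      pattern to escalate as likely pre-encryption staging
    """
    findings = []
    rules_per_host = {}
    for ev in events:
        rule = classify_command(ev["cmd"])
        if rule is None:
            continue
        findings.append((ev["host"], ev["user"], rule, ev["cmd"]))
        rules_per_host.setdefault(ev["host"], set()).add(rule)
    hosts_at_risk = sorted(
        host for host, rules in rules_per_host.items() if len(rules) >= 2
    )
    return findings, hosts_at_risk


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "svc_backup",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "user": "svc_backup",
     "cmd": "wmic shadowcopy delete"},
    {"host": "dc01", "user": "admin",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "web02", "user": "jdoe",
     "cmd": "vssadmin.exe list shadows"},
    {"host": "fs01", "user": "svc_backup",
     "cmd": "wbadmin delete catalog -quiet"},
    {"host": "ws17", "user": "jsmith",
     "cmd": "notepad.exe C:\\Users\\jsmith\\notes.txt"},
]


if __name__ == "__main__":
    found, escalate = scan_events(SAMPLE_EVENTS)
    for host, user, rule, cmd in found:
        print(f"{host:6} {user:12} {rule:26} {cmd}")
    print("escalate:", escalate)
```

Against the constructed events, the three distinct techniques on `fs01` under one service account are what should page an analyst; the single `bcdedit` event on `dc01` is still worth a ticket, and the `list shadows` command on `web02` is correctly ignored.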
Gaining access to critical systems allows ransomware operators to demand higher ransom amounts and increases the pressure to pay quickly. As criminals seek out more critical prey, the consequences grow more dire, and not only in economic terms. Municipal networks, which run many critical civil services, have been particularly affected by this method, and many cities have been forced to pay exorbitant ransoms to bring themselves and their communities back online. Ransomware incidents have already impacted some election systems, possibly because the actors involved were already familiar with state and local government networks.
Now our hospitals are under siege by ransomware attacks that are disrupting patient care. Several U.S. hospitals have been hit, and in Germany, one death may even be connected to an attack. Under present circumstances, physically dangerous incidents are inevitable. Though there has always been some question about the willingness of threat actors to cross this line, actors such as UNC1878 have proven to be cruel and unrestrained. In fact, the criticality of these systems may have only incentivized these criminals to target them.
The COVID-19 pandemic has also underscored the danger of ransomware. The danger to hospitals and their patients will only be compounded by another rise in infections, which overburdens hospitals and leaves little room for error. Research laboratories working to develop vaccines and treatments have been targeted as well. Even when the availability of these systems is crucial to alleviating human suffering worldwide, some of the least scrupulous operators have shown no restraint. Cyber espionage operators from Russia, Iran and China have targeted these organizations too, but we doubt that even they would have the gall to disrupt them for ransom.
Cyber criminals are also now combining ransomware deployment with data theft and extortion, threatening to leak sensitive data stolen from their targets via websites they control. In essence, this adds a second point of leverage: a victim that can restore from backups still faces public exposure of its data, which increases the pressure to comply with the group's demands. This brash method has caught on with several actors who recognize the opportunity for major paydays. Ransomware operators are increasingly abandoning restraint in favor of an aggressive and loud approach to their victims.
Another worrisome trend we have witnessed this year is an increased threat to the operational technology (OT) networks that run the industrial processes in our most critical infrastructure. Mandiant Threat Intelligence observed at least seven ransomware families incorporate some capability to interrupt OT processes. This capability could allow threat actors to disrupt critical systems with kinetic, real-world impact, such as shutting down machines in a plant or destabilizing a device in a hospital. As ransomware operators penetrate industrial processes, the effects of their actions may become unpredictable.
A group exemplifying both the trend of data leakage as an extortion tactic and the use of ransomware that impacts OT assets is FIN11. Active since at least 2016, this group has historically been involved in various financially motivated crimes, including point-of-sale compromises. In 2019, however, the group shifted its focus to ransomware operations, using the increasingly infamous CLOP ransomware family. Now, in 2020, FIN11 has joined many of its peers in employing data theft and extortion to pressure victims, and has succeeded with demands of as much as $10 million USD.
Disruptive and destructive cyber attacks by state actors receive significant attention—and they should; Russia, Iran and North Korea have all demonstrated an interest in attacking critical infrastructure to disrupt our lives and livelihoods. But the reality is that the threat posed by those actors may never overshadow the threat posed by ransomware operators right now; a threat we believe will continue to grow and mutate until we take it seriously. Like those capabilities being developed by foreign adversaries, ransomware is a threat to the global community and deserves our full attention and resources.
For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform.