Recently, the U.S. Justice Department officially accused Chinese cybercriminals of launching ransomware attacks against U.S. businesses. Specifically, the charges alleged that Chinese state-sponsored hackers had exploited vulnerabilities (since patched) in Microsoft Exchange Server over two months, linking those exploits to a number of ransomware activities, including DearCry.
The DearCry ransomware itself was very much “ransomware for beginners,” lacking the more sophisticated attack or detection characteristics you’d expect from a nation-state-linked ransomware package. And in general, we find that ransomware operators typically operate either from the dark web or from compromised servers hosted in a country that the attackers themselves don’t live in.
That distance between attack and attacker makes attribution hard (though not impossible), so the Justice Department’s allegation that the hackers behind Exchange-related ransomware like DearCry and Black Kingdom were actually working for Chinese intelligence marks a new escalation on the international ransomware front, especially since other international partners, from the U.K., Australia and Japan to the European Union and NATO, joined in the condemnation.
Earlier this year, I had hopes that our global ransomware problem was improving, not worsening. Despite highly publicized stories of ransomware attacks during the pandemic last year, new independent research found that the number of ransomware attacks from 2017 to 2020 had actually been declining, rather than increasing.
But looking at the landscape of 2021 ransomware attacks – from Colonial Pipeline to Kaseya to the alleged DearCry and Black Kingdom hacks from China – it’s clear that whatever ransomware attacks have lost in quantity, they’ve more than made up in quality.
Ransomware isn’t just getting worse; it’s becoming a full-blown international crisis.
Blurring the lines between nation-states and private ransomware groups
That ransomware has become such a crisis is a testament to how much harder attacks have become to detect and thwart. That’s because the attacks themselves have become significantly more sophisticated, with private ransomware organizations beginning to mimic the tactics, techniques, and procedures (TTPs) of nation-states – or nation-states directly putting these hackers onto their payroll.
As a result, more mature TTPs that we’d previously seen used predominantly by nation-states – exploiting zero-day vulnerabilities, launching in-memory attacks, targeting supply chains and distribution points – have become more widespread among attackers of all stripes. And naturally, the more ransomware attackers there are using sophisticated TTPs, the easier it is for these ransomware attacks to successfully infiltrate their targets.
4 key pillars for a global anti-ransomware strategy
The escalating threat of ransomware – both in the nature of the attacks and the origin of the attackers themselves – demands an escalating response from businesses and governments around the world.
Taking the wind out of ransomware’s sails comes down to four major countermeasures:
- An international response: Many cybercriminal groups live in countries where their local governments will neither pursue them with criminal charges nor extradite them to countries that will. That’s to say nothing of the nation-states themselves, which may have some of these hackers on their government payroll. As long as certain corners of the globe are harboring, or even outright facilitating, ransomware attacks, the international community in turn needs to combat that with a unified response. The White House, G-7 and NATO summit statements on ransomware earlier in the year were a good first step; the international condemnation of Chinese cybercriminals in the DearCry and Black Kingdom attacks builds upon that. But there needs to be a consistent and strong diplomatic effort in condemning nation-state ransomware attacks, with real enforcement behind that condemnation. Ransomware deserves a global response, and one that’s more than just a strongly worded letter.
- Pairing anti-ransomware software with human-led threat hunting: Simply installing anti-ransomware technology, like endpoint protection, is not enough. Defensive technologies need to be complemented with human experts who are able to proactively monitor and hunt for threats, detecting the red flags that more automated approaches might miss. If an organization doesn’t have these capabilities in-house, they should consider partnering with a security operations center that does.
- Good IT hygiene: This is a basic one, but it remains essential in large part because so many organizations still aren’t practicing it. Key IT hygiene measures include:
  - Training employees so they know how to identify phishing attacks and to whom they should report those attacks.
  - Securing any internet-facing unprotected interfaces.
  - Installing two-factor or multifactor authentication across the corporate network.
  - Backing up critical data and systems to separate networks or off-site locations.
- Don’t pay the ransom: I know this is a hard call, and it’s easy when you’re not the one being extorted to say, “oh, just don’t pay the ransom.” But the truth is, paying the ransom doesn’t help anyone. Paying ransoms incentivizes future ransomware attacks by making it a profitable business for attackers. And it doesn’t necessarily win back an organization’s data, either, which is the whole reason you’d pay to begin with. On the contrary: more than 90% of organizations who do pay the ransom end up not getting all of their data returned. In fact, many ransomware victims who pay don’t get back any of their data, period. Organizations are more likely to restore their data from their own backups than to get them back from paying off attackers.
The ransomware crisis is getting worse, and new allegations of Chinese state-sponsored cybercriminals attacking U.S. businesses with ransomware are proof of the darker turn this trend is taking. But the combination of a coordinated global response (with real enforcement behind that response), human-led threat hunting paired with anti-ransomware technology, organizations practicing basic IT hygiene, and a refusal to pay attackers can all help to finally start turning the page on this crisis.
About the Author:
Dan Schiappa is the chief product officer at Sophos.