Only up to five percent of ransomware cases are caused by phishing - interview
Humans are said to be the weakest link in cybersecurity. Yet, when it comes to ransomware, only two to five percent of them are caused by an inattentive person clicking on a phishing email.
According to the FBI, more than 4,000 ransomware attacks occur daily. Average ransomware payments increased by 82%, reaching a record high of $570,000 in the first half of 2021 compared to 2020.
Security experts believe that the level of sophistication and scale of cyberattacks will continue to increase, causing record-breaking financial losses.
Ransomware victims tend to be less diligent in maintaining good cybersecurity hygiene. SecurityScorecard's Data Science team performed a statistical analysis to identify cybersecurity vulnerabilities that are more prominent among recent ransomware victims than among organizations not attacked by ransomware.
Ransomware victims have lower scores for several cyber risk factors, principally DNS health, endpoint security, network security, patching cadence, and social engineering.
"Phishing is a way [to plant ransomware], but the majority of the cases I've seen are coming through the selling of stolen credentials," says Ryan Sherstobitoff, VP of Cyber Threat Research & Intelligence at SecurityScorecard.
Recently, the company's Investigation and analysis team has compiled a detailed intelligence summary aimed at helping organizations reduce the risk of compromise from BlackMatter ransomware attacks. CyberNews asked Sherstobitoff what makes BlackMatter, which, by the way, recently claimed to be shutting down, stand out from other ransomware groups, and what makes some companies more susceptible to a ransomware attack than others.
Sherstobitoff's team hasn't seen much of BlackMatter's activity since they shut down, but experts are reviewing this further.
By the way, shutting down is probably not the most accurate way to describe a ransomware group disappearing from the grid. Most often, they rebrand to mislead researchers and law enforcement.
How does BlackMatter stand out from other ransomware families?
From our intelligence analysis, BlackMatter is essentially almost like a rebranding of DarkSide and REvil, but essentially, learning from the mistakes of those ransomware operators to be able to be more successful. We found that many ransomware groups, not only BlackMatter, have connections to Russian infrastructure. We see connections to Russian advanced persistent threat (APT) groups. It highly suggests a sharing of IP assets amongst the groups and sharing of infrastructure used by APT attackers. A number of state-sponsored Russian groups have been seen to actually use the same infrastructure that we have found through BlackMatter itself.
How targeted are they? Some say that BlackMatter, as well as many other ransomware gangs, choose their targets carefully. Meanwhile, others claim they pick victims at random from what initial access brokers offer.
It ranges. It can be targeted, and it can also be opportunistic. We even saw that with REvil. It was opportunistic as well as targeted. We can see targeted attacks. It's not uncommon. Especially the fact that infrastructure is overlapping with APTs, and historically, APTs have been very targeted per se. There's also a sense that it will be targeted at some point, especially towards environments that will yield high results in terms of monetary returns. Because BlackMatter is a group in its infancy, from a suspect point of view, it could be a make-up of previous operators or affiliates of other ransomware groups. DarkSide went offline, REvil had its ups and downs, REvil disappeared from the internet for some time and was relaunched by some of the affiliates, but it didn't remain that stable. BlackMatter is kind of a learning lesson for ransomware, being able to operate using the lessons learned from those other groups, like not getting their Tor servers taken over, things like that, or gaining attention from law enforcement by attacking critical infrastructure.
Recently, I attended the CyberSecure conference by MIT Tech Review. Some experts said that certain ground rules are being established in the underground world. For example, threat actors understand that they can't be too big or too successful or attack critical infrastructure because they attract too much attention. Is Colonial Pipeline something that made them realize that you have to target less critical victims?
That is certainly the case there. Especially after Colonial Pipeline, there was a general ban of ransomware advertisements on many popular dark web forums, causing many of these actors to shift to things like Discord or private messages. They have definitely taken the lesson from not only Kaseya but also from Colonial Pipeline. They can't be too visible, and also they have to be careful as to where they advertise. Nowadays, you can't see typical random postings by these actors in these dark web forums given the restrictions now.
Do you have any insights on BlackMatter's victims? Is there anything in common, maybe some vulnerability, or a mistake they made and got attacked as an aftermath?
I haven't seen a pattern yet. The analysis is in a fairly early stage right now. From a victimology perspective, it appears random at this point. That might be intentional to avoid raising suspicion. I can't pinpoint an exact pattern at this point. We will have to wait and see.
[BlackMatter actors have attacked numerous US-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero. In September, a major US farm service provider, New Cooperative Inc., was hit by the BlackMatter ransomware.]
During the CyberSecure conference, I learned about Fabian Wosar - a ransomware slayer - who, with a team of volunteers, hunts for vulnerabilities in ransomware payloads to help victims decrypt their data without paying the ransom. Is that something you see very often? Or is it something out of the ordinary?
Security researchers are always going to be analyzing the malware involved in it. Projects are out there that are working to find ways of decrypting the ransomware without paying. It's not a new trend of trying to find ways to bypass ransomware. That's not new. That's a trend that has been happening for years.
SecurityScorecard developed a sophisticated machine learning model that estimates the relative likelihood of a company falling victim to a ransomware attack. The predicted likelihood could be used to warn at-risk organizations and to assist insurance carriers offering cyber-insurance policies. The chart below shows the most common cybersecurity flaws in the organizations that fell victim to attack and the non-ransomware cohort.
Tell me, what, according to your analysis, makes a company susceptible to a ransomware attack the most?
It varies, but mostly the vulnerabilities that would enable remote code execution. The obvious ones are open remote desktop protocol, VNC, and anything that allows remote access to the network. Products that might allow a ransomware actor to introduce code into your environment make you susceptible. Any products or services that would enable an entry point into a victim's network make you susceptible, essentially. The most common ones are RDP (remote desktop protocol) and VNC (virtual network computing), because access brokers essentially sell those credentials on the dark web, which would then enable a ransomware actor to get in, or secondarily, they do brute-force scanning to try to brute-force RDP credentials on a company's attack surface. Those are the two ways that you would get hit.
What about the human factor? How often can a company fall victim to ransomware due to a phishing email?
Phishing is a way [to plant ransomware], but the majority of the cases I've seen are coming through the selling of stolen credentials. So stolen credentials can essentially be obtained through phishing. But a lot of those are coming from RDP, VNC, or remote access points into the environment. Phishing, I would say, would make about two to five percent, whereas the rest is about remote access services exposed to the internet. The more products and services you have exposed to the internet without proper controls, the easier it is for an attacker to take advantage of your attack surface and find an entry point. The less you have, the less susceptible you are to ransomware.
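Sherstobitoff's point that exposed RDP gets hit by credential brute-forcing maps onto a concrete detection a defender can run over Windows Security logs. The block below is an added example, not code from the interview or from SecurityScorecard: it parses constructed, simplified 4625 (failed logon) records and flags source IPs that exceed a failure threshold against RDP inside a sliding time window; the column layout, the 5-failure/5-minute thresholds and the sample IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified Windows Security 4625 (failed logon) records, not real telemetry.
# Columns: timestamp, event id, logon type, account, source IP. Logon type 10 is RemoteInteractive
# (RDP); with NLA enabled, failed RDP attempts commonly appear as type 3, hence rdp_logon_types.
SAMPLE_EVENTS = """\
2021-11-02T03:00:01 4625 10 administrator 203.0.113.7
2021-11-02T03:00:02 4625 10 admin 203.0.113.7
2021-11-02T03:00:04 4625 10 administrator 203.0.113.7
2021-11-02T03:00:05 4625 10 root 203.0.113.7
2021-11-02T03:00:07 4625 10 guest 203.0.113.7
2021-11-02T03:00:09 4625 10 admin 203.0.113.7
2021-11-02T03:00:10 4625 3 backup 203.0.113.7
2021-11-02T08:15:00 4625 10 jsmith 198.51.100.5
2021-11-02T08:15:30 4625 10 jsmith 198.51.100.5
"""

def parse_events(text):
    """Parse the whitespace-separated records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "src": src})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          rdp_logon_types=(10,)):
    """Flag sources with >= threshold failed RDP logons inside any sliding time window.
    Returns {src_ip: {"failures": max count in one window, "users": distinct accounts}}."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in rdp_logon_types:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(src, {}).get("failures", 0):
                users = {e["user"] for e in evs[start:end + 1]}
                hits[src] = {"failures": count, "users": len(users)}
    return hits
```

The two legitimate-looking failures from 198.51.100.5 stay below the threshold, while the password-spray pattern from 203.0.113.7 (many accounts, seconds apart) is flagged; passing `rdp_logon_types=(10, 3)` also counts the NLA-style type 3 failure.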