How Ransomware is Mutating Like a Virus

The key to ransomware proliferation lies in its sophisticated corporate structures (3 min read)

One of the scariest talks at last month’s SXSW conference explained how ransomware is mutating like a virus. The key to its proliferation lies in the sophisticated corporate structures that ransomware groups have built. But that same structure is also providing law enforcement with opportunities to disrupt bad actors.

Large ransomware operations use divisions of labor similar to those of legitimate corporations. According to Fred House, Senior Director of Detection Research and Operations at Trellix, ransomware operators research their victims to identify the most lucrative targets. They invest in building brand awareness among hackers. They have human resource departments, call centers, and electronic portals that help them manage negotiations with victims.

This structure makes it possible for ransomware groups to manage attacks that reach multiple victims from a single intrusion. Managed service providers (MSPs) are a prime target for this strategy.

A single MSP often manages cybersecurity for dozens of customers, many of them in the same field. House explained that, while some attackers will negotiate directly with the MSP to restore service, others have the scale and workforce to go after each of the MSP's clients individually, whether they are hair salons, as in the example House used, or banks. This arrangement can force MSP clients to negotiate with attackers on their own.

Working with MSPs is a common practice for community banks, which should discuss these scenarios with their managed service providers. It is important to understand what the protocol is for handling negotiations after a ransomware attack, and what resources the bank will need at the ready in that event.

Beyond the sophistication of their operations, the business models of ransomware groups are a critical driver of the proliferation of attacks.

Instead of keeping their hacking efforts in-house, many ransomware groups now farm that work out to thousands of individuals who infiltrate networks and compromise victims on behalf of the group under an affiliate structure.

The group provides the code and infrastructure. It organizes different builds of its malware into campaigns and assigns individual affiliates to those campaigns. Campaign numbers are used to track successful infections and to calculate the profit share owed to the affiliate after the victim pays a ransom.

But the model driving all this growth is also helping authorities take down prolific actors. For example, REvil ransomware hackers were recently captured and had millions in crypto assets seized after the U.S. Department of Justice identified them by their affiliate numbers, which were embedded in the malware found on infected machines. House explained, “that simple, technical need to identify a malware sample with a campaign and the affiliate has literally led to the ability to attribute the scope of a ransomware operator's crime.”

Even in this complex environment, the steps an organization must take to prepare for an attack are straightforward, though they are not easily completed. House left the audience with these top tips:

  1. Know what your firm has on the internet. “You need to be continuously scanning your public facing infrastructure and securing it,” House said. “You can't have things like RDP [remote desktop protocol] servers on the public internet anymore.”

  2. Be able to patch systems fast. Companies no longer have the luxury of delaying patches to avoid service interruptions. They must be deployed quickly.

  3. Have secure backups of your data, kept offline or immutable so an attacker who gets into the network cannot encrypt or delete them, and tested by actually restoring from them.

  4. Use endpoint protection that is configured not just to generate alerts but to actually block threats.

  5. Have answers to the tough questions ahead of time. “If you are the victim of a ransomware attack, who in your company is authorized to make a payment?” House asked. “What are the obligations in your industry for reporting? What data are you willing to lose? How long can you afford for your business to be disrupted while you try to negotiate?”
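As an added example, not taken from House's talk or from Alloy Labs material, the following Python check implements the first tip above: it probes a list of hosts for services that should never face the internet and reports any that answer. The port-to-service list is an assumed policy, and the run at the bottom uses a loopback listener constructed for the example so that it works offline; in real use you would point scan_exposure at your public IP ranges, run it on a schedule, and diff each run against the last. Practitioners usually reach for nmap, masscan, or an attack-surface-management product for this; the point here is the shape of the check.

```python
import socket
from contextlib import closing

# Services that should not be reachable from the public internet.
# This list is an assumption for the example, not a list from the talk.
DEFAULT_POLICY = {3389: "RDP", 445: "SMB", 23: "Telnet", 5900: "VNC"}


def is_tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            # Refused, filtered, or timed out: not reachable from here.
            return False
        return True


def scan_exposure(hosts, policy=DEFAULT_POLICY, timeout=1.0):
    """Probe every host for every port in the policy and return the violations,
    each as a dict with host, port and the service name the policy gives it."""
    findings = []
    for host in hosts:
        for port, service in sorted(policy.items()):
            if is_tcp_open(host, port, timeout):
                findings.append({"host": host, "port": port, "service": service})
    return findings


def format_report(findings):
    """Render findings as one line per violation, suitable for a ticket or alert."""
    if not findings:
        return "no forbidden services exposed"
    return "\n".join(
        f"EXPOSED {f['service']:<6} {f['host']}:{f['port']}" for f in findings
    )


def demo():
    """Self-contained run: a loopback listener stands in for an internet-facing
    RDP server (constructed for this example), and a second port that is bound
    and immediately released stands in for a service that is correctly closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    exposed_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    # Map the loopback ports onto the policy names so the check runs offline.
    policy = {exposed_port: "RDP", closed_port: "SMB"}
    try:
        findings = scan_exposure(["127.0.0.1"], policy, timeout=0.5)
    finally:
        listener.close()
    return findings, exposed_port


if __name__ == "__main__":
    results, port = demo()
    print(format_report(results))
```

A connect-scan like this only tells you that something answers on the port; a follow-up banner grab or a service fingerprint from nmap confirms what it is. Treat any hit on the policy list as an incident to fix the same day, and put remote access behind a VPN or gateway with multi-factor authentication rather than on the open internet.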

For Alloy Labs members looking to explore these topics further, game out scenarios with fellow bank leaders, and vet resources and playbooks to help prepare for a ransomware event, join the Cybersecurity Center of Excellence. If you're not a member yet, reach out to amber@alloylabs.com to learn more.