CyberGuide - Information Security and Cyber Risk Management



Fighting sophisticated ransomware attackers 24/7 with Arete

By Chad Hemenway, Advisen

Marc Bleicher

Please forgive Marc Bleicher and his team of forensics and incident-response pros at Arete if they need to cancel social plans because, without warning and with increasing frequency, they are fielding calls to respond to sophisticated ransomware attacks.

“Ransomware is turning into a true data breach,” said Bleicher, managing director of incident response at Arete. “Exfiltration of data usually takes place prior to encryption of the environment.”

Ransomware has gone through many transformations since it first started to readily appear around 15 years or so. In unison with the constant evolution of technology, attackers engage in research and development to monitor behavior, identify new entries into systems, and find sneakier ways to move within systems without detection.

Ransomware has become a business, and business is booming. Bleicher said the ransomware-as-a-service business model is ramping up variants of this cyber risk. While the Maze ransomware has made headlines, many more organizations are in on the game too, and it takes an experienced response team to know to handle each one.

“Threat actors have taken this model and run it better than some legitimate software companies,” Bleicher said. Ransomware organizations are reinvesting monetary gains back into the “company” and creating new variants, or franchises. They have developed support structures and helpdesks to talk enterprises through the decryption process once keys are purchased.

“Here, we think of attackers as criminals, and they are. You always have that mindset, but you need to consider the socioeconomics of certain parts of the world where this is completely accepted as a legitimate job that may even be supported by their government,” Bleicher explained. “It is a business. They put food on the table for their families this way. They look at it as if their reputation is at stake. They are very professional.”

Once a company has been notified it is a victim of ransomware, Bleicher said Arete gets on an “initial scoping call” with the victim to provide immediate recommendations while the environment is locked down, and visibility is gained into the network to see what’s going on. And, yes, back-ups are often affected, Bleicher said.

This activity is usually the signal to the attackers that the victim has started to remediate, and negotiations begin, Bleicher said.

“We handle the purchase of the decryption key,” he said. “For each ransomware variant we keep track of metrics to determine a range for negotiations. If you negotiation down too low, you run the risk of re-extortion. That’s part of the game.”

The Ryuk ransomware group, for instance, will send tickets to its support desk and everything from negotiations to providing “proof of life” is run within that organization. Ransomware negotiations are run through a set of bosses.

This can be a delicate back-and-forth because both sides have done their homework. Arete knows ransomware groups to develop a course of action but the groups are also likely to have been researching a target’s internal files for some time to come up with a ransom request they think can be paid. Once they gain access, actors are becoming increasingly good at using existing exploits and tools within a company’s system to move around and acquire data without detection.

“The less they introduce new things into the environment, the more they can keep a lower profile – a smaller footprint,” Bleicher said.

When a key is purchased, Bleicher said the “hard work begins.” Arete helps victim enterprises restore and recover its networks to get back up and running. Access to critical systems to resume operations usually can occur within three days, he said.

Bleicher said enterprises should deploy advanced, endpoint detection programs to detect and tools that are remotely suspicious. Also, he recommends offline backups that are secure. He is also concerned about additional collateral-damage attacks after a ransom issue has been settled. Because credentials were likely stolen, he tells companies to change electronic locks. It is additionally difficult to tell what other sensitive data might be put up for sale somewhere else on the Dark Web, or if it could be used for another kind of attack, such as business email compromise.

But, “Ransomware is here to stay,” Bleicher said. “It’ll be around in one form or another because this is how some people make a living.”

Luckily, people like Bleicher and his team at Arete also make a living fighting it.