Trend

Ransomware

Ransomware continued to dominate the 2021 threat landscape, with operators taking new approaches.

Throughout 2021, ransomware remained one of the top threats to every organization. While some groups focused on traditional encryption, 2021 also marked the rise of additional tactics such as double extortion, which amplifies an adversary’s leverage and further compels victims to pay up. Ransomware has become particularly challenging to track and prevent due to several trends we observed in 2021, discussed below.

The affiliate model

One challenge in responding to ransomware intrusions is that different adversaries are often involved at different phases of the intrusion. Ransomware groups usually rely on multiple affiliates to give them initial access to an environment before they encrypt files or take other actions. This makes tracking ransomware groups even more difficult, as intrusions can be a “mix and match” of different affiliates providing access to different ransomware groups.

Red Canary carefully tracks affiliates of ransomware groups and the malware they use, since these adversaries are the ones who sometimes gain initial access to an environment. These affiliates frequently use crimeware such as Bazar and Qbot to gain initial access to an environment, later passing off access to ransomware groups. A few common combinations of malware and ransomware we observed in 2021 include:

| Malware family (precursor) | Ransomware group |
|----------------------------|------------------|
| Qbot                       | Egregor          |
| Qbot                       | Sodinokibi/REvil |
| Qbot                       | Conti            |
| Bazar                      | Conti            |
| IcedID                     | Conti            |

Some things change, but some things stay the same

Challenges in understanding the ransomware landscape are not limited to tracking affiliates and payloads. Defenders must also contend with new groups emerging and others seemingly disappearing (often to be reincarnated in a different form as another group). Some of the ransomware families we bid farewell to in 2021 were Egregor, Sodinokibi/REvil, BlackMatter, and Doppelpaymer. While some seemed to fade away due to law enforcement actions, others disappeared for reasons that researchers haven’t pinned down.

Where one ransomware family disappeared, however, another was ready to step into its place. 2021 saw the dawn of many new ransomware families, including BlackByte, Grief, Hive, Yanluowang, Vice Society, and CryptoLocker/Phoenix Locker. Many new ransomware families displayed close similarities to old families that “disappeared,” leading analysts to assess that known adversaries simply resurfaced using a new name. For example, Grief ransomware displayed many similarities to Doppelpaymer, including its deployment following Dridex malware.

Beyond encryption

A significant ransomware trend in 2021 was the increase in adversaries expanding their threats beyond data encryption. Multiple ransomware groups pivoted to stealing and exfiltrating data before encrypting it, then demanding payment to prevent the data from leaking publicly on a dark web site. While this practice isn’t new (it dates back to at least 2019), what was significant in 2021 was the number of groups who adopted this approach—to the point where it became the standard.

Adversaries realized they could demand payment for more than just the threat of a data leak or encryption. An adversary known as Fancy Lazarus (no affiliation with Fancy Bear or Lazarus Group) extorted victims by threatening to conduct a distributed denial of service (DDoS) intrusion if they didn’t pay.

There is no one simple way to prevent ransomware. The same security approaches you take to prevent any malware also should help prevent ransomware. It’s critical to regularly update software, as we often see ransomware after operators exploit a vulnerability in an internet-facing application. Additionally, internet-facing remote desktop protocol (RDP) connections without multi-factor authentication (MFA) are a common ransomware vector, making MFA for any accounts that can log in via RDP a high priority.

Ransomware also frequently gets into an environment as a follow-on payload for malware delivered via phishing emails. Looking for these malware families, such as Qbot, Bazar, and IcedID, can be an effective way to identify a potential ransomware intrusion chain early and stop it in its tracks. Robust detection for other common post-exploitation behaviors and tools like Cobalt Strike is also effective in limiting the impact of ransomware, as adversaries conduct multiple phases before data exfiltration and encryption.
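One way to put the intrusion-chain idea above into practice is to correlate alerts per host across the phases the page describes (precursor malware, post-exploitation tooling, exfiltration, encryption) and use the precursor-to-ransomware pairings from the table to prioritize triage. This is an added example, not Red Canary's code; the alert line format, stage names and sample alerts are constructed for illustration.

```python
# Added example (not Red Canary's code): correlate endpoint alerts per host into the
# ransomware intrusion chain described above, so a precursor detection is escalated
# before exfiltration or encryption begins. Alert format and sample lines are constructed.
from collections import defaultdict

# Precursor -> ransomware pairings observed in 2021, taken from the table above.
PRECURSOR_TO_RANSOMWARE = {
    "qbot": {"Egregor", "Sodinokibi/REvil", "Conti"},
    "bazar": {"Conti"},
    "icedid": {"Conti"},
}

# Chain stages in the order the page describes them; a higher index is a later phase.
STAGES = ["precursor", "post_exploitation", "exfiltration", "encryption"]

# Constructed alert format: "<timestamp> <host> <stage> <detail>"
SAMPLE_ALERTS = """\
2021-06-01T08:02:11Z ws-17 precursor qbot
2021-06-01T09:40:05Z ws-17 post_exploitation cobalt_strike_beacon
2021-06-01T08:15:42Z ws-22 precursor icedid
2021-06-01T11:03:19Z srv-db1 exfiltration rclone_to_external
2021-06-01T12:27:55Z srv-db1 encryption mass_file_rename
not-an-alert line that should be ignored
"""


def correlate(alert_text):
    """Return {host: {"stage": furthest stage seen, "likely_groups": set}}."""
    hosts = defaultdict(lambda: {"stage": -1, "likely_groups": set()})
    for line in alert_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or parts[2] not in STAGES:
            continue  # skip malformed lines rather than crash on them
        _, host, stage, detail = parts
        rec = hosts[host]
        rec["stage"] = max(rec["stage"], STAGES.index(stage))
        if stage == "precursor":
            rec["likely_groups"] |= PRECURSOR_TO_RANSOMWARE.get(detail.lower(), set())
    return {h: {"stage": STAGES[r["stage"]], "likely_groups": r["likely_groups"]}
            for h, r in hosts.items()}


def triage_priority(summary):
    """Hosts ordered so those furthest along the chain are handled first."""
    return sorted(summary, key=lambda h: -STAGES.index(summary[h]["stage"]))


if __name__ == "__main__":
    result = correlate(SAMPLE_ALERTS)
    for host in triage_priority(result):
        print(host, result[host])
```

A host that is still at the precursor stage (ws-22 in the sample) is the cheapest one to contain, which is the point the paragraph makes about stopping the chain early.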

It’s also important to remember that backups are no longer sufficient ransomware protection. While creating offline backups is an excellent security practice and may help restore an environment after a ransomware intrusion, organizations cannot rely on this entirely because adversaries regularly exfiltrate data before encryption, although this too offers potential opportunities for detection. Backups will allow an organization to get back up and running more easily, but will not protect you against leaked data.

While this report focuses on what security teams can do, when it comes to ransomware, it’s also important to remember that this problem is monumental and extends beyond defenders. Policymakers are also taking a close look at ransomware, and it’s necessary for the security community to help them better understand what we do so they can make better decisions.