Throughout the first half of 2022, Vedere Labs published analyses of prominent ransomware families, such as Conti, Night Sky and ALPHV. We also examined well-known ransomware incidents such as the attacks on the NFL’s SF 49ers by the BlackByte group; on a UK water utility, where the Clop gang managed to access their SCADA system; and on an NHS software provider, where an unknown group managed to disrupt healthcare services in the UK for weeks.
In all these reports, we discussed mitigation actions and often provided indicators of compromise. But chronicling the evolving complexity of the ransomware landscape – with threat actors combining known tactics, techniques and procedures (TTPs) with a growing IoT/OT attack surface – prompted us to go further. In June we released R4IoT, a proof-of-concept for a full attack leveraging IT, IoT and OT, along with mitigation steps for each TTP. This type of attack is applicable in almost every organization nowadays because of the widespread presence of IoT and OT devices and is particularly dangerous in healthcare because of IoMT.
In this blog post, we review several of the events we analyzed this year as well as a few others to explore three trends of ransomware threat actors and what they portend for 2023:
- State-sponsored ransomware – There is a growing number of state-sponsored actors deploying ransomware, either for financial gain or as a subterfuge for espionage operations.
- New mainstream targets – ESXi virtualization servers and network-attached storage (NAS) devices have graduated from fringe to main targets of ransomware actors because of the valuable data they store and their often lax security posture.
- Evolving extortion techniques – Several of the major ransomware threat actors are trying new extortion techniques alongside the tried-and-tested data exfiltration and encryption.
To conclude, we discuss how you can bolster your current defense strategies to account for these developments.
State-sponsored ransomware: Bronze Starlight, Maui, H0lyGh0st
In less than a month, between the end of June and mid-July, the cybersecurity community became familiar with three state-sponsored ransomware groups from two separate countries, China and North Korea. The use of ransomware by state-sponsored actors is not entirely new, since Iran also began employing ransomware in 2020. However, it shows that other nations are exploring this threat vector and points to a trend that can lead to larger consequences: state-sponsored threat actors typically have the funding and the means to cause greater disruption than just exfiltrating or encrypting files. Below, we discuss the three recent incidents.
- Bronze Starlight – On June 23, SecureWorks released a report about Chinese threat actor DEV-0401/Bronze Starlight using several similar ransomware families (LockFile, AtomSilo, Rook, Night Sky and Pandora) against targets across the world since mid-2021 in a campaign believed to be a disguise for espionage rather than focused on immediate financial gain.
- Maui – On July 6, CISA released an alert about North Korean state-sponsored threat actors using the Maui ransomware to target healthcare organizations. The incidents had been observed since May 2021 and encrypted servers responsible for healthcare services, such as electronic health records, diagnostics and imaging services. Two weeks later, on July 20, the Department of Justice announced that they would return $500,000 in ransom payments to two healthcare companies, since they were able to seize extorted funds in cryptocurrency accounts. In August, Kaspersky researchers linked the deployment of Maui to the Andariel threat actor. Maui was designed for manual operation targeting specific files on a system. It lacks some features common in ransomware families used by cybercriminals, such as an embedded ransom note and a key distribution channel. The attacks may have been part of a campaign similar to the Chinese one, where the ransomware is just a distraction or a bonus on top of cyberespionage.
- H0lyGh0st – On July 14, Microsoft announced they were tracking another ransomware used by North Korean actors since June 2021, called H0lyGh0st, which had compromised small businesses in several countries. The researchers noted that this was the work of a separate threat actor (tracked as DEV-0530) with mainly financial motives that, nevertheless, communicated with and used tools developed by Andariel.
New mainstream targets
ESXi virtualization servers and NAS devices are now some of the main targets of ransomware groups because of the valuable data they store, a growing number of exploited vulnerabilities, their internet exposure and their often more-relaxed security posture, since organizations tend to focus on protecting managed endpoints.
Malware has either been created specifically for these environments or adapted for them. Many ransomware families are now written in Go or Rust for better cross-compilation, which typically allows them to target Windows, Linux (which runs on most NAS devices, many servers and several IoT devices) and ESXi with the same software.
We published an analysis of an ESXi version of ALPHV, but many other families targeting these environments exist, such as Lockbit, Cheerscrypt, RansomEXX and Hive (which was recently ported to Rust) as well as several emerging families, such as Luna, BlackBasta and RedAlert/N13V.
Similarly, there are several ransomware families actively exploiting NAS devices, such as Checkmate, Qlocker, DeadBolt and ech0raix/QNAPcrypt. QNAP and Synology are the most popular NAS vendors, thus also the most targeted.
In the near future, we expect even more types of devices to become ransomware targets either for initial access or impact. For instance, at the end of June groups were found to have exploited 0-day remote code execution vulnerabilities in VoIP appliances. These are among the most scanned devices on the internet, which means they could soon become a popular target for ransomware.
Evolving extortion techniques
Ransomware threat actors are constantly evolving and changing their techniques. Double extortion (data exfiltration before encryption) became mainstream in 2021, but in 2022 the major groups have already presented several innovations in their extortion campaigns.
For instance, at the beginning of June researchers uncovered the multiple extortion methods of DeadBolt, a ransomware that targets internet-exposed QNAP and Asustor NAS devices and provides ransom payment options not only for the direct victims but also for the device vendors, so they can obtain master keys to decrypt the files of all their customers impacted by the attack – obviously at a much higher price than for individual keys.
Also in June, the ALPHV gang created a website where customers and employees of their victim organizations could check if their data was stolen. The goal was that the affected people would pressure the victim organization into paying the ransom to remove that data from the web.
In July, the release of LockBit 3.0, a new version of the most prolific active ransomware, brought unusual innovations such as:
- A “bug bounty” program that would pay up to $1 million for bugs in the LockBit software
- A “brilliant ideas” program to improve their site and software
- A set of “affiliate rules” mentioning that critical infrastructure targets should not have their data encrypted but only leaked
- The possibility of allowing other threat actors to buy stolen data
In August, LockBit was the target of DDoS attacks after breaching the Entrust cybersecurity company. In response, LockBit promised to DDoS their victims in the future too, officially moving to a triple extortion model.
Takeaways and mitigation recommendations
There are two main takeaways from the trends observed in the first half of 2022:
- The attack surface is increasing. Not only are IT workstations and servers being targeted by ransomware groups, but also IoT devices such as NAS and VoIP appliances.
- Both cybercriminals and state-sponsored actors are targeting this increased attack surface to deploy ransomware.
The focus on new targets, such as ESXi and NAS, and new techniques, such as targeting IoT and developing innovative extortion methods, tends to trickle down from the major ransomware groups to everyone else, thus increasing the risk for every organization. Case in point: version 2 of the BlackByte group’s ransomware, recently released, copies some of the extortion methods from LockBit 3.0.
Considering these trends, traditional cyber hygiene practices such as asset inventory, patching, credential management and network segmentation must be extended to encompass your entire digital terrain. They must prioritize the increased attack surface based on up-to-date threat intelligence showing what types of devices are currently targeted.
Start by focusing on your ESXi servers and NAS devices. Ensure that you have full visibility on these assets and that they comply with your organization’s security policies. Then extend this to emerging classes of targeted devices, such as VoIP, IP cameras and other vulnerable IoT devices. As this review of 2022H1 demonstrates, ransomware groups and their tactics evolve quickly, so closely follow the work of Vedere Labs and other threat researchers to stay current.
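One way to turn the prioritization described above into a repeatable check, as an added example that is not Vedere Labs code: rank a constructed asset inventory so that ESXi servers and NAS devices are reviewed first, then VoIP, IP cameras and other IoT, then managed endpoints, and flag internet exposure and missing patches on the targeted classes. The inventory field names and scoring weights are assumptions.

```python
# Added example, not Forescout/Vedere Labs code. Ranks an inventory by the
# device classes this post names as current ransomware targets. Field names
# and weights are assumptions; adapt them to your own asset data.

# Review tier per device class, following the order recommended in the post.
TIER = {
    "esxi": 1, "nas": 1,
    "voip": 2, "ip_camera": 2, "iot": 2,
    "workstation": 3, "server": 3,
}

# Constructed sample inventory; none of these hosts refer to a real network.
INVENTORY = [
    {"host": "ws-042", "class": "workstation", "internet_exposed": False, "patched": True},
    {"host": "nas-01", "class": "nas", "internet_exposed": True, "patched": False},
    {"host": "esx-07", "class": "esxi", "internet_exposed": False, "patched": False},
    {"host": "pbx-02", "class": "voip", "internet_exposed": True, "patched": True},
    {"host": "cam-lobby", "class": "ip_camera", "internet_exposed": False, "patched": True},
]


def risk_score(asset):
    """Lower tier number, internet exposure and missing patches all raise the score."""
    score = 10 * (4 - TIER.get(asset["class"], 3))  # tier 1 -> 30, tier 2 -> 20, tier 3 -> 10
    if asset["internet_exposed"]:
        score += 15
    if not asset["patched"]:
        score += 10
    return score


def policy_findings(asset):
    """Policy checks from the post: exposure of targeted classes and patch state."""
    findings = []
    if TIER.get(asset["class"], 3) <= 2 and asset["internet_exposed"]:
        findings.append("exposed to the internet")
    if not asset["patched"]:
        findings.append("missing patches")
    return findings


def prioritize(inventory):
    """Return (host, tier, score, findings) tuples, highest risk first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(a["host"], TIER.get(a["class"], 3), risk_score(a), policy_findings(a)) for a in ranked]


if __name__ == "__main__":
    for host, tier, score, findings in prioritize(INVENTORY):
        print(f"{host:10} tier={tier} score={score:3} {'; '.join(findings) or 'ok'}")
```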
For a deep dive into the current state, evolution and mitigation of ransomware threats, read our eBook: When Ransomware Meets IoT and OT