Cyberweekly #178 - Will 2022 be the year of ransomware?
Published on Wednesday, December 22, 2021
As we go into the next year, the question that flows around is whether ransomware will continue to be the threat to watch in 2022.
It's difficult to give a really convincing argument in either direction. There's a lot changing in the ransomware ecosystem, but I suspect that most of those will have a lagging effect, meaning that even if the most canny operators get out of the game, we'll continue to see a lot of ransomware activity. I think that for most organisations, the risk of ransomware will stay incredibly high over 2022, probably higher than any other risk, but I think it's going to tail off towards the end of the year.
Ransomware actors are mostly rational actors within an economic ecosystem. These aren't like the older hacker groups like Legion of Doom and LulzSec, who were primarily motivated by fun, by reputation and who could attack a company on a whim or for ideological reasons. These modern cybercrime actors are motivated almost entirely by money. If they can continue to get money out of the system, they'll continue to act.
Ransomware operators get a lot of money from cyber insurance. We saw reports earlier in the year of ransomware actors who deliberately set their ransom to values that they knew would be covered by the insurance firm, making sure that the company could pay out with minimal impact on them. It's no surprise therefore to see insurance firms starting to tighten up their insurance definitions. Ciaran produced a good twitter thread trying to understand the language that was being used, and a lot remains to be seen. But we can expect to see at least a few incidents of insurance companies refusing to pay out in the next year if they feel that they can exclude the action.
If that happens, there will be less money available for the criminal actors, and it'll be harder to convert victims into paying customers.
Secondly, if the Corvus research is true (and I will say that the results surprised me), it sounds like there's fewer and fewer victims quarter on quarter as firms up their defences, and in particular, invest in backups ensuring that they can restore operations without paying the ransom. That again reduces the potential number of victims in the ecosystem and reduces the profitability of ransomware.
That will drive ransomware operators to extend their ransomware as a service offerings, because anything that can scale the number of victims will increase the chance of a payout. But we might see some of the bigger operators begin to look for different compromise methodologies. Whatever methodologies they move to, they've got to be able to pay out the sort of money they are after. One of the reasons that ransomware has been so big is because it's really easy to convert from compromise to payout. The growth cyber crime industries in 2022 will be organisations searching for new monetisation strategies.
We can already see some of this in the current crop of supply chain attacks. Google’s numbers show that when hackers compromise your cloud instances, 8 times out of 10, they don’t steal your data or attack your business, they just install cryptomining software on them. That’s the cheapest and simplest thing that an attacker can do, and it results in an immediate cash out for the attackers.
There's a few links to some interesting puzzles and activities you might enjoy over the advent period. as this is the last newsletter of the year. I'll be back in January, hopefully refreshed and with some good reading to help you with your new year's resolutions.
(1) Ciaran Martin on Twitter: "There’s rightly a lot of interest in this from Lloyds of London on cyber insurance & it’s welcome they’ve put something out. The issues for me is that part of the document’s title is the problematic phrase ‘cyber war’, which it does not then try to define 1/4" / Twitter
There’s rightly a lot of interest in this from Lloyds of London on cyber insurance & it’s welcome they’ve put something out.
The issues for me is that part of the document’s title is the problematic phrase ‘cyber war’, which it does not then try to define 1/4
This is one of the best bits of analysis online about the statement from Lloyds around cyber insurance. There's a lot of difficult language in that statement that will be at the determination of the insurers to decide if you are covered
Israel restricts cyberweapons export list by two-thirds, from 102 to 37 countries - The Record by Recorded Future
The Israeli government has restricted the list of countries to which local security firms are allowed to sell surveillance and offensive hacking tools by almost two-thirds, cutting the official cyber export list from 102 to 37 entries.
The new list, obtained by Israeli business newspaper Calcalist earlier today, only includes countries with proven democracies, such as those from Europe and the Five Eyes coalition
Lots of politics are involved in this. But if the other 65 countries have an appetite for surveillance and offensive hacking tools, then I doubt that difficulty buying them direct will stop them.
Of course, by driving the purchase of these tools to more grey markets, that will reduce oversight of the tools, but will also make it more expensive and difficult for non-democratic countries to engage in this behaviour.
The findings come from Corvus Insurance’s Risk Insights Index, which analyzes cyber risk mitigation and claims data, with the commercial insurance firm’s data suggesting that the costs associated with ransomware claims are notably shifting. It discovered that while there was a rise in ransomware claims from Q2 2020 through Q1 2021, they dropped by 50% in Q2 2021, a trend that largely sustained through Q3 2021. Furthermore, ransomware claims resulting in a ransom payment shrank from 44% in Q3 2020 to just 12% by Q3 2021.
The firm surmised that the changes were due to improved focus on preparedness and resiliency by policyholders, with strategies such as effective data backup management allowing for better and more efficient ransomware recovery. The research also suggested that technology vendors with larger customers have more incentive to prevent and recover from a ransomware attack due to the potential legal ramifications of an outage. For example, a company with 250 or more employees is 216% more likely to sue their tech vendor than a company with 10 or fewer employees, and twice as likely as a company with 11-50 employees, the data showed.
Fewer claims means in many cases fewer payouts to ransomware operators, which means fewer profits for those gangs.
The implication here from the Corvus findings is that they think it's because more firms are spending more time and money on defending against ransomware, as well as better defences from the underlying technology providers. The implications of the legal ramifications may well be causing companies to rethink the opportunity cost of putting off critical investment.
Medayedupin reportedly told investigators that for almost a week after he started emailing his ransom-your-employer scheme, nobody took him up on the offer. But after his name appeared in the news media, he received thousands of inquiries from people interested in his idea.
George described Medayedupin as smart, a quick learner, and fairly dedicated to his work.
“He seems like he could be a fantastic [employee] for a company,” George said. “But there is no employment here, so he chose to do this.”
What’s interesting about this case — and indeed likely why anyone thought this guy worthy of arrest — is that the Nigerian authorities were fairly swift to take action when a domestic cybercriminal raised the specter of causing financial losses for its own banks.
After all, the majority of the cybercrime that originates from Africa — think romance scams, Business Email Compromise (BEC) fraud, and unemployment/pandemic loan fraud — does not target Nigerian citizens, nor does it harm African banks. On the contrary: This activity pumps a great deal of Western money into Nigeria.
The media breathlessly reported that the big new threat to your network was going to be insiders deliberately installing ransomware on their own networks.
In reality, very few people responded to this, and I'd wager that the interest marked here was from cybersecurity analysts who wanted to find out how this would work.
Most people understand that if they deploy ransomware on their own company computers, from their account, that they are both highly traceable, and they could face local prosecution. Secondly, done well, their company might go bust, leaving them unemployed. Many of the incentives are simply not aligned for this sort of attack. We might see a couple of instances, but I doubt that it'll become a regular risk the way that externally deployed ransomware is.
Now, in Bugs in our Pockets: The Risks of Client-Side Scanning, colleagues and I take a long hard look at the options for mass surveillance via software embedded in people’s devices, as opposed to the current practice of monitoring our communications. Client-side scanning, as the agencies’ new wet dream is called, has a range of possible missions. While Apple and the FBI talked about finding still images of sex abuse, the EU was talking last year about videos and text too, and of targeting terrorism once the argument had been won on child protection. It can also use a number of possible technologies; in addition to the perceptual hash functions in the Apple proposal, there’s talk of machine-learning models. And, as a leaked EU internal report made clear, the preferred outcome for governments may be a mix of client-side and server-side scanning.
In our report, we provide a detailed analysis of scanning capabilities at both the client and the server, the trade-offs between false positives and false negatives, and the side effects – such as the ways in which adding scanning systems to citizens’ devices will open them up to new types of attack.
We did not set out to praise Apple’s proposal, but we ended up concluding that it was probably about the best that could be done. Even so, it did not come close to providing a system that a rational person might consider trustworthy.
The underlying paper is worth a read as well if you are interested. This is authored by a whose-who of computer security. It determines that client side scanning for such things child sexual abuse material cannot be separated from tools to enable any government surveillance as a technical measure.
That leaves us with democratic and legal measures that ensure that these features are not abused, and that might be ok, but we need to ensure that those measures are appropriate and work globally, which is something our governments and laws have not yet caught up with
Coordinating containers running on a single host is hard. But coordinating containers across multiple hosts is exponentially harder. Remember Docker Swarm? Docker was already quite monstrous when the multi-host container orchestration was added, bringing one more responsibility for the existing daemon...
Omitting the issue with the bloated daemon, Docker Swarm seemed nice. But another orchestrator won the competition - Kubernetes! So, since ca. 2020, Docker Swarm is either obsolete or in maintenance mode, and we're all learning a couple of Ancient Greek words per week.
Kubernetes joins multiple servers (nodes) into a coordinated cluster, and every such node gets a local agent called kubelet. Among other things, kubelet is responsible for launching Pods (coherent groups of containers). But kubelet doesn't do it on its own. Historically, it used dockerd for that purpose, but now this approach is deprecated in favor of a more generic Container Runtime Interface (CRI).
This is a good walkthrough of how containers, docker and kubernetes kind of works underneath. Bonus points for an extensive further reading list at the end.
While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation. Most recently, our internal security teams have responded to cryptocurrency mining abuse, phishing campaigns, and ransomware. Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact.
The cloud threat landscape in 2021 was more complex than just rogue cryptocurrency miners, of course. Google researchers from TAG exposed a credential phishing attack by Russian government-supported APT28/Fancy Bear at the end of September that Google successfully blocked; a North Korean government-backed threat group which posed as Samsung recruiters to send malicious attachments to employees at several South Korean anti-malware cybersecurity companies; and detected customer installations infected with Black Matter ransomware (the successor to the DarkSide ransomware family.)
Across these four instances of malicious activity, we see the impact of poorly-secured customer installations. To stop them, we embrace a shared fate model with our customers, and provide trends and lessons learned from recent cybersecurity incidents and close calls. We suggest several concrete actions for customers that will help them manage the risks they face. Vulnerable GCP instances, spear-phishing attacks, patching software, and using public code repositories all come with risks.
From the report, 86% of compromised cloud instances were used for coin mining, and around 10% were used for scanning for other targets.
Although Google points out the concerns around the most advanced actors, the vast majority of attacker noise out there are people attempting to mine new coins to enable the cryptocurrencies to thrive and prosper.
Malicious Python packages caught stealing Discord tokens, installing shells - The Record by Recorded Future
The operators of the Python Package Index (PyPI) have removed this week 11 Python libraries from their portal for various malicious behaviors, including the collection and theft of user data, passwords, and Discord access tokens and the installation of remote access shells for remote access to infected systems.
According to the security team at DevOps platform JFrog, which discovered this set of malicious libraries, the 11 packages had been downloaded and installed more than 30,000 times before the packages were spotted and reported.
This is a different form of supply chain attack, but one that is still a growing issue for the software community.
There's increasing work on the software bill of materials concept which is designed to attempt to tackle this. While it probably won't prevent all of this, because it simply says that the included libraries are the versions that the author posted, which doesn't help you if the author is malicious. What it will do is help you identify what impact any notification of these libraries has, and trace that throughout your system.
We can't introduce these any better than Maciej Ceglowski did, so read that blog post first.
We've built a collection of 48 exercises that demonstrate attacks on real-world crypto.
This is a different way to learn about crypto than taking a class or reading a book. We give you problems to solve. They're derived from weaknesses in real-world systems and modern cryptographic constructions. We give you enough info to learn about the underlying crypto concepts yourself. When you're finished, you'll not only have learned a good deal about how cryptosystems are built, but you'll also understand how they're attacked.
If you've got some spare time over Christmas, nothing will get you a better understanding of modern cryptographic systems than this set of cryoptographic puzzles.
There's nothing quite like attempting to implement your own cryptographic routines to really understand how it works. Not to mention the experience of looking at a couple of hundred possible decrypts and knowing intuitively which one is the right one, but not being able to get the computer to detect the one that has legitimate plain text in it.
Advent of Code is an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like. People use them as a speed contest, interview prep, company training, university coursework, practice problems, or to challenge each other.
You don't need a computer science background to participate - just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.
It's that time of year again, and there's an advent of code, a set of programming puzzles that you can solve every day throughout advent.
I'm trying this, although I've never yet completed a year with other things like life getting in the way, but you can follow my poor python programming if you want
Some will say gluttony is a sin. But not if you’re a CISO. Of course we’re talking about data here. Ingest all the logs, put something to capture data on every endpoint, every router, switch, and firewall. Ingest it into one on-prem SIEM from where you can send data to your cloud-based SIEM, and a smaller subset to your expensive SIEM that charges you per MB.
Acquire all the threat intelligence you can, 5 sources should be the minimum. Subscribe to analyst reports, and call in trusted advisors every 3 months for a planning session.
That way, whenever anyone asks you a question. Especially if they’re an auditor – you can point them to the logs and say, “it’s in there somewhere” wink at them and walk away. It’s always better to have more data, even if it’s a messy mountain in which you can’t find anything, than not enough data.
Just don’t tell your records management person about it. They’re difficult people to deal with.
Some of you will know that I'm a fan of Mark Delgarno's Anti-Problem process, in which you state how you would deliberately be bad at something. You can use this to identify the things that you currently do that prevent you solving the problem you actually have, It's a neat psychological trick that leans into peoples desire to be sarcastic and critical of things (or at least, it works in the UK very well in my experience).
Javvad is doing much the same thing here. This description of how to succeed as a CISO is of course tongue in cheek, but it's worth noting from this list, which you are actually doing today, and whether that's working for you. If all your projects are Amber, or your SIEM is petebyte scale with few detections, then maybe what you are setting out to do isn't helping you achieve what you need to do.
You would imagine that with most of our lives having moved online in these panoramic times, and with a sharp increase in news of someone, somewhere getting hacked, we would be a little more cautious about what our sacred passwords are. Unfortunately, a list of the most common passwords in 2021 put out by NordPass will leave you with little hope for humanity.
The top-of-the-class honours went to the password “123456,” having been used 103,170,552 times. Come on, people.
Next in line was “123456789,” which meets the eight character minimum requirement, but not much else in terms of actual security. Apart from more highly hackable number combinations, the top 10 list also has “password” and “qwerty” on it. All of these would take less than a second to breach. While 73 percent of the top 200 passwords from 2020 could be cracked in less than a second, the number has gone up to 84.5 percent in the new list.
People are bad at passwords. This should be a truth that we just accept as security researchers.
The best possible way to deal with this is to remove as many rules as possible, only blocking passwords that are known breached or in the top few passwords. Enable MFA for central passwords, and put in place time delays to prevent brute force attacks.