ThreatLabZ update: Pipeline ransomware blues and a new ransomware report

The big news over the last week has been the Colonial Pipeline ransomware attack. How did it happen? Was it preventable? What does this mean for other critical infrastructures? 

Colonial Pipeline halted all operations over the weekend and forced a “precautionary shutdown” in order to mitigate a DarkSide ransomware attack. DarkSide is a ransomware-as-a-service (RaaS) group that develops the ransomware and shares the proceeds with the cybercriminal actors who deploy it. DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data.

Officials say the malware used didn’t spread to the critical systems that control operations, but the fact that it could have is very concerning and demonstrates the dangers posed to infrastructure in today’s world.

The Federal Bureau of Investigation (FBI) released a cybersecurity alert related to the infection, targeting the manufacturing, legal, insurance, healthcare and energy sectors. The Zscaler ThreatLabZ team also released an advisory on how to better protect your organization against DarkSide ransomware. 

As more information comes out, this attack seems to follow a now-typical ransomware attack strategy and pattern: find a (human) security weak point, exploit vulnerable infrastructure, propagate laterally across the network, exfiltrate and encrypt data, and demand ransom.

Ransomware is one of the most frequent topics of conversation that Zscaler ThreatLabZ has with our customers—and for good reason. Ransomware was the third-most common and second-most damaging type of malware attack in 2020: 27 percent of attacks for a total of $1.4B in ransom demands and an average of $1.45M to remediate an incident. With cybercrime up 69 percent compared to 2019, the threat of a ransomware incident weighs heavily on the minds of security leaders, as each incident has the potential to cost millions of dollars in ransom payments, data loss, business disruptions, and reputation damage.

ThreatLabZ Ransomware Review: The Advent of Double Extortion

In a new report titled ThreatLabZ Ransomware Review: The Advent of Double Extortion, the Zscaler ThreatLabZ research team analyzed threat intelligence and data from 150B+ daily transactions on the Zscaler cloud to detail the sharp rise in double extortion ransomware attacks since late 2019, along with other ransomware trends, including DDoS and third-party supply chain attacks. Double extortion gives cybercriminals additional leverage, resulting in larger ransoms and higher success rates.

What we have seen over the past year is an increase in the “double-extortion” tactic in ransomware attacks. The ransomware attack chain involving the double-extortion tactic looks like this:

Figure 1: The double-extortion ransomware attack chain

Attackers use a variety of intrusion vectors to gain access to systems, including phishing emails, exploits of vulnerabilities in remote-access or virtual private network (VPN) tools, and brute-forced or stolen credentials for exposed services such as Remote Desktop Protocol (RDP). Upon success, they proceed to gather information about the victim's infrastructure and move laterally across the network, stealing sensitive data to use as a secondary extortion tactic by threatening to leak it. This provides additional leverage even if the victim is able to recover the encrypted data from backups. Next, they deploy and execute the ransomware, encrypting all the files in the network. Ransomware typically terminates processes related to security software and databases in order to maximize the number of files it is able to encrypt. Shadow copy backups are also usually deleted from the system to hinder file recovery.

Once victims contact the threat actors, the cybercriminals ask for a ransom. Even if the victim is able to recover encrypted data from backups, cybercriminals will threaten to leak the stolen data. If the victim does not engage or pay the ransom, some ransomware actors will wage a distributed denial of service (DDoS) attack on the victim’s network or website to gain additional leverage.
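The two behaviours called out in the attack chain above, termination of security and database processes and deletion of shadow copies, leave a distinct trace in process-creation telemetry. The following is an added detection sketch, not code from the original post or from Zscaler: it parses constructed JSON-lines process-creation events (field names `ts`, `host`, `user`, `cmdline` are assumptions; map them to your own EDR or Sysmon schema), flags the commonly documented shadow-copy deletion commands, and raises a second alert when one host issues a burst of service-stop or process-kill commands within a short window, which is the pattern a ransomware payload produces just before encryption.

```python
"""Detection sketch for the pre-encryption behaviour of double-extortion
ransomware: shadow copy deletion and bursts of service/process termination.
Added example; the log format and thresholds below are assumptions."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of process-creation events (assumption: your pipeline
# emits one JSON object per line with at least ts, host, user and cmdline).
# Service and product names are placeholders, not real software.
SAMPLE_LOG = r"""
{"ts": "2021-05-09T02:11:03Z", "host": "fs01", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2021-05-09T02:11:05Z", "host": "fs01", "user": "CORP\\svc_backup", "cmdline": "net stop ExampleBackupAgent"}
{"ts": "2021-05-09T02:11:06Z", "host": "fs01", "user": "CORP\\svc_backup", "cmdline": "taskkill /F /IM exampledb.exe"}
{"ts": "2021-05-09T02:11:08Z", "host": "fs01", "user": "CORP\\svc_backup", "cmdline": "sc stop ExampleEDR"}
{"ts": "2021-05-09T02:12:30Z", "host": "fs01", "user": "CORP\\svc_backup", "cmdline": "wmic shadowcopy delete"}
{"ts": "2021-05-09T02:15:00Z", "host": "ws22", "user": "CORP\\alice", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"ts": "2021-05-09T02:20:00Z", "host": "ws22", "user": "CORP\\alice", "cmdline": "net stop Spooler"}
"""

# Widely documented shadow-copy deletion commands (vssadmin and wmic).
SHADOW_COPY_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)
# Generic service-stop / process-kill invocations; one on its own is normal
# administration, a burst from a single host is the signal.
STOP_OR_KILL = re.compile(r"^(?:taskkill|net|sc)(?:\.exe)?\s+(?:/f|/im|stop)\b", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines process-creation events; ts becomes an aware datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def detect(events, burst_threshold=3, window_seconds=60):
    """Return findings: one per shadow-copy deletion, one per host whose
    stop/kill commands reach burst_threshold inside a sliding window."""
    findings = []
    stops_by_host = {}  # host -> timestamps of recent stop/kill commands
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["cmdline"]
        if SHADOW_COPY_DELETE.search(cmd):
            findings.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                             "ts": ev["ts"], "cmdline": cmd})
        if STOP_OR_KILL.search(cmd):
            window = stops_by_host.setdefault(ev["host"], [])
            window.append(ev["ts"])
            cutoff = ev["ts"] - timedelta(seconds=window_seconds)
            window[:] = [t for t in window if t >= cutoff]  # expire old entries
            if len(window) == burst_threshold:  # fire once when the burst forms
                findings.append({"rule": "service_stop_burst", "host": ev["host"],
                                 "ts": ev["ts"], "count": len(window)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["host"], f["rule"], f.get("cmdline", f.get("count")))
```

On the constructed sample, host fs01 produces two shadow-copy alerts and one burst alert, while the lone `net stop Spooler` on ws22 stays below the threshold. Tune `burst_threshold` and `window_seconds` against your own baseline of legitimate maintenance activity, and treat a shadow-copy deletion from an account that is not a backup operator as high priority on its own.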

The ThreatLabZ report dives deep into the attack chains, victim profiles, and business impact of a number of notable ransomware families that have used these tactics over the past year, including:

  • Maze/Egregor
  • Sodinokibi/REvil
  • Doppelpaymer
  • Ragnar Locker
  • Avaddon
  • Conti
  • DarkSide

Ransomware is a growing concern across a majority of industries. ThreatLabZ research has broken out the number of verticals hit with double extortion ransomware attacks in the last year from 15 different malware families: 

Figure 2: Ransomware infections by industry

The ThreatLabZ team foresees that ransomware attacks will become increasingly focused on specific industries and organizations with a higher likelihood of ransom payout. Our analysis of recent ransomware attacks reveals that cybercriminals arm themselves with data about the victim's cyber insurance coverage, security posture, and critical supply-chain vendors (who may also become targets of these attacks).

How to protect against ransomware

A Zero Trust architecture and consistent security policy are essential to stopping ransomware. The following broad guidelines are key points in maintaining a security posture designed to limit ransomware (and other cyber attack) success and limit exposure:

  1. Enforce a consistent security policy to prevent initial compromise. With a distributed workforce, it is important for organizations to implement a secure access service edge (SASE) architecture that can enforce consistent security policy no matter where the users are working (in-office or remote). 
  2. Implement zero trust network access (ZTNA) architecture that operates on an adaptive trust model, where trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis defined by granular policies. ZTNA gives users seamless and secure connectivity to private applications without ever placing them on the network or exposing apps to the internet.
  3. Deploy an in-line data loss prevention (DLP) strategy that is consistent for all user devices and servers to prevent exfiltration of sensitive data.
  4. Keep software and training up to date. Conduct regular security awareness training for employees and apply software security patches to reduce vulnerabilities that can be exploited by cybercriminals.
  5. Have a response plan. Prepare for the worst with cyber-insurance, a data backup plan, and a response plan as part of your overall business continuity and disaster recovery program.

Here is how organizations can leverage Zscaler’s Zero Trust Exchange to safeguard against targeted ransomware attacks:

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 100 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

David Larsen

Principal IT Auditor, CISA, GFACT, CERT ITPM, CC, CISSP (Pending)

3 years

Excellent article, thank you!
