At the end of June 2016, a hacker going by the moniker “The Dark Overlord” (TDO) claimed to have compromised a medical Software as a Service (SaaS) company’s product.
As proof, TDO offered to sell the source code and other secrets underlying the software’s infrastructure to the highest bidder, shopping them for approximately 800 bitcoin, or about $500,000.
Why is this significant? It was simply another hacker holding a company ransom which happens all the time, right?
Wrong. This incident seems to be a seismic shift from what has been done previously. It is noteworthy, as it demonstrates a significant move in motivations and may drive a new strategy to how businesses can avoid escalation of ransomware activity.
First, consider the beginnings of ransomware. Back in 2012-13, the goal of ransomware was to send a phishing email to a victim, deceive them to click on a link or open an attachment, then load malicious code that would encrypt data files (Word, PPT, and Excel).
For a few hundred dollars, threat actors would send keys to victims to unlock the files. This was a solid business model for a few years. However, ransomware actors quickly began targeting small businesses with the goal to not only lock a user’s machine, but also attempt to affect file sharing as well as laterally move to other workstations. At this point, perpetrators were netting thousands of dollars from businesses versus a few hundred dollars from individuals.
The ransomware actors seemed content with a small-business approach from 2014 until the spring of 2016. In April/May of this year, threat researchers detected that ransomware actors were attacking web servers. For instance, the SamSam ransomware perpetrators were observed scanning the internet for servers running vulnerable versions of the JBoss platform.
Once a server was compromised through a vulnerable JBoss version, the criminals could establish web shells at will and hold both the server and its data for ransom. This marked a real transition, as criminals raised their demands to the tens of thousands of dollars.
It’s now obvious this action by TDO is the next logical step in the evolution of ransomware as far as outcomes and targets. By pursuing software development teams, TDO has likely found a soft target with the potential for high payoff. A great deal of medical Software as a Service (SaaS) companies are small, if not startups, and as a way to control costs, these growing companies often use the public cloud to host development environments.
Developers love the public cloud’s agility and ease of environment orchestration. Many of these organizations have most likely not budgeted for security in development environments, making them easy prey for actors such as TDO. This exposure is borne out by the security practice known as “honeypots,” in which isolated, non-production networks are stood up to attract attackers so their methods and behaviors can be observed. These exercises routinely record malicious scans within minutes of provisioning.
It appears TDO was able to compromise this particular development environment with ease because security within such small companies is limited or absent. Criminals like TDO now have a myriad of paths to generate revenue and ransom options. First, they could directly threaten the SaaS company, holding its source code and “keys to the kingdom” for ransom. They could also wait until customers adopt the software, then hold those customers for ransom. Or they could offer to sell the SaaS source code to other hackers. TDO has now demonstrated how to execute one or all of these vectors for big money.
With this escalation, the next question is: are ransomware actors becoming more sophisticated or are more sophisticated actors now getting into ransomware? It is most likely a combination, but more so the latter. Why would sophisticated actors pivot from successful data breaches of millions of credit card numbers and medical records to become ransomware actors? The answer is simple: ransomware offers a quicker payoff and an abundance of opportunity for repeat business.
Consider this: credit card records have a short window of value for criminals in the Dark Web where stolen data is sold. Within hours of being used for illegal transactions, more sophisticated fraud detection engages from card brands and banks, making stolen credit card data worthless.
Business owners have no real skin in the game other than paying for incident clean up and letting insurance cover credit monitoring and other fallout. So, the guys with all of the cash are not really paying anything to the cybercriminal. With criminals shifting operations from data theft to ransom, more sophisticated actors are obtaining an immediate payoff from business owners who will do anything to stop the pain and business disruption.
In some of these incidents, thousands of dollars can be lost in minutes, and business owners are motivated to make the problem go away with payment as quickly as possible. As an additional concern, some new ransomware actors are so advanced, they have customer service websites where victims can ensure payment and have their data unlocked. Depressingly, ransomware actors want to make sure they have “happy, repeat customers.”
With a better understanding of the problem, what is to be done? The answer is straightforward. The tried and true route is to protect against data theft. This translates to a solid patching program, engagement of a threat intelligence team that looks for ransomware attacks against infrastructure (such as JBoss), and off-loading the most important data, including critical development environments, to experts who specialize in hosting regulated or “high security” data.
While the outcomes and objectives of cyber threat actors have changed, their method of getting to those outcomes has not. Going back to the basics of protecting data can offer a significant edge in thwarting this metastasizing challenge.
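One concrete form of the “look for attacks against infrastructure such as JBoss” advice above, as an added example that is not from the original article or from Armor: a small Python detector that parses constructed web server access-log lines and flags requests to the legacy JBoss AS management and invoker endpoints (paths assumed from public JBoss documentation), separating mere probing from endpoints that actually answered with HTTP 200 and therefore need immediate attention.

```python
import re
from collections import defaultdict

# Combined access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Management/invoker paths of legacy JBoss AS (assumed from public docs).
# None of these should be reachable from the internet on a production host.
JBOSS_MGMT_PREFIXES = (
    "/jmx-console", "/web-console", "/admin-console",
    "/invoker/jmxinvokerservlet", "/invoker/ejbinvokerservlet",
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_jboss_probes(lines):
    """Map each client IP to the (timestamp, method, path, status) tuples
    of its requests that touched a JBoss management endpoint."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path.startswith(JBOSS_MGMT_PREFIXES):  # tuple = any-prefix match
            hits[rec["ip"]].append(
                (rec["ts"], rec["method"], rec["path"], int(rec["status"])))
    return dict(hits)

def triage(hits):
    """Split findings into scanning sources and endpoints that answered 200,
    i.e. management interfaces that are genuinely exposed, not just probed."""
    exposed = {path.split("?", 1)[0] for recs in hits.values()
               for _, _, path, status in recs if status == 200}
    return {"probing_ips": sorted(hits), "exposed_paths": sorted(exposed)}

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2016:03:14:01 +0000] "GET /jmx-console/ HTTP/1.1" 404 210',
    '203.0.113.7 - - [12/Apr/2016:03:14:02 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 200 4100',
    '203.0.113.7 - - [12/Apr/2016:03:14:03 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512',
    '198.51.100.20 - - [12/Apr/2016:03:20:44 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.21 - - [12/Apr/2016:03:21:10 +0000] "HEAD /web-console/Invoker HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    print(triage(detect_jboss_probes(SAMPLE_LOG)))
```

A 404 from these paths means a scanner found nothing; a 200 means the interface is reachable and the host belongs at the top of the patching and network-isolation queue.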
Jeff Schilling is chief of operations and security at Armor, a cyber security company.