2022 Ransomware Attacks and Evolution of Data Exfiltration

34

By: Anthony Webb, VP International at A10 Networks

Ransomware is one of the most sophisticated and feared attacks in the modern threat landscape. A specialized form of malware, ransomware is designed to forcibly encrypt a victim’s files. The attacker then demands a payment from the victim in exchange for the decryption key to restore access to the data upon payment. Costs can range from a few hundred dollars to millions, in addition to the disruption suffered while data remained inaccessible. And even if the ransom is paid, there’s no guarantee that the promised key will be provided. The ability of a ransomware attack to render its victim’s data inaccessible makes it a far greater threat than simple data theft—making ransomware protection a top cyber defense priority for every organization.

Notable ransomware attacks of 2022

1. Costa Rica ransomware attack (government)

In May 2022 President Rodrigo Chaves of Costa Rica declared a national emergency due to Conti ransomware attacking numerous government institutions including the Ministry of Finance, Ministry of Science, and the Costa Rican Social Security Fund (CCSS).

Conti, a ransomware-as-a-service, has been wreaking havoc since 2020. Conti ransomware has several unique features not seen before, including the ability to run 32 encryption threads simultaneously, and remote control through command-line options. This enables it to encrypt crucial data quickly without rendering the system inoperable, allowing an organization to take action.

2. Puma ransomware attack (enterprise)

Puma was alerted to a security breach on 10 January, caused by a ransomware attack on Kronos, their workforce management solutions provider. With ransomware and data exfiltration, the goal, personal data of over 6,600 employees, including Social Security numbers, were taken and encrypted, but no customer information was compromised. Kronos regained access to their data soon after, issuing two years of complimentary Experian IdentityWorks to affected Puma employees as compensation, including credit monitoring, insurance and restoration.

3. French hospitals targeted with ransomware (healthcare)

In August, hackers used LockBit ransomware and targeted French hospital Centre Hospitalier Sud Francilien with data exfiltration. In retaliation for not paying a ransom, the attackers leaked patient data, including laboratory analyses, radiology reports, and more. The attack caused disruption of all health services, forcing transfer of patients to other facilities and postponement of surgeries.

Another French hospital, André Mignot hospital in Versailles, was also hit with ransomware in December. They had to shut down their network as a security measure. André Mignot limited the admission of new patients and even moved some to other hospitals.

What was the prevailing ransomware variant of 2022?

According to a Mawarebytes report, LockBit (formerly “ABCD” ransomware) was the main ransomware variant of the year. LockBit ransomware scans for targets of value, propagates itself, and encrypts any computers that are connected to the network.

“LockBit is a subclass of ransomware known as a ‘crypto virus’ due to forming its ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.”

– Source: Kapersky Lab’s article LockBit ransomware — What You Need to Know 

How do ransomware attacks work?

Ransomware attacks can be initiated in many ways. One of the most common is a phishing exploit, in which an email delivers an attachment disguised as a legitimate business file. Once it has been downloaded and opened—often by a victim with good intentions and no awareness of the threat it contains—the malware takes over the victim’s computer, and can even use built-in social engineering tools to gain administrative access. At this point, the ransomware can spread laterally from one computer to another and ultimately infect the entire network. The most aggressive forms of ransomware, such as Petrwrap/Petya, bypass the user entirely and infect computers via existing security holes.

Once the malware has taken over the victim’s computer, the typical next step is to encrypt some or all of the user’s sensitive files and forcibly reboot the user’s system. The user is then informed of the exploit and notified of the ransom being demanded, usually in the form of an untraceable Bitcoin payment, as well as a deadline for payment. If the targeted organization pays the ransom, the decryption key will be provided—or that’s the promise. If not, the data will remain permanently encrypted and inaccessible.

While any kind of organization can fall prey to this exploit, targets for ransomware attacks are often selected based on factors such as their perceived vulnerability, the sensitivity of their data, or their desire to avoid harmful publicity. For example, universities tend to have lower levels of ransomware protection and other cyber defense than other organizations and have a high level of file sharing, making them relatively easy prey for a phishing attack. Cities and other government agencies rely on computer systems for vital public services such as law enforcement, emergency response, public transportation, and the court system, increasing the pressure for a rapid restoration of data access. For hospitals and other medical facilities, data can literally be a matter of life and death. Financial institutionslaw firms, and major corporations may be willing to pay quickly to avoid being associated with a ransomware attack—and have the resources with which to do so.

In a sense, ransomware attacks can pose an even greater danger than simple data theft. While data theft can be embarrassing and costly to its victim, the data that has been compromised remains accessible. In a ransomware attack, on the other hand, the data is effectively gone—making normal business operations impossible.

How does data exfiltration relate to ransomware and data theft?

Ransomware attacks continues to evolve in terms of both technology and technique. In recent months, cybersecurity experts have been alarmed by the convergence of ransomware with data theft and data exfiltration to create an especially pernicious threat.

Traditional data exfiltration is itself a blend of data theft and extortion. A hacker compromises an organization’s defenses and exfiltrates sensitive data of measurable value—financial records, intellectual property, business data, and so on. After offering the data for sale on the black market to establish its value, the attacker then contacts the victim and demands a payment to prevent a sale. The attacker’s leverage in this case is the significant reputational damage, potential regulatory files, and other fallout that would result from the data’s release. Still, the data itself remains available to the victim.

Ransomware variants such as Maze and DopplePaymer have been used to add the threat of data exfiltration to a ransomware attack. If a victim hesitates to pay the demanded ransom, the hacker releases a portion of the data to publicize the exploit and heighten the pressure. Combining the reputational damage of data theft or data exfiltration with the operational disruption of a ransomware attack, this type of attack can be dangerously effective in countering the use of data backups as a defense against ransomware, as advised by the FBI.