Ransomware’s three-act playbook

Ransomware is escalating with 2.7 million recorded cases in ASEAN alone in 2020. It becomes all the more concerning with research showing that Asian organisations take 1.7 times longer than the global median to discover a breach, and spend 47% less on information security than North American firms. It goes without saying that the need for organisations in Asia to evolve is more important than ever as we make our way through 2022.

The largest global ransomware demand currently stands at US$70 million by REvil criminals, centred on U.S. information technology firm Kaseya. Singapore is no stranger to ransomware either: Attacks on a Singapore eye clinic (which affected 73,500 patients’ data), and a marine insurance company shed light on the severity of the issue just last year.

Ransomware gangs have expanded their playbooks with deliberate east-west movement, amplifying damage and halting business operations to improve their payment calculus. Modern ransomware exploits IT infrastructure by moving stealthily and persisting for longer before it detonates, placing security and IT teams at a disadvantage.

Evolution of the Ransomware Three-Act Playbook

We like to think we already know how ransomware works—but ransomware crews have added a new act to their playbooks. They now expand their blast radius through the use of advanced land-and-pivot-style tactics to ensure a handsome payout from companies struggling to regain operations without significant data leakage or reputational damage. Modern ransomware is carried out as a three-act playbook: initial access, midgame, and extortion.

  1. Initial access is where they gain a foothold through a wide range of techniques proven effective over time, including phishing emails.
  2. The midgame is where the attacker pivots through your infrastructure, accumulating assets and compromising data before springing into their extortion trap.
  3. The extortion cycle is when the attacker has succeeded and has sunk their teeth into the network. Backups are critical at this stage, but the cost of alleviating the impact remains massive: downtime, remediation and network rebuild, any ransom paid, and lost business opportunities.

Conventional wisdom says that access management and backup strategies are the remedies—but these haven’t slowed the ransomware-as-a-service (RaaS) industry. Unfortunately, initial access prevention relies on 100% efficacy, and because gangs are moving beyond mere encryption by exfiltrating and exploiting sensitive information, once backup comes into play, the damage is already done regardless of how you handled the extortion demand.

Act 1: Initial Access – Foothold

Initial access is how the attacker breaks into the infrastructure – and they have countless ways to get in.

Motivated attackers have consistently proven that they can gain a foothold and will find a way into porous hybrid perimeters. With today’s specialised RaaS ecosystem, even an inexperienced, extortion-motivated attacker can buy a foothold from initial access brokers.

If that isn’t alarming enough, phishing remains a favourite access technique for ransom-driven intruders. Victims often follow a link to a fake website, such as a cloned bank login page, and enter their credentials there. The recent incident in which nearly 470 customers of a bank in Singapore reported losses of up to $8.5 million was credential fraud rather than ransomware, but it makes the same point: users still take the bait.

Act 2: Midgame – Optimise Collection Calculus

The midgame is the stage of the chain where attackers pivot through your IT infrastructure, identify targets, escalate privileges, and compromise assets in order to compel payment. This is where modern ransomware operators do their real work, causing sizable damage and using game-theory tactics to pressure businesses into paying.

The crippling business damage is often proportional to the ransomware campaign duration—specifically the midgame. If you’re watching from within the network, the midgame is where you can stop intruders before they set their extortion trap.

Targeting domain admin privileges, typically by compromising Active Directory (AD), lets attackers accelerate asset collection. Because of this, ransomware intrusions now show shockingly short dwell times: a median of just five days, according to FireEye-Mandiant’s 2021 M-Trends report. Domain admin privileges are the keys to the kingdom: from there, intruders can take over Exchange, databases and file servers. Numerous post-mortem advisories on ransomware gangs such as REvil and BlackMatter (a rebrand of DarkSide) point to AD as the preferred fast path toward ransom collection.

Act 3: Extortion Cycle – Houston, We Have a Problem

When organisations are disrupted by attacks and ransomed, they have no choice but to go into recovery mode. Without an incident response plan, companies may be left with the inevitable choice of paying a hefty ransom or completely rebuilding their business systems from scratch.

Availability of backups is a critical part of the payment calculus. Unfortunately, the ransom payment itself has little bearing on the total financial damage the attack causes. Research suggests that ransom payments account for just 10% of the actual damage to victims; the other 90% falls on the victim regardless of how profitable the exchange was for the attacker.

Modern Ransomware Kill Chain in the Midgame

The best chance to avoid paying ransoms, maintain your reputation, and protect your customers and organisation is to build defences that interrupt attackers in the midgame.

The primary resource that attackers have on their side is the ability to slink around your environment undetected. Therefore, a defensive strategy in the midgame must include the ability to spot corners where they’re hiding and living off the land.

The good news is that attackers do not stay in one place. Their drive for profit keeps them moving, looking for data worth using as leverage, and every step they take across your network is an opportunity to spot them.

The network, specifically network detection and response (NDR), is the missing piece of the SOC visibility triad (endpoint, logs and network) and holds the data needed to stop a ransomware attack in the midgame before the trap is sprung. You own and can see your environment; if you watch for midgame tactics, you will find the perpetrator.

Preventing the initial moves of ransomware actors may not be possible, but NDR can stop intruders in the midgame before real damage is done: it detects ransomware-driven intruders as they pivot through the victim’s IT infrastructure, which lets the organisation close the gaps that were abused, prevent recurrence, and recover with confidence.
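As an added example (not from the original article, and not any NDR product’s code), the following shows the kind of midgame check a flow-log or NDR pipeline runs to catch the lateral movement described above: a host that opens SMB, RDP, WinRM or RPC sessions to many distinct internal hosts inside a short window looks like an operator pivoting, not a user. The flow records, hostnames, the jump-host allowlist, the admin-port list and the thresholds are all constructed assumptions for illustration.

```python
"""Constructed example: flag midgame lateral-movement fan-out in network flow logs.

A workstation that suddenly reaches many distinct internal hosts on admin ports
in a short window is behaving like an intruder pivoting through the estate.
Every flow line, host and threshold below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports attackers lean on when living off the land (assumption: a starting point
# to tune against what your estate actually uses for administration).
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 135: "RPC/WMI"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical jump host that legitimately fans out; allowlisting it stops the
# detector from paging on every patch cycle.
KNOWN_ADMIN_SOURCES = frozenset({"10.0.1.10"})


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: '<ISO-8601 UTC> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport))


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def detect_fanout(flows, window=timedelta(minutes=10), threshold=5,
                  allowlist=KNOWN_ADMIN_SOURCES):
    """Return one alert per source that reaches >= threshold distinct internal
    hosts on admin ports inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src in allowlist or f.dport not in ADMIN_PORTS:
            continue
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue  # east-west only; north-south traffic is a separate detection
        by_src[f.src].append(f)

    alerts = []
    for src, fl in by_src.items():
        start = 0
        for end, f in enumerate(fl):
            while fl[start].ts < f.ts - window:  # slide the window forward
                start += 1
            in_window = fl[start:end + 1]
            targets = sorted({w.dst for w in in_window})
            if len(targets) >= threshold:
                alerts.append({
                    "src": src,
                    "first_seen": fl[start].ts.isoformat(),
                    "crossed_at": f.ts.isoformat(),
                    "targets": targets,
                    "protocols": sorted({ADMIN_PORTS[w.dport] for w in in_window}),
                })
                break  # one alert per source is enough to page on
    return alerts


# Constructed sample: a normal workstation using one file server, the allowlisted
# jump host running WinRM against five servers, and workstation 10.0.5.23
# sweeping five internal hosts over SMB/RDP/RPC within four minutes.
SAMPLE_FLOWS = """\
2022-03-01T09:00:05Z 10.0.5.24 10.0.7.10 445
2022-03-01T09:01:10Z 10.0.5.24 10.0.7.10 445
2022-03-01T09:02:00Z 10.0.1.10 10.0.7.11 5985
2022-03-01T09:02:05Z 10.0.1.10 10.0.7.12 5985
2022-03-01T09:02:10Z 10.0.1.10 10.0.7.13 5985
2022-03-01T09:02:15Z 10.0.1.10 10.0.7.14 5985
2022-03-01T09:02:20Z 10.0.1.10 10.0.7.15 5985
2022-03-01T09:14:02Z 10.0.5.23 10.0.7.40 445
2022-03-01T09:14:03Z 10.0.5.23 10.0.7.41 445
2022-03-01T09:14:03Z 10.0.5.23 10.0.7.41 3389
2022-03-01T09:14:05Z 10.0.5.23 10.0.7.42 445
2022-03-01T09:15:30Z 10.0.5.23 10.0.7.43 135
2022-03-01T09:16:00Z 10.0.5.23 93.184.216.34 443
2022-03-01T09:17:45Z 10.0.5.23 10.0.7.44 445
2022-03-01T09:40:00Z 10.0.5.23 10.0.7.45 445
"""


def run_detection(text: str = SAMPLE_FLOWS, **kwargs):
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return detect_fanout(flows, **kwargs)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample this raises a single alert for 10.0.5.23 at 09:17:45, naming the five targets and the SMB, RDP and RPC/WMI protocols it used; the jump host stays quiet only because it is allowlisted, which is the caveat to keep in mind: the allowlist must be reviewed, because a compromised jump host is exactly the asset an attacker would pivot from.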