abril 26, 2023

EP 26 – Ransomware Revisited: Combating the Identity Explosion

Andy Thompson, Offensive Security Research Evangelist at CyberArk Labs, returns to Trust Issues for a dive with host David Puner into the latest developments in the world of ransomware. With ransomware events on the rise, Thompson sheds light on the alarming trend of data exfiltration and double extortion. But what’s causing this surge? Thompson connects the dots between the rise of digital identities and the increasing frequency of ransomware attacks. As more organizations adopt cloud and DevOps technologies, the number of digital identities has skyrocketed, providing attackers with more accounts to exploit. However, Thompson emphasizes that staying vigilant about properly configured identities and analyzing their behavior can go a long way in mitigating the risk of ransomware attacks. Tune in to stay ahead of the curve in the ever-evolving landscape of cybersecurity threats.

[00:00:00.250] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in Identity Security. Hello, and welcome to another episode of Trust Issues.

[00:00:27.930] – David Puner
Today’s show marks a bit of a milestone for us. It’s been a year since we launched our first episode. The focus of that first episode was ransomware. We covered a lot of ground from its inception to current trends. I listened to it again the other day, actually, to prepare for this episode, and unfortunately it holds up, because of course, ransomware attack vectors like phishing, social engineering, and abuse of trust continue to be cybercrime hotspots.

[00:00:57.010] – David Puner
In fact, 73% of global IT security decision-makers report at least one ransomware attack on their organization in the previous twelve months. Recent IBM data puts the global average total cost of a data breach at $4.35 million and $9.44 million in the US. But it’s not all doom and gloom. While there’s no silver bullet for ransomware, with an assumed breach mindset, a strong defense, in-depth approach, and an identity focus, organizations can block ransomware across the attack lifecycle and drive greater cyber resilience.

[00:01:39.470] – David Puner
Now, a year after the very first Trust Issues podcast conversation on ransomware, we’ve got lots of new ground to cover. That’s why it’s only fitting that our very first podcast guest returns today. CyberArk Labs, offensive security research evangelist, Andy Thompson, and he’s bringing his A game as always. Thank you for listening to Trust Issues. We’re thrilled you’re along for the ride. Here’s my conversation with Andy Thompson.

[00:02:12.810] – David Puner
Andy Thompson, offensive security research evangelist at CyberArk Labs. Thanks so much for coming back onto Trust Issues.

[00:02:20.990] – Andy Thompson
Thanks for having me.

[00:02:22.180] – David Puner
You were our first guest, episode one, an episode called Talking Ransomware that launched this entire podcast on April 26, 2022. It’s a subject a lot of people are interested in, and so I guess, really to start things off, what’s changed in the world of ransomware in the last 12 months, and ransomware bad actors for that matter?

[00:02:45.000] – Andy Thompson
Well, there’s been a lot that’s gone on since we last chatted. Some things change, and some things never seem to change. Statistically, we’re seeing, again, an uptick in the number of ransomware events. We’re seeing a lot of movement toward data exfiltration, and that double extortion we mentioned. That’s definitely a more aggressive tactic they’ve taken as of late.

[00:03:12.760] – Andy Thompson
The targets themselves are changing. We’re seeing certain ransomware groups targeting the white whale, the big fish. These targeted attacks subsequently have larger ransoms, but again, we also see ransomware actors going the completely opposite direction, targeting small, medium sized businesses. It just really depends on the ransomware actor.

[00:03:39.510] – Andy Thompson
Another thing that we’re seeing is the way that they’re doing their techniques. We’re seeing the exploitation of zero-days being the initial access, quite often in huge chunks. When a zero-day is exposed, you’ll see a huge rash of ransomware victims due to these vulnerabilities and exploits. I think the amount of interaction that you’re going to see of different ransomware groups, whether they’re adversarial or collaborative.

[00:04:14.110] – David Puner
What else has changed in the last year as far as ransomware goes?

[00:04:18.530] – Andy Thompson
Okay, now this one I mentioned earlier, speed being king. What we’re seeing is ransomware actors are trying to encrypt as much information as possible before the incident is discovered and addressed, and so what we’re seeing is this new type of encryption. It’s called partial encryption. This is where rather than encrypting the entire file, they’re doing an encryption of just either the file header or just small portions of the file. This is how they’re able to so much more quickly encrypt an organization, and so this is really, in my opinion, one of the newer advancements that we’re seeing in ransomware technology is, again, that partial encryption.

[00:05:08.310] – David Puner
I know you’re chomping at the bit to tell me more about all that, but we’re going to have to leave that as a cliffhanger. I know that you and the Cyber Labs team have some exciting research that you’re going to unveil in a couple of weeks at Black Hat Asia. Is that right?

[00:05:26.070] – Andy Thompson
Oh, yeah. We have something really cool up our sleeves. I really cannot wait to tell you about it, but just suffice to say, you bad ransomware actors out there, we got something up our sleeves and it’s going to blow your socks off.

[00:05:41.020] – David Puner
All right, well, I think you’ve just gotten yourself booked on yet another episode of Trust Issues. You’ve mentioned a lot of things right there, and I’d like to unpack a couple of them before we dive deeper into all of this. We had mentioned double extortion last year. Could you tell us a little bit about double extortion and what that looks like as a trend?

[00:06:01.870] – Andy Thompson
Yeah, so what we’ve seen previously when we think of ransomware is, the typical file encryption, locking you out of your files, and that’s bad enough as it is, but the tactic that a lot of actors are taking nowadays is to in addition to encrypting, they’re also exfiltrating the data, pulling it off and holding that sensitive data ransom. There’s multiple reasons. One, you can pay to get your files unencrypted, but also you don’t want to be shamed or have this data leaked publicly, so a lot of organizations are being ransomed twice over.

[00:06:36.590] – Andy Thompson
We also talk about the concept of triple extortion, where they’re going even a step further in the extortion methods. Many times with double extortion, you’re able to pull the data out of the network way faster than you could actually encrypt it. This is why I think you’re going to be seeing more of this double and triple extortion in the future. Again, it’s all about speed.

[00:07:02.700] – David Puner
One of the other things that I wanted to go back and ask you a little bit about the exploitation of zero-days. Are there any high profile examples of that that come to mind immediately for you?

[00:07:14.490] – Andy Thompson
There was a recent zero-day exploit on GoAnywhere platform. It really demonstrates what’s at risk here. Hundreds of organizations were popped just due to this GoAnywhere. Another one that I think is interesting is the Alpha Ransomware group. They’re taking advantage of the Veritas backup exec application. Apparently there’s some bug in there, and that’s how this ransomware actor is really establishing that initial access.

[00:07:44.230] – David Puner
Are some of these folks, in addition to wanting to make money, are they just sort of looking for the prestige of being the biggest, baddest ransomware player out there?

[00:07:55.480] – Andy Thompson
Yes. I mean, these folks have some pretty big egos. The Lock pick team in the past have actually falsely claimed to have compromised organizations when they really haven’t. I think it was Mandiant. They had claimed that they had exfiltrated hundreds of gigs of data. Totally false. A lot of their claims are not quite believable unless they literally prove it, and that’s what a lot of ransomware operators are doing as part of their name and shame operations. They’re demonstrating that they actually have legitimate information. Some groups do, some groups don’t.

[00:08:34.390] – David Puner
A year ago, you had mentioned ransomware actors where were moving more toward targeting big fish, but there’s also the targeting of small and medium sized businesses. Why is that? What makes some organizations more attractive to ransomware actors than others, and what is their gain in either going small or big in their target?

[00:08:52.020] – Andy Thompson
I think one of the biggest takeaways from today’s episode is really the targets. There, again, is that white whale, the bigger organization with ultimately stronger security programs will have a much larger ransom. What we’re seeing is almost the opposite of that. These small and medium-sized businesses like auto dealerships and dental offices, lawyers, and things, these are the organizations that are being hit way more right now. These organizations don’t have the security controls and security programs that, again, those bigger organizations have.

[00:09:27.690] – Andy Thompson
Now, what you’ll see is the ransom amounts aren’t going to be as much. We’re typically seeing ranges of 25 to 30K ransoms as compared to millions, but they add up, and they’re just as devastating to these organizations. Again, you’re going to see a lot more big names being compromised, but you won’t see a lot of these small and medium-sized organizations in the headlines. But trust me, they’re being hit just as much, if not more.

[00:09:57.980] – David Puner
Are these small and medium-sized organizations, are they more likely to opt to pay the ransoms than larger organizations, or is it still all across the board?

[00:10:07.010] – Andy Thompson
I feel like they’re probably more apt to pay. I mean, these organizations aren’t the ones that have proper backup and restore in place. The recovery is going to be that much more difficult. In addition, they may not have the cyber insurance to recover. I feel that these organizations, albeit smaller, are actually more of a riper target for ransomware operators.

[00:10:32.800] – David Puner
Based on everything that we’ve talked about, it’s ridiculous. But why does ransomware still exist?

[00:10:39.450] – Andy Thompson
Because people make money off of it. People are paying. I think the willingness of the victims to pay the ransom is really what’s going to continue to drive this. The US government recently named a ransomware operator and sanctioned them, and subsequently organizations aren’t allowed to do business with sanctioned organizations. Ransomware is going to exist because it’s profitable, it’s easy. There’s really a low barrier to entry if you’re moving towards, that RaaS model or ransomware as a service model, and this isn’t changing anywhere either.

[00:11:12.150] – Andy Thompson
As long as we have cryptocurrency that can provide these anonymous transactions and keep these ransomware actors safe and at bay, we’re going to continue to have ransomware. I don’t think this is going anywhere anytime soon. I wish I could tell you that if we all did everything we were supposed to do that this would resolve the issue, but even then, we have the potential for insider threat. I don’t think that ultimately we’re ever going to resolve this issue. Really, the solution is that defense in-depth approach. But even then, I dare say that we’re going to be dealing with this problem from now until the end of time. I mean, there is again, a ton of new tactics that we are seeing that aren’t viable yet. AI has changed the landscape for malware and ransomware.

[00:12:02.400] – David Puner
As far as AI goes, what are you seeing? How are these tools changing the state of ransomware? How do we get in front of something catastrophic that could potentially happen in the context of ransomware, when it comes to these AI platforms and bots,

[00:12:19.240] – Andy Thompson
I think the best way to approach AI, machine learning and its role in ransomware, is to be aware of the capacity of it and what it’s capable of. We’ve seen in the past where ransomware actors are maturing to the point where they’re providing their own service desk. We’re going to see AI being that front end to interact with ransomware actors. That’s one thing.

[00:12:49.830] – Andy Thompson
Another is using AI and machine learning to derive more intelligent, more powerful ransomware code. We at CyberArk Labs demonstrated this clearly in the last couple of weeks with the fact that we were able to leverage chatGPT to create polymorphic malware to evade EDR and XDR applications. Again, this is just with chatGPT. Imagine if we were using this for more nefarious purposes.

[00:13:20.150] – Andy Thompson
What you’re going to see in the future, I’m going to put my futurist hat on is a whole different style of extortion and ransoming, and this is using deepfake technology. What you’re going to be seeing is the creation of false video recordings of maybe you saying something that is absolutely terrible, and that in and of itself is enough to warrant possibly paying a ransom.

[00:13:44.080] – Andy Thompson
I think you’re going to be seeing AI used in unique ways from an offensive purpose, but you’re also going to be seeing it on a defensive purpose as well. At the end of the day, I’m not afraid of AI. I’m not afraid of machine learning. It’s just like any other tool. It’s how you use that tool that determines whether the user is of good or bad intent. I think that we can really leverage AI to protect from ransomware events just as much as the bad folks are using it to strike us.

[00:14:15.910] – David Puner
How is ransomware tied to identity and the massive surge in digital identities?

[00:14:22.710] – Andy Thompson
This is a scary one. Large organizations are starting to adopt cloud and DevOps and all these other technologies. The identity scope, just the sheer numbers of accounts and everything has just exploded at an exponential rate. This expands the attack surface for attackers, meaning that there’s a whole lot more accounts to choose from to compromise. This also expands the scope of ransomware events. We’re seeing ransomware events in the cloud. We’re seeing them instantiated in DevOps processes. We’re seeing them on the endpoints and in the traditional data center. The point I’m trying to make is, as identities continue to grow at an exponential rate, so does the attack surface for these ransomware operators.

[00:15:12.680] – David Puner
How can visibility into identity or identities, and managing identities help address the ransomware threat?

[00:15:20.060] – Andy Thompson
There’s a defense in-depth approach that we can apply to managing the risk of ransomware. With all the identities in our organization, I think discovery and awareness of the potential, what’s your scope, what’s your risk profile. That’s a key thing. Being able to analyze the behavior of your identities. Oh, my gosh, that’s a huge one. We’ve seen in multiple data breaches where legitimate accounts were being leveraged in an illegitimate means.

[00:15:54.370] – Andy Thompson
Again, being aware of your properly configured identities and making sure that their behavior falls in line with their heuristics, that’s a big one. Just being able to manage the existing identities you have, making sure that what behavior is happening on the endpoint is actually what it’s supposed to be doing. It’s going to be a huge challenge, but with multiple controls, we can manage it.

[00:16:19.660] – David Puner
In the last year, has that blossomed even more? You talked last year about the rise of ransomware as a service.

[00:16:26.810] – Andy Thompson
We’re seeing people pooling their resources in order to really focus on some of those bigger targets. That’s what we saw continuing to happen. But this is where it’s been interesting. A lot of ransomware actors are starting to be worried about this RaaS model. I mean, let’s face it, these are the organizations that are going after the bigger fish, and so they, in and of themselves have a bigger target on their back, and because there’s all this potential risk of them being arrested, a lot of the ransomware actors are embarking on their own and actually moving away from the RaaS model because of the fact there’s less of a possibility that they’re going to be apprehended.

[00:17:13.170] – David Puner
As far as the repercussions from all this arrests, apprehension, those things, are we seeing more of that now than in the past?

[00:17:24.350] – Andy Thompson
Honestly, I feel like as we catch one, two more come up. Even legitimate ransomware groups are shutting down and starting up as different ones. So I don’t necessarily know if we will ever be able to provide an accurate assessment of whether we’re actually winning this war on ransomware. There’s just so many unknown variables here.

[00:17:46.620] – David Puner
I think it’s safe to say that ransomware groups, individual ransomware groups, don’t necessarily peacefully co-exist. Do they compete against one another?

[00:17:54.810] – Andy Thompson
Yes, they will compete against each other, but they’ll also collaborate. But we’re also seeing ransomware groups going after other ransomware groups. Just depending on who they are, they may be good buddies or they may be adversaries, we just don’t know.

[00:18:08.670] – David Puner
Are these getting to be even more official organizations with communications departments and stuff like that?

[00:18:15.650] – Andy Thompson
Conti is one of the ones that not only do they have a help desk, they have HR and payroll. This is a legitimate straight up operation that these folks are running, and it’s scary how organized they are, but at the same time, you’re seeing fly-by-night lone wolves too. It really depends on the actor, their sophistication, their target, their tactics. There’s so many variables here.

[00:18:41.990] – David Puner
Do we know where they primarily are or is there a primary place they are located?

[00:18:47.070] – Andy Thompson
We’ve seen a large and consistent base of ransomware actors in Eastern Europe. They have operators literally all over the globe. In fact, I can guarantee that you will have ransomware actors here in the United States just as much as anywhere else, but there is a large concentration in that Eastern Europe portion, but again, there’s ransomware actors everywhere.

[00:19:15.250] – David Puner
What about deepfakes? Are they figuring more prominently in the ransomware attacks these days, and what can protectors and defenders do?

[00:19:23.590] – Andy Thompson
This is something, again, that I think we’re going to see more so in the future. I think that being aware of deepfakes and some of their indicators, could help in preventing some of these deepfake ransom extortion attempts. Just a real quick tip: If you’re looking at a video and you don’t know if it is a deepfake or not, pay attention to the eyes. See if the potential person you’re watching blinks. If they don’t blink, this is a very key indicator of a potential deepfake. I think, again, end user awareness training of what a deepfake is, and those indicators will go a long way in preventing someone from actually paying a ransom from a deepfake.

[00:20:12.520] – David Puner
We talk about ransomware and how it’s not going away. It’s probably never going to go away. To get back to what organizations can do as far as prevention and protection, what has changed in the last year as far as that goes, and what hasn’t changed?

[00:20:33.280] – Andy Thompson
This is the hill that I will literally die on. Okay? I said it before and I’ll say it again. Yes, a defense, in-depth approach is the way we want to go for sure. But even beyond that, application control. If you prevent the execution of the ransomware, it doesn’t cause a ransomware event. It stops that initial access. Application control, not least privilege, application control, in my opinion, is one of the strongest mitigating controls against ransomware, and I will debate anybody anytime on that topic alone.

[00:21:05.370] – David Puner
What is application control for the folks out there who may not know what it is?

[00:21:11.670] – Andy Thompson
Really? It boils down to, can I launch this process or no. This is a concept that can be applied anywhere from an endpoint, to a server, to cloud infrastructure, really stopping the execution of whatever that process is. This is a difficult challenge for many organizations, but there’s absolutely ways to address that. CyberArks’ endpoint privilege manager has a lot of built in, out of the box controls that, by flipping a switch, enable ransomware protection.

[00:21:46.920] – Andy Thompson
I’m actually working on a presentation right now where we are literally using real ransomware from some of the actors that we’ve discussed today in our environment. Again, just putting that one simple policy goes a long way in preventing these ransomware binaries to process because they’re blocked by our application control.

[00:22:10.300] – David Puner
As the offensive security research evangelist at CyberArk Labs, you’ve obviously got your finger on the pulse of a lot of really interesting stuff. For the folks who may not know what CyberArk Labs is, what is that group within our organization?

[00:22:25.070] – Andy Thompson
I’m really proud to be a member of this team. CyberArk Labs is an offshoot in our R&D where we specifically focus on offensive security and developing of vulnerabilities and disclosing these findings. It’s really, like bleeding edge stuff, and I get to be part of it. It’s so cool. If you really want to learn more about the research that we’ve previously done and some of the cool tools that we’ve released, oh, man, there’s tons of tools. Check out labs.cyberark.com. That’s really our main presence online. Also, if you want, follow me on LinkedIn. I post all of the latest and greatest Labs research from my social media accounts as well.

[00:23:08.400] – David Puner
You were the MC and co-organizer of the Dallas Hackers Association. Anything interesting going on there lately? How’s the crew?

[00:23:16.710] – Andy Thompson
Well, the crew is rocking and rolling. This is my passion. I was doing hacking well before CyberArk offered to pay me, so this is something that’s truly near and dear to my heart, and our group is just amazing. Every month we have just amazing talks. We have multiple workshops and rooms where we teach lock picking, a career counseling, all sorts of stuff. We recently reconvened after COVID, and we’re back to having on prem meetings at family karaoke every first Wednesday of the month, so feel free. All are welcome. I highly encourage you to check out Dallas Hackers Association. It is literally the coolest hacking crew on the planet.

[00:24:01.770] – David Puner
Thanks a lot for coming back onto the podcast.

[00:24:04.810] – Andy Thompson
I really appreciate the opportunity to share the labs, research and all the cool stuff we’ve been doing, so really thank you.

[00:24:21.650] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors, and don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see, drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it, are kind of like comments. Our email address is trustissues, all one word, @cyberark.com. See you next time.