Ransomware is now a bigger threat to global security than nation-state campaigns, two infosec experts divulged during an RSA keynote Thursday.
Dmitri Alperovitch, chairman of Silverado Policy Accelerator, and Sandra Joyce, executive vice president and head of global intelligence at FireEye, led a discussion on the current global threat landscape, and ransomware attacks topped the list. While nation-state groups instill fear by taking advantage of the global pandemic or targeting things like critical infrastructures, and new trends like DNS hijacking are returning, they said ransomware is affecting everyone. The risk has only advanced over the years, as ransomware gangs turn to extortion and double extortion tactics. During the keynote, Alperovitch and Joyce revealed that the next step in ransomware's evolution may be far more dangerous.
Dmitri AlperovitchChairman, Silverado Policy Accelerator
Alperovitch said that overall, the threat environment is becoming the worst it's ever been -- not just from a technical stance, but also from a geopolitical perspective as. "The four adversaries we face -- Russia, China, Iran and North Korea -- our relationship from the western standpoint is the worst it's been probably in at least 60 years," he said during the session.
The infosec experts outlined a multitude of reasons for the menacingly high threat landscape, and much of it has to do with simple evolution of tactics and techniques. Joyce referred to cyber as a "tool of national power" that nation-states and threat actors are trying to claim by evolving their methods and tactics -- and they are doing so without fear of retribution.
Currently ransomware operators encrypt systems, then demand a ransom in return for unlocking the computer. Operators behind ransomware gangs run public-facing data leak websites where they publish data if a ransom is not paid. The shame-and-name tactic was popularized by the Maze gang, and while they have retired, the method has not. According to Joyce, threat actors may skip ransomware and go straight to the data theft and threat of exposure. They will continue to capitalize on the shaming aspect of the extortion, by calling competitors and customers, which Joyce said puts organizations in an impossible situation. Giving into the ransom demand comes with risks, such as paying out Office of Foreign Assets Control (OFAC) countries in that are in violation of sanction laws.
Not only is extortion increasing, but ransom demands are also skyrocketing. Joyce referenced an extortion amount for $50 million she saw recently, when just a few years ago it was a few hundred bitcoin. And Bitcoin was worth a lot less than it is today. The demand was made by the ransomware gang known as REvil or Sodinokibi against PC manufacturer Acer earlier this month.
"We've seen $10, $20, $30 million. This is just getting out of hand," Joyce said during the session.
It's getting so out of hand that Alperovitch referred to ransomware as almost a side business to the overall extortion business. And getting assistance from the nations from which the actors operate is seemingly out of the question. "It puts these organizations in a position where even law enforcement can't touch threat actors sitting on the other side of the world, in governments who are just turning a blind eye," Joyce said.
Alperovitch added that most of the actors developing malware are in Russia, or are Russian speaking. "Many of them are being hidden or in some cases assisted even by the SVR," he said.
Alperovitch said that while China, Russia and Iran are becoming more aggressive, North Korea is one of the most innovative of the U.S.'s top nation-state adversaries. The techniques of North Korean cybercriminals have reached an incredible level of sophistication, and a lot of that is homegrown. Additionally, Joyce said it's one of the first nation-states to fund the government with cybercrime. "At one point, they were targeting 16 different financial institutions at once," Joyce said.
North Korea has also been a pioneer in supply chain hacks, one of the most concerning risks to the threat landscape of late. Alperovitch said it has targeted AV vendors and cryptocurrency software to install backdoors.
Activity from another nation-state also surprised the two infosec experts in 2020: Iran. Of particular note was when hackers posed as the far-right group the Proud Boys during the Presidential election to send intimidating emails. "That was a big surprise to us, because everybody really was focused on Russia and that didn't materialize. But what we saw was a real evolution in the use of information operations," she said.
China is also evolving, Alperovitch said, emerging as one of the top users of zero days going forward. The most interesting aspect is that much of its wide-spread targeting is happening in broad daylight, and Chinese-state sponsored threat actors don't seem to care if they are caught. To further that point, Alperovitch said China-state sponsored attackers are not changing up their tools very often, and it's a tell-tale sign. "They've being using China Chopper so long and it's a one-line webshell," he said.
Joyce said one reason may be that attackers are testing the new administration in Washington, D.C. "There's a complete disregard for operational security," she said. "You have a threat actor that's not afraid of the consequences or is trying to send a message, or both. And I think that's what's happening here."
Their emboldened tactics are reaching all spheres. According to Alperovitch, the security industry has become a top target for every single actor. Joyce said security researchers are now being personally targeted because it's a "shortcut to a lot of great information." But security researchers may not always be prepared and have fewer measures than an enterprise that is targeted.
"Let's face it: Unfortunately, there is a of double talk in our industry, and people who should be practicing better security and know better are not doing what is needed," he said.