The conversation with Don was not about direct security research, but about the threat landscape in general as well as some of the reporting on it (not journalistic reporting, but industry reports). In particular we talked a bit about how organizations get into the habit of fighting the “last war” in the way they slowly adapt to new threats, which I know I have talked about ad nauseam. To oversimplify, organizations are not as nimble as attackers and are too often bound by logistical and tactical constraints (budget and staffing). Attackers, on the other hand, can be much nimbler: they live outside of corporate budget constraints but are very aware of them, and they are also aware of changes in regulations affecting their preferred target environment. Some changes to regulations or cybersecurity postures will generate a significant response from the threat groups, while others might have no impact at all. Either way, the threat groups have the advantage in the fight, as they have a far better understanding of modern business practices than modern businesses have of them.
So how did we get here? Well, some of that is due to the way that marketing reports and industry reports are processed. As I have mentioned before, a “report” or “analysis” is an interpretation of data points with a conclusion on what those data points might mean or point to. In a normal work product, you would want to ingest as much data about the landscape as possible, as that gives you the best understanding on which to base your conclusion. In the industry… this is not always the case. Don added some good context on this as we talked about the claims that ransomware attacks are increasing.
There are multiple and conflicting reports currently out on the state of ransomware. Most of these tend to say the rate of attacks is increasing because they are counting attacks from all groups classified as ransomware groups. This is not a bad way to cover this particular threat, but it requires a bit more context to understand the reality of it. Ransomware is usually thought of as an encryption event: if you get ransomware, your data is encrypted, and you pay the ransom to get it back. However, a more expanded definition of a ransomware attack would be any attack that leverages data as part of the extortion process. Under that definition, an attack where there is no encryption event, but data is exfiltrated and a ransom is demanded, is still a ransomware event (like the Clop attacks on MOVEit). So now we have two definitions of ransomware and multiple sets of data to pull from.
Let’s take a look at how each set of data can inform the final report. As mentioned, how you define “ransomware” shapes both the dataset and your analysis. Looking at it from a law enforcement perspective, their data shows an increase in ransomware events. Because that data is built from the activities of the threat actors in this group, it carries an actor bias. Leak sites, where the threat groups publish their stolen data, also carry actor bias, but if you only count data gathered as part of an encryption event, they show attacks as flat. The last source is direct IR data; according to Don, SecureWorks’ IR data shows ransomware trending down. IR data, however, has a customer bias that brings in an interesting factor.
A quick sidestep to talk about data and certain types of bias. Data is nothing more or less than blobs of information plotted out in a four-dimensional space. Each blob contains the four basic “dimensions” of “who, what, when, and where”. It exists as a raw source until you add to it, subtract from it, or analyze it in a particular context. These three actions are where the bias can come from. If I build my dataset with only encryption events, then I am showing an event bias. If I build it based on the actions associated with actors in a particular category, that is actor bias. The same can be said for building it from leak site data, as that is only information from the actors themselves. Building a dataset from incident response brings in customer bias, as the data contained in that set is based only on the actions of customers in response to an event. As Don mentioned, many organizations are not reporting events, or they are dealing with them internally (restoring a backup, etc.). There has been a decrease in large-scale IR efforts because of this. SecureWorks’ own internal teams have not seen a multi-site encryption event that has taken down an enterprise-level organization. This makes it very difficult to track ransomware the way you track other cybersecurity efforts.
To further add to this mess of understanding the threat landscape, there is threat actor exposure. This is when an event happens that brings greater focus on the actors from a law enforcement perspective. In the case of ransomware, the Colonial Pipeline attack brought many of the Ransomware as a Service (RaaS) groups under greater scrutiny. We saw advertisements for affiliates drop significantly, and some service providers even closed access to their platforms to new affiliates. This did produce a small reduction in attacks from RaaS. Now we are seeing some of those same RaaS players offering significant cuts of ransomware profits to get affiliates back. We are seeing more source code and ransomware builder leaks, which will add more predators to the field. All of this at a time when Clop’s attack on MOVEit has hit more than 1,000 affected organizations, which is sure to bring attention from law enforcement.
So, what does all of this mean? It means that the threat landscape is not always reported on accurately. It means that organizations looking to best spend their money and time are not always getting the best information. It also means that large-scale events can have two potential impacts on the landscape: one is a slowdown of attacks, and the other is a diversification of players in the same space. With the attention that Clop has brought, we have not yet seen an indication of a slowdown. Instead, we have seen leaks of ransomware builders, source code for some advanced bootloaders, and an increase in revenue sharing for affiliates. This means that the feudal lords of the ransomware economy have decided that there is safety in numbers and that they are better served by increasing the number of players rather than slowing down operations.
As Don indicated during our conversation, some of this change could be due to the fact that many organizations are not reporting to law enforcement or other agencies. They are handling things in house and hoping that insurance covers it. Even in the face of double extortion, these companies seem determined to keep things in house (look at MSI). It was this kind of mentality that led to the double extortion events and is what has led to the new triple extortion. This new pivot is where the attackers go to your insurance company with the details of how they got in. That information could lead to insurance companies denying claims for a ransomware event. While the new pivot is obnoxious, it might be the one thing that pushes a real change in how organizations deal with cybersecurity, and ransomware in particular.
My conversation with Don was an interesting one. I was able to garner some good insights into how SecureWorks views the landscape and why ransomware is not a good indicator of the general cybercrime ecosystem. It might be part of it, but between the competing definitions of what ransomware is and the way each subset of data is collected, it cannot really be folded into the general landscape. It has become its very own feudal economy, and one that I have a feeling is not going anywhere any time soon. We might see increases and decreases associated with increased law enforcement attention (and sadly not with improvements in cybersecurity), but it is not going to stop.