Transcript
Note: This transcript has been edited for clarity.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group and to discuss ransomware trends, it is my pleasure to welcome from the Institute for Security and Technology: Taylor Grossman, the deputy director for digital security and Trey Smith, future of digital security associate. Welcome to you both. Thank you very much for being here.
Grossman: Thanks so much for having us.
Schwartz: So we're catching up, because you work on IST's Ransomware Task Force, and I know that you've been looking at some trends of late in terms of global ransomware incidents, and specifically for the year 2023 and what we can learn from what you've been seeing. What did you find?
Grossman: So 2023 was a very interesting year. We wrote this report based on IST's Global Ransomware Incident Map, which we have updated every year since the Ransomware Task Force's first report in 2021, and our goal here is to use as much of that data as holistically as possible to get a sense of what's going on. So we did see an interesting dip in 2022 due to a lot of factors, particularly Russia's invasion of Ukraine, and some potential law enforcement activity.
But unfortunately, things are back on the rise, and we saw a very big surge in 2023. I think the numbers that we have reported in the map are a 73% increase in ransomware attacks over the course of the year, and a lot of that is due to what folks in the industry call big-game hunting, and also to the targeting of particular technologies - a lot of that was remote-access applications or file-transfer services that are used ubiquitously across a lot of different industries. And so with one hack, one incident, one exploit, you're able to hit a lot of targets very quickly.
Schwartz: From an innovation standpoint, I remember big-game hunting attacks surging several years ago or so, and then going away for a bit. Was that downturn a consequence of law enforcement disruptions, or some other factors?
Grossman: There were certainly some definite changes. I think one in particular was related to the Conti group dismantling in 2021, which was a byproduct of internal politics. We'd love to take credit for it, but they also fell apart for a lot of other reasons. There was a period when the U.S. was able to work a little bit more closely with Russia to curtail some of this activity. Of course, if you look at what's happening around the globe, and particularly with U.S.-Russia relations, there are a lot of real sticking points. Anti-ransomware collaboration has fallen off, unfortunately, and we haven't, or at least the government hasn't, been able to make as much progress in terms of really calling out this behavior and making big moves.
When we get to 2024, and Operation Cronos, which I hope we'll talk about later, and the big LockBit disruptions that happened under that, there's some real sense that, potentially, that could have more of an impact. But again, it's still too early to tell how these disruptions are able to not just tactically disrupt groups, but really strategically pull them apart and make it harder for them to regroup.
Schwartz: Definitely, I want to touch on disruptions. I do want to go back though, because you mentioned some of the big findings from 2023, and the MOVEit attacks loom large. What's your takeaway from these types of supply chain attacks? Should we expect to see more of them?
Grossman: So MOVEit is really interesting. Trey spent a lot of time looking at that when he was writing the report. I do want to caveat, just to start with, that the data we're looking at is from double-extortion incidents. So we're taking as holistic a look as possible at the overall trends for the year, but we are using one particular data source, which is sort of the second-stage ransomware actions. So not the first action of actually encrypting data and asking or demanding payment from victims, but that next step when victims don't pay, or even if they do pay, where groups threaten to leak that information online, on a dark website, and demand an additional payment.
eCrime.ch, the source that we use, is tracking that data, and so we are seeing a particular picture of the activity. We talk a lot at the RTF about how important it is to get even fuller information - and so just to caveat, while what we see is one particular angle, there are real benefits, but also limitations to any kind of data collection in this space. When it comes to MOVEit, which was a really, really big incident, and certainly for the Clop group, which had been around for a couple of years, this was really a big showing for them, and we were able to attribute a huge spike in activity over the course of the summer - in June and July 2023 - to the attacks. What's interesting about MOVEit is they were able to attack this particular file-transfer service that was used across so many different industries, including a lot of critical infrastructure. Definitely it was an incredibly profitable attack. Ransomware researchers and security researchers really mark it as the biggest single incident of 2023, which I think we would agree with.
But it's not the only kind of thing that happens. And one of the things that our report highlights, and that I think Trey and I certainly feel, as do the RTF members as a whole, is that there's still a lot of profit in the general ransomware-as-a-service model, just through plain old phishing and business email compromise. So while an incident like MOVEit - and Clop in particular - has used a couple of other zero-days to attack some of these broad-based software applications, a lot of groups are still making a lot of money just with sort of more simple bread-and-butter attacks.
I don't know, Trey, if there's anything you want to add, particularly about your having a close look at Clop and MOVEit?
Trevaughn Smith: No, I definitely think that caveat is important. The MOVEit attack definitely was unique in the sense that it was able to target software that isn't necessarily as publicly known. I think about financial clearinghouses: people think that when you swipe a card, magic happens in the background. But in fact, it is a huge technological feat to have all those pieces together. So when we see attackers targeting that type of software that isn't necessarily well-known by the average consumer, and if security may be lacking in that type of industry, we can see devastating attacks such as MOVEit and the other zero-days that Clop used.
But again, when it's compared to the typical models of business email compromise and phishing, it pales in comparison. I like to think of it as a splashy incident - it definitely contributed to huge numbers in the summer, but ultimately, we still are seeing that the classic phishing model is persisting, as is the ransomware-as-a-service model.
Schwartz: That's a bit of a downer, right, that these sorts of basic attacks - BEC, phishing and also the ransomware-as-a-service model itself, which has been around for a while now - are still leading to some really big bucks for the attackers?
Grossman: Security researchers, for very good reasons, will focus in on these zero-day or even n-day attacks against some of these major file-transfer services and remote-access applications. Clop has used four zero-days now over the course of its lifetime; that's really important to look at. But the bad news is that a lot of actors don't need to rely on zero-days to, again, make a very healthy, illegal living in this space.
Schwartz: I love the caveat that you had there before, in terms of where you get the data from, because without obviously inserting a 10-minute disclaimer here: ransomware groups lie, and it's really difficult to get precise data about who they're hitting, who's paying, what exactly the disruption might be, in part because victims often aren't sharing that information. With all of that aside, one of the things that jumped out to me from your report was that unfortunately, disruptive action appears to generally be "tactical and temporary." Did that finding surprise you?
Grossman: The Ransomware Task Force's first report, in 2021, broke things down into deterrence, disruption, preparation and response. Disruption has always been a really key linchpin in thinking about ransomware as a whole, right? There's a lot that we still need to do on preparation and response, but especially when we're looking at most ransomware actors in Russia, the deterrence capabilities that we have right now are not the most robust.
So really thinking about getting beyond just those tactical disruptions and thinking more strategically about breaking down the entire lifecycle of ransomware actors - not just the extortion, but all the ways that they're mixing and laundering funds to get through a lot of different systems, so that they're able to recoup gains, and then also the money that they're investing in infrastructure to be able to continue to perpetrate these attacks. Unfortunately - and I won't speak for Trey - I wasn't surprised to see that we're really seeing a lot of tactical-level, shorter-term disruption.
Unfortunately, a lot of these groups are dispersed enough and have enough different actors that they're able to rebrand and regroup fairly quickly. The one piece that's been helpful is when we're able to discredit a group as well. So we can talk a little bit about the LockBit disruptions that happened through Operation Cronos this year. Of course, we didn't really talk about that in the map because we really wanted to look at 2023. But I think there is, potentially, some optimism in the community of researchers that that could have a longer-term effect, because there was a lot of discrediting of LockBit as this ransomware service that people could really go to. So that's one piece, and the other piece is, again, really just getting enough information, coordinating with enough law enforcement agencies that they're able to dismantle not just those initial extortions, but again, the infrastructure that groups are using to be able to build up and then extort new victims.
Schwartz: Not to put you on the spot, Trey, but were you surprised, in terms of disruptions? They don't seem to have derailed a lot of these activities. As Taylor said, a lot of these groups just seem to rebrand and carry on.
Smith: Yeah, I think it's important to contextualize what disruption means in the context of the data that we got from eCrime. Generally, I think when law enforcement takes a disruptive action, it may not necessarily show in the context of the activity that we track through eCrime. It could manifest in other ways, such as affiliates shifting underground, or maybe payments decrease, which may correspond to a decrease in activity, but not necessarily a decrease in ransomware attacks.
So there are some caveats when it comes to disruption, and I think we noted that in the report, where we were not necessarily seeing strong dips that could directly tie to a disruption, especially if we don't have the timeline, which is what makes Operation Cronos so interesting. We can investigate that next year, now that we have a general sense of when that happened. But it's important to realize that when we look at the data set that we have now, it may not necessarily show any disruption on its face. But that doesn't necessarily mean that there couldn't be some other avenues that law enforcement may be pursuing, something that may not be as publicly accessible or searchable - such as the data leak site - that could potentially be having an impact on ransomware operations. Again, with Operation Cronos and how much information we know about that, it'll make something interesting for us to investigate in 2024.
Schwartz: Way to preview the next report, Trey. That sounds really, really good; I'm looking forward to that. So, Taylor, you mentioned discrediting ransomware groups, and one of the things that was fascinating for me with the LockBit disruption was the extent to which it has involved law enforcement trolling the bad guys.
Grossman: That's one of the biggest law enforcement operations that I've been looking into with a couple of other researchers. Trey and I both are definitely watching it really closely. Again, we already are getting a lot of interesting data, but we wanted to wait - and I think we were proved right by the fact that there was more law enforcement activity just last week in this continuing Operation Cronos.
Also, you do see some of the U.K. National Crime Agency's particular flavor of doing this come through, in terms of actually taking down websites and then putting up ransomware remediation tools. There is something about that that I think is a powerful signal about what law enforcement's doing, and also how aware law enforcement is of the problem and what's needed - just on the point about disruption in general.
One of the things that the RTF has been working on for years, and that we really care about, and I think the good news story is - again, looking at the data can make you pessimistic - but there has been this huge shift in thinking about ransomware, not just as a cybercrime issue, but as a national security issue, and that means that we're putting in more resources. We just had the Counter Ransomware Initiative meeting in D.C. last week with over 68 countries coming together to talk about this issue. So the prioritization of this has increased, and it's not just thinking about this as run-of-the-mill crime that we're trying to snuff out, whack-a-mole style, but really getting at the source and thinking about this as a real problem for countries and for populations.
Schwartz: Excellent. It's always nice to hear some optimism from people who have been tracking ransomware. Now you've mentioned some of the collaborative efforts that are happening to try to combat ransomware, and I know that the Ransomware Task Force has put out a number of recommendations, I think about 48, some of which have now come to pass. So we don't have time to go into all the recommendations and the status of them. But are there any favorites that you have or things that you think we should be doubling down on?
Grossman: When it comes particularly to disruption, the collaboration between different law enforcement agencies and countries is really important. That's something that we've worked a lot on, and Trey runs our working group on the payment ecosystem, and we've done a lot of work with former colleagues and others, basically just mapping the different ways that money goes from a victim all the way through all these different mixers and cryptocurrency exchanges and gets to ransomware actors, which gets into the infrastructure resourcing phase, and then goes through the cycle all over again.
Many different law enforcement agencies see different pieces of that, and there hasn't always been a coordinated approach of actually bringing that information together and making it as powerful as possible. So you have Europol and Eurojust seeing certain things. You have different national police forces seeing certain things. You have the FBI and Secret Service seeing different things.
We've really been working on pointing out some of those pinch points of where information is not getting through to the right folks, and also trying to put them together. You also have a lot of incident response firms that are seeing different pieces of the puzzle, and actually bringing those together too is super important, because in a lot of cases, we have a lot of the information we need. We're just not coordinating well enough to get that in one place where we can not just take action, but take swift, timely and effective and efficient action. I don't know, Trey, if as the resident payment ecosystem expert, there's anything you want to add on that?
Smith: I think the first step to tackling the problem is understanding it. That is the core of the payment map research that we've been doing. Ultimately, we want to have a bird's-eye view of exactly what's happening in the ransomware ecosystem - from attack, to the resourcing phase post-payment, and how that feeds back into this vicious cycle that is the ransomware-as-a-service ecosystem. Our next step of research is ultimately figuring out ways to disrupt that tactically, which we can ideally entrust to partners at law enforcement to execute. So the payment map research is particularly fruitful.
My personal favorite recommendation is 3.1.1, which talks about establishing a framework for ransomware recovery, which segues really well into the IST Blueprint for Ransomware Defense, a set of 40 recommendations geared specifically towards small and medium enterprises to help them tackle ransomware and ultimately improve their cyber hygiene. It's a completely free resource on the IST website; we have accompanying resources, such as our quick-start guide, which can help people who aren't necessarily as technically apt at understanding a lot of the controls in the blueprint, as well as our tooling guide, which has over 100 free and reduced-cost resources to help implement some of the recommendations that we have. So it has a great place in my heart. I think preparing naturally is the best way to avoid putting yourself in a situation where you may need to consider ransomware payments, and the blueprint does a really good job of helping you avoid that altogether.
Schwartz: Fantastic. I do keep hearing from ransomware incident response firms that SMBs are bearing the brunt of a lot of these attacks. So this is great advice. Hopefully, if you prepare, you'll never have to worry about maybe having to think about paying a ransom.
Smith: Yeah. And I think 99% of the businesses in America are small businesses. It's important to contextualize when we provide resources, to remember the audience that we're providing it to. Your average small business owner isn't thinking about security controls and firewalls and configurations - the things that, ultimately, threat actors will use, that lack of knowledge, to execute a ransomware attack. The resource that we provide helps to close that gap.
Grossman: One of the pieces of big-game hunting that's so pernicious is that it's not just targeting big companies. It's targeting the infrastructure that a lot of companies, including smaller companies, use. Obviously, the sorts of high-profile attacks like you saw against Change Healthcare - which had a huge incident that we've all followed - and at a few casinos last year, for example, those tend to get flashy headlines. But something like the MOVEit file transfer service was used by so many companies, big and small, and that entry point is going to affect $100 million companies, but also your small and medium businesses.
Schwartz: That's a great point about how one discrete attack can cause so much disruption and fallout. Well, even so, it's always good to touch base with people who've been keeping a close eye on ransomware and who still retain a sense of optimism and hope about the state of current efforts and where we're going. So thank you, Taylor and Trey, very much for your time and your insights today.
Grossman: Thank you so much for taking the time. It's great to speak with you.
Schwartz: Thank you. I've been speaking with Trey Smith and Taylor Grossman of IST and its Ransomware Task Force. I'm Mathew Schwartz with ISMG. Thanks for joining us.