Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/7/2019
02:00 PM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Big E-Crime Pivot

Criminals have begun to recognize that enterprise ransomware offers tremendous financial advantage over the more traditional tactics of wire fraud and account takeover.

The concept of "the pivot" is well-understood by entrepreneurs, who often set out to build a business or technology and realize they need to shift their strategies. Visually, one foot remains firmly in place while the other turns to reorient the rest of the body. Typically, they don't throw everything out the window and start over. Rather, they reimagine the way they can use the tools at their disposal.

The same can be said about today's sophisticated e-criminals, who are increasingly pivoting and reusing their existing technology for new ways to generate revenue.

For example, malware-as-a-service has been a prominent component of the e-crime ecosystem for the past decade. Criminals built specialized platforms for large-scale credential theft. Malware distributed this way — with names like Dridex, Trickbot, and BokBot — has long been optimized to steal account information using webinjects. That is how it inserts itself into a browser, downloads and installs other malware/tools, captures screens or memory buffers filled with sensitive information, and, in recent years, even steals cryptocurrency wallets.  

The e-criminals behind these malware platforms also built relationships with other e-criminals who specialize in spam, pay-per-install, and exploit kit development to optimize distribution. When your bread and butter is to steal credentials, the name of the game is to get your malware out as far and wide as effectively as possible. Pushdo, Smoke, and Emotet have emerged as some of the malware families/actors that specialize in getting payloads delivered to the would-be victim machines. CrowdStrike has observed the symbiotic relationships between these e-criminals for quite some time, and it has shaped our model of the e-crime ecosystem.

But in recent months, e-criminals have begun to recognize that enterprise ransomware – what we call "big-game hunting" – offers tremendous financial advantage over the more traditional e-crime tactics of wire fraud and account takeover. (We touch on this trend in the "2019 CrowdStrike Global Threat Report.")

This realization is, in part, due to the evolving cat-and-mouse game between the adversary and security practitioner; as new countermeasures are deployed to mitigate wire fraud or account takeover the cost/benefit calculus changes. Another factor is that the competitive landscape for e-criminals conducting these types of attacks has become more crowded. In general, adversaries across the entire spectrum of threat actors prefer to take the path of least resistance, rather than work harder and work smarter.

In short, margins for threat actors conducting wire fraud and account takeover have become tighter. In need of a new way to increase revenue, they are pivoting.

The first indication of the shift to ransomware can be traced back to summer 2017, when INDRIK SPIDER, the adversary CrowdStrike associates with Dridex development, began to deploy BitPaymer in enterprisewide ransomware directed against the healthcare sector. (CrowdStrike Intelligence uses the naming scheme SPIDER to describe e-crime actors.) Approximately one year later, GRIM SPIDER emerged deploying the Ryuk ransomware, a derivative of the Hermes ransomware against a variety of verticals, including financial, government, healthcare, hospitality, legal, and retail.

In March of this year, we reported on a change of tactics by PINCHY SPIDER, the actor behind the GandCrab ransomware that emerged in early 2018 with a partnership program offering a split of the profits to actors who utilized its ransomware to conduct extortion. Also this year, LockerGoga emerged as another enterprise ransomware that was employed against manufacturing and industrial companies, demanding high-dollar ransom amounts.  

Big-game hunting attacks typically begin with deployment of banking Trojans or through a compromise of an external-facing system. Adversaries seeking to deploy ransomware across the enterprise move laterally, escalate privileges, and deploy their payloads. CrowdStrike's 1-10-60 rule is one organizations should strive to achieve: It means aiming to detect an intrusion in under a minute, performing a full investigation in under 10 minutes, and eradicating the adversary from the environment in under an hour.  

The writing is on the wall for e-criminals: There is big money in big-game hunting, and it is disrupting businesses across the globe. Paying the ransom doesn't necessarily resolve the problem either. It is more important than ever that organizations and agencies have the right people, processes, technology, and intelligence to stay ahead of these threats.

Related Articles:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17223
PUBLISHED: 2019-10-15
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...