Neodymium Phish Random CTI Thoughts

Should We Outlaw Ransom Payments?

Over the past couple of months, I’ve observed or taken part in multiple discussions about whether to ban ransom payments for data extortion. Discussions like these, including one started by @ImposeCost earlier this week, are always important. In particular, many people get locked into a frame of reference that ignores the realities faced by other organizations. Some companies are too small to recognize the value or necessity of Incident Response planning until after they’ve been targeted. Some assume their MSSP is positioned to completely prevent these types of attacks, despite a lack of coverage on legacy hardware or other potential gaps.

What Are They Paying For?

In reality, the takedown against LockBit taught us a few key points that all professionals involved in IR engagements need to consider and remind victims of. First, we now know that these threat actors aren’t being truthful about the protection of victim data. LockBit maintained copies of data from numerous victims who paid the ransom, despite promising that the exfiltrated data would be deleted. We also know that plenty of victim details are retained by these threat actors after the fact, which could lead affiliates to target previously-responsive victims again through their affiliate relationships with other Ransomware-as-a-Service groups.

So, really, all most victims can rely on is the decryption tool, assuming that it works as expected against servers and workstations in their environment.

Banning Ransom Payments?

There is potential value in banning ransom payments at a state or national level. Ransomware groups are only interested in conducting offensive operations to earn money. The biggest revenue source for these groups is the payments made by victims in exchange for the decryption tool and the deletion of sensitive corporate, employee, or customer data. If a government ban is imposed on these payments, ransomware groups are likely to lose the vast majority of this revenue source.

But what if a victim has no choice but to pay for the decryption tool?

To me, this is probably the most important question. Whether a ban is in place or not, there will be organizations with no choice but to pay for decryption or lose everything. Because there’s going to be a demand for decryption, there will be individuals or groups available to fill that demand. In my mind, the simplest example will be third-party groups claiming to be capable of building single-use decryption software, who actually just negotiate and pay the ransomware group on the victim’s behalf, taking the decryption tool back to their client and claiming it is a custom-built tool.

We’ve already seen similar actions taken by recovery and IR firms before, with groups reaching out via the victim chat link over Tor and negotiating, then providing a price to their client that’s significantly higher than the ransomware group’s demand. An important factor here is that the third-party group would likely have to remain vague about their methodology for creating the decryption tool, and would have to operate from a country that does not prohibit paying a ransomware group’s demands.

Is Banning Ransoms Enough?

Obviously, this potential for third-party groups to pop up offering decryption capabilities assumes that ransomware operations are still ongoing against victims in countries with bans in place. Why would ransom operations be continuing against victims who are prohibited from paying?

This depends on whether the outcomes of ransomware encryption are still favorable to the ransomware operators, and whether the victims are being intentionally targeted.

Favorable Outcomes

By favorable outcomes, I mean other benefits these ransomware groups get from victimizing an organization besides payment of the ransom.

  • These groups steal data in most cases, so maybe they shift their operations to attempt to collect more valuable information from their victims, leading to data that other entities are more willing to pay for.
  • They could continue to hit high-visibility organizations for the notoriety and to attempt to pressure those governments into making exceptions to their policy, resulting in payments.
  • Foreign government entities and their proxies could pay various ransomware actors to target key organizations to exfiltrate important data and impact operations without a direct tie to any nation-state.

Unintentional Targeting

With mass exploitation campaigns, like Clop’s attacks against MOVEit, and recent attacks from multiple groups against Ivanti Connect Secure and ConnectWise ScreenConnect, we’ve seen that many attacks are conducted with little or no care for the nature of their victims. Groups observe a method of mass exploitation and execute it as quickly as possible, then turn back to see which victims they’ve hit and attempt to squeeze value out of the most important targets after the fact. These attacks, while possibly not intentionally aimed at victims in countries with payment bans in place, would still occur, leading to disastrous effects for those victims with no means to recover.

There are Good Arguments for the Bans

I’m not saying all of this because I disagree with banning ransomware payments. Personally, I think CISA and other government entities could do a lot more to provide direct guidance on how to protect against both the execution of ransomware against sensitive networks and the effects of ransomware executed against these victims. The #StopRansomware program includes great advice and up-to-date information about the latest ransomware threats. Their Cyber Hygiene Services provide free scanning of government and critical infrastructure organizations to help identify risks relevant to ransomware engagements. Imposing regulatory requirements for data protection, and prohibiting payments to ransomware actors (particularly when the victim organization did not comply with the relevant portions of those regulations), can set reasonable expectations across industries and help remove the need for ransom payments at all.

Organizations should make every effort to avoid payment of these ransoms. They need to consider the limited value ransomware groups get from holding the exfiltrated data, and remember that the group holds that data regardless of whether the victim pays. The only value payment provides is that the ransomware group is more likely to keep the data off of their leak site, but with the proliferation of ransomware across all industries, the stigma of being hit by ransomware is far less meaningful than it used to be.

In Conclusion

I need to figure out how to write my blog in a more interesting way… I feel like that was pretty boring, but I can’t distill thoughts down to 280 characters like so many of the thought leaders in this space. Hit me up on X with additional thoughts or feedback!

What Happens After LockBit?

Operation Cronos

A lot’s already been said about Operation Cronos and the actions taken against LockBit. SANS even jumped on pretty quickly to talk about the disruption and review the details posted by the Cronos Task Force shortly after the takedown went into full effect.

I want to talk about what happens next. What should we expect to see from LockBitSupp as he tries to recoup his significant losses ($100 Million+, ouch!)? Most importantly, how are other groups going to change or spawn as the debris settles?

First, Let’s Discuss the Future of LockBit.

As a Ransomware-as-a-Service group, LockBit was trusted by its affiliates to keep their information anonymous. Most of them likely expected that their information wouldn’t be retained any longer than necessary to keep them set up as affiliates. Operation Cronos made clear that a good deal of information is stored by RaaS operators, hopefully leading to further arrests of these affiliates. This has the potential to severely hamstring LockBit’s ability to recruit future affiliates.

LockBitSupp has already brought site backups back online, with multiple new victims listed. This definitely suggests some effort to either restore his image or recoup some of his lost funds from the seizures. More concerning is the lack of rules applied against affiliates now, allowing for targeting of critical infrastructure, hospitals, and government entities.

How Traditional RaaS Might Change

The real danger is in the level of OpSec future groups gain from watching Operation Cronos take place. We saw that LockBit maintained copious records about affiliate performance. Other RaaS groups may decide to anonymize or delete this data entirely. LockBitSupp staged his Bitcoin wallets in ways that made them accessible to law enforcement after they took control of his infrastructure. Other groups are more likely to direct their funds to cold storage or offsite addresses to disconnect them from their RaaS infrastructure as much as possible. Without a doubt, other groups are going to ensure they have solid backups, so they can easily recreate their infrastructure in case they’re ever hit by a Cronos-level takedown.

What Will “Non-Traditional” RaaS Look Like?

One potential change I’ve been mulling over for a while now involves the fact that RaaS groups operate the infrastructure for coordinating negotiations and payment, providing the “negotiation room” for affiliates and victims to interact. While the centralized site and list of past victims adds validity to their operations, this infrastructure puts these groups at a higher risk of capture. I predict that we may see a new form of RaaS operators who focus on creating single-use encryption/decryption executable pairs, intended for single engagements. Through this “license model,” an affiliate buys the single-use package, encrypts the victim’s network, exfiltrates data, etc. Future implementations of the tool may even come with a single-use VM designed to manage the victim chat over Tor.

Why Might This Model Make Sense?

It protects the RaaS operator in that they are not directly connected to the criminal activity. Technically, an argument could be made that they did nothing illegal, although there’s little chance that the argument would hold in court. With the VMs and their management of the encryption software, they can leave a trace indicating the name of the encryption software, which could help add validity to the affiliates’ claims that the decryptor they provide upon payment will work on the data they’ve encrypted. The only unknown becomes whether you can trust the affiliate. This is where the RaaS operator adds additional protections and value against bad affiliates by offering a submission page for victims to claim they were cheated, where they can provide the code/marker left behind by their encryption software and proof that the affiliate didn’t hold up their end of the bargain. RaaS operators could ban the affiliate, provide a decryption key to the victim, or maybe develop some additional processes to handle situations like these in order to further establish themselves as a valid Ransomware organization.

There are real issues with all of these possibilities, to be sure. For example, maintaining any records of which affiliates purchase which encryption/decryption pairs poses a risk if their infrastructure is ever infiltrated, as with LockBit. A more careful group might allow anyone, including law enforcement and ransomware researchers, to buy an encryption/decryption pair, trusting that their software is strong enough to withstand reverse engineering efforts or other circumvention techniques. This spares them from having to vet or interact with affiliates. They may also decide to piecemeal their offerings, demanding extra payments for ESXi or other non-Windows encryptors.

We Have to Plan Accordingly

I’m not posting these thoughts to help button up Ransomware operations; I want us to be prepared and to think about these things with the mindset of a financially-motivated cyber criminal. I don’t know what the best path forward would be if my “licensing model” takes off among Ransomware groups. One reason we might not see this come to fruition is if affiliates aren’t willing to pay so much up front for the encryptor/decryptor pair, for example. But it’s important to think about how the landscape might shift and start to develop plans for if and when it does. As researchers, we’re in the comfortable position of making educated guesses and seeing what happens from there. No matter how Ransomware changes, the usual recommendations always apply: know what data is most important, both in terms of exposure to the public or malicious actors and in terms of loss of access; have reliable and regular backups; and have a response and disaster recovery plan.

Thoughts and Ideas Welcome

I’d love to continue discussion on this topic. Please reach out on X!