Ransomware evolves from side hustle to main gig
- By Derek B. Johnson
- Mar 04, 2020
It will come as no surprise to government IT managers that the number of ransomware attacks is growing, especially among local governments and school districts – entities often least equipped to protect or defend themselves, according to the latest version of CrowdStrike’s annual global threat report.
Starting in spring 2019, municipalities and local governments became popular targets as attackers succeeded in squeezing payments out of more than a handful of cities. By summer, criminals turned ransomware on public school systems in the U.S., with attacks building during the back-to-school season and continuing intermittently through the end of the year, the report said.
Previously, hacking groups would tack on a ransomware component to other attacks in the hopes of squeezing out a few hundred dollars in profit, but now they increasingly see ransomware as a main attack vector to steal data, make big money and take advantage of "the operational necessity to be up and running," CrowdStrike’s Vice President of Threat Intelligence Adam Meyers said.
"If you look at the history of how ransomware evolved, a few years ago it was a side hustle," he said. "What it shows is that threat actors realize they were squandering opportunities with one-off attacks, now they've figured out how to make the most of these activities."
Some criminals use their ransomware payments to finance attacks on additional governments and businesses, while others offer ransomware-as-a-service, taking a share of profits collected by affiliates. In 2019, enterprise-scale ransomware operations had the biggest payoff for attackers who demanded ransoms reaching into the millions, the report said.
Additionally, CrowdStrike said it is looking into possible collaboration between “sophisticated e-Crime adversaries and state-sponsored targeted intrusions, with initial evidence suggesting some tool overlaps and/or cooperation with intelligence services in DPRK and Russia.”
State-sponsored cyber intrusions were primarily motivated by intelligence gathering and espionage, according to CrowdStrike, which found Advanced Persistent Threat groups heavily targeting governments and military sectors as well as their defense industrial base of contractors.
Chinese-aligned groups focused on the telecommunications sector in particular, which CrowdStrike said it believes could support both signals intelligence and upstream surveillance activities. Hacking groups tied to China tended to use open source tools and tactics in an effort to mask and cover their tracks.
Attackers with ties to Iran spent much of their time targeting the defense and government sectors in the U.S. and elsewhere, and the firm said it tracked a noticeable shift in emphasis to the United States around the same time as the 2019 Gulf of Oman incident, when three oil tankers and a bunkering ship were damaged with explosives, with U.S. officials blaming Iran.
Defense contractors also came into the crosshairs of groups tied to Tehran that created spoofed job postings to catch individuals who might hold sensitive military secrets.
"What we've observed is them actively targeting defense industrial base, members of the military who are moving into civilian jobs, and using that transitional point to target individuals, get access to individuals and pivot into their networks," Meyers said.
Agencies like CISA have expressed concern about the potential for ransomware and other attacks to target voter registration systems or jam up the IT systems of local governments ahead of Election Day. However, Meyers said his firm has yet to observe activity or evidence to indicate these concerns are anything more than hypothetical at this point. Instead, he said he believes the easiest way to undermine a U.S. election is through disinformation.
"What I've been saying since 2016 is that the most effective way to attack an election is to make people question the results," Meyers said. "We're seeing a lot more tension there, and a threat actor can effectively leverage that … with an influence operation to cause them to question the process. That's the most concerning thing for me."
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.