
Q&A: Kimberly Goody

_The DarkSide ransomware attack on the Colonial Pipeline focused quite a bit of attention on that group and on the ransomware-as-a-service model in general. The model isn't new, but it has become a dominant force in the cybercrime underground. Dennis Fisher spoke with Kimberly Goody of FireEye's cyber crime analysis team on a podcast this week about the RaaS model and what can be done to disrupt it._

Dennis Fisher: Where did ransomware as a service emerge from and why has it become such a big deal recently?

Kimberly Goody: Well, ransomware as a service, as I'm sure many people who have been following this space for a while know, didn't just pop up overnight. This has been something that's been brewing over the last many years. So even going back to 2015 is really when we started seeing a spike in ransomware as a service offerings in underground communities. But what we had throughout time is we had an evolution in the way the actors were deploying ransomware, which meant that ransomware itself became a more significant threat. And what I mean by the way in which actors were deploying the ransomware was that they weren't deploying it as an initial payload anymore. They were deploying something else first, like a backdoor, or they were gaining access to organizations' systems through internet-facing systems or exploiting some sort of vulnerability, and then moving laterally throughout the network, escalating privileges and then eventually deploying ransomware.

But in general, ransomware as a service and how it really works is that actors are providing the ransomware, which they are typically advertising through some sort of underground forum. They also typically provide, as part of that service, some sort of administration panel support. In more recent cases, we see these actors also providing this public blog or the shaming website. And if you are an affiliate, you partner with that particular actor and you split the percentages whenever you have a successful payout. And so really the affiliates are who are in charge of actually distributing the ransomware, and that allows for some specialization within this ecosystem and more efficient operations.

Dennis Fisher: That specialization part is interesting to me, and it's happened in a pretty short amount of time. You mentioned 2015 is kind of the ransomware as a service emergence point. That's six years ago, but it's not really that long ago and now look where we are, where we've got literally professional organizations doing this and making millions and millions of dollars.

Kimberly Goody: The business operations are really interesting for these groups. And I think really what has changed a lot is the outsourcing of specific components of the attack. So you will have somebody who is specializing in gaining that initial access to an organization, potentially another team who is actually deploying the ransomware, and then that third party who is actually providing that ransomware for deployment. And what we've seen, to your point here, is in recent years we've seen a lot more actors seeking partnerships in underground communities, so finding somebody who can provide initial access to an organization so that they can deploy ransomware on that particular target. And you see that for ransomware that isn't even advertised on forums as ransomware as a service. So you'll often see advertisements on these forums that say, we are looking for initial access providers.

And then if that actor is engaged, they might say or explain that they want that initial access so that they can deploy X, Y, or Z ransomware on that victim's network. And the same thing with the people who are deploying the ransomware, or vice versa; I guess the same can be said for those who have initial access, that they might say we have access to these organizations, and we also partner with this affiliate, but we don't necessarily have the skills to deploy the ransomware. And so they're looking for people with more of that pen testing skill set.

Dennis Fisher: One of the things that strikes me about this evolution is that ransomware started out as kind of like a haphazard threat that was sent out in spam emails. And then really quickly, the ransomware groups were like, wait a second. Why don't we just start going after enterprises? That's where the money is. I'm wondering where the natural end point for this is.


Kimberly Goody: So last year I remember doing a panel and I said, I really hope that this is the worst that it can get, but I knew that it was definitely not there, because naturally, as you do something over and over again, you get better at it. And the same thing can be said for these attackers. And we had seen indications of some actors who were setting up things that looked a lot like mentorship programs, where they were essentially training the next generation. And so when I was seeing things like that, I knew this was definitely not the worst that it could get, but I was trying to be a little bit optimistic about it. The thing that is interesting, that has actually happened over the last couple of days, is that there have been several forums that have actually now said that they are no longer going to allow ransomware to be advertised on their forums. And I find that to be a really interesting development. I don't think that that means that ransomware by any sense is going to go away. However, not being able to say, hey, we have this ransomware as a service may preclude some actors who don't have existing partnerships from being able to easily find people who have developers somewhere that they can partner with. And so there might be some limited impact as a result of that in the near future.

Dennis Fisher: I have been following that and it's really interesting to me because as soon as the Colonial Pipeline attack hit, it obviously got the attention of the White House right away. Obviously the criminal groups are following this too. So they look at this as putting unnecessary attention on our businesses. We don't need this. Do you believe that? Do you anticipate that actually lasting or do you feel like this is just temporary?

Kimberly Goody: That's a great question. We've seen not just the fact that some forums are no longer allowing ransomware to be advertised, but we've also seen some ransomware as a service offerings, prior to them being taken offline, state that they were going to kind of change the approval process for the victims that the ransomware would be deployed on. And that was kind of a code of conduct, or like a code of ethics, that some ransomware as a service offerings already did have, for example not targeting hospitals or government or nonprofit organizations or education organizations. And presumably the reason for that is that they want to decrease the likelihood that they are going to come across law enforcement's radar. I mean, the fact of the matter is, if you target a hospital versus some Fortune 500 corporation, law enforcement might care a little bit more.

And so they obviously have a lot of criminal cases and actors that they have to look at. And so they do need some sort of way to prioritize who they're focusing their efforts on as well. And so I think that what we might see more of, in the short to medium or longer term, is just limiting the specific sectors that ransomware will be deployed on by some ransomware services. And I say some because, while there are some actors who have stated we will not allow targeting of hospitals, I've also seen the opposite, where I've seen a few actors who say we want to target hospitals and we are specifically looking for hospital targets. And so really you have a difference in kind of the morals or the ethics that some of these groups employ as well.

Dennis Fisher: I've spoken to plenty of analysts who say, in general, we know who these groups are; there just isn't a way to get to them, really. I wonder if the international cooperation part of it will improve anytime soon. Do you have any hope on that front for getting any more help from some of the international law enforcement?

Kimberly Goody: I will say that there are several actors that are part of these major groups that we and other researchers have been able to identify. And it always comes back to, it is a country that we do not have an extradition treaty with, or that country has within their constitution something that precludes them from being able to extradite their own citizens. In those particular cases, one way of working with those countries might be, if the act or the crime that has occurred is illegal within that country, we might be able to work with that country to have them prosecuted in their country. And that's not a perfect situation or probably ideal. But it is at least some recourse or some action that we can take against those offenders. My main concern is that when it comes to a country like Russia, which typically hasn't played ball when it comes to cyber crime cases with us or Western law enforcement entities, what do we do there? And I think that's why you see some of these groups that do target hospitals, because they don't have fear and they don't necessarily have many risks unless they decide that they leave and want to go on vacation somewhere. They feel very protected as long as they stay within the confines of Russia.

Dennis Fisher: I've had conversations with other IR folks and people that get asked all the time, do we pay, or do we not pay? Do you guys get involved in that? Do you give advice, or do you just kind of say, look, here are the facts?

Kimberly Goody: So we don't typically prescribe what an organization should or should not do. What we will do is explain the pros and cons. There are obviously a lot of cons to paying. So some of the things that we always touch on are the fact that, well, if you're paying for your data not to be released online, because that is a very common tactic also employed alongside ransomware deployments, the theft of data, if you're paying for that information not to be released, you don't have a guarantee that the attacker is going to delete that data, or that they aren't going to come back to you later and re-extort you. The same thing with targeting of victims. I have seen actors say, we are going to retarget this organization that they had already previously targeted with a ransomware attack. Why are they doing that? Presumably because that organization has paid them in the past. And so, by paying, you are not only incentivizing them to continue ransomware operations more broadly, but you are potentially incentivizing them to reinfect your organization at a later date, maybe with a different ransomware. It's not like they are going to forget that you paid them. And so, from my perspective, my personal take is I don't advocate for paying ransoms. But there are obviously certain situations where organizations might not have another option available to them, or they might be providing some sort of critical service that they need to be able to get back online.