Decipher Security Podcast

Kimberly Goody

May 18, 2021 Decipher Episode 82

Dennis Fisher talks with Kimberly Goody from FireEye's cybercrime analysis team about the DarkSide ransomware operation, the emergence of the ransomware-as-a-service model, and what might be next for these groups. 

Speaker 1:

[inaudible]

Speaker 2:

Welcome to the Decipher podcast. My guest today is Kimberly Goody from FireEye, and Kimberly works on the criminal analysis team. So I imagine you've had a pretty busy couple of weeks. Kimberly, how are you feeling right now?

Speaker 3:

Yeah, I'm feeling pretty good. I'm definitely a little bit tired from the last week, week and a half. But other than that, I'm doing well.

Speaker 2:

Yeah, it's been a pretty wild couple of weeks here. I mean, there have been so many incidents it's hard to keep track of them all, but I wanted to talk to you specifically about this emerging ransomware-as-a-service model. I think it's been around for a while, but a lot of people probably became familiar with it recently with the DarkSide group and the attack on Colonial Pipeline. How did we get here? Where did ransomware as a service emerge from, and why has it become such a big deal recently?

Speaker 3:

Well, ransomware as a service, as I'm sure many people who have been following this space for a while know, didn't just pop up overnight. This is something that's been brewing over the last many years. Going back to 2015 is really when we started seeing a spike in ransomware-as-a-service offerings in underground communities. But what we had throughout that time was an evolution in the way the actors were deploying ransomware, which meant that ransomware itself became a more significant threat. What I mean by the way in which actors were deploying the ransomware is that they weren't deploying it as an initial payload anymore. They were deploying something else first, like a backdoor, or they were gaining access to organizations' systems through internet-facing systems or exploiting some sort of vulnerability, and then moving laterally throughout the network, escalating privileges, and then eventually deploying ransomware. But instead of to just one particular machine, that initial machine that they might have impacted, they're able to deploy it across the network to hundreds or thousands of machines, depending on how big a company they are impacting or infecting at that time. And so what that means is that these ransomware attacks have a much more significant impact on the organizations that they are infecting. And because of that, that's why you're seeing a lot of attention on ransomware in the news. So ransomware itself is not a new concept, but the way in which attackers have been deploying it has evolved. But in general, going back to your question, ransomware as a service and how it really works is that actors are providing the ransomware, which they are typically advertising through some sort of underground forum.
They also typically provide, as part of that service, some sort of administration panel and support. In more recent cases, we see these actors also providing this public blog or shaming website. And if you are an affiliate, you partner with that particular actor and you split the percentages whenever you have a successful payout. So really the affiliates are who are in charge of actually distributing the ransomware, and that allows for some specialization within this ecosystem and more efficient operations.

Speaker 2:

Yeah. The specialization part is interesting to me, that division of labor where you have people that might be exploiting vulnerabilities, say an Exchange bug or something like that, gaining the initial access into a target network, and then maybe selling that access to one of those affiliates, or to the DarkSide group or another ransomware gang, that then kind of doles it out. A lot of these, they have this kind of integration in this business model, which is kind of impressive on one level, and also definitely terrifying that they've come to this evolutionary point where they've got this all down so well that they can do all of this really efficiently. And it's happened in a pretty short amount of time. I mean, you mentioned 2015 as the ransomware-as-a-service emergence point. That's six years ago, but it's not really that long ago, and now look where we are, where we've got literally professional organizations doing this and making millions and millions of dollars.

Speaker 3:

Yeah. The business operations are really interesting for these groups. And I think really what has changed a lot is the outsourcing of specific components of the attack. So you will have somebody who is specializing in gaining that initial access to an organization, potentially another team who is actually deploying the ransomware, and then that third party who is actually providing that ransomware for deployment. And what we've seen too, to your point here, is that in recent years we've seen a lot more actors seeking partnerships in underground communities, so finding somebody who can provide initial access to an organization so that they can deploy ransomware on that particular target. And you see that for ransomware that isn't even advertised on forums as ransomware as a service. So you'll often see advertisements on these forums that say, we are looking for initial access providers. And then if that actor is engaged, they might say or explain that they want that initial access so that they can deploy X, Y, or Z ransomware on that victim's network. And the same thing is with the people who are deploying the ransomware, or vice versa, I guess. The same can be said for those who have initial access: they might say, we have access to these organizations, and we also partner with this affiliate, but we don't necessarily have the skills to deploy the ransomware. And so they're looking for people with more of that pen testing skill set.

Speaker 2:

Okay. Yeah. That all makes sense. One of the things that strikes me about this evolution is that ransomware started out as kind of a haphazard threat that was sent out in spam emails and that kind of stuff, or drive-by downloads. And for a little while it was mainly a consumer problem, where people's personal laptops would get encrypted and the ransoms were super low, you're talking about like 50 or a hundred dollars back then. And then really quickly, the ransomware groups were like, wait a second, why don't we just start going after enterprises? That's where the money is. If I lose my Google Photos, that's a problem. But if a large hospital loses access to its patient database, that's a much bigger problem. So they're more incentivized to pay than I might be. And so now it's turned into not just a criminal enterprise, but one like you just described, where you have people out there actively soliciting, like, I've got this ransomware, I need somewhere to put it. I'm wondering where the natural end point for this is, if there is one. I wonder if we're close to it, where we've gotten as deep into this as we can get, as bad as it can get.

Speaker 3:

Yeah. So last year I remember doing a panel and I said, I really hope that this is the worst that it can get, but I knew that it was definitely not there, because naturally, as you do something over and over again, you get better at it. And the same thing can be said for these attackers. And we had seen indications of some actors who were setting up things that looked a lot like mentorship programs, where they were essentially training the next generation. And so when I was seeing things like that, I knew this was definitely not the worst that it could get, but I was trying to be a little bit optimistic about it. The thing that is interesting that has actually happened over the last couple of days, and I'm not sure if you've been following that, is that there have been several forums that have now said that they are no longer going to allow ransomware to be advertised on their forums. And I find that to be a really interesting development. I don't think that that means that ransomware by any sense is going to go away. However, not being able to say, hey, we have this ransomware as a service, may preclude some actors who don't have existing partnerships from being able to easily find people who have developers and somewhere that they can partner with. And so there might be some limited impact as a result of that in the near future.

Speaker 2:

Yeah, I have been following that, and it's really interesting to me, because as soon as the Colonial Pipeline attack hit, I was talking to a bunch of people and I was like, you know what? This seems like one of those things that obviously got the attention of the White House right away, and putting a lot of pressure on these groups seems like something that was going to happen right away from this. It's one thing when you're hitting schools and things like that, people get mad, but when gas prices go up, people get real mad, apparently. So, yeah, obviously the criminal groups are following this too. So they look at this as, this is putting unnecessary attention on our businesses, we don't need this from you guys, we're not gonna do this anymore. Like, sorry about that, but we're not going to allow ransomware here anymore. Do you believe that? Do you anticipate that actually lasting, or do you feel like this is just temporary, like we're going to pull back until the heat is off?

Speaker 3:

That's a great question. So it's not just the fact that some forums are no longer allowing ransomware to be advertised, but we've also seen some ransomware-as-a-service offerings, prior to them being taken offline, state that they were going to change the approval process, let's say, for the victims that the ransomware would be deployed on. And that was kind of a code of conduct, or a code of ethics, that some ransomware-as-a-service offerings already did have, for example not targeting hospitals or government or nonprofit organizations or education organizations. Presumably the reason for that is that they want to decrease the likelihood that they are going to come across law enforcement's radar. I mean, the fact of the matter is that if you target a hospital versus some Fortune 500 corporation, law enforcement might care a little bit more. They obviously have a lot of criminal cases and actors that they have to look at, so they do need some sort of way to prioritize who they're focusing their efforts on as well. And so I think that what we might see more of in the short to medium or longer term is just limiting the specific sectors that ransomware will be deployed on by some ransomware services. And I say some because while there are some actors who have stated we will not allow targeting of hospitals, I've also seen the opposite, where I've seen a few actors who say we want to target hospitals and we are specifically looking for hospital targets. And so really you have a difference in the morals or the ethics that some of these groups employ as well.

Speaker 2:

Yeah, I guess that just speaks to all criminal enterprise: there's a spectrum of motivations and how far people are willing to go to accomplish their goals too, and usually the goal is money on some level. That's probably always been true in these ransomware groups, but now it's just much clearer. So you have these ransomware-as-a-service groups that are like, listen, we're not going to give you the ransomware if you're going after schools, hospitals, critical infrastructure, government agencies, that kind of stuff, and others that are just like, yeah, we don't really care, we're just about the cash, you target who you want, we'll take the money. I have a feeling those groups, that can't last long. If you're going after the targets that law enforcement, as you mentioned, really cares about, the heat's just gotta keep increasing. I mean, we've seen a few takedowns in the last couple of years, and I've spoken to plenty of analysts that are like, in general, we know who these groups are, there just isn't a way to get to them really. I wonder if the international cooperation part of it will improve anytime soon. Do you have any hope on that front for getting any more help from some of the international law enforcement?

Speaker 3:

So I can't speak directly on what law enforcement has in the works or in the plans. But I will say that there are several actors that are part of these major groups that we and other researchers have been able to identify. And it always comes back to, it is a country that we do not have an extradition treaty with, or that country has something within their constitution that precludes them from being able to extradite their own citizens. In those particular cases, one way of working with those countries might be, if the act or the crime that has occurred is illegal within that country, we might be able to work with that country to have them prosecuted in their country. That's not a perfect situation, or probably ideal, but it is at least some recourse or some action that we can take against those offenders. My main concern is that when it comes to a country like Russia, who typically hasn't played ball when it comes to cybercrime cases with U.S. or Western law enforcement entities, what do we do there? And I think that's why you see some of these groups that do target hospitals, because they don't have fear and they don't necessarily have many risks unless they decide that they leave and want to go on vacation somewhere. They feel very protected as long as they stay within the confines of Russia.

Speaker 2:

Yeah, that's the biggest hurdle, it seems to me. If you have a state or states that are either ignoring this problem or actively supporting it, then it's never going away, especially when the money is still there. If people are paying the ransoms, which they are, and the risks, as you said, are very low for those actors in some of those states, then where do we break the chain? I know there are lots of different ways to look at that, and the Ransomware Task Force put out that report, which has a lot of good ideas in it, I think, and breaking the payment system is one way to do it, but that seems pretty difficult. I mean, how do you break Bitcoin? How do you disrupt that whole thing? That part of it to me is fascinating. So when a ransomware incident occurs and you guys are engaged, what is the typical life cycle like? Is there a typical time frame when you're engaged? Is it the day that somebody discovers ransomware on their systems, or is it sometimes later in the cycle, where they've kind of exhausted other options and are like, ah, we don't really know what to do?

Speaker 3:

Yeah. Typically I think it's going to be when people discover that they have been ransomed; usually they would be calling pretty immediately following that. We also have had cases where we've actually been able to proactively warn organizations that we believe they were about to have ransomware deployed on their networks, or that we believe they had been compromised by an actor who was known to provide access to other actors that deploy ransomware. And so sometimes in those cases we might be engaged earlier. The same thing, too, for organizations who might identify some sort of evidence of, let's say, a banking Trojan they've identified on their network. Well, we know today that there have been numerous cases where access that was initially obtained through some sort of banking malware has ultimately resulted in the deployment of ransomware. And so it's great when we can be engaged earlier to prevent ransomware. That's ultimately our goal, right, is to stop as many ransomware attacks as we can. But when that didn't occur or when that wasn't an option, typically we're going to be engaged once the ransomware has already been deployed.

Speaker 2:

Being able to warn them is pretty fascinating. You mentioned you might notice that they've been compromised by an actor that's known to deploy ransomware. Are there other indicators as well? Like if you see activity on a forum where a company is mentioned, or something along those lines?

Speaker 3:

Yup. So exactly, if we see something on a forum, or a post that might be interesting. They're often not going to share that victim's name right away on the advertisement, because they don't necessarily want to shout that from the rooftops, but sometimes through other sources we're able to obtain the name of that organization and then do a proactive notification. And so if it's an actor that we know has sold access and has a reputable history, and that access is likely legitimate, then that is something that we would take upon ourselves to go and proactively warn that organization.

Speaker 2:

That's gotta be a bad phone call to get on the other end of that.

Speaker 3:

And I think one of the downsides, right, of doing these notifications is that a lot of organizations don't necessarily take it seriously. There have been organizations where we've said, we think that you might soon have a ransomware problem, and they don't necessarily believe us or take it seriously. And then later they have a ransomware problem. There are also other cases where they think that you're the attacker, like, well, how would you know this information, which is a valid question, but then you have to work around that as well. And so it kind of depends on who's on the other end of the line when you call. If it's an organization you have an existing relationship with, that's usually when it leads to the best outcome.

Speaker 2:

Yeah. I was going to ask you that exact question, like, don't people ask you, how do you know this? That would be my first question, like, wait a second, why do you know that, and who are you? But the existing relationships, I'm sure in the business that you're in, especially your specialty, the relationships all matter. Right? Like that's gotta be a huge part of it.

Speaker 3:

Yeah, of course. Or finding somebody at the organization that has a role that deals with security, so that you're not just calling some random person who's answering a hotline.

Speaker 2:

Exactly. I don't know how much of this happens to you guys, but I've had conversations with other IR folks and people that had similar roles, and they get asked all the time: do we pay, or do we not pay? Do you guys get involved in that? Do you give advice, or do you just say, look, here are the facts, you're ransomed, you don't know where your backups are? Do you get asked, or do you give advice if someone asks?

Speaker 3:

So we don't typically prescribe what an organization should or should not do. What we will do is explain the pros and cons. There are obviously a lot of cons to paying. So some of the things that we always touch on are the fact that, well, if you're paying for your data not to be released online, because that is a very common tactic also employed alongside ransomware deployments, which is the theft of data, if you're paying for that information not to be released, you don't have a guarantee that the attacker is going to delete that data, that they aren't going to come back to you later and re-extort you. The same thing with the targeting of victims. I have seen actors say we are going to retarget this organization that they had already previously targeted with a ransomware attack. Why are they doing that? Presumably because that organization has paid them in the past. And so by paying you are not only incentivizing them to continue ransomware operations more broadly, but you are potentially incentivizing them to reinfect your organization at a later date, maybe with a different ransomware so it doesn't look as obvious that it's the same attackers, but it's not like they are going to forget that you paid them. And so from my perspective, my personal take is I don't advocate for paying ransoms. But there are obviously certain situations where organizations might not have another option available to them, or they might be providing some sort of critical service that they need to be able to get back online. So for example, 911 call centers, that's obviously a different calculus than if it's just some mom-and-pop grocery store, for example.

Speaker 2:

Yeah. That's the interesting part to me. Obviously how much the ransom is certainly matters too. If you're a small business and the ransom is outside of your ability to pay, then what do you do? You just burn all your systems down and hope that you have backups. And if you're a small business, that may not be the case. And even in large enterprises, it's not always the case. I'm sure you've seen those too. I've heard some pretty ugly horror stories, like you just described, with people getting reinfected two weeks after they remediated one ransomware attack and paid, and then they get reinfected again. It kind of reminds me of a blackmail scheme, where, okay, well, you have this information, you're blackmailing somebody for it. If they pay you, what's to stop you from just going back for more money? The threat is still there. If I paid you once, why wouldn't I pay you again?

Speaker 3:

Yeah, exactly. Regarding the ransomware prices in particular, one of the other interesting things that we didn't touch on earlier was that the threat actors do recognize that organizations that make more money can obviously pay more money. And so one of the things that they will typically do is a little research on the organization that they've compromised to figure out what their annual revenues are, and also what industry and geographies they are in. And we've actually seen, I think it was last year, at some point maybe in the fall, an actor who had created a tool for that purpose, to do automated lookups of companies' revenues to help make that determination. Another thing that you'll see with these groups, too, is whenever they're selling access, they'll often cite the annual revenues that would be available through a site like ZoomInfo, I believe that's the right one. And so looking at the revenues plus the industry, so if it's an industry that's known to typically pay, like for example medical centers or hospitals, then that can help them prioritize, because they often have a lot of victims and they can't deploy ransomware at every single one simultaneously. And so they're going to make choices based upon what they know about that organization and what their past experiences have been with organizations that are similar.

Speaker 2:

Yeah. How often does it happen that an organization agrees to pay and they just don't get the decryptor, or it doesn't work, or they get no results from their payment? I've certainly heard about it, but I don't know. I wonder how common it is.

Speaker 3:

I wouldn't say that that's very common at all. I think one of the aspects that you have to really think about from these actors' perspective is that if you are choosing to do that, if an organization pays you and you're not providing the decryptor, then that is also something that can work to disadvantage you in the future. Because if that comes out, then what is the incentive for anybody to pay you down the line? And so from my perspective, that's not something that we typically see. I could see that in a scenario maybe where you were using somebody else's ransomware and you didn't really have a stake in the game in that particular brand. Although in that case, I would expect probably that the owners of that particular service would file some sort of complaint against you within underground communities as well.

Speaker 2:

I'd love to see what the dispute resolution process looks like for a ransomware affiliate and a ransomware-as-a-service operator. Like, who's mediating these disputes?

Speaker 3:

Well, yeah, I mean, if they're on a forum, right, these forums have moderators and they have administrators, and those are typically the folks that are making those decisions. They hear out the case, they hear from both sides, and they make a decision, or give the party who is being accused a certain timeframe in which they have to respond. And after that they'll make a decision, and typically that's adhered to, or else they get banned from that particular underground community. So they do have ways to enforce rules and hold each other accountable within the forums as well.

Speaker 2:

Yeah. I guess they'd have to, I mean, the, the reputation part of it that you mentioned for these brands, if you want to call them that like dark side, um, matters, right. I mean, if they're known to, you know, provide the decrypter in a timely manner and it works and all that, and they're known to not go after the things they say they won't go after then, you know, that reputation matters in the underground.

Speaker 3:

Yeah. I was just going to say too, if you do have some sort of negative reputation, then other actors aren't going to work with you or want to work with you, or they're going to require that they work through escrow, for example, so that there is somebody holding payment that can be released or withheld from that person if they don't uphold their end of the bargain.

Speaker 2:

Yeah. I'm also kind of interested in the payment infrastructure part of it. I don't know how much of that you deal with, but the idea of the firms that specialize in working as the go-between between the victim and the actor, holding the Bitcoin, paying the ransom, making sure it all works. It's just such a weirdly specialized thing that sprung up just because of this ransomware problem.

Speaker 3:

So my team in particular doesn't do a lot in terms of tracking actual payments. Typically we would rely on organizations like Chainalysis to do that kind of analysis, which I honestly find very fascinating. I don't know if you've ever looked at the Chainalysis interface, but it's really cool, but it can also be a spider web of things if you don't know what you're looking at, because you can just click forever and ever. And so I think it definitely requires some level of expertise to look at those transactions and make some sense of them. I can say that in cases that we've looked at, typically actors are using certain methods to obfuscate where the funds are going or the original source of those funds. So we'll see them using things like mixers. In cases where we've been able to track back to a particular exchanger, in a recent case that we were looking at, it ended up going to what seemed to be multiple different Russian exchangers, or exchangers that appeared to be based in Russia. So for a lot of those cases, when they're using different layers of obfuscation, it can be hard to track back who specifically was actually cashing out those funds.

Speaker 2:

Yeah. The cryptocurrency part of it definitely seems like something that the administration is very focused on dealing with on some level, if you look at the executive order and some of the other statements that they've made. I'm not sure how possible that is given just the nature of cryptocurrencies. I don't know enough about it to know whether there's anything that can be done about it. That cat seems to be out of the bag.

Speaker 3:

I'm not really sure, but, yeah, at first I thought you were talking about my cat, because it's wandering around the house and jumping around, and I thought that you saw my cat behind me jumping. But yeah, I think that there is almost certainly more that can be done there. Obviously financial institutions have to adhere to strict know-your-customer policies, and that's something that maybe not all exchangers are adhering to equally, especially depending on where they are based. And so I think again that that's going to require some sort of cooperation on an international level, beyond just the U.S., to get better policies around that. But yeah, I think that if we go back to the idea that attackers are conducting these operations because they want to make money, if you were able to prevent them from accessing those funds, then that's obviously a disincentive to continue conducting these operations. And so there is some analogy that somebody gave me back when I was in grad school about drug trafficking organizations in particular, saying that when we seized all of their drugs, they didn't really seem to bat an eye, but if we seized their money, then they were up in arms. And so I think that kind of analogy could be true here as well.

Speaker 2:

Yeah, I think you're right. The financial incentive part of it, if that's taken away, as you mentioned, they move on to other things, there are other ways to make money. So, all right, well, Kimberly, thank you so much for doing this. I really enjoyed it. It's super informative. I find this whole ecosystem fascinating in a very morbid kind of way. I guess it doesn't seem like it's going away anytime soon, unfortunately. So I'm sure you'll be plenty busy for the foreseeable future.

Speaker 3:

Yes, for the rest of my life. There will be no shortage of work.

Speaker 2:

Good. Well, thank you again, Kimberly. I really enjoyed it. All right. Have a great rest of your day. Bye.

Speaker 1:

[inaudible].