Human Operated Ransomware
Ransomware cyberattacks are big business: so big, in fact, that industry research anticipates a business being attacked every 11 seconds, with damage costs from these attacks approaching $20 billion by the end of 2021.
Just recently, the Colonial Pipeline Company was the top news story for all the wrong reasons. Colonial operates a pipeline that carries gasoline, diesel and jet fuel along a 5,500 mile path from Texas to New Jersey, and it released a statement confirming reports that ransomware operators had hit its network. In response, Colonial shut down its pipeline operations in an attempt to contain the threat. The incident represents one of the largest disruptions of American critical infrastructure by hackers in history. It also provides yet another demonstration of how severe the global epidemic of ransomware has become.
The Colonial Pipeline shutdown comes amid a growing number of cyberattacks. Attackers like those who targeted Colonial have also hit hospitals and law enforcement databases and crippled municipal systems in Baltimore and Atlanta.
These Human Operated Ransomware (HumOR) attacks are likely to (painfully) drive the business case to address longstanding security hygiene and maintenance issues.
While ransomware existed in small pockets before, the business model didn’t take off at scale until CryptoLocker in 2013, which kicked off a surge in this opportunistic, single-device way of monetizing cybercrime.
The next phase in ransomware evolution can be traced to WannaCry and (Not)Petya in 2017, which fused large-scale, self-propagating compromise techniques with an encryption payload that demanded a ransom payment in exchange for the decryption key.
This fusion inspired the current generation of human operated ransomware, which started appearing around June 2019. It vastly expanded the ransomware business model into an enterprise-scale operation blending targeted attack techniques with an extortion business model (threatening disclosure of data and/or encryption in exchange for payment).
Human Operated Ransomware: High Impact & Growing
Much like COVID-19 shifted longstanding industry perceptions on BYOD and remote work, human operated ransomware will likely trigger fundamental shifts in the cybersecurity industry.
Organizations face the very real prospect of performing mass restores of systems and data to get business operations back up, particularly if they believe that:
- They won’t get hit with this kind of attack.
- Attackers won’t find unpatched VPNs and operating systems, so maintenance can be deferred again.
- A password is good enough for admins, so MFA can be deferred.
- A BC/DR plan for the worst-case scenario isn’t critical, so the difficult business leadership conversations can be deferred.
- The SOC can manually work every alert and respond using only a SIEM and firewall blocks, so modernization with high-quality XDR detections and SOAR can be deferred.
What’s Different Today?
Previous attacker models exploited weaknesses in organizations’ security, but generally had limited immediate business impact or could be managed with limited security improvements:
- Commodity attacks – Minor business impact that could be managed through marginally better hygiene, existing security tools, and investment into security operations.
- Targeted data theft – Leveraged similar techniques, but often had longer-term or indirect impacts on the business (e.g. a competitor building stronger products from stolen intellectual property) that weren’t immediately stopping business operations. Improved security operations can help bring this risk down (but not eliminate it).
- Commodity ransomware – Actively disrupted access to data and systems using extortion techniques.
Human operated ransomware builds on all of the above to extract much larger extortion payments.
For extortion to work, the attackers must have control over something the victim will be willing to pay to get back, in this case the ability to operate their business. Human operated ransomware combines two existing techniques into a highly damaging combination:
- Gain enterprise control with credential theft – Pioneered in targeted data theft attacks.
- Deny access to data – Established with commodity ransomware.
This frequently allows attack operators to stop all business operations until payment is rendered (and sometimes not even then).
As you may imagine, this is a profitable, though immoral, endeavor for the attackers. The profits from past attacks fuel confidence in future attack profits and the funding required to conduct them, creating the ingredients for a significant growth trajectory of these attacks.
We actively discourage paying the ransom. While we understand that desperate measures are sometimes attractive, there is no guarantee that the payment will result in a decryption key, in a key that decrypts all data/systems (vs. a fraction of them), or even that the attackers won’t sell the data on dark markets anyway. Additionally, paying these groups may mark the organization as a willing payer and put it at risk of future attacks.
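As an added example (not code from the original post or from Oakwood), the following Python script illustrates the "deny access to data" stage from the defender's side, the kind of detection the SOC modernization point above refers to. It scans a constructed file-server audit log for an account that renames or writes a large number of files to one new extension within a short window, which is the signature of the encryption phase once the operators already hold enterprise credentials. The log format, the account names, the `.locked` extension and the thresholds are all assumptions made for the example.

```python
"""Flag mass-encryption bursts in file-server audit events.

Added example with constructed data; the log format below is assumed,
not taken from any product. One event per line:
    <ISO timestamp> <account> <action> <path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # sliding window per account (assumed)
MIN_FILES = 20                   # distinct files touched inside the window (assumed)
MIN_SHARE = 0.8                  # fraction of those files sharing one new extension (assumed)


def parse(line):
    """Split one audit line into (timestamp, account, action, path)."""
    ts, account, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, action, path


def detect_bursts(lines, window=WINDOW, min_files=MIN_FILES, min_share=MIN_SHARE):
    """Return one (account, first_ts, extension, file_count) tuple per burst.

    A burst is an account whose WRITE/RENAME events inside `window` touch at
    least `min_files` distinct paths, with `min_share` of them ending in the
    same extension. Legitimate bulk saves rarely converge on one new suffix;
    encryption payloads almost always do.
    """
    recent = defaultdict(deque)   # account -> deque of (ts, path) inside the window
    alerted = set()               # alert once per account for this simple example
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, account, action, path = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[account]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()            # drop events that fell out of the window
        if account in alerted:
            continue
        by_ext = defaultdict(set)
        for _, p in q:
            by_ext[PureWindowsPath(p).suffix.lower()].add(p)
        total = len({p for _, p in q})
        if total < min_files:
            continue
        ext, files = max(by_ext.items(), key=lambda kv: len(kv[1]))
        if len(files) / total >= min_share:
            alerts.append((account, q[0][0], ext, len(files)))
            alerted.add(account)
    return alerts


def build_sample_log():
    """Constructed sample: normal daytime saves, then a night-time rename burst."""
    base = datetime(2021, 5, 7, 2, 10, 0)
    lines = []
    # Benign: an analyst saving a handful of spreadsheets during the day.
    for i in range(5):
        when = base - timedelta(hours=8) + timedelta(minutes=i)
        lines.append(f"{when.isoformat()} CORP\\jdoe WRITE \\\\fs01\\finance\\report{i}.xlsx")
    # Malicious: a compromised admin account renaming 30 files to .locked in 30 seconds.
    for i in range(30):
        when = base + timedelta(seconds=i)
        lines.append(f"{when.isoformat()} CORP\\admin_svc RENAME \\\\fs01\\finance\\doc{i}.docx.locked")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for account, first_ts, ext, count in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {account}: {count} files -> {ext} starting {first_ts.isoformat()}")
```

The analyst's five saves never reach the file threshold, while the admin account trips the rule on its twentieth rename, well before the burst finishes; in a real deployment the alert would feed a SOAR playbook that disables the account and isolates the host, and the thresholds would be tuned against the environment's own baseline of bulk file operations.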
Additionally, there is a lot of room for these attacks to grow because of the way enterprises have balanced operational and security requirements over the past decades.
Most enterprise organizations have consistently chosen to prioritize business functionality and operational speed over security considerations. While this made businesses more efficient because security threats were limited to an acceptable level, these choices also accumulated a massive backlog of technical debt in the form of security hygiene issues that attackers could potentially exploit.
While these maintenance hygiene issues were silent and invisible for a long time (even when exploited for intellectual property theft by advanced attackers), they will not stay silent and invisible any longer.
We Cannot Emphasize This Enough!
The secret of “we never got around to doing that security thing” is out to attackers who can profit from it at scale using business-disrupting extortion techniques (and are getting better at it with each attack).
We don’t expect to see this trend slow, stop, or reverse until something significant changes in attacker deterrence (attacker arrests, extradition laws removing safe harbor countries, etc.) or defender resilience (widespread executive support for security, close cultural coordination between IT and security teams, etc.).
Human Operated Ransomware Pattern
If you’d like to have a conversation around this topic, please leave us a message below and an Oakwood Team member will be in touch.