The cyberattack against Tyler Technologies Wednesday had all the hallmarks of the ransomware strikes that have crippled massive systems integrators across the country this year, said Vitali Kremez, one of the top ethical hackers in the US.
“That’s the flavor of the day for many breaches,” Kremez told CRN Thursday. “Criminals are not pursuing single targets, they are looking for advanced networks. They want the keys to the kingdom so they can go after other victims … No one is safe.”
The attack against Tyler Technologies, No. 46 on the 2019 CRN Solution Provider 500, comes just months after vicious ransomware infections crippled three of the world’s 20 largest solution providers – Cognizant, Conduent and DXC Technology. All told, the four solution providers who succumbed to ransomware in 2020 have combined revenue of $41.93 billion and a joint market cap of $54.36 billion.
[Related: The Wipro Breach: Why Managed Service Providers Are At Risk]
A miasma of untraceable money, seemingly unimpeachable anonymity and nations willing to turn a blind eye to hacking syndicates have emboldened the brightest minds in crime to carry out ransomware attacks on the largest — and once-thought impregnable — tech Goliaths in a perpetual war for cyberspace dominance.
“It’s a glory shot for them,” said Kremez, who is chairman and CEO at Advanced Intelligence LLC. “I think they’re not really afraid anymore of burning down the profitability of the business. The ransomware is not decryptable in many cases so the only way for them to recover is to negotiate with the hackers, otherwise face a long downtime. So there’s a very good calculus being made on the actors’ side and I think they are specifically pursuing the big companies, not only ‘not avoiding’ them but hunting for them.”
As the attack on Tyler shows, the profile of the ransomware victim has moved upmarket in 2020. The victims are no longer the small MSP who runs IT for dentists and local law firms, but the well-monied technology firms that manage the data and web traffic for the top of the Fortune 500. With the resources to hire the best IT professionals and install top-notch security, they would appear impervious to the sort of lax cyber-hygiene that was often blamed for attacks on smaller MSPs.
However, as one security expert points out, bigger doesn’t always mean better. It can just mean they have a larger area to protect.
“Big system integrators’ networks are so sufficiently complex and have so broad of an attack surface, yet they haven’t prioritized their security,” said Kyle Hanslovan, whose cybersecurity business, Huntress, has grown from working with small MSPs to the larger solution providers. “I’m seeing the same security problems. I thought I would move upstream and see more maturity, but that’s not always the case.”
The consequences for solution providers falling prey to ransomware have been immense. Teaneck, N.J.-based Cognizant, No. 6 on the 2020 CRN Solution Provider 500, estimated that it could take a bottom line hit of between $50 million and $70 million in clean-up costs, and was also forced to issue public letters to employees and customers whose personal information was taken during the attack.
During a recent earnings call, Cognizant said it was bracing for legal fallout as well. Meanwhile, Tysons, Va.-based DXC, No. 3 on the 2020 SP 500, said multiple customers of its Xchanging business were hit, including Lloyd’s Market Association, which provides professional, technical support to the Lloyd’s of London underwriting community.
The emergence of publicity-hungry, extortion-seeking ransomware operators, such as the group behind Maze, has unleashed an entirely different animal on the IT services industry in 2020.
“Nobody brags about hitting the widget factory in Montana. But you say you break into Cognizant, and it’s like ‘Whoa,’” said Chester Wisniewski, principal research scientist at Sophos. “If you’re in IT, you’ve heard of Cognizant.”
Why have ransomware operators like Maze turned their sights to bigger prey when determining which solution providers to go after? Chalk it up to a new approach that puts the threat of public dissemination of private company data – rather than merely encrypting stolen files – at the center of everything ransomware actors do.
As threat analyst Brett Callow with ransomware hunters Emsisoft said when discussing the Cognizant attack, the victims are “left with no good options.”
“If they don’t pay the ransom their data will almost certainly be published. If they do pay, all they’ll get is a pinky promise from the criminals that the data won’t be used, but why would a criminal enterprise ever delete data that they may be able to monetize?”
‘The Whole World Is In Pandemic’ – Maze ransomware syndicate
The noxious ransomware variant Maze is known for being the first to create a dedicated leak site and turn extortion and the threat of leaking information into a central tenet of their business model, said Adam Meyers, senior vice president of intelligence at CrowdStrike.
Maze was first spotted in May 2019; however, it became infamous in November when it published almost 700 megabytes worth of data and files stolen from security staffing firm Allied Universal.
“These guys are brazen,” Meyers said. “They’ve talked to security researchers, they’ve talked to media.”
Indeed, regular, poorly-worded oftentimes misspelled updates pour out of the site, including pleas for sympathy as the hackers claim that many of their livelihoods have been hurt by the COVID-19 pandemic.
“The whole world is in pandemic and deep economy (sic) crisis. We are also in the same reality with the whole world,” the group wrote in July.
The mercy Maze operators sought for themselves came at the expense of its victims who, in that same statement, were hit with a demand that they either begin talks to pay the hackers or hundreds of gigs of files would be published to the group’s dedicated leak site.
“Negotiation means the dialog (sic) and finding the best solution for both parties. If the client is too shy, or scared or just can’t negotiate, this is exclusively the client’s problem,” Maze operators wrote.
By August, the Maze site claimed that it had published data stolen from Florham Park, N.J.-based Conduent, No. 20 on the 2020 SP 500, as well as copier giant Xerox and LG Electronics.
While the strategy of holding files hostage seemed revolutionary, it originated with the German ransomware actor Chimera in the mid-2010s, said Adam Kujawa, director of Malwarebytes Labs.
Maze was the first group to recognize that there was a way of monetizing their intrusions beyond simply deploying ransomware and blocking access to users, said Charles Carmakal, chief technology officer of FireEye’s Mandiant division. Those hackers started the push toward stealing data prior to encrypting the user’s environment, and have leaned heavily on journalists to amplify the impact and reach of their leak site.
“They want as much attention as they can possibly get to pressure the victim organization into paying,” said Sophos’ Wisniewski. “They were savvy in recognizing different ways to extort the same victim … They saw an opportunity that was being missed and found a way to monetize it.”
Since that time, REvil has followed in Maze’s footsteps and copied many of their publicity-generating tactics such as running an auction process for the stolen victim data, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. REvil continues to operate with impunity and hasn’t been constrained by Russian law enforcement despite having some fairly high-profile figures, he said.
Maze has also pushed the envelope when it comes to the amount of ransom requested and is one of the only ransomware operators to routinely demand seven-figure and eight-figure ransoms, Carmakal said. They do a good job of researching their victims, figuring out the value of the data they captured and making a ransom demand that’s commensurate with what the victim is capable of paying, he said.
“They know ways to squeeze victims into paying,” said Carmakal, noting that other operators don’t consistently demand ransoms that are so high. “They’re relentless and have better extortion skills than some of the others.”
Given the illicit nature of their activities, Proofpoint’s Kalember said ransomware groups were historically very tactful in their operations and tried to avoid creating a big splash on Twitter or engaging in chest-thumping that would shine a bright spotlight on their organization. But when it comes to engaging with the outside world, Kalember said Maze is a different beast.
“Maze is better at playing the press,” Kalember said. “They do love needling people. And the noisier they’ve been, the better they seem to do.”
‘How? … They quite literally know your network better than you do’
Rob Joyce, the former head of cybersecurity with the NSA, once told a room full of executives how the agency carries out internet attacks on its adversaries. Hanslovan, who worked for Joyce at the NSA and now runs Huntress, explained that it came down to one simple truth.
“You want to know how NSA attacks you? They quite literally know your network better than you. They know your admin tools better than you. They know your access management better than you. They know your patch status better than you. And they probably know your passwords better than you,” Hanslovan told CRN. “In 2020, I would say cybercrime groups, probably know your data as well as some of the NSA actors would know your data. They know your network. They know your tools. They know how to use it, and they know where to target. They know where to get it, and they know what data to steal first, then what data to encrypt afterwards.”
Grey hat tools like — Cobalt Strike and PowerShell — are used by both legitimate pen testers as well as cyber criminals, and hackers taken advantage of that ambiguity to break into and move around the victim’s environment without being noticed, said Sophos’ Wisniewski. Ransomware groups often turn to the remote access tools used by solution providers like Bomgar and Kaseya for much of their dirty work to better blend in, he said.
“They’re using the same tools the good guys are using,” Wisniewski said.
To get into a big solution provider, the attack likely has to be more targeted, taking into account both the organizations the solution provider is connected to as well as what sensitive data they have, according to Jason Hicks, global chief information security officer (CISO) for solution provider Kudelski Security.
Sophisticated ransomware actors do research to learn more about the solution provider’s environment, pursue partner credentials through data dumps or targeted phishing attacks and then hang out in the victim’s environment to figure out what’s vulnerable, Hicks said. These actors will devise an attack scenario that’s relevant; in other words, they will not send Windows-based malware to a company that uses Apple, he said.
And once a skilled ransomware syndicate successfully breaches a victim, Hicks there’s an actual human doing the work, remoting into tools, poking around, figuring out what’s there and ensuring the ransomware operator got all the sensitive data they can to squeeze a payout.
Maze has generally relied on phishing, exploit kits and RDP to go after victims, while REvil has predominantly used spam and exploit kits, though CrowdStrike’s Meyers said there’s some variation among REvil affiliates.
There are many technical similarities between REvil and Maze. Both are hand-crafted ransomware with manual elements that require a human to push the buttons, according to Allan Liska, senior security architect at Recorded Future. Both invested in purchasing the tools and capabilities to move around networks undetected, Liska said.
Each ransomware provider typically employs a phishing campaign or includes a Microsoft Office document with macros that executes once the attachment is clicked on, according to Liska. Some will even be brazen enough to straight up attach a PowerShell script, Liska said.
‘Extort them’ ‘Threaten them’ ‘Keep them on a short leash’
Ransomware burst into the public eye in 2017, when the North Korean-directed WannaCry ransomware attack in May of that year hit more than 200,000 computers across 150 countries. Then a month later, the Russian-backed NotPetya ransomware campaign took advantage of the leaked EternalBlue exploit to go after infrastructure, energy, utility and logistics companies in Ukraine.
Unlike the spray and pray operations targeting consumers where the ransomware actor presses a button and a bot spews messages out, Sophos’ Wisniewski said ransomware attacks against businesses tend to be more targeted, with the threat actor spending days or possibly even weeks dwelling inside the victim’s systems to increase the likelihood of payment.
The 10 threat research experts who spoke with CRN for this story called out two ransomware operators for targeting solution providers the most frequently: Maze and REvil, which is also known as Sodinokibi.
REvil was spotted in April 2019, and CrowdStrike’s Meyers said a technical analysis tied it back to the operators of GandCrab since both GandCrab and REvil have monetized their business in nearly identical ways. Both GandCrab and REvil also refuse to target machines located in Russia or the former Soviet republics, according to Meyers.
Kremez of Advanced Intelligence said some authoritarian governments tolerate cybercriminal groups operating in their borders because of the ancillary perks.
“They can provide access to so many networks,” he said. “It’s the talent and the skill level of those folks. They can also extort them and threaten them and keep them on a very short leash … Russia pursues, more than anything, political muscle. China pursues more economical and intellectual property, and North Korea pursues financial crimes, literally money to sponsor the regime.”
Hackers are stealing terabytes worth of data from corporate and government sites in the west and hording it for sale out of the reach of law enforcement in the victim’s country, according to Kremez.
“They are looking for classified data sets, or information that can only be found on federal contracts,” Kremez said. “That’s the data that you would need to run an espionage group. That’s the kind of data that hackers can provide and access. To run this from the government side is costly. Like many governments in the world, they don’t have the talent. The private side holds all the talent and skills.”
Solution providers were first known to be in the crosshairs of hackers with the December 2018 indictment of Chinese nationals Zhu Hua and Zhang Shilong for the Operation Cloud Hopper attack aimed at 45 U.S. technology companies and U.S. government agencies, as well as several MSPs.
Victims of the attack included NTT Data, NTT Data subsidiary Dimension Data, Tata Consulting, Fujitsu, and DXC Technologies as well as the managed services businesses of Hewlett Packard Enterprise and IBM, Reuters reported in 2019. U.S. officials said the hacks were carried out by advanced persistent threat actor APT10, which has ties to China’s Ministry of State Security.
The Dark Channel…
The botnet once ruled cybercrime, and ransomware was eschewed because the drive wipe that inevitably happened following a ransomware attack killed any bots on the system.
However, Ransomware as a Service changed that. A dark channel of sorts has emerged on the web in recent years with financing, customer support and contests with cash prizes for the best hacking techniques, all enticing would-be crooks to turn bad.
“Ransomware is currently the most profitable line of business in terms of any type of malware attack,” Kremez said. “What’s happened with ransomware, they lowered the barriers of entry. So if you want to be a hacker, you can join those groups without any skills and learn on the job … Many times whenever they recruit, if you can supply them with the large corporate network, so government network, they are very interested, very incentivized by that.”
REvil’s claim to fame has been democratizing access to its tools through an affiliate or Ransomware as a Service model, providing groups around the world with access to its technology to carry out a broader footprint of ransomware attacks, according to Proofpoint’s Kalember.
REvil picked up the Ransomware as a Service mantle from GandCrab and went and hired GandCrab’s top affiliates to create an all-star team, said Raj Samani, McAfee’s chief scientist. They have gone after affiliates with some capability around network intrusion, and having more skilled and capable actors under the REvil umbrella has allowed the group to dramatically increase the scale of its attacks, Samani said.
However, Samani said the affiliate model potentially introduces more risk by roping more people into the group’s operations and forces the ransomware actor to share profits. The affiliate carrying out the ransomware attack gets roughly 70 percent of the proceeds from the victim’s ransom payment, meaning the central organization isn’t likely to make as much money from each infection, he said.
Ransomware as a Service operators require prospective affiliates to go through an interview process to ensure the actor is a serious player that isn’t going to mess around and waste people’s time, according to CrowdStrike’s Meyers. Groups like REvil have a select number of slots that affiliates can occupy, and he said they don’t just let anyone from the internet come in and gain access to their exploits.
Ransomware as a Service follows the SaaS (Software as a Service) model of taking on the back end a percentage of the proceeds earned on each transaction, Meyers said. Also like SaaS, Meyers said ransomware platforms like REvil are initially purpose-built for a particular exploit but are designed to allow other campaigns to be built and launched from the same platform in the future.
One of the more sophisticated ransomware groups, LockBit, supports its hacker affiliates the same way an OEM or ISV would support a channel partner.
“I would argue that the experience and customer support at some of these Ransomware as a Service groups is on par if not better than some service providers I‘ve worked with,” Hanslovan said.
LockBit is a relatively new strain which claims to have been in development since September 2019. Using modern web designs and employing professional graphic illustrators, LockBit has chat portals, trial decryption buttons and a familiar user interface. Affiliates and victims feel at ease navigating LockBit’s site since its nearly indistinguishable from the web portals small ISVs offer to partners and customers.
“They’re sharing their story. So they‘re saying, ‘Look, this is our tool we’re advertising. It’ll encrypt things very fast. It’ll give you everything you need,’” Hanslovan said. “This is the same group that hosted a $15,000 competition looking for new hacking articles and new hacking techniques. So they’re literally monetizing people and monetizing a writing competition to learn new hacking techniques.”
…Vs. The Channel
Since Homeland Security released a memo in October 2018 warning MSPs that they are targets, the solution provider community has been vocal about the threat of ransomware. The theme from vendors seems to be to take as few chances with protecting customer data as possible.
When a lack of multi-factor authentication on remote access tools was found to be responsible for an uptick in attacks in 2019, many vendors began mandating it across their systems, removing the customer’s choice to be less secure from the equation.
Software vendors have also encouraged cloud sales of their products over the on-premises version so that they can keep the tool up to date themselves rather than having to rely on a technician in the field to do it.
In addition, the solution provider community has historically been without an ISAC (Information Sharing and Analysis Center), meaning that there’s no widely adopted way of sharing intelligence data and indicators of compromise in the industry when something bad is happening, said Kudelski Security’s Hicks. Given the shared risk exposure, Hicks said the industry would benefit greatly from sharing more knowledge.
Many large solution providers have similar tooling in place, but Hicks said the channel has been much less proactive about sharing daily threat data across the industry on a human, digestible level. Other verticals have newsletters and detailed trend reporting as part of their sector’s ISAC, Hicks said, but the fierce competition among solution providers around security has made collaboration a challenge.
In place of a formal organization, numerous ad hoc groups had appeared. There are Facebook communities, Reddit forums, Slack channels and Twitter accounts all with a focus on MSP cybersecurity.
Plus industry leaders are starting to step up to the plate. ConnectWise in August 2019 established the Information Sharing and Analysis Organization (ISAO) to provide the channel with threat intelligence that’s relevant specifically to them. The ISAO’s management and operations were transferred to CompTIA in March 2020 to take advantage of its vendor-neutral position and facilitate more collaboration across the entire channel.
But with thousands of MSPs across the country separated by geography, specialty, vendor loyalties, as well as business rivalries, experts said the responsibility for security ultimately rest on the shoulders of individual solution providers.
“Service providers are a huge target. They are broad, they have a lot of infrastructure and they’re constantly interacting with the outside world,” Kalember said. “MSPs have to be on their security game.”