Big-time criminals have come to play in the ransomware game, taking down "big game" for big bucks. Wolfgang Kaehler / Getty Images

The FBI has issued a public service announcement entitled "High Impact Ransomware Attacks Threaten US Businesses and Organizations." While the announcement doesn't provide any details of specific attacks, the Bureau warns in the announcement:

Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 [the Internet Crime Complaint Center] and FBI case information.

This pronouncement will come as no surprise to anyone who's followed the wide-ranging ransomware attacks against cities, counties, state agencies, and school districts over the course of 2019. While some of the most publicized attacks—such as the Baltimore City "RobbinHood" attack in May—have appeared to be opportunistic, many more have been sophisticated and targeted. And these attacks are but the most visible part of an upsurge in digital crime seen by commercial information security firms thus far in 2019. In fact, in those firms' telemetry, sophisticated criminal attacks have come close to eclipsing state actors' activity, even though there has been no reduction in state-sponsored attacks.

Data from CrowdStrike has shown a rise in what the firm refers to as "big-game hunting" over the past 18 months. These attacks focus on high-value data or assets within organizations that are especially sensitive to downtime, so the motivation to pay a ransom is very high.

"Big-game hunters are essentially targeting people within an organization for the sole purpose of identifying critical assets for the purpose of deploying their ransomware," said Jen Ayers, CrowdStrike's Vice President in charge of the Falcon OverWatch threat-hunting service in an interview with Ars. "[Hitting] one financial transaction server, you can charge a lot more for that than you could for a thousand consumers with ransomware—you're going to make a lot more money a lot faster."

While CrowdStrike saw a significant uptick in this sort of attack in the second half of 2018, Ayers explained, "we've seen quite a bit of that happening in the beginning half of the year, to the point where it's actually dominating our world right now in terms of just a lot of activity happening."

The industries targeted by these sorts of attacks have included healthcare, manufacturing, managed services, and media. But since May, attacks have increasingly targeted state and local governments, library systems, and school districts. Since many government agencies are short on budget and security resources but have a strong need to stay up and running to provide services, they have naturally become an attractive target for these sorts of attacks.

Ayers acknowledged:

It has been interesting in the targeting of these what you would typically think of as small entities… But there is wide-scale impact when you look at destructive campaigns like this. I mean, everybody kind of more thinks of—forgets about the local and town government and their day-to-day operations, but that's no marriage certificate. That's no building permit. That's no vehicle-excise tax payments. That's no local, state tax payments depending on where you live.

The fact that attackers are specifically targeting these sorts of organizations speaks to them knowing how well their security is done, is pretty big. In terms of having that kind of understanding—to know to hit these entities and how to hit these entities—that is very interesting.

Part of that understanding comes from reconnaissance on organizations' key calendar dates. A series of ransomware attacks against schools last month appeared to be timed so that the ransom deadlines expired just before the first day of school, putting districts in the position of having to either delay opening or pay up.

Breaking and entering

The FBI IC3 notice cited three primary ways ransomware operators are getting into networks for these targeted attacks: email phishing campaigns, exploitation of Remote Desktop Protocol (RDP), and known vulnerabilities in software.

The phishing attacks the FBI has investigated in connection with ransomware recently "have been more targeted" than past opportunistic attacks. The phishing is often focused initially on compromising the victim's email account so that an internal email account can be used to spread malware and evade spam filtering.

Email credentials may also be reused in remote desktop-based attacks. But in general, the RDP attacks—common in gaining access to hospitals and other organizations that leave RDP reachable from the Internet so that third-party service providers can perform product support—have relied on one of two things. They either brute-force the login by trial-and-error password guessing, or they reuse credentials stolen by others and sold on underground online marketplaces (the latter is what "credential stuffing" properly refers to: replaying known username and password pairs rather than guessing them). Either way, the defender sees the same thing at the perimeter: a stream of failed RDP logons from a single source, followed by a success.

"Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems," the FBI warned.
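The two RDP access patterns above look different in a Windows Security log, and that difference is what a detection should key on. The following is an added example written for this page, not code from the FBI notice, CrowdStrike, or Ars: it replays constructed logon events (the field set mirrors Windows events 4625 "an account failed to log on" and 4624 "an account was successfully logged on", where Logon Type 10, RemoteInteractive, is RDP) and flags a single source hammering one account (brute force), a single source trying many accounts once each (the shape credential stuffing or spraying takes), and a success that follows a burst of failures. The flat `time|event_id|logon_type|account|ip` format, the ten-minute window, and the threshold of five failures are assumptions chosen for the example; tune them to the environment.

```python
"""Detect RDP brute-force and credential-stuffing patterns in Windows logon events.

Added example for this article, not FBI/CrowdStrike code. Event IDs 4624/4625
and Logon Type 10 (RemoteInteractive = RDP) are real Windows Security log
values; the flat line format, thresholds, and sample events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

FAILED_LOGON = 4625    # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10    # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


class LogonEvent(NamedTuple):
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one line of the assumed 'time|event_id|logon_type|account|ip' export.

    Real 4624/4625 events are EVTX/XML; this flat form stands in for the
    handful of fields a SIEM would extract from them.
    """
    when, eid, ltype, account, ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(when), int(eid), int(ltype),
                      account.lower(), ip)


def detect_rdp_attacks(lines, window=timedelta(minutes=10), fail_threshold=5):
    """Return {source_ip: {finding_name: detail}} for RDP (logon type 10) events.

    Assumed rules (thresholds are illustrative):
      brute_force            >= fail_threshold failures against ONE account from one IP
      credential_stuffing    >= fail_threshold failures spread over >= 3 accounts from one IP
      success_after_failures a success from an IP with >= fail_threshold recent failures
    Non-RDP logon types are ignored so that, e.g., SMB noise does not pollute the counts.
    """
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e.when)
    findings = defaultdict(dict)
    failures_by_ip = defaultdict(list)  # ip -> [(when, account), ...] within window

    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        # Drop failures that have aged out of the sliding window for this source.
        recent = [(t, a) for (t, a) in failures_by_ip[ev.source_ip] if ev.when - t <= window]
        failures_by_ip[ev.source_ip] = recent

        if ev.event_id == FAILED_LOGON:
            recent.append((ev.when, ev.account))
            if len(recent) >= fail_threshold:
                per_account = Counter(a for _, a in recent)
                top_account, top_count = per_account.most_common(1)[0]
                if top_count >= fail_threshold:
                    findings[ev.source_ip]["brute_force"] = top_account
                if len(per_account) >= 3:
                    findings[ev.source_ip]["credential_stuffing"] = sorted(per_account)
        elif ev.event_id == SUCCESS_LOGON and len(recent) >= fail_threshold:
            # The case that matters most: the attacker got in.
            findings[ev.source_ip]["success_after_failures"] = ev.account

    return dict(findings)


# Constructed sample log (not from any real incident). 203.0.113.7 brute-forces
# the administrator account and then succeeds; 198.51.100.23 tries five accounts
# once each; 10.0.0.5 is a user mistyping a password twice, plus one non-RDP failure.
SAMPLE_LOG = """\
2019-09-03T02:14:01|4625|10|Administrator|203.0.113.7
2019-09-03T02:14:03|4625|10|Administrator|203.0.113.7
2019-09-03T02:14:05|4625|10|Administrator|203.0.113.7
2019-09-03T02:14:07|4625|10|Administrator|203.0.113.7
2019-09-03T02:14:09|4625|10|Administrator|203.0.113.7
2019-09-03T02:14:40|4624|10|Administrator|203.0.113.7
2019-09-03T02:20:00|4625|10|jsmith|198.51.100.23
2019-09-03T02:20:02|4625|10|mjones|198.51.100.23
2019-09-03T02:20:04|4625|10|svc_backup|198.51.100.23
2019-09-03T02:20:06|4625|10|helpdesk|198.51.100.23
2019-09-03T02:20:08|4625|10|vendor_support|198.51.100.23
2019-09-03T08:01:10|4625|10|rlee|10.0.0.5
2019-09-03T08:01:25|4625|10|rlee|10.0.0.5
2019-09-03T08:01:40|4624|10|rlee|10.0.0.5
2019-09-03T08:02:00|4625|3|rlee|10.0.0.5
"""

if __name__ == "__main__":
    for ip, hits in detect_rdp_attacks(SAMPLE_LOG.splitlines()).items():
        print(ip, hits)
```

The benign user at 10.0.0.5 never reaches the threshold and is not reported, while the stuffing source is caught by account spread rather than by volume against any one account, which is why counting failures per account alone would miss it. A burst split across accounts that neither concentrates on one login nor spans three accounts falls through both rules; that gap is the price of fixed thresholds, and is one reason the FBI's other advice, not leaving RDP reachable from the Internet for vendor support in the first place, matters more than any detector.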

Scanning for vulnerabilities was a primary means of initial compromise for attacks s