by Paul Ducklin
It’s like the movie Independence Day, but with the malware part of the story back-to-front.
In the 1996 Jeff Goldblum classic, the bespectacled, academic antihero finally quashes the alien invaders by connecting to their mothership with his Mac laptop and uploading a computer virus that even the telepathic aliens didn’t see coming.
In the movie, what’s left of the earth is saved.
Fast forward to 2021, and we’re witnessing an Independence Day malware attack of another sort.
In this attack, the REvil ransomware gang broke into the mothership of a popular software management tool from the company Kaseya.
The cybercriminals uploaded a computer virus to the mothership (more precisely, for the pedants amongst us, they uploaded a ransomware Trojan Horse) that Kaseya then automatically delivered via dozens of different service providers onto hundreds of its customers’ networks.
As Sophos CISO Ross McKerchar put it:
This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the UK and other regions.
As you probably know, this sort of leveraged onslaught is known as a supply chain attack, for obvious reasons.
Instead of attacking thousands or millions computers individually, you attack the company that supplies software to all of those computers, or worse still – as in this case – you attack the company that supplies software to the companies that supply software to all of those computers.
We won’t go into the technical details of the Kaseya attack here – if you would like to know how it worked, SophosLabs has published a full analysis describing the chain of execution all the way from Kaseya’s compromised management servers to the scrambled computers on the victims’ networks.
This article is highly recommended:
We’ve also published IoCs (indicators of compromise) on our GitHub page if you want to use threat-hunting tools to look for evidence of an attack on your own network, as well as the names Sophos products will report in logfiles when detecting and blocking the various components used in this attack.
The burning question now, of course, is, “What do the crooks do next?”
The world’s first-ever ransomware attack, the AIDS Information Trojan of 1989, failed for two fortunate reasons.
It wasn’t until about 2013 that contemporary cybercriminals “solved” these ransomware payment-and-recovery problems.
Cryptocurrency made pseudoanonymous international payments possible, so the crooks could collect their blackmail demands entirely online, without involving traditional financial institutions who could freeze or reverse illegal transactions.
And public-key cryptography, where you use one key (the public key) to lock up data, but need a different key (the private key) to unlock it again, made it possible to have a unique decryption key for each network, or each computer, or even for each file.
This is the same principle that’s used for good when you visit an HTTPS website. Public-key cryptography allows your browser and the web server at the other end to agree on a one-time data scrambling key, used with traditional symmetric encryption (where the same key both locks and unlocks the data) to protect the current session. Even if you intercept all the network traffic at the start of the HTTPS connection, public-key cryptography means that you can’t extract the so-called session key needed to decrypt the rest of the HTTPS connection either.
If you get attacked and pay the extortion money, there’s no point in sharing your unlocking key with anyone else, even if they’ve been hit by exactly the same ransomware, because each decryption key is unique.
Programming blunders by some ransomware cybercrooks have occasionally made it possible to recover without paying in some attacks, but gangs like REvil, the criminal gang behind the Kaseya attack, generally get the coding correct.
If you don’t have a backup then paying the blackmail money for the decryption key is about your only chance of recovering your scrambled data.
Even though many modern ransomware Trojans use a different session key for every file they scramble, let alone for every computer, contemporary ransomware is geared towards bulk payments.
The idea is that instead of hitting as many comuters as they can on your network and asking for a few hundred dollars to decrypt each one, the crooks offer to sell each victim a “bulk decryptor” that can unscramble some, many or all of the computers on their network.
This is the same sort of technique that legitimate encryption software uses to provide a controlled way for specially appointed staff to recover data off employees’ computers if they forget their password, or leave the company in a huff with their data still locked up.
This isn’t the same as an encryption backdoor that could let anyone with insider knowledge about the algorithm decrypt the data. Usually, the data isn’t encrypted directly with the user’s password. Instead, a random “master encryption key” is generated to secure the data, and that key is re-enrcypted multiple times, using different passwords or public keys. This means that there may be multiple decryption keys that can decrypt the master key that in turn decrypts the actual data. These decryption keys may be split up between more than one person, for example so that an individual computer can be unscrambled either by the user acting alone in day-to-day use, or by the IT manager and HR manager acting together in an emergency. This provides additional privacy control that helps to protect both the user and the company.
Early ransomware attacks typically relied on squeezing hundreds of thousands of people to pay about $300 each to buy back the decryption keys for their own (but no one else’s) computer.
Make no mistake, crooks such as the CryptoLocker gang raked in millions of dollars, maybe even hundreds of millions of dollars, this way:
If you had 10 computers on your network all scrambled at the same time, that was just bad luck: to recover them all meant paying 10 separate $300 blackmail demands.
But later attackers took a hybrid approach.
The SamSam crew, for example, notoriously hit one network at a time, and callously offered “deals” on decryption.
The price shot up to $8000 per computer, so if you felt that you could recover your business by decrypting just two or three of your most critical laptops or servers, you didn’t have to pay for all of them, but you couldn’t get away with just $300 each, either.
But for a one-off fee that usually came out at $50,000, the SamSam crooks would give you a universal decryptor (universal to your network, at least) that was pitched as a sort of “all you can eat buffet.”
In fact, in a fit of “goodwill”, they’d even let you try paying the $8000 fee for individual computers, to see if you could recover enough of your business to get away without paying $50,000 in total.
Sadly, many victims found that the one-by-one approach just didn’t work out for them, at which point the SamSam crooks would “graciously” allow them to top up their payments to the $50,000 mark.
Once the crooks had received the all-you-can-eat fee of $50,000, they’d give you a “software upgrade” to the universal decryptor that would work on all of your computers, not just specific ones you had chosen in advance:
More recently, most mainstream ransomware crooks have discontinued the “individual decryptor” option and will only negotiate to sell universal decryptors – and as we all know, they aren’t asking for $50,000 any more.
Extortion demands often reach several million dollars, with recent victims Colonial Pipeline allegedly coughing up $4.4 million (ironically for a decryptor that was so slow as to be worthless), and meat packing company JBS supposedly paying out a mammoth $11 million in blackmail money.
You can see where this is going.
The REvil gang have apparently now decided that they are going to offer what you might call a universal universal decryptor that will not only unscramble all the computers on your network, but also all the computers on the networks of everyone else affected by what we shall probably be calling the Independence Day attack for many years to come.
This time, the ueberuniversal decryptor isn’t $50,000, or $4,400,000, or even $11,000,000.
The crooks are calmly demanding $70,000,000:
On Friday (02.07.2021) we launched an attack on [Managed Service Providers]. More than a million systems were infected. If anyone want to negotiate about universal decryptor – our price is [$70 million in Bitcoin] and we will publish publicly decrypto that decrypts all files of all victims, so everyone will be able to recover from attack in less that an hour. If you are interested in such deal – contact is using victims “readme” file instructions.
This audacious demand raises many difficult questions.
Many governments and most law enforcement experts vigorously encourage victims not to pay up.
Some governments are even seriously considering making ransomware payments illegal as way of breaking the cycle of attacks.
But if someone else were to cough up the $70,000,000, perhaps from a country with a government with more conciliatory attitudes towards negotiating with criminals, would that make it OK to run the decryptor, even in a country where paying up would have been unlawful?
Is this the shape of ransomware attacks to come?
Will regulatory intervention to criminalise ransomware payments make matters better, or worse?
Let us know what you think in the comments below! (You may remain anonymous.)
PS. Don’t forget that even if you get hold of a ransomware decryptor after an attack, whether by paying yourself or through someone’s else’s largesse, that’s not the end of your worries. Check our recent State of Ransomware surveyto find out why paying the crooks is not the end of your troubles, and how much you can expect the incident to cost, whether you end up with a decryptor or not: