Partners in Crime: How Ransomware Gangs Are Working Together

August 4, 2021 |

3 minute read

By now, it’s clear that paying the ransom won’t necessarily help ransomware victims to recover their data. Paying up also doesn’t guarantee that victims will be safe from secondary attacks. According to our ransomware report, 80% of organizations that opted to pay a ransom demand ended up suffering another attack. Nearly half (46%) of those victims said they believed that the same attackers had infected them again, while 34% felt that it might have been someone else.

The last finding reflects how ransomware actors are working together to maximize their profits. But that raises some questions: What does collaboration between ransomware groups look like? Are there multiple avenues of collaboration open to ransomware attackers?

Crypto-Malware Cartels

Sometimes, this collaboration involves ransomware attackers who decide to form cartels with other attack groups. One ransomware cartel took shape back in June 2020, as an example. At the time, Bleeping Computer reported that the Maze ransomware gang had published the information and files for an international architectural firm on its data leaks site. The data did not stem from one of Maze’s attacks, however. Rather, it originated from an incident involving the LockBit group.

Bleeping Computer contacted the Maze operators to find out more about what was going on. In response, the Maze gang said that it was working with LockBit to share its data leaks website along with its attack experience. It also indicated that it was working to bring other ransomware attack groups into its cartel.

Sure enough, a week after its original report, Bleeping Computer wrote that Maze’s data leaks site had published the information for a victim claimed by the Ragnar Locker operation.

Multiple Layers of Infection

It’s also possible for multiple ransomware strains to come together around a single attack. Such is the potential behind a new technique called “double encryption.” As reported by Wired, this tactic can involve two separate gangs who compromise a victim at the same time or a single actor who deploys multiple ransomware strains against the victim.

Within those scenarios, double encryption can take on one of two forms. The first variety, known as “layered” encryption, is an infection where attackers use one ransomware strain to encrypt a victim’s data before using another crypto-malware payload to encrypt it again. The second form uses “side-by-side” encryption where attackers leverage one strain to encrypt some of a victim’s data and the other strain to encrypt the remaining information.

Why Ransomware Collaboration Concerns the Security Community

Ransomware gangs are bad enough when they’re operating by themselves. Put them together, and they’re even worse, as they can feed off each other. That’s what happened in the case of Maze’s cartel. Per Bleeping Computer’s reporting in September 2020, LockBit ultimately decided to launch its own data leaks site after serving in Maze’s cartel. No doubt that experience helped to inform the gang’s double extortion efforts going forward.

As for double encryption, recovery becomes so much more difficult when multiple ransomware strains are involved. In the case of side-by-side encryption, victims need to know which systems suffered an infection by which ransomware so that they can deploy the necessary decrypter. They won’t be able to successfully recover their data otherwise. Layered encryption carries a similar challenge, only this time, organizations need to know which decrypter to deploy first.
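To make the recovery-ordering problem concrete, here is an added triage example (not code from the original post or from Cybereason): it inventories encrypted files per host by the marker extension each strain appends, classifies the host as single, side-by-side or layered, and lists the decrypters in the order they must run. The marker extensions `.alpha`/`.beta`, the decrypter names and the file inventory are all constructed for this example; a real incident needs the actual strain-specific indicators.

```python
# Hypothetical mapping from the marker extension a strain appends to the
# decrypter that removes it. Constructed for this example.
DECRYPTERS = {".alpha": "alpha-decrypter", ".beta": "beta-decrypter"}

def strain_chain(path):
    """Return the marker extensions on a file, innermost (earliest) first.
    'report.xlsx.alpha.beta' -> ['.alpha', '.beta']: alpha encrypted first."""
    chain = []
    stripped = True
    while stripped:
        stripped = False
        for marker in DECRYPTERS:
            if path.endswith(marker):
                chain.insert(0, marker)        # peeling outside-in, so prepend
                path = path[: -len(marker)]
                stripped = True
                break
    return chain

def classify_host(files):
    """'layered' if any file carries more than one marker, 'side-by-side' if
    different files carry different single markers, else 'single'/'clean'."""
    chains = [tuple(strain_chain(f)) for f in files]
    chains = [c for c in chains if c]
    if not chains:
        return "clean"
    if any(len(c) > 1 for c in chains):
        return "layered"
    return "side-by-side" if len(set(chains)) > 1 else "single"

def recovery_plan(inventory):
    """inventory: {host: [encrypted paths]} -> {host: {'mode', 'order'}}."""
    plan = {}
    for host, files in inventory.items():
        mode = classify_host(files)
        chains = {tuple(strain_chain(f)) for f in files} - {()}
        if mode == "layered":
            # Layered: the outermost (most recently applied) strain comes off first.
            longest = max(chains, key=len)
            order = [DECRYPTERS[m] for m in reversed(longest)]
        else:
            # Side-by-side / single: each file needs exactly one decrypter, so
            # order is irrelevant, but every strain present must be covered.
            order = sorted({DECRYPTERS[c[0]] for c in chains})
        plan[host] = {"mode": mode, "order": order}
    return plan

SAMPLE_INVENTORY = {  # constructed sample inventory
    "fileserver01": ["q3-report.xlsx.alpha.beta", "budget.docx.alpha.beta"],
    "workstation07": ["notes.txt.alpha", "design.pdf.beta"],
    "workstation12": ["memo.docx.beta"],
    "dc01": ["ntds.dit"],
}

if __name__ == "__main__":
    for host, entry in recovery_plan(SAMPLE_INVENTORY).items():
        print(host, entry["mode"], "->", " then ".join(entry["order"]) or "nothing to do")
```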

Ransomware Prevention Capabilities are Key

The best ransomware defense for organizations is to focus on preventing a ransomware infection in the first place. Organizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages.

Cybereason delivers industry-leading ransomware protection via multi-layered prevention, detection and response, including:

  • Anti-Ransomware Prevention and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
  • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants, leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere – including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Cybereason Security Team. Read the original post at: https://www.cybereason.com/blog/partners-in-crime-how-ransomware-gangs-are-working-together