How Ransomware Became A Nightmare For Tyler Technologies, Other Solution Providers
Here’s a look at why ransomware operators began targeting solution providers and what caused some groups to forgo attacks against small MSPs in favor of hitting massive systems integrators like Tyler Technologies, Cognizant, Conduent and DXC Technology.
Another Day, Another Channel Ransomware Victim
Tyler Technologies, No. 46 on the 2019 CRN Solution Provider 500, became the latest solution provider to be hit with ransomware Wednesday in an attack that crippled the company’s internal corporate network and phone systems and still has Tyler’s website down two days later.
The Plano, Texas-based government service provider was hit by RansomExx ransomware (previously known as Defray777), according to BleepingComputer, which was also used in attacks this summer against the Texas Department of Transportation, Konica Minolta, and IPG Photonics. Tyler confirmed the intruder used ransomware, but said it wouldn’t provide any additional specifics around its investigation.
The attack against Tyler Technologies comes just months after vicious ransomware infections hobbled three of the world’s 20 largest solution providers – Cognizant, Conduent and DXC Technology. All told, the four solution providers that succumbed to ransomware in 2020 have combined revenue of $41.93 billion and a joint market cap of $54.36 billion.
CRN spoke with more than a dozen threat research experts about how ransomware burst onto the scene, why adversaries began targeting solution providers, what caused some ransomware operators to forgo attacks against small MSPs in favor of hitting massive systems integrators, and key similarities and differences between the two groups most likely to go after the channel: Maze and REvil. Here’s what we found.
Ransomware Originally Targeted Consumers, Not Businesses
Ransomware came into being in 2016 targeting consumers with spam messages that would encrypt their systems if they clicked, said Adam Meyers, senior vice president of intelligence at CrowdStrike. This was typically a “smash and grab” operation where the hackers would snag whatever they could, demand money, and take whatever people offered, said Adam Kujawa, director of Malwarebytes Labs.
But most consumers aren’t skilled computer users, so Meyers said the ransomware groups would end up having to spend a lot of time explaining to people what cryptocurrency is and how to use the portal to make a payment. Eventually, the ransomware actors shifted away from going after 100 consumers for $400 each and instead targeted a single business with a ransom demand in the five-to-seven figures.
“Rather than going after squirrels, they’re going after elephants,” Meyers said.
Unlike traditional garden-variety consumer ransomware, the sophisticated ransomware actors going after businesses are looking to effectively cripple organizations by preventing them from conducting or carrying out routine operations, said Raj Samani, McAfee’s chief scientist. These attacks occur less often but carry demands for five-to-seven figure ransoms since their impact on businesses is profound.
Solution Providers Concentrate Risk Of Many Customers In One Place
Solution providers are a particularly attractive target since they concentrate the risk of many organizations all in a single place, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. Many threat actors rely on phishing attacks to infiltrate an organization, and given the number of people MSPs typically employ, Kalember said it’s hard for them to ensure that no one is clicking on malicious links.
“Service providers are a huge target. They are broad, they have a lot of infrastructure and they’re constantly interacting with the outside world,” Kalember said. “MSPs have to be on their security game because they’re going to be highly desirable targets for any ransomware actor.”
When selecting a target, hackers are looking for someone that has valuable information and is willing and able to pay, according to Jason Hicks, global chief information security officer (CISO) for solution provider Kudelski Security. Big solution providers tend to have valuable information that can be leveraged to exploit other companies, meaning that the adversary could ultimately infiltrate 50 organizations just by breaching the IT service provider they all have in common, according to Hicks.
“You want to go after a victim that ransomware is going to be effective against,” said Malwarebytes’ Kujawa. “The best companies to go after are the ones that would be devastated if you release their data to the world.”
When Client Data Is Stolen, Solution Providers Must Pay Ransom
Exfiltrating MSP data around their clients, operations, financials and data processes makes it much more likely the solution provider will pay the ransom, according to Loucif Kharouni, senior manager of global threat intelligence at solution provider Deloitte.
If the hacker collects information about the MSPs’ clients, the likelihood of the solution provider paying increases dramatically versus a small business owner who can start from scratch, Kharouni said. Such an attack also puts the MSP in a bad position from a brand reputation standpoint, according to Kharouni.
If an MSP ends up exposing client data to hackers, it’s no longer the solution provider’s decision to pay, especially if the client is subject to stringent regulatory and industry controls, according to Mat Newfield, CISO at Unisys, No. 23 on the 2020 CRN Solution Provider 500. At that point, the solution provider may be left with no choice but to pay the ransom.
“A lot of times, the data that’s exfiltrated is not your data,” Newfield said. “It exposes you in a different way.”
Acquisitions Create Security Risks For Solution Providers
A lot of risk is also introduced into large solution providers through acquisitions since the acquiring company is called upon to quickly integrate the systems, processes and infrastructure of another entity into their own, according to Unisys’ Newfield. The July 2020 ransomware attack against DXC Technology came in through insurance managed services subsidiary Xchanging, which DXC had bought in May 2016.
Companies are under a massive amount of pressure to quickly integrate acquisitions but typically don’t have the funding or budget to put security controls in place, Newfield said. Companies are accustomed to adding or removing systems on a smaller basis, but when a business needs to add 100,000 systems, they’re often connecting everything and hoping the firewalls and packet-based systems catch issues.
The post-acquisition integration project needs to be a long-term endeavor with risk assessment at the network, program and application level to ensure micro-segmentation is put in place and systems from both entities can speak with one another when required, Newfield said. The process should include testing the systems of the acquired asset to see how susceptible they are to phishing attacks, he said.
Ransomware Groups Publicize, Exaggerate Stolen Data Claims
On their dedicated leak site, Maze advertises the companies they’ve hit as well as who’s not paying them, said Kudelski Security’s Hicks. Businesses with locked down and inaccessible data really don’t want the ransomware attack covered in a public way before they’ve come up with a communications plan, Hicks said.
“These are traditionally activities people want to handle outside the limelight,” Hicks said. “It makes it hard when there are folks who are promoting that they’ve attacked you.”
Maze will publish subsets of the data they’ve stolen to their dedicated leak site and tell victims they have more data that’s materially sensitive to the organization, said Charles Carmakal, chief technology officer of FireEye’s Mandiant division. The group will embellish the type and volume of victim data they have, Carmakal said, and issue press releases that call out specific organizations that have chosen not to pay the ransom.
“If they steal 5GB of data, sometimes they’ll say they have 10GB or 20GB of data,” Carmakal said.
Affiliate Models Popular Among Ransomware Actors
REvil’s claim to fame is democratizing access to its tools through an affiliate or Ransomware as a Service model, providing groups around the world with access to its technology to carry out a broader footprint of ransomware attacks, according to Proofpoint’s Kalember. Unlike REvil, it’s still unclear whether Maze operates an affiliate model or not, and Meyers said more time and observation is required.
When Mandiant first learned about Maze, Carmakal thought he was dealing with just a single group. But after investigating multiple Maze intrusions, Carmakal said the tooling and infrastructure looked so different from one another that he’s come to believe there are multiple operators working under the Maze umbrella.
“Other than being illegal and illicit, it follows a lot of traditional business principles,” Meyers said.
One REvil Affiliate Is Dedicated To Going After MSPs
Each REvil affiliate tends to have a different specialization, with one conducting widespread phishing campaigns while another seeks to exploit vulnerabilities in products like Pulse Secure VPNs. One affiliate of REvil is dedicated to going after MSPs, and they flew under the radar for a while since they were initially targeting Indian MSPs that specialize in serving Indian companies.
But once that REvil affiliate went after the Texas MSP servicing town and county governments, they attracted a whole lot more press attention, according to Allan Liska, senior security architect at Recorded Future. That REvil affiliate often focuses on MSPs with a highly specialized focus such as ones serving nursing homes or providing patient record backup services to dentist offices, Liska said, which is very different than their counterparts at Maze.
“Maze is not going to spend a bunch of time and effort compromising a dentist office and making a bunch of noise about it on Twitter,” said Proofpoint’s Kalember. “But REvil affiliates have done that and made some noise around it.”
Some REvil affiliates have gone after financial institutions, but they tend to bypass major banks with robust endpoint and email defenses and instead target smaller banks where they are more likely to get open-source tools like Cobalt Strike and PowerShell onto their networks, Kalember said. Big banks also tend to have better backups, meaning they’re less likely to pay a ransom, according to Kalember.
Ransomware Groups Began Leaking Data As Backups Made Encryption Moot
The ransomware of the past was focused on encrypting machines, but as people wised up, Unisys’ Newfield said they began either air gapping their recovery systems or doing offline backups. As companies began ensuring both data at rest and in transit were properly stored, Newfield said it became much more difficult for ransomware actors to successfully exfiltrate their data.
Ransomware actors have long taken a carrot and stick approach toward their victims, offering to return a victim’s data if they pay the ransom but threatening to exfiltrate it if they don’t, CrowdStrike’s Meyers said. But as organizations increasingly became capable of restoring the data from backups, Meyers said the number of companies paying to get the ransom key dwindled.
In response, Meyers said ransomware actors have strengthened the stick by threatening to leak an organization’s data if they don’t pay the ransom. This means that even if a victim organization doesn’t pay since they’re able to restore from backup, the ransomware group can still post whatever victim data they’ve stolen on the public-facing internet, potentially leading to a massive data breach, Newfield said.
Extorting Ransomware Victims Via Leaks, Auction Is New Normal
RobinHood in May 2019 was the first ransomware actor to up the ante on organizations not paying the ransom by threatening extortion, CrowdStrike’s Meyers said, and Maze and REvil followed in RobinHood’s footsteps in November 2019 and December 2019, respectively. From there, the turn toward extortion via data leaks accelerated rapidly, and Meyers said seven or eight different ransomware groups are doing so today.
Ransomware actors have turned not only to public leak sites like the one maintained by Maze but also auction sites, where a company’s data will be sold to the highest bidder, said McAfee’s Samani. REvil in July 2020 began auctioning off files it stole from celebrity law firm Grubman Shire Meiselas & Sacks, putting documents related to Nicki Minaj, Mariah Carey and LeBron James up for bid at $600,000 each.
“Their ability to put a tighter chokehold on victims is driving an increase in ransom payments,” Samani said. “They’re adapting and innovating at a rapid pace.”
Maze Passes Over Small Targets In Favor Of Well-Known Ones
Many of the MSPs servicing local governments were likely targeted initially on a purely opportunistic basis by adversaries operating websites with exploit kits, according to Proofpoint’s Kalember. These actors tend to use techniques like RDP scanning to turn up poor configurations, which tend not to be found at large, global systems integrators (SIs) with vastly more financial resources, Kalember said.
But the new generation of ransomware actors like Maze are passing over soft targets and instead going after bigger, more interesting targets who can pay larger ransoms, Kalember said.
In general, Malwarebytes’ Kujawa said the smaller organizations don’t have the time, resources or budget to secure everything as well as larger organizations with more resources. While the possible avenues of exploit may be greater for larger organizations, Kujawa said the likelihood of breaching a large organization would be less due to the resources at their disposal.
Larger, sophisticated solution providers have spent money on the tooling and people needed to prevent targeted attacks, while smaller channel partners don’t necessarily have the resources on hand to build a multi-level prevention strategy, said Kudelski Security’s Hicks. It’s often significantly more challenging to get into global SIs since many are publicly traded and have compliance and regulatory requirements.
“Large SIs likely have the funding necessary to put up a serious defense against something like this happening,” Hicks said. “It’s not inexpensive to do this in a way where you feel secure.”
Maze Is Laser-Focused On Likelihood Of Ransom Payment
A 10-person organization likely doesn’t have the ability to pay a large ransom, meaning the owner would likely just shut the business down and use the concept they developed to start a new company, Deloitte’s Kharouni said. Maze is laser-focused on the likelihood that the victim organization will pay the ransom, which is determined by the size of the company and the amount of sensitive data they have.
Large SIs are appealing because of the size of the targets a single compromise exposes, since Fortune 500 firms are typically serviced by a global SI rather than a local or regional partner, said Kudelski Security’s Hicks. Big solution providers tend to support customers with sensitive, commercially viable data, meaning the ransomware actor can diversify their revenue stream even if the victim doesn’t need a decryption key.
Maze also considers the vulnerability present in an organization as well as any desire for payback when determining which companies to target, according to Malwarebytes’ Kujawa.
“Maze is not bothering with the small stuff. They could probably hit the small stuff like everybody else, but they’re not interested,” said Chester Wisniewski, principal research scientist at Sophos. “It’s all about brand recognition. It’s names that we know. It’s not little anonymous manufacturing companies.”
Maze Wants Victims Who Can Be Humiliated Into Paying
Maze tends to execute broad-based ransomware campaigns with a well-crafted social engineering element, according to Proofpoint’s Kalember. An early example took place in October 2019, when Maze impersonated the Italian Revenue Agency and emailed manufacturing companies and directed them to open and read the attachment VERDI.doc in order to avoid further tax assessment and penalties.
The lure was very well-structured for the market, Kalember said, since the Italian tax system is notorious for being super complicated. Not every ransomware actor would go to the extreme of impersonating a government agency since that tends to attract the attention of the government in question, according to Kalember.
“They have not shied away from bold moves,” Kalember said.
Since then, Maze has targeted a lot of state and local governments, focusing heavily on school districts until the COVID-19 outbreak in March 2020 shut schools down for the year, according to Recorded Future’s Liska. Maze tends to forgo massive, indiscriminate phishing campaigns and instead focus their efforts on a specific industry or sector, Liska said.
“Maze always wants to go after the biggest target possible. They are definitely pushing toward going after bigger and bigger targets, because bigger targets can pay a bigger ransom,” Liska said. “Maze wants organizations that can be humiliated into paying the ransom and won’t just shut the business down.”
Ransomware Groups Target Unpatched Vulnerabilities, Open RDP Servers
A lot of ransomware actors get their start scanning for open or vulnerable Remote Desktop Protocol (RDP) servers since there’s no upfront cost associated with that attack vector, according to Recorded Future’s Liska. Once the first victim pays a ransom, Liska said the ransomware actor will often use the proceeds to buy a phishing exploit kit.
Ransomware groups also like exploiting well-known vulnerabilities that haven’t been patched in everything from Citrix to Pulse Secure to Microsoft SharePoint, Liska said. The process of scanning for and gaining access using these vulnerabilities can be easily automated, according to Liska.
REvil has exploited vulnerabilities in Citrix through Remote Desktop Protocol (RDP), a process that has been simplified by the nearly 40,000 RDP credentials for sale on the dark web, according to McAfee’s Samani. The accessibility and availability of credentials makes RDP a low-hanging fruit for ransomware actors, Samani said.
“Somebody is able to acquire credentials and identify a weak link somewhere,” Samani said. “Good cyber hygiene is the first step in being able to prevent these kinds of attacks.”
Maze’s Operations Have Gotten More Sophisticated
From a technical standpoint, Maze started off fairly basic, leveraging email, exploit kits on websites and RDP attacks to go after MSPs, said Proofpoint’s Kalember. Maze relied heavily on email campaigns in 2019, impersonating everyone from AT&T to Canada Post. But most recently, Maze’s operations have gotten more sophisticated and focused on lateral movement in networks with tools like Cobalt Strike.
“They’re not necessarily spamming the world at this point,” Kalember said.
There are several different Russian-speaking actors behind Maze, Kalember said, and the actors sell off access as a commodity and collaborate on the broad chain of events spanning from targeting to payoff. Different actors are involved with different aspects of the exploitation, with some people focused more on the pre-compromise phase of operations while others focus more on post-compromise, he said.
Conversely, Liska said Maze has a set of IP addresses that they almost always reach out to during their operations, meaning that organizations can save themselves a good deal of pain and suffering by blocking access to those IP addresses. There’s more consistency in the attributes of Maze’s operations, including how they use taskkill, PsExec and the Windows Management Instrumentation Command-line (WMIC), he said.
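As an added illustration of how a defender can key on the attributes Liska describes (this is not code from the article or from any vendor quoted in it), the Python below triages constructed endpoint telemetry: it flags taskkill, PsExec and remote WMIC process creation per host, checks outbound connections against a placeholder blocklist, and only raises an alert when several of those indicators coincide on one host, since taskkill on its own is routine admin activity. The log format, host names and IP addresses are all made up; the article does not publish Maze’s actual addresses.

```python
"""Triage of constructed endpoint telemetry for the tradecraft attributes the
article attributes to Maze: taskkill, PsExec, remote WMIC, and known C2 egress."""
import re
from collections import defaultdict

# Placeholder blocklist (RFC 5737 documentation addresses), not real Maze infrastructure.
BLOCKLIST = {"192.0.2.10", "198.51.100.7"}

# Constructed log lines in a made-up pipe-delimited format: ts|host|kind|detail.
# kind "proc" carries a process command line, kind "net" a destination IP.
SAMPLE_LOG = "\n".join([
    r"2020-09-23T09:58:10Z|WS01|proc|C:\Windows\System32\svchost.exe -k netsvcs",
    r"2020-09-23T10:01:05Z|WS01|proc|taskkill /F /IM app1.exe",
    r"2020-09-23T10:01:06Z|WS01|proc|taskkill /F /IM app2.exe",
    r"2020-09-23T10:02:30Z|WS01|proc|psexec.exe \\FS02 cmd.exe",
    r"2020-09-23T10:03:00Z|WS01|net|192.0.2.10",
    r'2020-09-23T10:05:00Z|FS02|proc|wmic /node:WS03 process call create "cmd.exe"',
    r"2020-09-23T10:06:00Z|FS02|net|203.0.113.5",
    r"2020-09-23T11:00:00Z|WS09|proc|taskkill /F /IM notepad.exe",  # lone admin action
    r"2020-09-23T11:00:10Z|WS09|net|203.0.113.9",
])

# Command-line patterns for the three tools named in the article.
PATTERNS = {
    "taskkill": re.compile(r"(?:^|\\|\s)taskkill(?:\.exe)?\b", re.I),
    "psexec": re.compile(r"(?:^|\\|\s)psexe(?:c|svc)(?:\.exe)?\b", re.I),
    "wmic_remote_exec": re.compile(
        r"\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b", re.I),
}


def parse_line(line):
    """Split one constructed log line into its four fields, or None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, kind, detail = parts
    return {"ts": ts, "host": host, "kind": kind, "detail": detail}


def indicators_for(event, blocklist=BLOCKLIST):
    """Return the set of indicator names a single event matches."""
    hits = set()
    if event["kind"] == "proc":
        hits.update(name for name, rx in PATTERNS.items() if rx.search(event["detail"]))
    elif event["kind"] == "net" and event["detail"] in blocklist:
        hits.add("blocklisted_egress")
    return hits


def collect(log_text, blocklist=BLOCKLIST):
    """Aggregate distinct indicators per host across the whole log."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            per_host[ev["host"]] |= indicators_for(ev, blocklist)
    return dict(per_host)


def triage(per_host, min_indicators=2):
    """Alert only on hosts where several distinct indicators coincide."""
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    for host, inds in triage(collect(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(inds)}")
```

Only WS01 is alerted on: FS02 shows a single remote WMIC call and WS09 a single taskkill, neither enough on its own.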
REvil Provides Good Customer Service To Affiliates, Victims
As for REvil, the core developers are more advanced from a development process standpoint when it comes to the maturity of their coding and their ability to fix mistakes quickly, said Recorded Future’s Liska. Most ransomware has trouble with files that are more than 4GB due to Windows limits, but when REvil encountered the issue, they promptly issued a patch so paying victims could decrypt their files.
“They’re more mature from a programming standpoint, but are still definitely bastards,” Liska said.
Similarly, Liska said REvil is known for being responsive when affiliates using their program need advice or are looking for assistance. Maze is more haphazard from a responsiveness standpoint, Liska said, and will address technical issues when they get around to it but operate at a slower cadence than REvil.
REvil attacks tend not to have too many trademark characteristics since they have so many affiliates, meaning a broad range of activities can be found as part of a REvil operation, Liska said. This can make classifying and attributing their attacks a little more challenging, according to Liska.
Maze Switches Up Their Tactics More Than REvil
From what Malwarebytes’ Kujawa has seen, Maze relies more heavily on manual operations and employs a greater variety of tactics than their counterparts at REvil, giving Maze better post-breach insight into their targets. REvil likes to utilize TrickBot for automated third-party compromise, Kujawa said, while Maze manually launches attacks on vulnerable RDP ports to give themselves more control.
Maze regularly runs scanners on the entire internet looking for misconfigurations or vulnerable ports, and typically goes after technological flaws rather than the humans controlling the systems, Kujawa said. This requires more intent, focus and reconnaissance work than what REvil does, Kujawa said. He likened REvil’s approach to catching a fish, while Maze’s process is more intense and akin to hunting a deer.
“Sodinokibi [REvil] is on autopilot, and Maze ransomware isn’t,” Kujawa said.
Maze Maximizes Value Of Attack By Manually Controlling It
Less focused actors will use automated malware that follows a set of commands in terms of what to do after it infects one system, meaning the attack can run in the background, Kujawa said. But Maze uses a manual control system, meaning the attacker is sitting behind the computer looking at the malware that breached the system and determining which information would be most valuable to obtain, he said.
This approach is more akin to state-sponsored actors, and often allows a group like Maze to increase their dwell time by forgoing an attack against a system that would cause them to get noticed, Kujawa said. By operating manually, Kujawa said actors like Maze can often disable anti-malware software and modify their operations in ways that will decrease suspicion after breaching a misconfigured RDP server.
The manual approach employed by Maze requires more work and the payoff isn’t guaranteed, Kujawa said. Plus big organizations are continuously improving their defenses from a technical standpoint, meaning that they may become largely impenetrable unless some degree of social engineering and deception is involved, according to Kujawa.
But for now, the personal touch honed by groups like Maze means that it’s no longer just mom-and-pop MSPs falling prey to ransomware. The biggest solution providers in the world have good reason to be scared.