Threat actors keep finding new ways to disrupt daily life for financial gain, and often the new way is a reworked version of malware or ransomware that has already proved effective, with an added punch. In the last year the damaging Ryuk ransomware was reworked and reintroduced as Conti, a more destructive successor to one of the most widely used and effective ransomware tools, capable of extorting millions more.
WIZARD SPIDER, the group responsible for developing both threats, has a record of financially damaging attacks across many sectors, including educational institutions and state and local government organizations. While Ryuk has long been its weapon of choice, the group's newest tool positions it to hit many more public sector organizations at a time when they are especially vulnerable.
Why would schools and government agencies be targeted? What makes these institutions particularly good targets for WIZARD SPIDER? We recently sat down with Jason Rivera and Josh Burgess of CrowdStrike to find out.
Here is what they had to say:
GovCyberHub (GCH): What is Conti and what group created it?
Jason Rivera: To understand Conti, you need to connect it back to the group that created it, which is called WIZARD SPIDER. WIZARD SPIDER became popular with their use of the TrickBot banking Trojan and the Ryuk ransomware.
Ryuk was their first version of ransomware and it was very effective. In 2019 alone, WIZARD SPIDER was able to extort approximately $100 million in Bitcoin using Ryuk. To put that into perspective, that's more in one year than any other e-crime actor in human history. And what they have recently done is to create a newer version of the ransomware that is called Conti. Conti has a variety of different elements to it that make it superior to Ryuk.
Josh Burgess: Conti is an evolution of Ryuk. If you look back at what we've seen from the group that we call WIZARD SPIDER, they've done this a couple of times. They build out their ransomware tools in an iterative process. So at first it'll be really immature, without a lot of capabilities. And then as they go forward, they change it, they adapt it, and they improve it.
We saw this with Dyre back in 2014. It was really immature malware, but they quickly made it work and made it more effective. Then TrickBot came out and they kept going through iterations that made it better. So there are a couple of areas where Conti has really succeeded in being more damaging than Ryuk.
The first thing is that part of each individual string within the malware is obfuscated. This is a big deal because, if you're doing string matching or pattern matching or whatever else to detect this malware, it's nearly impossible to detect at that level, because any time you look at something, it looks different with every iteration. And even when you decompile it again, it's different.
And there's a lot of other things that it does as well. One of the other really interesting things that Conti does is leverage the ARP cache to enumerate every system on a network without ever generating a single piece of network traffic. This makes it difficult to identify its lateral movement across the network.
GCH: Why does a group like WIZARD SPIDER attack state government, local government, and education? What is their motivation?
Jason Rivera: I would say that, for those entities, it is strictly financial. Also, it’s because they’re vulnerable. These ransomware operators are looking for targets of opportunity within state government, local government, and the education community because they can be more vulnerable to cyber-attacks – whether it be due to lack of funding, a lack of dedicated cybersecurity professionals or a lack of cybersecurity tools.
GCH: Ransomware and other attack tools are constantly evolving and increasing in complexity. Is Ryuk substantially different from Conti? How is Conti more sophisticated or capable than Ryuk?
Josh Burgess: The biggest differences are the obfuscation, which obfuscates every string, the killing of Windows processes, and the ARP cache. That's the biggest area. But when you take a step back and look at what the malware was designed to do, and how it was built, and why it was designed the way it was, the biggest difference between Conti and Ryuk from a larger perspective is the number of command-line parameters that the malware accepts.
The reason this is a huge deal is because, traditionally speaking, when you first saw ransomware back in 2012-2013, it was a spray-and-pray mentality: I'm going to send out as much as I can, as quickly as I can, and try to make money. Now it's more targeted.
When you look at Conti, the number of command-line arguments is reflective of somebody who's going to be on a system dedicated to that one target. That's a really big thing I want to emphasize. This isn't as much of a "spam as much as you can, as quickly as you can" approach. This is a dedicated individual looking to get into this state government, this local government, this education institution, this healthcare organization, this financial services company.
They're focused on that exclusive target. And that's how they're getting in. That's why this new Conti malware is so adaptable.
Jason Rivera: In a lot of ways they are evolving their capabilities. Many of the changes that they are facilitating are designed to enable them to engage in a tactic called data extortion. Data extortion is an addition to the ransomware attack itself that involves taking the data that is locked up and then extorting the victim with it, in addition to the ransomware attack.
So, for example, let’s say I attack a school and I steal the addresses and personally identifiable information (PII) for a large population of minors. I can now take that data and then post it on an auction site and use that as another extortion mechanism to get the school district to pay out more money.
GCH: With a new school year expected to start, do you anticipate that this new replacement for Ryuk could be leveraged against education institutions in the coming months?
Josh Burgess: Since everything is being done with virtual learning, academic institutions and their students are relying on having connectivity and having functioning computer systems to work. And this is what Conti and other groups are going to take advantage of.
There is no reason to believe that they would step back when they know that they have school systems where they want them. All ransomware attacks that have been perpetrated against government and educational institutions weren’t just done at a random time. They focused their attacks right before school started, or right when a major event was about to happen. They’re opportunistic.
They’re most likely going to utilize this timeframe and know that they have prime targets that would likely pay because they just need school to work. Kids have to go back to learning and they’re going to capitalize on that.
Jason Rivera: CrowdStrike just released a report talking about the increased targeting of the academic sector by big game hunting ransomware-style operators. The report indicates that we are now seeing the targeting of academic institutions and the use of the data extortion tactic. CrowdStrike Intelligence found evidence that they're now actually hosting a lot of that data on data leak sites as well.
GCH: What about state and local government agencies? Is there anything happening right now that could make them particularly susceptible to an attack like this?
Jason Rivera: So probably the best way to think about this is that universally, across the board, institutions are now more susceptible to ransomware-style attacks. And one reason for that is the COVID-19 pandemic. There's something called the attack surface, which includes all of the different ways that an actor can hold you at risk. The more Internet-enabled tools you use, the more e-mail you use, the more mobile devices you use, the more VPNs; basically, the more you rely on the Internet, the larger your attack surface.
COVID-19 has increased the size of the attack surface for public sector organizations across the globe. As organizations go to the cloud, increasingly rely on the Internet and collectively go online, the more you will see these types of attacks take place. And anything that really contributes to that will increase the velocity of those attacks.
GCH: How does an organization like CrowdStrike identify these new threats? How does CrowdStrike know that this new tool is being used and could be leveraged against state and local governments and education institutions?
Josh Burgess: CrowdStrike is able to track these actors to such a granular level because we collect data at the endpoint. Our customers span more than 180 different countries, and the endpoint sensors that we have to help protect these customers gather more than three trillion events every single week.
These events, all of this data, go into our graph database. And that's how we are able to track them, because instead of sitting at the bump on the wire, or sitting as an agent or a sensor that has to have an opt-in policy, we collect and we see everything. That helps customers protect themselves, but then it also helps us protect everybody else.
That granularity allows us to track everything back to the origination point in a lot of cases. And that's one thing that makes CrowdStrike really unique.
GCH: Why is it important that we identify these things early?
Jason Rivera: I have a term that I often use with my customers called campaign tracking. Campaign tracking is your ability to track threat actor behavior across space and time, and observe how the threat actor changes across their various operations. Basically, the earlier you start tracking the threat actor's behavior when they come out with new stuff, the better, because operations have this tendency to become increasingly complex: malware becomes more complex, TTPs involve more and more complex fileless attacks such as living-off-the-land attacks, or other types of advanced malware attacks.
When you can catch an actor in the beginning, and when you can watch them fumble around a little bit at the beginning and make mistakes, you can watch them evolve. And the better your ability to watch them evolve, the more predictable their behavior becomes. That's why getting in earlier is always better.
To learn more about the malicious actors and threats facing government organizations, download a complimentary copy of the CrowdStrike 2020 Threat Hunting Report.
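Josh Burgess describes Conti reading the ARP cache to find other systems without sending any network traffic. The script below is an added illustration of that host-discovery technique in general, written for this page; it is not Conti's code, not CrowdStrike's, and makes no claim about how the malware parses anything. It reads the operating system's own neighbour table (constructed sample output of Windows `arp -a` and Linux `ip neigh` is embedded; no real capture) and keeps only entries that could be lateral-movement targets, dropping broadcast, multicast, IPv6 and unresolved rows. Nothing in it puts a packet on the wire.

```python
"""Host discovery from the local ARP/neighbour cache, with zero packets sent.

Illustrative example (not Conti's code): a process that reads the OS
neighbour table learns which hosts this machine has recently talked to
without generating any network traffic of its own.
"""
import ipaddress
import platform
import re
import subprocess

# Constructed sample of Windows `arp -a` output (not a real capture).
WINDOWS_ARP_SAMPLE = """
Interface: 10.10.20.57 --- 0xc
  Internet Address      Physical Address      Type
  10.10.20.1            00-50-56-c0-00-08     dynamic
  10.10.20.12           00-0c-29-3a-7f-10     dynamic
  10.10.20.45           00-0c-29-91-22-ab     dynamic
  10.10.20.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.56.101 --- 0x15
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-15     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# Constructed sample of Linux `ip neigh` output (not a real capture).
LINUX_NEIGH_SAMPLE = """
10.10.20.1 dev eth0 lladdr 00:50:56:c0:00:08 REACHABLE
10.10.20.12 dev eth0 lladdr 00:0c:29:3a:7f:10 STALE
10.10.20.77 dev eth0  FAILED
fe80::250:56ff:fec0:8 dev eth0 lladdr 00:50:56:c0:00:08 router STALE
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}([-:][0-9a-f]{2}){5}$", re.IGNORECASE)
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def _usable(ip_text, mac):
    """True for a unicast IPv4 neighbour whose MAC actually resolved."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.version != 4 or ip.is_multicast or ip.is_loopback or ip.is_unspecified:
        return False
    if mac is None or not MAC_RE.match(mac):
        return False  # incomplete/failed entry: no host behind it yet
    if mac.lower().replace(":", "-") == BROADCAST_MAC:
        return False  # subnet or limited broadcast address, not a host
    return True


def parse_windows_arp(text):
    """Parse `arp -a` output into {interface_ip: set(neighbour_ips)}."""
    hosts = {}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Interface:\s+(\S+)", line)
        if m:
            iface = m.group(1)
            hosts.setdefault(iface, set())
            continue
        parts = line.split()  # data rows: <ip> <mac> <type>; header row has 5 tokens
        if iface and len(parts) == 3 and _usable(parts[0], parts[1]):
            hosts[iface].add(parts[0])
    return hosts


def parse_linux_neigh(text):
    """Parse `ip neigh` output into {device: set(neighbour_ips)}."""
    hosts = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[1] != "dev":
            continue
        if "FAILED" in parts or "INCOMPLETE" in parts:
            continue  # kernel never got an answer for this IP
        mac = parts[parts.index("lladdr") + 1] if "lladdr" in parts else None
        if _usable(parts[0], mac):
            hosts.setdefault(parts[2], set()).add(parts[0])
    return hosts


def candidate_targets(hosts):
    """Flatten per-interface results into one sorted list of reachable peers."""
    ips = set().union(*hosts.values()) if hosts else set()
    return sorted(ips, key=ipaddress.ip_address)


def read_live_cache():
    """Read this machine's neighbour table. Still sends no packets."""
    if platform.system() == "Windows":
        out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
        return parse_windows_arp(out)
    out = subprocess.run(["ip", "neigh"], capture_output=True, text=True, check=False).stdout
    return parse_linux_neigh(out)  # Linux `ip neigh`; other platforms not handled here


if __name__ == "__main__":
    print("sample targets:", candidate_targets(parse_windows_arp(WINDOWS_ARP_SAMPLE)))
    try:
        print("live targets:  ", candidate_targets(read_live_cache()))
    except FileNotFoundError:
        print("no arp/ip tool on this platform; skipped live read")
```

The point for defenders follows from the code: a network sensor sees nothing during this step, because there is no scan, no broadcast and no DNS. The first observable network activity is the follow-on connection to the hosts the table revealed, so detection of the discovery itself has to come from host telemetry (which process read the neighbour table, and what it connected to immediately afterwards).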