Jim Seaman

Ransomware: Are you correctly equipped to go fishing?


Increasingly, we are seeing businesses fall victim to ransomware-style attacks, yet many of these organizations will not have ignored the need for appropriate levels of security and will have invested a great deal of time, effort and resources in keeping their businesses safe and secure. After all, data has become the life-blood of their business, so keeping this resource healthy and available makes common sense, right?

Just what is Ransomware?

Now, this is where you can start to feel sympathy with these businesses and especially for those employed in IT Operations.

The term Ransomware is an umbrella term covering numerous different strains of malware, which all behave slightly differently but have one thing in common:

  • They are designed to make your data unavailable to you unless you pay the attacker's ransom to have that data unlocked.

phoenixNAP describes ransomware as being:

"Ransomware is a type of software that blocks access to a system or files until the victim pays a ransom. Most attacks make data inaccessible through encryption, but some programs prevent users from booting up their devices.
Ransomware typically infects a system in one of the following ways:
  • A malicious attachment or link in a phishing email.

  • A drive-by download from an infected website.

  • An infected piece of hardware.

  • A worm that exploits a system vulnerability.

Here is how an average ransomware attack works:
  1. A user receives a phishing email and makes the mistake of clicking on a malicious link.

  2. Ransomware silently installs on the system and locates the target data.

  3. The program encrypts data in the background.

  4. Once encryption is complete, the victim gets a message from attackers demanding a ransom in exchange for the decryption key.

Hackers typically demand payments in Bitcoins or similar cryptocurrencies. The ransom always has a deadline. If the victim decides to break the deadline, attackers either increase the price or delete the decryption key.
Giving money to attackers is not always the end of a ransomware attack. Some programs also infect other devices on the network, enabling further attacks. Other examples of ransomware also infect victims with malware, such as Trojans that steal login credentials".

It might be that, as part of the attack, the criminals have already carried out some reconnaissance and exploration to help them gauge how large a ransom your business should be required to pay.

Ransomware, Data and the Human Perspective

Given that your business data operations will likely rely heavily on human interactions, and that people are susceptible to malicious communications, it is easy to understand why they are often the primary target for the delivery of malicious software, and why so many ransomware attacks start with an end-user succumbing to a social engineering attack.

However, do not become complacent and assume that all ransomware attacks rely solely on social engineering tactics to deliver their malicious payloads; attackers will seek to exploit poorly maintained systems as well.

Deconstructing Ransomware

The criminals have become very clever and will adapt the methods by which they deliver their malicious payloads. Take, for instance, the SamSam ransomware, which leverages vulnerabilities or weak passwords on internet-facing systems to gain the initial foothold.

By looking at the tactics used with different types of ransomware attacks, you can start to appreciate how your defenses need to be adapted, and their effectiveness measured, so that you can identify and defend against the differing ransomware types. Take drive-by downloads, for example:

These attacks happen when hackers exploit an insecure website to set a ransomware trap. The ransomware dropper was distributed with the help of drive-by attacks: while the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure.


In order to truly understand the risks to your business from ransomware, it is extremely important that you understand the various tactics and techniques that are associated with these different variants. Only then can you start to appreciate which of your vulnerabilities may be susceptible to a ransomware attack and which, therefore, should be prioritized for remediation.

Let's take a deep-dive look at a known active ransomware threat (Ryuk). We know that this starts with a spear-phishing email and a geo-based download function, and that it is employed by the Wizard Spider and FIN6 Advanced Persistent Threat (APT) groups.

Wizard Spider

This is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals, and whose tactics are mapped as follows:

FIN6

This is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors, and its tactics have been mapped as follows:

By being better informed about these particular threats, you are better placed to understand the risks and the attack indicators to look out for, and to start forging improved defensive capabilities.

Wizard Spider

  • Is financially motivated.

  • Has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.

  • Has used spear-phishing with malicious links and attachments.

  • Has used macros to execute PowerShell scripts to download malware on victim's machines.

  • Has run cmd.exe to execute commands on a victim's machine.

  • Has used scheduled tasks for persistence.

FIN6

  • Has focused on the retail and hospitality sectors' PoS systems.

  • To move laterally on a victim's network, has used stolen credentials from various systems on which it has gathered usernames and hashed passwords.

  • Has targeted victims with spear-phishing emails containing malicious attachments, or with fake job adverts sent via LinkedIn.

  • Has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.

  • Has created Windows services to execute encoded PowerShell commands.

  • Has used malicious documents to lure victims into allowing execution of PowerShell scripts.

  • Has used Windows Management Instrumentation (WMI) to automate the remote execution of PowerShell scripts.
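To show how the tactics listed above can be turned into something your monitoring can actually check, here is an added example (not part of the original post, and not code from either group's tooling or from any vendor product). It assumes process-creation records with the three fields a Sysmon Event ID 1 log would give you (image, command line, parent image) and runs a handful of rules over constructed sample events: an Office application spawning PowerShell (macro delivery), PowerShell started with an encoded command, schtasks.exe creating a task (persistence), WmiPrvSE.exe spawning PowerShell (WMI remote execution) and services.exe spawning PowerShell (service-based execution). The rule names, field names and sample command lines are all assumptions made for this illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a Sysmon Event ID 1 (process create) record.
@dataclass
class ProcEvent:
    image: str          # path of the process that was started
    cmdline: str        # its full command line
    parent_image: str   # path of the parent process

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Common spellings of PowerShell's -EncodedCommand switch. PowerShell accepts
# any unambiguous prefix; this is the subset seen most often in the wild.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if it is
    absent or not valid base64 over UTF-16LE (the encoding PowerShell uses)."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:            # binascii.Error and UnicodeDecodeError both derive from it
        return None

def analyze(ev: ProcEvent) -> List[str]:
    """Return the names (assumed here) of every rule the event matches, in rule order."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    if parent in OFFICE_APPS and child in POWERSHELL:
        hits.append("office-macro-launches-powershell")
    if child in POWERSHELL and decode_encoded_command(ev.cmdline) is not None:
        hits.append("encoded-powershell-command")
    if child == "schtasks.exe" and "/create" in ev.cmdline.lower():
        hits.append("scheduled-task-created")
    if parent == "wmiprvse.exe" and child in POWERSHELL:
        hits.append("wmi-spawned-powershell")
    if parent == "services.exe" and child in POWERSHELL:
        hits.append("service-launched-powershell")
    return hits

def triage(events: List[ProcEvent]) -> dict:
    """Map event index to matched rules; events with no hits are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyze(ev))}

def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; none of these come from a real incident.
SAMPLE_EVENTS = [
    ProcEvent(PS_PATH,
              "powershell.exe -nop -w hidden -enc " + encode_ps('Write-Output "constructed sample"'),
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Updater" /tr C:\Users\Public\u.exe /sc onlogon',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(PS_PATH, "powershell.exe -nop -c Get-Process",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(PS_PATH, "powershell.exe -EncodedCommand " + encode_ps("Get-Service"),
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
        decoded = decode_encoded_command(SAMPLE_EVENTS[i].cmdline)
        if decoded is not None:
            print(f"    decoded command: {decoded}")
```

The point of the example is the mapping, not the regexes: each rule corresponds to one bullet in the lists above, so when a rule never fires in your environment you know which of the group's documented techniques you currently have no visibility of. Decoding the encoded command is there so the analyst reviewing an alert sees the script text rather than a base64 blob.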

As you can see, by carrying out a more detailed analysis of the different attack groups, the different types of ransomware and how they are used, you can start to refine your defensive strategies and focus on those areas that pose the greater risk to the business.


When carrying out a risk assessment against the ransomware threat, many organizations tend to be too generic. As a result, their risk assessments fail to identify the specific modus operandi and cannot accurately evaluate which mitigating controls need to be effective to adequately address the types of ransomware threat facing their business.

Imagine you were thinking of taking up fishing. You walk into a fishing tackle shop and the store person asks:

"So, what type of fishing will this be (Coarse, Fly, Sea, etc.)?"

You reply,

"I don't know - just fishing!"

The store person then asks:

"Okay, what type of fish are you hoping to catch?"

You reply,

"I don't know - just fish!"

Based upon this generic description, what are the chances that the store person will be able to provide you with the best advice to achieve your objectives?

The same applies to defending your organization from a ransomware attack. The more detail you have, the better equipped and prepared your organization can be for the ransomware threats it faces.
