
How It Evolved And How Organizations Can Prepare For Today’s Attacks


Sriram Tarikere is a Cybersecurity Executive Leader with Alvarez & Marsal, New York, with more than a decade of experience in the field.

Ransomware has been a known threat in the cybersecurity world for a long time. It emerged in the late 1980s when a medical researcher tried to extort other researchers through malware delivered on floppy disks. Known as the AIDS Trojan, it is considered the first case of ransomware.

Ransomware gained prominence in the mid-2000s when cybercriminals started demanding ransom from victims by locking access to their services and systems. In the early 2010s, attackers practiced a “fire and forget” approach: an automated phishing campaign deployed to one or more hosts within the organization. Because the attackers had little control over what happened after delivery, these campaigns were often unsuccessful, and the ransom demanded was small compared to today.

In 2015, a new kind of ransomware appeared: post-intrusion ransomware. The GOLD LOWELL group was the first known user of this type of attack when it deployed the infamous SamSam ransomware. The defining characteristic of this attack was hands-on-keyboard activity, which let the operators make full use of the malware’s capabilities. With this, operators gained more control, which led to the successful extortion of large ransoms. Other ransomware families that used the same method were Ryuk, BitPaymer and Defray. Since then, there have been numerous cases of ransomware attacks worldwide.

In 2017, however, something extraordinary shook the IT world: More than 200,000 machines in 150 countries were infected by WannaCry. The scale of this particular attack changed the cyber threat landscape, marking the beginning of fifth-generation cyberattacks. After WannaCry, the next large-scale attack was NotPetya, an allegedly state-sponsored ransomware attack that led the way to global-scale, multivector cyberattacks powered by state-sponsored entities and tools.

The Rise Of Double Extortion And Triple Extortion

In 2019, a new threat emerged: double extortion, also known as the name-and-shame approach. In double extortion, a multi-stage attack infiltrates the victim’s network, exfiltrates sensitive data, deletes backups and any other restore mechanisms, and encrypts the sensitive data before demanding a ransom for the decryption key needed to restore the systems, the associated business applications and the underlying data.

If the company does not agree to pay the ransom, the attacker threatens to publish that data or auctions it on underground websites to recover the money. The Maze group was the first to popularize this method, and it drew other groups such as REvil, DarkSide and Conti to monetize the same techniques.

The ransomware-as-a-service (RaaS) model is widely used in name-and-shame operations, in which operators, affiliates and initial access brokers (IABs) work together to execute the attack.

• Operators: These are the threat groups who build and maintain the ransomware and the associated tools. They usually handle the ransom negotiation themselves while outsourcing tasks such as gaining access to victims’ networks or deploying the ransomware to third parties. The GOLD SOUTHFIELD threat group created the REvil RaaS, for example.

• Affiliates: Affiliates are individuals or small teams who work with operators. They help the operators gain access to the victims’ systems and networks.

• Initial Access Brokers (IABs): Ransomware operators or affiliates sometimes buy access from IABs. IABs identify vulnerabilities and loopholes in victims’ systems and networks and then sell that access to the highest bidder, whether an operator or an affiliate.

Double extortion is still widely used by most threat actors, but the triple extortion method has brought more sophistication to the process as companies continue to secure their systems with different layers of protection. In February 2021, REvil executed a triple extortion attack, which started with the group exfiltrating and encrypting the data as usual. The group then launched a distributed denial of service (DDoS) attack against the victim’s critical infrastructure as additional leverage for the ransom.

Prevention Against Ransomware Attacks

Ransomware has evolved significantly, from malware sent out at random to extortion run by organized crime syndicates. Today, ransomware is a significant threat to organizations of all sizes. The good news, however, is that there are several ways organizations may be able to secure their systems and recover without paying the ransom, such as:

• Employee Security Awareness Training: It is often said that the weakest link in an organization is its employees. Continuously train and test employees on security awareness and on recognizing phishing and vishing attacks. If an employee has privileged access or is an executive, provide additional, focused training for them.

• Phishing Protection: The first layer of protection that every organization should mandate is blocking the phishing attempt. Different AI-based security solutions can help prevent phishing attacks in real time.

• Multifactor Authentication: Organizations should enforce multifactor authentication with a zero-trust configuration to prevent lateral movement.

• Segmented/Isolated Backups: Ensure your organization’s critical business data and information is securely backed up and, where possible, segmented or isolated from the regular network or production environment. This ensures that in the event of an attack, the threat actors cannot move laterally into the backup segment.

• Layered Defense And Breach-Kill-Chain: When feasible, incorporate a layered defense approach and consider implementing a breach-kill-chain, which allows you to disconnect the rest of the organization’s network from the infected segment, whether that is an office, a region or a platform/application stack.

As ransomware attacks continue to increase in number and sophistication, organizations are left with no option but to raise their guard, invest in cybersecurity and mature their security programs. Cybersecurity should no longer be an afterthought; organizations should continuously evaluate their risk posture against the ever-evolving threat landscape and implement the security controls necessary to mitigate such risks.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

