The Evolution of Ransomware Tactics and Defense


James Allman-Talbot of Quorum Cyber dives into the advancements of ransomware, explores the past, present, and future of cyber threats, and discusses how to fortify defenses against evolving tactics.

Ransomware isn’t a new phenomenon. Its origins date back to the 1980s and a strain known as the ‘AIDS Trojan.’ The AIDS Trojan encrypted the file system of infected devices and demanded that a payment of $180 be mailed to a post box in Panama in exchange for the decryption key. Holding data hostage by encrypting files and selling decryption keys for ransom continued until the late 2010s, when victims discovered new methods to mitigate the threat. The stages of a typical ransomware attack include:

Stage 1: The ransomware attackers gain initial entry into an organization through methods such as phishing emails, exploiting software vulnerabilities, or using compromised credentials. After gaining access, they conduct reconnaissance within the network, escalate privileges, and move laterally across devices.

Stage 2: In this stage the threat actor transfers the organization’s data to servers under the attacker’s control, without authorization, before the ransomware is activated. This process, known as data exfiltration, lays the groundwork for further extortion. The attackers threaten to release the stolen data publicly if the ransom is unpaid, leveraging potential regulatory fines and reputational damage as additional pressure points to coerce payment.

Stages 3 and 4: The threat actor either conducts a DDoS (Distributed Denial of Service) attack to harm the target organization’s public reputation or attempts to extort third parties affected by the data leak. These techniques may be used separately or together to maximize pressure on the victim organization.

To prevent ransomware attacks in the mid-2000s, organizations turned to early detection and response, maintained regular data backups, and ensured their security patches were up to date. Due to these new preventative measures, ransomware operators needed to find new ways to extort ransom payments, and the era of double extortion was born. 

In the double extortion tactic, cybercriminals lock sensitive user data with encryption and threaten to release it on the dark web, sell it to the highest bidder, or permanently block access unless a ransom is paid by a specified deadline. FraudWatch states, “The first reported double-extortion attack targeted Allied Universal, a security and facility services company. They were hacked in 2019 by the Maze group and had to pay 300 bitcoin – roughly USD 2.3 million – to decrypt their entire network.” The Maze group released 700MB of data via a link on a Russian forum to prove to Allied that they had control of its data. Allied did not pay the ransom of $3.8 million; subsequently, Maze released all of their files.

This evolution in tactics to double extortion has remained prevalent to this day. Palo Alto’s Unit 42 Ransomware Extortion report states, “In late 2022, threat actors engaged in data theft in 70% of Unit 42 ransomware incidents on average, compared to about 40% in mid-2021.”

Cyber Attacks: A Board-level Understanding

IT departments must translate cyber risks into operational and business risks so that they are understood at the board level. Those who understand “1s & 0s” need to explain to those who work in “dollars & cents” that the cyber-criminal world is evolving into a multi-tiered business structure that rivals their own corporate structures. Today’s cybercrime ecosystem is made up of three different types of groups:

1. Access Brokers: Access brokers focus on finding organizations with vulnerabilities, compromising networks, and probing for the easiest way into them. Once identified, they sell these prospects as a package to cybercriminal groups.
2. Developers: The developers build Ransomware-as-a-Service (RaaS) tools to hire out to other bad actors.
3. Front Men: After purchasing the access information and acquiring RaaS tools, a third group (the Front Man) will move into the network, steal or encrypt data, execute the ransomware payload, and make the ransom demand.

An Ounce Of Prevention

One of the most effective methods of knowledge transfer is to put senior-level managers through the experience of a simulated cyber incident to educate them on corporate roles and responsibilities when an attack occurs. Tabletop incident response exercises are an excellent way to ensure that plans, playbooks, and teams are thoroughly tested. By working closely with senior-level management, IT can help the C-suite understand each exercise and better prepare them for an eventual breach. The IT-to-C-suite knowledge transfer includes input from legal, finance, and other departments, as well as external domain experts, to establish a no-blame recovery game plan. This knowledge transfer is essential because many C-suite individuals don’t realize the downstream impact of a cyber attack, such as:

  • IT system downtime disrupting business operations.
  • Defending lawsuits from clients.
  • Decline in client base.
  • Financial sanctions imposed by regulatory bodies in the industry.
  • Staff turnover, as lawyers or employees leave for any of the reasons above, forcing the company to hire and train new staff.

In addition, the cyber defense problem is not solely that bad actors are becoming more sophisticated in their business acumen; it also involves these criminals constantly changing their tactics, techniques, and procedures.

Platform growth has aided cybercriminals by enabling them to leverage the skills and infrastructure of other bad actors to carry out compromise operations that they ordinarily would not be able to execute on their own. According to IBM