James Allman-Talbot of Quorum Cyber dives into the advancements of ransomware, explores the past, present, and future of cyber threats, and discusses how to fortify defenses against evolving tactics.
Ransomware isn’t a new phenomenon. Its origins date back to the 1980s to a strain known as the ‘AIDs trojan.’ AIDs Trojan encrypted the file system of devices and demanded payment of $180 to be mailed to a post box in Panama for the decryption key to unlock encrypted data. Holding data hostage by encrypting files and selling decryption keys for ransom continued until the late 2010s when victims discovered new methods to mitigate the threat. The stages of a typical ransomware attack include:
Stage 1: The ransomware attackers gain initial entry into an organization through various methods such as phishing emails, exploiting software vulnerabilities, or using compromised credentials. After gaining access, they conduct reconnaissance within the network to escalate privileges and move laterally across devices.
Stage 2: This stage involves the threat actor unauthorizedly transferring an organization’s data to its servers before the ransomware is activated. This process, known as data exfiltration, prepares for further extortion. The attackers threaten to release the stolen data publicly if the ransom is unpaid, leveraging potential regulatory fines and reputational damage as additional pressure points to coerce payment.
Stages 3 and 4: The threat actor either conducts a DDoS (Distributed Denial of Service) attack to harm the target organization’s public reputation or attempts to extort third parties affected by the data leak. These techniques may be used separately or together to maximize pressure on the victim organization.
To prevent ransomware attacks in the mid-2000s, organizations turned to early detection and response, maintained regular data backups, and ensured their security patches were up to date. Due to these new preventative measures, ransomware operators needed to find new ways to extort ransom payments, and the era of double extortion was born.
In the double extortion tactic, cybercriminals lock sensitive user data with encryption and threaten to release it on the dark web, sell it to the highest bidder, or permanently block access unless a ransom is paid by a specified deadline. FraudWatch states, “The first reported double-extortion attack targeted Allied Universal, a security and facility services company. They were hacked in 2019 by the Maze group and had to pay 300 bitcoin – roughly USD 2.3 million – to decrypt their entire network.” The Maze group released 700MB of data via a link on a Russian forum to prove to the Allies they had control of their data. Allied did not pay the ransom of $3.8 million; subsequently, Maze released all their files.
This evolution in tactics to double extortion has remained prevalent to this day. Palo Alto’s Unit 42 Ransomware Extortion report states, “In late 2022, threat actors engaged in data theft in 70% of Unit 42 ransomware incidents on average, compared to about 40% in mid-2021.”
Cyber Attacks: A Board-level Understanding
IT departments must translate cyber risks into operational and business risks so that there is comprehension at the board level. Those who understand “1s & 0s” need to explain to those who work in “dollars & cents” that the cyber-criminal world is evolving into a multi-tiered business structure that rivals their corporate structures. Today’s cybercrime ecosystem is made up of three different types of groups:
1. Access Brokers: Access brokers focus on finding organizations with vulnerabilities, compromising networks, and probing for the easiest way into them. Once identified, they sell these prospects as a package to cybercriminal groups.
2. Developers: The developers build Ransomware-as-a-Service (RaaS) tools to hire out to other bad actors.
3. Front Men: After purchasing the access information and acquiring RaaS tools, a third group (the Front Man) will move into the network, steal or encrypt data, execute the ransomware payload, and make the ransom demand.
See More: How to Combat Rising Ransomware Attacks in the Public Sector
An Ounce Of Prevention
One of the most effective methods of knowledge transfer is to put senior-level managers through the experience of a simulated cyber incident to educate them on the corporate roles and responsibilities when an attack occurs. TabletopTable Top Incident Response exercises are an excellent way to ensure that plans, playbooks, and teams are thoroughly tested. By working closely with senior-level management, IT can help the C-suite understand each exercise and better prepare them for the eventual hack. The IT to C-suite knowledge transfer includes input from legal, finance, and other departments and external domain experts to establish a no-blame recovery game plan. This knowledge transfer is essential because many C-suite individuals don’t realize the downstream impact of a cyber attack, such as:
- IT system downtime disrupting business operations.
- Defending lawsuits from clients.
- Decline in client base.
- Financial sanctions imposed by regulatory bodies in the industry.
- If lawyers or employees leave for any of the mentioned reasons, the company will start hiring new staff.
In addition, the cyber defense issue is not solely predicated on bad actors becoming more sophisticated in their business acumen; it also involves these criminals constantly changing their tactics, techniques, and attack procedures.
Platform growth has aided cybercriminals by enabling them to leverage the skills and infrastructure of other bad actors to carry out compromised operations that they ordinarily would not be able to execute on their own. According to IBM, “The average data breach cost was $4.45 million in 2023, the highest average on record.” Microsoft notes that “the U.S. was the target of 46 percent of cyberattacks in 2020, more than double any other country.”
Mitigating Risks; Recovering Quicker
Extortion efforts from bad actors will become more aggressive in response to the announcement from the International Counter Ransomware Initiative. However, all is not doom and gloom; there are practical steps to mitigate risks and recover faster. These steps entail the implementation of:
- A Robust Cyber Security Framework
- Maintain all vendor security patches for all appliances, applications, network devices, and operating systems.
- Implement network segmentation to reduce the number of available lateral movement paths.
- Implement and maintain strong access controls, adhering to the principle of least privilege; this will reduce the available data for threat actors to steal.
- Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic and block malicious traffic.
2. Back-Up and Disaster Recovery
- Perform regular backups.
- Perform regular restoration tests of all backups taken to ensure their validity.
3. Threat Detection
- Implement security information event management (SIEM) to report suspicious activity.
- Monitor endpoint devices for suspicious or malicious behaviors using an endpoint detection and response (EDR) system, such as Microsoft Defender.
- Incident Response Planning
-
-
- Develop an incident response plan and supplementary playbooks that detail an organization’s actions in the event of a cyber incident.
- Clearly define the roles and responsibilities of the cyber incident response teams (CIRT).
- To ensure the incident response plan is fit for its purpose, it should be regularly tested, and lessons learned should be implemented.
-
-
- Security Audits and Assessments
-
-
- Conduct regular validation scanning to ensure configuration baselines and security patches are being applied appropriately.
- Engage with independent third parties to perform periodic vulnerability assessment and penetration testing exercises to identify security flaws.
-
-
- User Awareness and Training
-
- Educate users on the risks of phishing emails, social engineering, and suspicious attachments or links.
- Promote the use of multi-factor authentication throughout the organization.
-
Looking Forward
Ransomware operators will likely apply triple and quadruple extortion strategies, enabling them to apply more significant pressure against victims for payment, thereby improving their success rates. Extortion efforts will probably become more aggressive in the face of forty countries forming an alliance plan that involves signing a pledge not to pay ransoms to cybercriminals—aiming to eliminate their financial revenue stream.
Throughout 2024, ransomware operations will continue to expand in complexity as the technical capabilities of ransomware payloads continue to develop. This will allow threat actors to expand their attack surface and target additional operating system architectures, such as macOS and Linux.
In a recent survey by CyberEdge Group, 78% of ransomware victims reported having experienced multiple vectors of extortion. While victims may be able to recover from the initial ransomware event, the additional layers of extortion are designed to exert maximum pressure to ensure that the ransom payment is ultimately paid. To mitigate the risk of ransomware, the best defense against bad actors remains vigilance, preparedness, and planning.
How can your organization stay resilient in the face of evolving ransomware threats? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!
Image Source: Shutterstock