Blog Post / April 4 2022
Kidnapping, ransom notes, furtive communications with the kidnapper, fear of involving the authorities, secret cash payments, and tearful reunions. These ingredients make a good Hollywood thriller and now a painful story for organisations and their intellectual property.
Globally, organisations are being targeted by ransomware, and data has become the new commodity. Ransomware is not new: bad actors have used it as an attack methodology since the 1980s, and despite companies employing the best mechanisms to thwart these would-be attackers, cybercriminals always find new ways to bypass security controls. Why wouldn’t they? Their reason for being centres on the belief that keeping one step ahead of security controls makes every attack a potential payday.
Ransomware has evolved significantly since what is deemed the first attack, when Joseph Popp, an AIDS researcher, sent 20 000 5.25-inch floppy disks to researchers across 90 countries in 1989. Popp told each researcher that the disk contained a survey; when researchers opened the files, it infected their computers and encrypted filenames on startup. In 2022, cybercriminals still use social engineering tactics similar to Popp’s, manipulating people by weaponising ransomware.
Organisations require a mind shift
A key element to better securing your organisation is to think like an attacker and never be afraid to challenge the status quo. What is good for one organisation is not necessarily the best fit for another. Always work to your strengths and be comfortable admitting and embracing weaknesses because those weaknesses are what attackers will uncover and manipulate.
Spend the time understanding the anatomy of ransomware and associated cyber threats and do in-depth research on available technologies – but most importantly, trust your gut! Don’t buy a security technology just because everybody else is buying it. Buy a security technology because it makes sense for your organisation; again, consider your strengths and weaknesses as a company, as that will be paramount to achieving the full benefit. Ensure you have the right level of analysts sitting behind it to make sense of the data being received and help you identify potential threats.
For the longest time, South Africans believed that as a third world country, we weren’t in the crosshairs of global threat actors. And oh, how wrong we were. From port operations to insurance to the public sector – no vertical has been spared – and, as cliché as it may sound, it’s no longer a case of if but when. So, shift your mindset: stop believing that your organisation is unlikely to be a target, because if you have intellectual property, you are a target.
The Anatomy of Ransomware
Ransomware attacks are strategically designed to produce significant profits for cybercriminals. They can be carefully crafted to target a specific business and then strike at a critical moment of weakness. There are five phases when preparing for the detection and prevention of a ransomware attack.
Phase 1 – Research and Campaign
First, the actors research all exploitable aspects of their victim, including collecting employee names and email addresses, performing social media crawls, understanding financials through press releases and company reports, and even compiling a list of frequently contacted contractors, partners or vendors.
With the right background information, bad actors can tailor campaigns to infiltrate a business. Methods such as phishing/whaling emails and social engineering will target employees, and if the actors can easily obtain a credential dump, they will simply authenticate over the VPN. Using open-source tools, they may leverage open ports and vulnerabilities without ever performing a network scan.
Phase 2 – Infiltration and Infection
In this phase, ransomware is often installed through a phishing/whaling email or an exploit kit. Once the malicious code is downloaded onto an endpoint, the code executes. When threat actors shift from an external position to the internal system, it’s called a vertical movement in the ransomware attack. At this stage, the network is infected, but no data is encrypted yet for ransom.
Phase 3 – Internal Reconnaissance (Lateral Movement)
Threat actors quickly hide evidence of their entry and begin to move throughout the network by stealing credentials to elevate their access and permissions. This is called lateral movement and is a crucial tactic that allows them to avoid detection and embed themselves deep into the network. Jumping from one system to another, actors seek to compromise additional systems and user accounts along the way. In this stage, the bad guys may remain undetected for weeks or even months while they stealthily scan for access, data, and assets to steal and encrypt.
Phase 4 – File Encryption
Once the bad guys have fully completed their internal reconnaissance and taken inventory of the network, the encryption begins. They then (usually) delete any backups and perform a secure key exchange. At this point, the ransomware contacts the command-and-control server operated by the bad guys and generates keys to be used in the next phase. During this file encryption phase, it is common for attackers to corrupt local files and folders, making it harder for response teams to restore systems to their pre-infiltration state.
Phase 5 – Pay Day
Getting what they set out to gain – the payload – attackers activate the malware and launch a communication announcing the ransom. The ransom notes appear in all compromised points across the victim’s environment and detail the payment demands, often untraceable cryptocurrencies, such as Bitcoin. Upon payment, victims are given the decryption keys or instructions on how to decrypt the data.
Fight Back
The U.S. President, Joe Biden, has a key message: segment your networks. Recently, ransomware attacks have shifted from stealing data to disrupting operations. It’s important to separate your corporate business functions from your manufacturing/production operations: filter and limit internet access to operational networks, identify the links between networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if the corporate network is compromised. Regularly test contingency plans, such as manual controls, to maintain safety-critical functions during a cyber incident.
A security breach averages approximately 150 days between the initial compromise and detection. Most organisations cannot detect lateral movement because it’s lost in day-to-day network traffic and operations. Even platforms such as SIEMs, advanced analytics tools, anti-malware, and anti-virus solutions have proven inadequate at catching this phase in the attack lifecycle.
The lateral movement phase is where threat actors are easiest to detect, which makes implementing the right tools and cybersecurity best practices critical when looking to minimise the chance of infiltration or breaches. The time to move away from the traditional thinking of detecting and responding is now; it’s time to DEFEND. In summary, it’s time to challenge the status quo, be creative, and change the way we think – because attackers are doing just that.
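To make the lateral movement phase (Phase 3) and the detection point above concrete, here is an added example that is not part of the original post: a small baselined fan-out detector run over constructed Windows-style logon events. The heuristic, thresholds, account names and host names are all assumptions; the idea is that one account reaching many previously unseen hosts via network or remote-interactive logons in a short window stands out, even when the same events are lost in day-to-day traffic without a baseline.

```python
"""Detect lateral-movement fan-out (Phase 3) in constructed logon events.

Heuristic (an assumption for this example, not from the original post): an
account that authenticates to more *previously unseen* hosts than a threshold,
via network (type 3) or remote-interactive (type 10) logons, inside a short
sliding window is a lateral-movement candidate. Comparing against a baseline
of known account->host pairs is what keeps the alert from drowning in normal
day-to-day traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source host, destination host, logon type)
SAMPLE_EVENTS = [
    ("2022-04-04T08:01:00", "jdoe", "WS-014", "FILESRV01", 3),
    ("2022-04-04T08:03:00", "jdoe", "WS-014", "MAIL01", 3),
    ("2022-04-04T22:10:00", "svc_backup", "WS-207", "FILESRV01", 3),
    ("2022-04-04T22:11:00", "svc_backup", "WS-207", "SQL01", 3),
    ("2022-04-04T22:12:30", "svc_backup", "WS-207", "DC01", 10),
    ("2022-04-04T22:13:00", "svc_backup", "WS-207", "HR-APP", 3),
    ("2022-04-04T22:14:00", "svc_backup", "WS-207", "FIN-APP", 3),
    ("2022-04-04T22:14:30", "svc_backup", "WS-207", "WS-033", 3),
]

# Constructed baseline: account->host pairs observed during normal operations
BASELINE = {("jdoe", "FILESRV01"), ("jdoe", "MAIL01"), ("svc_backup", "FILESRV01")}


def find_fan_out(events, baseline, window=timedelta(minutes=10), max_new_hosts=3):
    """Return {account: (window_start, frozenset(new_hosts))} for every account whose
    distinct *new* destinations inside `window` exceed `max_new_hosts`."""
    by_acct = defaultdict(list)
    for ts, acct, src, dst, lt in sorted(events):              # ISO timestamps sort lexically
        if lt in (3, 10) and (acct, dst) not in baseline:       # skip known account->host pairs
            by_acct[acct].append((datetime.fromisoformat(ts), src, dst))
    alerts = {}
    for acct, evs in by_acct.items():
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:                  # slide the window forward
                start += 1
            new_hosts = {d for _, _, d in evs[start:end + 1]}
            if len(new_hosts) > max_new_hosts:
                alerts[acct] = (evs[start][0], frozenset(new_hosts))
                break                                           # one alert per account
    return alerts


if __name__ == "__main__":
    for acct, (since, hosts) in find_fan_out(SAMPLE_EVENTS, BASELINE).items():
        print(f"ALERT {acct}: {len(hosts)} new hosts since {since:%H:%M}: {sorted(hosts)}")
```

In production the baseline would be built from weeks of logon history rather than hard-coded, and the window and threshold tuned per account class (service accounts legitimately touch many hosts, but rarely new ones at 22:00).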
Speak to us today to learn how to safeguard your organisation against a ransomware attack.