Part 2 of Ransomware Focus Series
I had introduced the basic and key concepts of ransomware in the previous part of this series. For this article, I will detail different attack scenarios and explain the effective measures against this ever-evolving threat to you and your organization’s data.
A quick recap: ransomware is malicious software that encrypts your data or/and systems and asks you for a ransom to recover access. Today, ransomware varieties have increasingly developed and built advanced capabilities for spreading, evading detection, encrypting files, and pressuring users into paying ransoms.
Maze is one of the most dangerous ransomware attacks that steals the data it finds. Other ransomware families such as REvil, also known as Sodinokibi, have followed afterward continuing the trend. For example in December 2019, the Sodinokibi malware actors successfully attacked an IT vendor which serves hundreds of dentistry practices, infecting computers by exploiting a vulnerable remote access tool. In this case, the cybercriminals did not stop with encrypting the systems, they also stole some personal data in parallel. They then announced their intention to use stolen data from victims in order to persuade them to pay a ransom. Since then, we read about these attacks almost every day.
The scariest attacks are evolving into scenarios where cybercriminals destroy the data but still demand a ransom. Such wiper-ransomware can inflict enormous damage while supporting profit-driven criminal activity. They have also been the domain of government-sponsored attacks, but cyber-criminal groups are beginning to take interest in ransomware with destructive mechanisms.
When faced with such wiper-ransomware, paying the ransom won't help! Let us look at two latest attacks to understand what we can do against them.
A Ryuk ransomware attack was made on a company in the form of a series of malicious emails sent to their employees. The company's mail security flagged the emails with external sender warnings, and the malicious attachment was detected and blocked in several instances. However, due to the attackers’ adaptive measures, one employee managed to access the document and executed a malware-as-a-service loader that was first advertised for sale on underground forums in August 2019.
Loaders do not come pre-loaded in attachments; instead, they are downloaded from a separate site accessible via a link. These “fileless” malware leave no trace for antivirus software to detect and thus slip past an organization’s defenses and appear in employees’ inboxes. This type of malware runs on legitimate scripts, performing malicious behavior while the legitimate programs are executed. If your company has a large number of employees, how certain are you that not a single one of them will click on the link?
The Ryuk HTML ransom note.
In a recent Remote Access Trojan (RAT) malware attack, an organization’s defense was compromised when an employee tried to open an image file. The attacker had departed from traditional file attachments, such as Word and PDF, and used files that are not within the exclusion lists: images. This spear-phishing was carried out by a North Korean attacker targeting its southern counterpart, and the attempt was discovered to hide its malicious code inside a bitmap (.BMP) image file that would result in the installation of a RAT.
RATs offer cybercriminals full control over infected computers while remaining undetected. As you would expect, a cybercriminal can do almost anything, including a ransomware attack to a RAT-infiltrated computer — as long as their target does not detect the presence of the RAT. RATs also act like keyloggers, automating the set of keystrokes, usernames, passwords, screenshots, browser history, emails, chat rooms, and other details.
RATs have similar infection techniques to other malware. To get the RAT into a target computer, cybercriminals use specially designed email attachments, web links, download packages, or torrent files. A motivated attacker may use social engineering to trick desired targets into downloading such files and apps. As expected, RATs often evade detection by utilizing a randomized filename/path structure.
Clearly, it is insufficient to only rely on having cyber defenses in place. As the case studies above show, proper cybersecurity requires a focus on the individuals of the organization who represent the weakest links in the defense, as well as on robust detection and recovery mechanisms. Cyber defense tools in the market evolve, but so do cybercriminals with their techniques.
It is common for affected organizations to be caught off guard and respond poorly to the attack, especially with cybercriminals’ increasing sophistication of adding pressure and threats. A systematic approach involves taking several measures:
1. Understand that 100% security does not exist. An organization requires a risk resilient approach rather than a simply technical solution. Cyber risk cannot be mitigated solely relying on technical controls. They require a balance between people, process and technology.
2. Start with a self-assessment of your organization’s cybersecurity posture and controls based on the industry-recognized NIST framework using the five pillars: Identify, Protect, Detect, Respond and Recover. The assessment should include your overall environment, or attack surface. For example, if you are a manufacturer, you need to understand the security gaps of your operational technology as well and not only information technology or IT.
3. Following the self-assessment, understand your real exposures by undergoing a digital footprint analysis. You will be able to validate your assessment findings, and take a more programmatic approach to your cybersecurity strategy.
4. After understanding your gaps from self and third-party based assessments, measure your exposures to estimate your potential financial losses by reviewing the impact and likelihood of data breaches, business interruptions and other worst case scenarios, including business paralysis due to a ransomware attack. Cyber risk quantification, or ensuring financial loss visibility, helps you to focus your budget on the most effective controls depending on your exposures. Define the economic cost of your cyber risk, and prepare in alignment with your risk appetite and mitigation strategy.
5. Pragmatism is key here. In order to protect yourself from key threats in a complex environment, you need to focus on quick wins and non-negotiables first before looking at a whole cybersecurity roadmap. For example, multi-factor authentication, updating your legacy systems, network segregation, and compensating controls are non-negotiables. Various cyber-attacks described in the news could have been avoided with those non-negotiable controls. The lack of two-factor or multi-factor authentication on key accounts and maintaining outdated systems without compensating controls is exactly like leaving the door of your house open for criminals and robbers to get in. In fact, finding your systems’ vulnerabilities or attacking your employees with social engineering is no sophisticated task for a cyber-criminal.
6. Continue your cyber risk journey, with financing optimization of your insurance program. 100% prevention does not exist, and thus a balance between risk mitigation and risk transfer would be a good and viable approach to ensure coverage of first- and third-party financial losses.
7. Take a positive proactive approach to cybersecurity, collaborating with ethical hackers and security professionals to provide you with visibility on your weaknesses.
The Marsh Advisory team is able to help you with all these measures and more. Contact us to learn how.