The changing face of ransomware

Issue 9 2020 Editor's Choice

There is a significant decrease in the sheer number of ransomware attacks due to improved security, better backup strategies and faster data recovery measures. This has meant that the spray and pray approach is no longer effective for ransomware distribution. Although fewer ransoms are being paid, it doesn't mean less risk.

Previous approaches were exceptionally effective until business started improving their backup strategies. Attackers learned from this and pivoted their criminal enterprise with a change of strategy. Knowing that businesses are backing up, creating shadow copies and replicating to data recovery (DR) sites means that simply encrypting all the data is no longer a crisis, it is now just an irritation.

So the ransoms dried up. Although the first wave of ransomware infections has been vaccinated against and the volumes of attacks have dropped, they have certainly not disappeared. The ransomware attack strategy has merely evolved.

Many of these ransomware gangs have raced to the top of the criminal underworld rankings by simply changing their approach. These syndicates are now far more focused, they are more professional and they only work with a consolidated group of affiliates. Their targets are well researched and the rewards are far more profitable.

The most successful syndicates in the Ransomware-as-a-Service game are also extremely selective. They do not simply allow anyone to use their tools; the selection of affiliates is like a job interview and only the best candidates are selected. Affiliates must prove that they have the ability to compromise a target and the target must be worthwhile.

Another key aspect of the modern ransomware attack is patience. After initial compromise they will prod and check if they get a response. This allows the ability to probe the unprotected environment for more details.

The criminal will learn more and more over time, slowly increasing their footprint and escalating their privileges as they go. It might take a month, three months or longer. However, there is no rush because it is all about quality.

Now that the foothold is in place, the cybercriminal knows where the backups live, they know where the DR lives and how they work. With their administrative access, the cybercriminal will then delete any shadow copies and make sure that the backups are either disabled or destroyed.

During the same period, the cybercriminal will also make sure to use their heightened privilege to either place exceptions into the organisation’s antivirus or EPP solutions or remove them completely. Each one of these steps is measured and monitored to gauge the response. It is never a case that they will deploy and just hope; these attacks are targeted, measured and actively managed.

Once the basic protection is compromised and all the security processes are identified, the offensive begins. Using heightened privilege they unleash the attack. The criminal makes sure that they attack early enough to be effective. Backups are targeted and encrypted, virtual hosts are hit, data stores and connected infrastructure are all part of the attack. This means that by the time one realises what has happened, everything is already destroyed.

A unified, targeted and well-planned offensive against the system is then followed up with the dreaded ransom request. This could easily be 10% of revenue or 10% of market capitalisation, running into the millions.

According to several reports, publicly available information shows that a single ransomware gang netted over $25 million in ransom payments in the five months from March to July this year. This excludes all of those victims that have never been made public. These gangs are more successful as they tend to first steal a copy of all the data they are going to encrypt and then release the trade secrets and sensitive information online if the victim refuses to pay.

So how could one stop them from penetrating the systems? Unfortunately, one cannot stop them, it will happen or may already have happened. One can only respond once it happens and then prevent the spread.

Relying only on a layered defence is no longer sufficient; one needs total visibility as a primary defence mechanism. User account activity, endpoint protection changes, account creation, group changes and admin additions are one part of a very interconnected defence strategy.

The number of successful attacks proves that the traditional method of prevention isn't adequate. Without visibility, the chances are good that your organisation will be the next big news headline. If targeted, you will be compromised, your users will be tricked and credentials will be lost.

If you do not have visibility, if you do not have the capacity to see and review changes or anomalies, then it's really just a matter of time before your CISO, CFO and CEO are reading ransom demands. Without effective mitigation against the evolved threat, your choices will be limited to negotiating with the cyber terrorists.

Backup strategies must include multiple copies, multiple locations, versions, days, weeks and half-year versions. Your backup strategy must include replication to an external grid that is not connected and has to be isolated from the rest of the environment. Also remember that a sync is not a backup, it is merely a sync. If you sync encrypted data, all you have is multiple copies of your encrypted data.

Backup resilience must be rigorously tested because you do not want to wait for a crisis to see if the files, systems and machines have actually been backed up. Leave nothing to chance or accept the risk of total loss and ransom payments.

Organisations need the capability to identify the changes and highlight the start of these attacks as they begin, rather than having to chase down the response once the payload is already deployed. One needs to have the pre-emptive response when it starts and while it is still far away from the main house.

Realising that there are changes, additions and other activity will act like beams outside a property rather than waiting for the alarm to trigger when the intruder is already walking down the passage.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Issue 1 2021 , Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

Covid-19 rarely spreads through contact with surfaces
Issue 6 2021, iPulse Systems , Editor's Choice
While the virus is capable of lingering on public surfaces, studies show that this is not a major source of infection as many believe it to be.

Elvey appointed as Technoswitch national distributor
Issue 6 2021, Elvey Security Technologies , Editor's Choice
Elvey’s appointment as a national distributor for the Technoswitch range of fire detection and suppression technology forms part of the company’s strategic plan to supplement its security offering with high-quality fire products.

Harnessing 5G for South Africa
Issue 6 2021 , Editor's Choice
As the promise of 5G begins to become a reality, the role of communication services providers will change as we address the needs of future homes and lifestyles.

Enabling SMEs to build back better
Issue 6 2021 , Editor's Choice, News, Conferences & Events
Simpli ConnectED podcast series addresses the demands placed on SMEs in the current economic climate and offers suggestions for keeping the wheels turning.

Cathexis Africa welcomes new managing director, Dene Alkema
Issue 6 2021, Cathexis Technologies , Editor's Choice
South Africa’s leading video management software company is starting a new chapter in the region with the appointment of a new managing director of Cathexis Africa, Dene Alkema.

Securex South Africa, A-OSH and Facilities Management Expo postponed to 2022
Issue 6 2021, Specialised Exhibitions , Editor's Choice
Specialised Exhibitions, a division of Montgomery Group, has made the difficult decision to postpone Securex South Africa, A-OSH Expo and Facilities Management Expo.

Leveraging intelligence for surveillance
Issue 6 2021, Leaderware , Editor's Choice, CCTV, Surveillance & Remote Monitoring
Have companies seized the opportunities to complement and enhance the capabilities of both CCTV surveillance and that of intelligence gathering to gain strategic and operational insights?