Bandits of Bytes:
An Examination of Ransomware Attacks


Horror story headlines


There has been a notable increase in the number of news stories covering high-profile cyber incidents, most notably ransomware attacks, over the past few years. This is linked to an even more disturbing trend: an increase in the number of ransomware attacks themselves.

Some may argue there are simply more voices drawing attention to this topic, that more news agencies, governments, and even so-called “regular folk” are increasingly reporting on and discussing ransomware attacks, causing a sort of frequency bias.

These aren’t just snappy headlines meant to reel in the largest possible audience base, however. These are real incidents impacting real people—and they’re getting real common.


The rise of ransomware

The latest National Cyber Threat Assessment (2023-2024) from the Canadian Centre for Cyber Security shares some dire stats regarding ransomware payments in the country—and this doesn't account for other costs incurred from downtime, remediation, etc.

The term ransomware is much more ingrained in the public consciousness now than it was even 10 years ago. Ask anybody who knows little to nothing about cybersecurity or information technology in general and they’ll have likely heard the term at least once in their life. They may even be able to define it.

For those who don’t quite feel like the above paragraph describes them, ransomware refers to a form of malicious software that infiltrates files or computer systems, preventing users from accessing them. Once infected, all files, and sometimes even entire devices, become encrypted and are held hostage until the victim pays a ransom in exchange for a decryption key. This key enables the user to regain access to the encrypted files or systems.

Ransomware must first gain access to the assets that attackers will lock down. This access can happen through many different attack vectors. Some of the most common vectors include:

  • Phishing attacks: Deceptive emails, text messages, phone calls, or websites with the intention of deceiving individuals into divulging sensitive information, downloading malicious software, or inadvertently becoming victims of cybercrime
  • Credential reuse/credential stuffing: The attacker collects stolen account credentials and uses them to access user accounts on other systems through large-scale automated login requests
  • Known Exploited Vulnerabilities: Weaknesses in software, hardware, applications, or systems that threat actors actively exploit

Phishing is a type of social engineering, wherein threat actors manipulate people into doing things they normally wouldn’t want to do. This can range from downloading software or attachments they wouldn’t want to download, sharing information they would normally keep private, or sending money to people who, frankly, don’t deserve it.

This attack vector may look a little like this: a cyber criminal sends an email with a normal looking document that tricks the user into enabling macros, the macros contain code that downloads ransomware software, which then begins to spread across the network encrypting valuable data.

Credential reuse/stuffing attacks occur when threat actors get their hands on legitimate login info for a particular service someone uses. They may not be the exact credentials the attacker is looking for, but thanks to the prevalence of people reusing passwords, the attacker may be able to apply these credentials to a number of applications and services until they gain access to the ones they want.

This attack vector’s execution is considerably different from the previous one, but it results in the same outcome: an attacker gains unauthorized access to a user account, escalates privilege as necessary, and can then plant ransomware on the network.

While less common than the two previously discussed attack vectors, the third vector can be equally devastating and can affect many organizations at the same time. The third vector involves cyber criminals exploiting known vulnerabilities found within publicly exposed systems. Many of these exploits belong to a list of Known Exploited Vulnerabilities, a list that inadvertently helps both sides. While organizations can view these lists and prioritize their own efforts to patch these vulnerabilities, threat actors can exploit these very vulnerabilities that have yet to be remediated.

There are also cases where ransomware groups have been able to exploit previously unknown vulnerabilities, known as a zero-day exploit. Cyber criminals have grown more sophisticated over the years, meaning organizations need to stay ever vigilant if they hope to stand a chance at protecting their assets, information, employees, and clients.


The Cyber History Channel presents…


There has been no shortage of high-profile ransomware attacks. On the most positive note possible, these attacks have provided numerous learning opportunities for anyone who chooses to hear their tale. Below are two well-known attacks where threat actors used a variety of methods to achieve their end goal: locking down systems and demanding the company pay before they wreak even more havoc.

MGM Resorts

The only gambling taking place that week was placing bets on whether MGM could get itself out of this cyber mess.

It was nearly impossible to avoid this story last year. Nearly everyone who knew how to read, listen to the radio, or watch television learned about the ransomware attack that had a huge impact on MGM Resorts in Las Vegas. On September 11, 2023, MGM first reported that a “cybersecurity issue” was affecting some of their systems, which they then had to shut down to protect their systems and data.

What ensued was chaos.

Reports said nearly every digital system was affected. Hotel room digital keys, slot machines, and even websites were no longer working for several days, forcing MGM to go into manual mode to preserve their operations as much as possible. Hotel room check-in was now done with pen and paper, elevators had to be operated by employees with walkie-talkies, and casino winnings were either handwritten on paper receipts or given out by executives wearing fanny packs filled with cash.

Behind the scenes, things weren’t any better. The gang behind the hack had demanded more than $30 million for the cryptographic keys that would allow MGM to get their systems back up and running. MGM didn’t reply.

While the hackers were kicked out of the system days later and MGM eventually returned to business as usual, a lot of damage had been done, mostly of the financial variety: the ransomware attack reportedly cost the company about $100 million in lost hotel and casino revenues, with nearly $10 million more going to tech consulting and legal fees. The $30 million ransom now looks like a far better alternative to the cost of rebuilding thousands of servers from scratch and installing clean versions of the operating system and other software, though even this would come with its own risk—what assurance does a company have that a criminal will honour their word and provide decryption keys?

In addition to disrupting operations and costing MGM millions, the hackers also got their hands on the names and contact information for an unspecified number of customers before March 2019. While no credit card information was stolen, MGM said it informed customers whose data was stolen and offered them free identity protection and credit monitoring.

So, what started all this? How did these hackers first gain access to MGM’s network and temporarily bring part of this hotel and casino empire to its knees? Vishing.

Vishing, a portmanteau of “voice” and “phishing”, is a form of social engineering that generally uses voice to trick people into divulging sensitive information. In this case, one of the hackers used LinkedIn to identify an active MGM Resorts employee, impersonated them, and called the MGM IT help desk requesting assistance accessing their accounts. The phone call lasted all of 10 minutes and the attackers gained administrator privileges, allowing them to carry out their ransomware attack.

Colonial Pipeline

One ransomware attack impacted this large an area in some way or another. Many times, the affected organization isn't the only victim.

Roughly two-and-a-half years before a ransomware attack impacted MGM Resorts, a different group targeted Colonial Pipeline, one of the largest and most vital oil pipelines in the United States. Attackers used an entirely different attack vector in May of 2021 to wreak a similar level of havoc on the pipeline: credential reuse.

Attackers got into the network through an exposed password for a VPN account. This password was likely used on another website that was compromised prior to this attack. A lack of multifactor authentication meant these credentials were all that was needed to get in.

Unlike the MGM Resorts attack, there was no social engineering involved, no phishing or vishing or manipulation of others to obtain access. This was simply a case of an employee using the same password across multiple websites and applications. All it took was one instance of that password to leak for attackers to eventually use it to cause some real damage.

Once attackers gained access to the Colonial Pipeline IT network, they stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers then infected the IT network with ransomware that affected many computer systems, including billing and accounting.

It was at this point that Colonial Pipeline decided to shut down the pipeline to reduce risk of exposure to the operational network. Although the attackers targeted the business side rather than operational systems, the increased reliance on computers instead of people controlling devices meant the pipeline itself was vulnerable to malicious attacks.

Much like the MGM Resorts attack, the hackers demanded a ransom. The ask: 75 bitcoin—approximately $4.4 million USD at the time—for the decryption key that would allegedly put an end to this nightmare. Colonial Pipeline paid the ransom and operations resumed after a six-day shutdown.

This shutdown led to much more than lost revenue for the pipeline company. Colonial Pipeline provides roughly half of the United States’ East Coast fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. Fear of a gas shortage caused panic-buying and long lines at gas stations in many states, which led to actual shortages in certain areas as people bought more gasoline than usual, going so far as to fill plastic bags to ensure they had enough. As well, several airlines experienced jet fuel shortages and had to make changes to flight schedules to accommodate.

There may be a bright side to all this: U.S. President Joe Biden signed an executive order directing U.S. government agencies to take a series of proactive steps to bolster cybersecurity, including improving software supply chain security, establishing a cybersecurity review board, and enhancing incident detection and response, among other requirements.


Unstoppable juggernaut?

Believe it or not, there ARE methods of minimizing the risk of dealing with bad actors like this.

These two stories of relatively recent ransomware attacks aren’t the first and they certainly haven’t been the last. There’s a multitude of stories to learn from. Some organizations paid the ransom, some did not. Some were able to minimize the ensuing damages, while others paid a very hefty price. What can we do to prevent ransomware attacks and protect ourselves from becoming another story for others to learn from?

Bad news first: there’s no surefire way to prevent becoming a victim of such an attack. But there are methods of minimizing the risk and the time to recover. Many experts suggest building a defense-in-depth security program: firewalls, endpoint detection and response, cloud access security brokers, and intrusion detection and prevention systems are among the top technology suggestions. Multifactor authentication, zero-trust network access, and protecting ports from exploitation are common suggested practices to further lower risk.

The prevalence of social engineering like phishing—or vishing, in MGM Resorts’ case—means organizations should provide cybersecurity awareness training on a regular basis to all employees, partners, and stakeholders. Limiting user permissions to those absolutely required and separating administrative accounts from daily tasks may also help on this front.

Following a patch management program, frequently backing up critical data, and testing those backups and recovery procedures can also help minimize risk. While backups are important, it’s recommended not to depend solely on them due to the ever-changing nature of ransomware attacks. Many attackers will threaten to leak any exfiltrated data if their demands aren’t met, meaning restoring from backup can resume operations but may not put an end to financial troubles.

All these suggestions combined won’t necessarily guarantee protection from a ransomware attack. Establishing a ransomware recovery plan is absolutely critical in ensuring the least amount of damage will be done while allowing a swift return to business as usual.

A ransomware recovery plan should include how the organization prepares for attacks, how to handle an in-progress attack, and what to do in the aftermath. Preparing for an attack includes all the previously mentioned methods, such as backing up data and training employees. During an attack, the most critical step is to contain and mitigate the ransomware using cybersecurity systems and processes.


It’s not all for naught

Just memorize everything in this word cloud and your organization will be safe from ransomware attacks.

As with all things cybersecurity, individuals and organizations can follow these recommendations and still become a victim of a ransomware attack. Threat actors are growing increasingly cunning, their methods and technologies more aggressive in infiltrating systems and networks.

Organizations, however, must still do their due diligence and dedicate time and resources to creating the best possible defence. Employees should be trained on how to recognize social engineering attempts. Security teams must ensure they have the right technologies and tools at their disposal. All key stakeholders should have a plan in place should they ever find themselves in the middle of such an incident.

And above all else, do not pay the ransom. Attackers may offer a decryption key or promise not to leak data, but offering the requested payment sends a message that these kinds of attacks are successful, that organizations are potentially willing to bend to their will. This will only lead to more attacks of a similar nature.

It’s time to change headlines. Give news agencies something positive to report on. Learn from recent history by taking the best practices and avoiding the pitfalls of others who have been in this position. Take the necessary steps to educate the people, develop the processes, and avoid the payment.

It’s time to see more headlines that look like this: “Byte bandits thwarted! Company protects everyone’s data and avoids paying ransom”.
