Ransomware in 2021
Keith Towndrow
Secure Service Edge, Zero Trust Network Access, SaaS, & Mobile Security
Following the succession of stories in the press over the last 12 months, business owners, leaders, and managers are asking themselves and their teams if they are at risk of a ransomware attack.

Criminal gangs are not ones to regularly share details on their operations, and when it comes to ransomware, for reputational and financial reasons, most victims are not willing to share or publicly speak about the attacks they have suffered. Because of this we often find there is a disconnect between the way organisations think cybercriminals operate and the way they actually do.

The last seven years have seen a dramatic change in the way cybercriminals and ransomware gangs operate, and it is important that leaders pay attention. This article looks to bridge some of that gap, highlighting the developments in ransomware attacks and among the cybercriminals behind them.

A New Dawn for Cybercrime

CryptoLocker was one of the first mainstream variants of ransomware, active from 2013 to 2014. It was a trojan horse that propagated via email attachments which, once executed, encrypted files on the operating system; the only means of recovering the encrypted files was to pay the ransom or restore them from backup. This variant proved the effectiveness of cryptography as a means of computer-aided extortion, with Dell SecureWorks estimating that it had infected around 250,000 victims, netting the attackers millions: https://www.zdnet.com/article/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin/
Since then, ransomware attacks have steadily been increasing in frequency, impact, and complexity.

Money Talks

Since 2014 cybercriminal gangs have aggressively developed the techniques, tactics and procedures they use to breach computer systems. We are also seeing developments in their day-to-day operations: gangs utilising an affiliate model, with recruitment practices (https://krebsonsecurity.com/2021/06/how-does-one-get-hired-by-a-top-cybercrime-gang/) and free education and training programs available on the dark web, and double extortion, where they steal confidential data and threaten to leak it if you do not pay the ransom.

Initially gangs relied on email to spread malware and initiate their large-scale attack campaigns. Many smaller businesses and organisations heavily rely on secure email gateways and endpoint anti-virus solutions, which have, to a point, been effective.

However, as email and endpoint security improved, attackers started to use different techniques to breach systems. Over the last couple of years we have seen brute-force password attacks increase in popularity, with attackers using specialist software and code to launch attacks against public-facing servers and cloud services (https://first-response.co.uk/ransomware-how-does-it-work-part-1/). These attacks use automation to force entry into an administrator account. Once admin access has been gained, the attackers then try to move laterally throughout the environment, making their way to core services and servers.

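As an added defender's illustration (not code from the original article or from First Response), here is a small Python detector for the brute-force pattern described above. It reads OpenSSH-style auth log lines (constructed sample data; syslog carries no year, so 2021 is assumed), flags any source that racks up a burst of failed logins inside a sliding window, and records whether that same source later obtained an accepted login, which is the point at which lateral movement becomes possible.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log lines (not real data): one source hammers admin accounts and gets in.
SAMPLE_LOG = """\
Jun 14 02:10:01 web01 sshd[2011]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 14 02:10:03 web01 sshd[2013]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jun 14 02:10:05 web01 sshd[2015]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Jun 14 02:10:07 web01 sshd[2017]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jun 14 02:10:09 web01 sshd[2019]: Failed password for invalid user administrator from 203.0.113.45 port 51026 ssh2
Jun 14 02:10:11 web01 sshd[2021]: Failed password for root from 203.0.113.45 port 51027 ssh2
Jun 14 02:12:20 web01 sshd[2031]: Accepted password for root from 203.0.113.45 port 51040 ssh2
Jun 14 02:15:00 web01 sshd[2050]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Jun 14 02:15:30 web01 sshd[2052]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)

def parse_events(text, year=2021):
    """Yield (timestamp, result, user, ip) per matching sshd line; the year is assumed (syslog omits it)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated log lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_s=600):
    """Return {ip: report} for sources with >= threshold failed logins inside a
    sliding window of window_s seconds, noting any accepted login that follows."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> account names tried
    reports = {}
    for ts, result, user, ip in parse_events(text):
        if result == "Failed":
            users[ip].add(user)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                rep = reports.setdefault(ip, {"success_after": None})
                rep["failures"] = len(recent[ip])
                rep["users"] = sorted(users[ip])
        elif ip in reports and reports[ip]["success_after"] is None:
            # An accepted login from an already-flagged source: treat as a likely compromise
            reports[ip]["success_after"] = (user, ts)
    return reports
```

A source that only fails a handful of times, like the user in the second set of lines, is left alone; the flagged source is reported with the accounts it tried and the account it finally got into.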
As attackers started to gain more success with their hacks and made more money, they started to understand the opportunity before them. Computer systems were becoming more complex, more systems were becoming interconnected and interdependent, more systems were being connected to the internet, and the demands on the time of IT managers were becoming more pressing.

Earlier this year Infosecurity Magazine reported that the average ransom payment was $570K: https://www.infosecurity-magazine.com/news/ransomware-demands-surge-2021/

As computer software and hardware is developed, it goes through a quality assurance process, where engineers, developers and ethical hackers analyse the code, the systems and the supporting computer infrastructure for weaknesses and vulnerabilities that could be exploited by a malicious attacker. This QA process is conducted by all major and minor IT vendors. The problem is that it is a human process: mistakes are made, and computer systems are constantly changing, which can often lead to further weaknesses and vulnerabilities.

Perfect Storm

So, attackers have numerous ways to gain access to a system: they can look for a vulnerability in the code or infrastructure that has not been fixed (an unpatched Common Vulnerability and Exposure, or CVE), they can brute force their way into a system, or they can rely on a user clicking a link in an email or on the web, downloading an email attachment, or downloading a malicious program from the internet. They could even attack a trusted third-party supplier: https://www.theguardian.com/technology/2021/jul/06/kaseya-ransomware-attack-explained-russia-hackers

Businesses and organisations working in particular fields and industries will likely fall prey to carefully planned and executed social engineering techniques that trick users into revealing information, credentials and passwords: https://www.msn.com/en-us/news/politics/hackers-posed-as-flirtatious-uk-aerobics-instructor-while-targeting-us-defense-contractors-employee/ar-AAMFkp1?ocid=uxbndlbing
Credentials or passwords that are exposed can then be used against the organisation to gain deeper access or administrator access.

These are only a few examples of the ways that cybercriminals could gain access to a system. The fact that there are now so many ways to breach a system makes it exceptionally difficult for IT and security teams to keep up. Often, we find they are constantly juggling day-to-day operations, break-fix and service desk work, legacy system upgrades, and innovation and transformation projects with other internal departments, and then on top of this managing their internal security systems, internal teams, vendors and the patching of vulnerabilities. It is little wonder that things are missed and IT teams are struggling to manage this, especially when, in the first half of 2021, over 12,500 vulnerabilities were disclosed: https://www.zdnet.com/article/more-than-12500-vulnerabilities-disclosed-in-first-half-of-2021-risk-based-security/

The Goldrush

Aside from all of this, the last few years have seen the growing popularity of the dark web and the rapid expansion of public cloud computing. The dark web is a part of the internet that uses specific software and configuration to allow users to remain anonymous, to hide servers from common search engines and to operate outside the purview of law enforcement agencies. Cybercriminals have used this to their advantage and have built criminal networks complete with affiliate programs and recruitment processes to rapidly grow and expand their criminal operations. By using public cloud computing (Amazon Web Services, Azure, Google Cloud Platform) they can hijack otherwise legitimate web servers and host their own infrastructure to further hide their whereabouts and to expand their reach.

Image: Ransomware group site index hosted on the dark web

The affiliate model adopted by ransomware gangs has seen distinct parts of the ransomware kill chain (reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation/anti-forensics, denial of service, exfiltration) divided up between separate and otherwise unrelated criminal groups. An individual pentester or team of pentesters will steal or harvest credentials and sell them on to another team or individual, who will then sell them on to another party. It is this final party who usually conducts the most severe part of the attack, which is usually data exfiltration and encryption of all core services and servers, leaving computer systems entirely inoperable other than the ability to communicate with the attackers.

Too Small to Matter

A few areas where we see a disconnect between how organisations perceive ransomware and how cybercriminal operations actually work are the assumptions that they are too small to be targeted, that their defences are adequate, or that the criminals would not be interested in targeting them. The problem is that, unfortunately, that is not how the gangs see it.

“What would they want with us? We’re only a small family business.” That may very well be the case, but if they have access to your system (or can gain it) and you have cash in the bank (they will check Companies House and other public records), then you are a potential target. We know, as we have helped others recover.

Some cybercriminals do operate by a code of ethics, publicly disclosing that they will not target medicine, state institutions or schools. However, organisations that fall outside these criteria will still come under fire and be treated as collateral damage. By the time the organisation’s IT system has been down for 10 days, it’s too late: the damage has been done. If you are lucky and they provide an encryption key for free, what do you do if it does not work, or if you cannot recover from your backups? And if the gang ceases operation, how do you then gain access to the encryption keys?

Where to From Here?

It is common to hear managers and leaders state that they have adequately invested in security. But do you have a record of all of your IT assets? Are you keeping up with your patching? Have you adopted multi-factor authentication? Are you regularly reviewing your internal policies and configurations? Do you have the capability to detect user- or network-based anomalies? Do you have the capability to detect a fileless attack? Have you tested your business continuity and disaster recovery plan in the last 12 months? How reliable are your backups? What experience does your IT partner have in recovering from a ransomware attack?

First Response provides comprehensive 24/7 managed cybersecurity services, with monitoring and management by our SOC; further detail is available here: https://first-response.co.uk/managed-cyber-security-services/

For others that aren’t ready to commit to an investment in ongoing monitoring and management, we recommend conducting a technical review of your IT environment and architecture. This is another service we provide: https://first-response.co.uk/secure-it-infrastructure/
Even if your IT service is delivered by a third-party service provider, a technical review of your environment is something we would recommend so that potential gaps are identified and fixed.

There are national cybersecurity strategies, guidance and updates published by the National Cyber Security Centre, such as: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

The NCSC, ACSC, CISA and FBI published their Top 30 most exploited CVEs of 2021 (incl. Microsoft, Pulse Secure, Atlassian, Fortinet, Citrix): https://us-cert.cisa.gov/ncas/alerts/aa21-209a

You can sign up to our regular newsletter here: https://first-response.co.uk/newsletter-subscription/

Or feel free to contact me directly if you would like to discuss any of our security services:
+44 (0) 7554366520