Ransomware Preparedness

by Gerardo Guerrero

Ransomware has significantly evolved over the years. Many high-profile cases have been reported in the news recently, but there are also many that are not well known. A plethora of small businesses have fallen victim to ransomware attacks, as have industrial companies that rely on SCADA (industrial control software and hardware) networks.

Whatever the target, the level of ransomware activity has changed.


It does not take much technical expertise to get started in the ransomware “business”. Although the easiest and most likely way to attack companies is with phishing emails, there are other ways as well. Kurtis Minder from GroupSense is all too familiar with these threat actors. His company handles ransomware negotiations on behalf of victims. It also keeps track of prolific ransomware groups, the malware components that are used successfully, and the amounts that are demanded and/or paid to the threat actors. These attackers often work together in groups, a model known as Ransomware as a Service. The groups license ransomware capability platforms and communication mechanisms from third parties, so you have no idea who you’re negotiating with when it comes to these attacks. It is similar to a business franchise that helps threat actors get set up in their ransomware “business”. Initial access brokers find open holes (vulnerabilities) in company networks and sell that access to someone who has licensed the ransomware capabilities. For a small amount of money, an attacker can buy the entire capability stack needed to deploy ransomware without any expertise at all.


Threat actors that target very specific organizations are looking for a big payout, so they invest more time and buy stronger ransomware capabilities, but 99% of attacks are pretty much the same. The difference is in how the ransoms are negotiated. Most lone attackers are not worried about their brand, unlike REvil or Conti, which are more concerned with honoring the ransom so that future victims keep paying. Smaller operators are less likely to honor the ransom: they encrypt data with multiple keys but hand over only one when the negotiation calls for more, then charge separately for the other keys, a tactic called “tag-alongs”. This has been happening more and more often.


Ransomware victims use groups called “crypto-brokers” to manage the crypto payments. A broker takes currency (US dollars, for example) and converts it into cryptocurrency. Victims route their ransom payments through these groups so the payments are not easily traced back to the victims’ bank accounts; this is a security measure that denies threat actors the ability to trace the transaction in reverse. Beware, though: crypto-brokers could also be working with threat actors.


There are ways to combat ransomware. First, start with strong technical defenses; this is where defense in depth comes into play. The outside of your network should be protected by a firewall along with intrusion detection and prevention systems (IDS/IPS). Inside the network, endpoint protection helps: a strong anti-virus and anti-malware system can detect and prevent ransomware files from being installed on your devices. Then there are backups, backups, backups. Backing up data is strongly recommended: if your data gets encrypted, you should be able to use these backups to recover all or most of it. Be sure to test these backups frequently to ensure they are usable; otherwise they can be as useless as the data the ransomware encrypted. Security awareness training is another way to prevent ransomware attacks: make sure your employees have sufficient training in recognizing phishing emails that carry malicious attachments. Have Incident Response plans in place that address ransomware incidents specifically; these scenarios differ from other breaches and require different processes and decision makers. Ransomware preparedness is key if and when you fall victim to one of these attacks.
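The advice above to test backups frequently is only useful if the test actually proves the restored data matches what was backed up. The script below is an added example (not from the original post or from Vala Secure or GroupSense) of one way to do that: record a SHA-256 manifest when the backup is taken, restore to a scratch location, and compare. The file names and contents are constructed sample data; the directory layout and the `restore_is_usable` pass criterion are assumptions for the sake of the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the relative path and SHA-256 of every file under root.
    Run this when the backup is taken, and keep the manifest somewhere the
    backup job's own credentials cannot overwrite (an offline or write-once copy),
    so that an attacker who encrypts the backup cannot also rewrite the checksums."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time.
    Returns which files are missing, altered, unexpected, or verified intact."""
    actual = build_manifest(restored_root)
    expected, found = set(manifest), set(actual)
    common = expected & found
    return {
        "missing": sorted(expected - found),
        "corrupted": sorted(p for p in common if actual[p] != manifest[p]),
        "unexpected": sorted(found - expected),
        "intact": sorted(p for p in common if actual[p] == manifest[p]),
    }


def restore_is_usable(report: dict) -> bool:
    """A restore test passes only if nothing is missing or altered (assumed criterion)."""
    return not report["missing"] and not report["corrupted"]


def demo() -> dict:
    """Constructed sample: a three-file backup and a restore in which one file
    came back truncated, one never came back, and an unrelated file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        (backup / "db").mkdir(parents=True)
        (restore / "db").mkdir(parents=True)

        originals = {
            "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
            "config.yaml": b"retention_days: 30\nencrypt_at_rest: true\n",
            "notes.txt": b"Restore order: database first, then application config.\n",
        }
        for rel, data in originals.items():
            (backup / rel).write_bytes(data)

        # Manifest captured at backup time, serialised so it can be stored off-site.
        manifest_json = json.dumps(build_manifest(backup), indent=2)

        # Simulated restore: one good copy, one silently truncated file, one missing,
        # plus a stray temp file that was never part of the backup set.
        (restore / "db/customers.sql").write_bytes(originals["db/customers.sql"])
        (restore / "config.yaml").write_bytes(originals["config.yaml"][:10])
        (restore / "stray.tmp").write_bytes(b"leftover from a previous job\n")

        return verify_restore(json.loads(manifest_json), restore)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("restore usable:", restore_is_usable(report))
```

In practice the manifest is generated by the backup job and the restore test runs on a schedule against a real restore into a scratch location; a failing report (anything under `missing` or `corrupted`) should page the same people who would be called during an actual ransomware incident, since it means the recovery path is broken before it is needed.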


Kurtis’s advice to ransomware victims is not to engage threat actors on your own. Find a professional as early as you can, but don’t just Google a ransomware professional: there are many scammers who claim they can decrypt data for you but don’t follow through once paid, and those operations are just a waste of money. Instead, Kurtis urges companies to call external legal counsel that specializes in breach response or an Incident Response firm, or to have cyber insurance in place. When you engage on your own and then seek outside help, it can be difficult to unwind the negotiations that have already taken place.


At Vala Secure, we can review your network’s security measures through our IT audits, test the security awareness training of employees through social engineering testing, and review Incident Response plans to make sure you are well prepared in case of an attack on your company. We also specialize in internal and external vulnerability assessments to bring awareness to any weaknesses in the network. Contact us at to learn more about how we can help protect your company.