Rapid change has been a perpetual constant, even when it comes to the threat landscape. The high-stakes ransomware game is not what it used to be. These are no longer indiscriminate ransomware attacks: this new generation of threat actors is more sophisticated and organized, and executes each attack as part of a well-planned campaign to make money. Unfortunately, the victims of these high-stakes ransomware attacks have more to worry about than just getting their data and systems back to an operational state. In such a scenario, early detection becomes imperative.
Small-time criminals go for the quick way to earn some money; they have neither the time nor the skill required to pull off a large-scale enterprise attack while hiding their digital footprints. Unlike these small-time cyber crooks, the high-stakes ransomware groups have the time, skill, motivation, and dedication to plan and execute their attacks. That simply means they will gain access to the network, figure out what matters, and, once they have maximized their returns, incinerate everything.
Different Strokes of Ransomware
Compared to the campaigns of today, early ransomware campaigns like Locky were indiscriminate and unsophisticated. In large-scale phishing attacks, the attackers would simply spread the ransomware to anyone they could reach. Unaware recipients would click on the malicious links and get infected, ending up with their sensitive data encrypted on their workstations and, for corporate users, in their data centers. Thanks to cryptocurrency, it became easy for the threat actors to collect their ransom anonymously.
There were no fancy exploits; all they needed was to get users to click on a malicious link. From then on, the ransomware would spread and do its job. This was usually enough to collect a healthy ransom from the victim with very little effort. There was no stealthy reconnaissance, no high-level access, and no data theft. These infections were usually traceable to a handful of users who clicked on the link, and there was little evidence to suggest they were anything but a smash-and-grab job.
The next resurgence in the ransomware industry came with the WannaCry attack. This wave used a sophisticated exploit but was still propagated indiscriminately. Spreading peer to peer and across company boundaries, WannaCry and NotPetya took over unpatched systems and held both the systems and their data for ransom. These attacks were devastating even though the attackers did not monetize their efforts.
Future expectations from high-stakes ransomware
Unlike someone slowly and steadily siphoning funds from a bank account or stealthily spying on a corporate communications department, ransomware still isn’t subtle. Ransomware invokes fear and asks the victims to act for the benefit of the threat actors.
Older versions of ransomware aren’t stealthy. High-stakes ransomware, however, infects the victim’s systems and networks quietly, and remains silent before commencing its final destructive phase.
A new strain of ransomware, called “Save the Queen”, was analyzed; it distributes ransomware from the victim’s Active Directory servers, since domain controllers hold the keys to the digital landscape. Because of the importance they hold, manipulating Active Directory services requires a high level of access, and that is exactly what the threat actors had.
For attackers with that level of access, getting past the network perimeter is just another chore, which makes it scarier. Like the attackers responsible for Save the Queen, they can gain access to high-level applications or administrative accounts, turning the organization’s own infrastructure against it.
The million-dollar question: if these high-stakes ransomware operators have all the access they require, will they also grab financial information or intellectual property? Trade on insider information?
It would be naive to think that they won’t do this or haven’t thought about it. Some attackers might not want to scour through data when they just want a smash-and-grab job. However, as these groups get more sophisticated and efficient at monetizing digital assets, it’s more likely that in the near future they won’t leave any money for their victims.
You can see how economics plays its part when you look at Monero, a newer cryptocurrency. When the price of Monero was high, attackers would command compromised systems to mine Monero for as long as they could. With Monero being pricey, it was more sensible to shear the sheep than to slaughter it. When the price of Monero fell, they got nervous.
4 Ways to protect organizations
- Know where intellectual property, financial information, personal data, and sensitive emails are stored. Grant access only to the employees and personnel who need it, to reduce the attack surface. This is a precautionary step taken before attackers look to steal.
- Have a security plan that compensates for network downtime rather than improvising under pressure, especially if the attack lands before or during the organization’s busiest week.
- Backups are essential, and many strategies for mitigating a ransomware attack rely heavily on them. The harder task is determining which files need to be recovered from backup. Always keep a record of file system activity so that, if the network gets infected, the security team knows what the infected users were up to.
- Enlist automation to work on behalf of the organization. With the right activity logs and analysis, automation can detect and even stop potential attacks before they spread. Logging and analyzing critical datasets and systems, such as large, important data stores along with Active Directory, should be prioritized.
Given that remote workers are now easy conduits to corporate resources, most organizations find themselves unprepared when it comes to spotting unusual activity. The goal should be to detect attackers who are planning to take advantage of these remote resources.
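As an added illustration of the file-activity logging and automated detection recommended above (example code written for this page, not eScan’s product or the original post), the following Python scans constructed file-server audit lines, flags an account that modifies an unusual number of distinct files in a short window, and lists the files that account touched so the backup team knows what to restore. The log format, thresholds and account names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real product), one event per line:
# "<ISO timestamp> <user> <action> <path>"; RENAME paths are written "old>new".
def _burst(user, start, n, ext):
    t0 = datetime.fromisoformat(start)
    return "\n".join(
        f"{(t0 + timedelta(seconds=i)).isoformat()} {user} RENAME "
        f"/fs01/finance/report_{i}.xlsx>/fs01/finance/report_{i}.xlsx{ext}"
        for i in range(n))

SAMPLE_LOG = "\n".join([
    "2024-03-04T09:00:01 alice WRITE /fs01/finance/q1_budget.xlsx",
    "2024-03-04T09:00:09 alice READ /fs01/finance/q1_budget.xlsx",
    "2024-03-04T09:01:30 bob RENAME /fs01/hr/draft.docx>/fs01/hr/final.docx",
    _burst("svc-backup", "2024-03-04T09:05:00", 40, ".locked"),  # encryption-like burst
])

LINE = re.compile(r"^(\S+) (\S+) (READ|WRITE|RENAME|DELETE) (.+)$")

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, action, path = m.groups()
            yield datetime.fromisoformat(ts), user, action, path

def detect_bursts(log, window_s=60, min_files=25):
    """Flag users whose modifying events (WRITE/RENAME/DELETE) touch at least
    min_files distinct files within window_s seconds. Returns
    {user: (window start, distinct files at the moment the threshold was hit)}."""
    recent = defaultdict(deque)  # user -> (ts, file) events inside the window
    alerts = {}
    for ts, user, action, path in parse(log):
        if action == "READ":
            continue
        q = recent[user]
        q.append((ts, path.partition(">")[0]))  # pre-rename name for RENAME
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        touched = {f for _, f in q}
        if len(touched) >= min_files and user not in alerts:
            alerts[user] = (q[0][0], len(touched))
    return alerts

def files_to_restore(log, user):
    """Every file a flagged user modified: the restore list for the backup step."""
    return sorted({path.partition(">")[0] for _, u, a, path in parse(log)
                   if u == user and a != "READ"})
```

Normal users stay under the threshold; the burst account trips it 25 files in, long before all 40 are renamed, and the restore list names exactly the files that need to come back from backup.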
To read more, please check eScan Blog