The Fiji Times

Cybersecurity: Ransomware threat warning for 2023

By ILAITIA B. TUISAWAU

ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com

It may be just me, but there seems to be an air of hope and anticipation for this New Year in Fiji, and I believe this is in large part due to the change in government after 16 years, with some pretty smart and experienced experts selected to look after key areas in the nation. One of these critical areas is defence and national security, which includes cybersecurity, and while we can plan this at a national level the reality is that, like most things, it starts at home. Cybersecurity has to be part of how you and your family manage and secure your PCs, laptops and smartphones, and all your internet of things (IoT) devices: WiFi routers, IP cameras, even your home appliances and fridge if they have IP addresses! If you're not sure, ask. This extends to your workplace, especially since most now balance office time with working from home. Cyberspace attacks will continue unabated this year, and I predict they will in fact increase, especially where they are financially beneficial to the attackers, as ransomware is.

For example, as reported on hackernews.com, in the middle of last year Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in demand for avocados; it was a ransomware attack. In recent years, companies, universities, schools, medical facilities and other organisations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis.

Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade with the rise of cryptocurrencies, which gave attackers a hard-to-trace way to collect payment. Since 2015, ransomware gangs have increasingly targeted organisations instead of individuals. Consequently, ransom sums have increased significantly, reaching millions of dollars.

Ransomware is effective because it pressures victims in two complementary ways. First, by threatening to destroy the victim's data, or leave it permanently encrypted. Second, by threatening to publicise the attack or even leak the stolen data, so-called double extortion. The second threat has an indirect impact, yet it is just as serious, if not more so.

Publication could trigger regulatory and compliance issues, as well as negative long-term reputation and brand effects.

In fact, ransomware as a service (RaaS) has become the most widespread type of ransomware. In RaaS attacks, the ransomware infrastructure is developed by cyber criminals and then licensed out to other attackers (affiliates) for their use. The affiliates can pay for the use of the software, or they can split the loot with the creators. Etay Maor, senior director of security strategy at Cato Networks, commented: "There are other forms of RaaS. After receiving the ransomware payment, some ransomware groups sell all the data about the victim's network to other gangs. This means the next attack is much simpler and can be fully automated, as it does not require weeks of discovery and network analysis by the attackers."

Some of the major ransomware families, notorious for turning the landscape into what it is today, are CryptoLocker, which infected over a quarter of a million systems in 2013 and profited more than $3 million in less than four months; CryptoWall, which made over $18 million and prompted an FBI advisory; and finally Petya, NotPetya and WannaCry, which combined ransomware with exploits (notably the EternalBlue SMB exploit in the case of WannaCry and NotPetya) in order to spread.

An organisation under attack is bound to experience frustration and confusion. One of the first recommended courses of action is to contact an incident response (IR) team. The IR team can assist with investigation, recovery and negotiations. Then, local and international agencies can also help or be made aware of the attack.

In the US, to help ransomware victims and to prevent ransomware, the FBI, working with CISA, has set up multiple cyber task forces across its field offices. These task forces work closely with the IRS, the Department of Education, the Office of Inspector General, the Federal Protective Service and State Police. They are also in close contact with the Secret Service and have access to regional forensics labs. For national security cybercrimes, the FBI has a designated squad.

Many ransomware attacks don't have to reach the point where incident response teams are needed; they can be avoided beforehand. Ransomware is not a single-shot attack. Instead, a series of tactics and techniques all contribute to its execution: initial access, privilege escalation, lateral movement and data theft typically all happen before a single file is encrypted. By identifying in advance the network and security weaknesses that enable those steps, organisations can block or limit threat actors' ability to carry out ransomware. In fact we need to rethink the saying that "the attackers need to be right just once, the defenders need to be right all the time": the attackers have to succeed at every step of their chain, and the defenders need to catch them at only one. A cyber-attack is a combination of multiple tactics and techniques, and as such it can only be countered with a holistic approach, with multiple converged security systems that all share context in real time. This is what a SASE (secure access service edge) architecture offers the defenders.

For example, the steps in a REvil attack on a well-known manufacturer have been mapped out against the MITRE ATT&CK framework. That mapping shows numerous phases that took place before the actual ransom demand and were essential to its "success". By mitigating the risks at those earlier phases, the attack might have been prevented.

But don't take my word for it. Some ransomware attackers are "kind" enough to leave organisations with best practices for securing themselves against future ransomware attacks. Recommendations include:

- Turning off local passwords;
- Using secure passwords;
- Forcing the end of admin sessions;
- Configuring group policies;
- Checking privileged users' access;
- Ensuring only necessary applications are running;
- Limiting the reliance on anti-virus;
- Installing EDRs;
- 24-hour system admins;
- Securing vulnerable ports;
- Watching for misconfigured firewalls;
- and more.
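As an added example (not part of the original column, and not material from Cato Networks or any ransomware group), the following Python script audits a host inventory against several of the items in that list: risky ports reachable from outside the internal networks (securing vulnerable ports, watching for misconfigured firewalls), unnecessary services left running, privileged accounts that nobody has used in months, and admin sessions that are never forced to end. The inventory format, the internal address ranges, the thresholds and the two sample hosts are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Networks this (hypothetical) organisation treats as internal. A rule that
# admits traffic from anywhere outside them counts as internet-exposed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports ransomware operators routinely use for initial access and lateral
# movement; exposing them beyond the LAN is the "vulnerable port" case.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 135: "RPC", 5985: "WinRM", 22: "SSH"}

# Services that rarely need to run; each one is extra attack surface.
UNNEEDED_SERVICES = {"telnet", "ftp", "RemoteRegistry"}

MAX_ADMIN_SESSION_HOURS = 8    # assumed policy: admin sessions end within a shift
STALE_PRIVILEGED_DAYS = 90     # assumed policy: unused this long is suspect


@dataclass
class FirewallRule:
    port: int
    source: str      # CIDR allowed to reach the port
    action: str      # "allow" or "deny"


@dataclass
class Host:
    name: str
    rules: list                # list of FirewallRule
    services: list             # names of running services
    admins: dict               # privileged account -> date of last login
    admin_session_hours: int   # configured maximum admin session length


def is_exposed(cidr):
    """True if the source range is not wholly inside the internal networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit_host(host, today):
    """Return (host, check, detail) findings for the hardening items above."""
    findings = []
    for rule in host.rules:
        if rule.action == "allow" and rule.port in RISKY_PORTS and is_exposed(rule.source):
            findings.append((host.name, "exposed_port",
                             f"{RISKY_PORTS[rule.port]}/{rule.port} allowed from {rule.source}"))
    for svc in host.services:
        if svc in UNNEEDED_SERVICES:
            findings.append((host.name, "unneeded_service", svc))
    for account, last_login in host.admins.items():
        idle = (today - last_login).days
        if idle > STALE_PRIVILEGED_DAYS:
            findings.append((host.name, "stale_admin", f"{account} unused for {idle} days"))
    if host.admin_session_hours > MAX_ADMIN_SESSION_HOURS:
        findings.append((host.name, "long_admin_session",
                         f"{host.admin_session_hours}h > {MAX_ADMIN_SESSION_HOURS}h"))
    return findings


def audit(hosts, today):
    """Audit every host and return the combined list of findings."""
    return [f for h in hosts for f in audit_host(h, today)]


# Constructed sample inventory (not real hosts): a file server with RDP open
# to the internet, a stale service account and day-long admin sessions, plus
# a workstation that only exposes RDP to the LAN but still runs telnet.
TODAY = date(2023, 1, 15)
SAMPLE_HOSTS = [
    Host("fs01",
         rules=[FirewallRule(445, "10.0.0.0/8", "allow"),
                FirewallRule(3389, "0.0.0.0/0", "allow"),
                FirewallRule(443, "0.0.0.0/0", "allow")],
         services=["smb", "RemoteRegistry"],
         admins={"admin": TODAY - timedelta(days=3),
                 "svc_backup_old": TODAY - timedelta(days=200)},
         admin_session_hours=24),
    Host("ws17",
         rules=[FirewallRule(3389, "192.168.1.0/24", "allow")],
         services=["telnet"],
         admins={"localadmin": TODAY - timedelta(days=1)},
         admin_session_hours=4),
]

if __name__ == "__main__":
    for host, check, detail in audit(SAMPLE_HOSTS, TODAY):
        print(f"{host:5} {check:18} {detail}")
```

Run as-is it reports five findings across the two sample hosts; the HTTPS rule and the LAN-only RDP rule are correctly left alone. To use it for real, replace SAMPLE_HOSTS with data exported from your firewall and directory and tune the thresholds to your own policy. It checks configuration only, not whether the controls are actually enforced, so it complements rather than replaces an EDR.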

Etay Maor of Cato Networks highlights: "Nothing in what several ransomware groups say organisations need to do is new. These best practices have been discussed for years. The reason they still work is that we try to apply them using disjoint, point solutions. That didn't work and will not work. A SASE, cloud-native architecture, where all security solutions share context and have the capability to see every network flow and get a holistic view of the attack lifecycle, can level the playing field against cyber-attacks."

Just like brushing your teeth or exercising, security hygiene is an ongoing, methodical practice. Ransomware attackers have been known to revisit the crime scene and demand a second ransom if the issues haven't been resolved. By employing security controls that effectively mitigate security threats and having a proper incident response plan in place, the risks can be minimised, and so can the attackers' pay day. Computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) are here to help, but they are first responders: calling them is like calling for an ambulance in a medical emergency.

As the saying goes, prevention is always better than cure. God bless, and stay safe these holidays in both the digital and physical worlds.

Picture: csoonline.com. Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade with the advance of cryptocurrencies.
