Ransomware: The rise of a digital virus within the pandemic
By Chris Pogue, Head of Strategic Alliances, NUIX
What is Ransomware?
Ransomware is a conceptually simple family of malware. A malicious actor gains a foothold inside the target organisation and deploys the malware. Depending on its sophistication, it is either pointed manually at a storage repository or left apparently dormant while the operators map the network and locate the data of highest value. Once that determination has been made, the malware runs and encrypts the targeted data. Modern strains do this with hybrid encryption: each file is encrypted with a strong symmetric cipher under a freshly generated key, and that key is in turn encrypted with a public key whose matching private key only the attacker holds. With a properly implemented cipher, brute-forcing either key is mathematically infeasible (it would take an inordinate amount of time), so the locked data cannot be recovered by force. The victim organisation can either restore its data from uninfected, up-to-date backups or pay the attacker's demand (typically in bitcoin). Once the ransom has been paid, the attacker is supposed to hand over the private key, or a decryption tool built around it, so that the files can be decrypted; whether that actually happens rests entirely on the attacker's word.
In simpler terms, think of it like this:
It is the same as if an intruder broke into your house, put all of your belongings into big wooden crates and wrapped them up with heavy chains and a huge, unbreakable padlock. When you arrive home from work you find all of your belongings stored and unharmed in the wooden crates, and the intruder leaning against the boxes and dangling the key to the lock (probably the one with your remote, TV and wine inside). He tells you that for a bargain of just £25,000 he will give you the key and you can unlock all of your stuff, but if you refuse, your things will remain sealed up and useless to you inside the crates. Which do you want more: the £25,000 or your stuff back?
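The key structure that makes the padlock unbreakable, as an added example that is not from the article and not taken from any real ransomware: one file is encrypted with a fresh AES-256-GCM key, that key is wrapped with RSA-OAEP under a public key whose private half only the attacker holds, and the only two ways back to the plaintext are the attacker's private key or a copy taken before the encryption. The file contents, the file name ledger.csv, the 2048-bit key size and the in-memory backup map are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what is left behind for one file: AES-GCM ciphertext and nonce,
// plus the per-file AES key wrapped under the attacker's RSA public key. No
// attacker secret is ever present on the victim's machine.
type LockedFile struct{ Ciphertext, Nonce, WrappedKey []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lock encrypts data under a fresh random AES-256 key and wraps that key with
// RSA-OAEP under pub; the plaintext key is zeroed once wrapped.
func lock(pub *rsa.PublicKey, data []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the only surviving copy is now inside wrapped
		fileKey[i] = 0
	}
	return &LockedFile{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped}, nil
}

// unlock is the path the ransom buys: only the holder of priv can unwrap the
// file key; anyone else would have to guess a 256-bit AES key.
func unlock(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// Outcome: does the matching key decrypt, does another key fail, does backup work.
type Outcome struct{ AttackerDecrypts, OtherKeyFails, BackupRestores bool }

func roundTrip() (Outcome, error) {
	var out Outcome
	attacker, err1 := rsa.GenerateKey(rand.Reader, 2048)
	stranger, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return out, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	original := []byte("constructed sample: Q3 ledger, 14 rows") // not real data
	// The defender's path: a copy taken before encryption and held off the host.
	backup := map[string][]byte{"ledger.csv": append([]byte(nil), original...)}

	lf, err := lock(&attacker.PublicKey, original)
	if err != nil {
		return out, err
	}
	got, err := unlock(attacker, lf)
	out.AttackerDecrypts = err == nil && bytes.Equal(got, original)
	_, err = unlock(stranger, lf)
	out.OtherKeyFails = err != nil
	restored, ok := backup["ledger.csv"] // never touches the envelope at all
	out.BackupRestores = ok && bytes.Equal(restored, original)
	return out, nil
}

func main() {
	out, err := roundTrip()
	fmt.Printf("%+v (err: %v)\n", out, err)
}
```

The second private key stands in for every party that is not the attacker: with the wrong key, OAEP unwrapping fails and nothing about the ciphertext helps, which is the concrete meaning of "brute force is infeasible". Note that the backup path never reads the envelope at all, which is why offline, tested backups are the control that actually decides whether the ransom matters.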
Why is Ransomware on the increase? Especially within the context of the COVID-19 pandemic
American bank robber Willie Sutton is famously (and, by his own account, incorrectly) quoted as saying that he robbed banks "because that's where the money is". So the simple answer to "Why is ransomware on the rise?" is, with thanks to Mr Sutton, "because that's where the money is".
During the continued COVID-19 pandemic, the world was propelled into cyberspace as businesses shifted from an on-premises to a fully remote workforce. Businesses that had not believed they could remain profitable without a physical office found that this was not the case, and the world became increasingly able to support a massive exodus into remote working. This shift did not necessarily create more data, but it did require remote access to data that was previously reachable only from office-based systems, and that created an opportunity attackers were poised and ready to exploit. A VPN protects the traffic between a remote worker and the corporate network, but it does not secure the home network or the device at the far end, and many employees were unfamiliar with the additional security practices needed to use it properly. Meanwhile, some IT staff were unaccustomed to their entire workforce operating remotely, leading to cracks in the IT infrastructure that left it open to external attackers.
Businesses were focused on "Can we survive?" and "How do we do our jobs 100% remotely?", not "How do we do this securely?" or "How can we work remotely while educating our employees on security best practices?". As in so many other instances, the survival of the business trumped security; it always has and always will. So, with remote workers unfamiliar with security concepts and controls, overwhelmed IT staff, business leaders focused on sustainability and quarterly results, and teleworkers sharing the same, often unsecured, home networks with their children, you have a perfect storm of opportunity, means and motive. Hence the spike in ransomware attacks.
What does this mean specifically for financial services companies and how can they protect themselves?
The financial services industry will always be among the most targeted by attackers; after all, "it's where the money is". Its security controls and detection mechanisms have, however, also been among the most diligent and technically advanced. Even though attackers have their work cut out for them, the payoff remains an attractive incentive compared with low-effort attacks on targets such as the payment terminal of a small restaurant: greater effort means a greater payout. It also means that financial services targets attract the most capable hackers from the most successful crews, who are among the most determined, motivated and highly skilled adversaries on the planet.
To defend effectively against this threat, financial services organisations need to treat their defensive posture with the same rigour and determination that their adversaries bring to the attack. Failure to do so will result in the business being compromised and its critical-value data stolen and monetised.
Security should be a top priority at board level, with plans made for technology, training, and threat exercises such as red teaming and purple teaming. These exercises borrow from military war-gaming, in which a red team (the adversary) is pitted against a blue team (the defenders). In red teaming, a group is employed to act like the enemy against the organisation's defences. In purple teaming, the efforts of the red and blue teams are closely aligned for the purpose of enhancing the blue team's detection and response skills, with red team members acting as teachers as well as adversaries. These exercises are among the most impactful forms of training for defenders and investigators.
It should also include active threat hunting to seek out attackers who have found their way past the perimeter (as they invariably will) and are trying to establish persistence. Organisations will pay for security either way: now, without interest, or later, with interest. That interest manifests itself as loss of customer confidence, loss of market share, regulatory fines and, potentially, class action or shareholder derivative lawsuits. Businesses should pay now and take advantage of a significant return on investment, or pay the consequences plus interest later.
In the Army, we had a saying, “Train as you fight”. This should be the mantra of the security teams within financial services institutions – they should be training non-stop in realistic scenarios that closely mimic the actual attacker tactics, techniques and procedures (TTPs).
Who do they target at these companies and what methods are they using?
In movies like John Wick and James Bond, despite state-of-the-art security, overwhelming odds and hordes of nameless security guards, our heroes still find a way in. It’s the vent in the Death Star that some engineer forgot about that brings the whole of the Empire crashing down.
In modern times, attackers are not going to strike the systems being monitored (the front door); they are going to find the unlocked window. This could be a non-administrative network segment that still has a path to the domain controller. In my experience of investigating more than 2,000 data breaches, very few were the result of a frontal assault. The vast majority exploited seemingly innocuous oversights: missing patches, misconfigurations, forgotten systems and open ports. In other words, a back door or an open window.
Business email compromise (BEC) also continues to be one of the easiest and most effective attacks used around the world. It is an old but effective tactic: the attackers create an email address bearing the name of a company executive on a domain that is not the company's (for example, [email protected] instead of [email protected]), send a blast email to everyone in the company asking them to perform some activity, with granting access to files or shares and transferring funds being popular requests, and wait to see if anyone bites. Because the lookalike address really is under the attacker's control, sender authentication such as SPF and DMARC on the genuine company domain does not stop it; the message passes those checks, and only a recipient or a filter that notices the wrong domain will. While the success rate may be low, it only takes one mistake for the attacker to gain access. No organisation that I have worked with in the past that knew the attack was coming ever registered a 100% deflection rate.
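A first-pass detection for the lookalike-sender pattern just described, added here as an example and not part of the article or of any product: it parses each message's From and Reply-To headers, flags an executive's display name arriving from a domain other than the company's, and separately flags any external sender domain within a small edit distance of the company domain. The corporate domain example.com, the executive names and the five sample messages are constructed for the example; an unparseable address is reported as a finding rather than silently dropped.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Assumed for this example: the company's domain and the executives whose names
// an attacker would borrow (both hypothetical).
const corpDomain = "example.com"
var executives = map[string]bool{"jane doe": true, "john roe": true}

type Finding struct{ Header, Value, Reason string }

// editDistance is Levenshtein distance; a small distance from corpDomain is
// the signature of a lookalike registration such as examp1e.com.
func editDistance(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			best := prev[j-1] + cost // substitution
			if prev[j]+1 < best {
				best = prev[j] + 1 // deletion
			}
			if cur[j-1]+1 < best {
				best = cur[j-1] + 1 // insertion
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// checkAddress flags an executive's display name on a non-corporate domain,
// any external domain within edit distance 2 of ours, and unparseable values.
func checkAddress(header, value string) *Finding {
	addr, err := mail.ParseAddress(value)
	if err != nil {
		return &Finding{header, value, "unparseable address: " + err.Error()}
	}
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	switch {
	case domain == corpDomain:
		return nil
	case executives[strings.ToLower(addr.Name)]:
		return &Finding{header, value, "executive display name on external domain " + domain}
	case editDistance(domain, corpDomain) <= 2:
		return &Finding{header, value, "lookalike of " + corpDomain + ": " + domain}
	}
	return nil
}

// scanMessage checks From and Reply-To of one raw RFC 5322 message; Reply-To
// matters because a clean From can still route replies to the attacker.
func scanMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, h := range []string{"From", "Reply-To"} {
		if v := msg.Header.Get(h); v != "" {
			if f := checkAddress(h, v); f != nil {
				findings = append(findings, *f)
			}
		}
	}
	return findings, nil
}

// Constructed sample messages, not real traffic.
var samples = []string{
	"From: \"Jane Doe\" <jane.doe@example.com>\r\nSubject: Q3 numbers\r\n\r\nAll fine.\r\n",
	"From: Jane Doe <jane.doe.ceo@gmail.com>\r\nSubject: Urgent wire\r\n\r\nPlease transfer today.\r\n",
	"From: \"Accounts Payable\" <billing@examp1e.com>\r\nSubject: Invoice\r\n\r\nSee attached.\r\n",
	"From: \"John Roe\" <john.roe@example.com>\r\nReply-To: \"John Roe\" <john.roe@outlook.com>\r\nSubject: Access\r\n\r\nGrant me access.\r\n",
	"From: \"Bob\" <bob@supplier.net>\r\nSubject: Hello\r\n\r\nHi.\r\n",
}

func main() {
	for _, raw := range samples {
		fs, err := scanMessage(raw)
		fmt.Println(fs, err)
	}
}
```

On the constructed samples this yields three findings: the executive's name on gmail.com, the digit-for-letter lookalike domain, and a clean-looking From whose Reply-To points at an executive's name on an external domain. The unrelated supplier passes. In production the executive list comes from the directory rather than a literal, and the edit-distance threshold needs tuning against the organisation's legitimate partner domains to keep false positives down.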