Business

Hackers Targeting Business

Cybercriminals worldwide aggressively target any organization that they view as capable of paying a ransom in order to recover their data or avoid public disclosure of sensitive information. Attackers create their own malware to launch ransomware attacks, or purchase or license it from a variety of sources on the dark web. Ransomware is a for-profit business…that targets other businesses.

What tools are Available on the Malware Markets?

Malware is sold and licensed just like legitimate software products and services, with licensing models that mirror legal markets. According to the New America Foundation, the markets for malware offer everything from simple software programs for cracking passwords to companies offering governments a one stop shop for surveillance and espionage. Some of these products are highly valuable; one company, Zerodium, advertises a $1.5 million payout to anyone willing to sell zero day vulnerabilities in Apple’s iOS operating system. NSO Group, an Israeli company that was caught having sold surveillance malware to the UAE to monitor human rights activists, has been valued at more than $1 billion. Alongside this big business are groups that lease access to ransomware and rent time on botnets for hundreds to thousands of dollars a week. This dichotomy in prices and offerings has helped create a two-tiered market, with online marketplaces that target lower value opportunities, and smaller markets that work through social networks and encrypted communications that target high value opportunities.

Since markets encourage specialization, criminal organizations build entire businesses around developing, maintaining, and selling different kinds of malware and services.Customers get up to date access to a massive number of potential targets. Imagine an attacker who stumbles upon the leaked source code for a piece of malware like Zeus or a sample of ransomware and rents time on a ready-made exploit kit or botnet to distribute it? Without ever writing a line of code, a new criminal enterprise is launched.

Business Models – Ransomware as a Service (RaaS)

First discovered in 2018, the PINCHY SPIDER group pioneered Ransomware as a Service (RaaS) as a model of operations, in which the developer receives a share of the profits that affiliates collect from successful ransomware infections. Beginning in February 2019, this adversary advertised its intention to partner with individuals skilled in RDP/VNC networks and with spammers who have experience in corporate networking.

A Growing Threat

According to a February, 2020 Gartner Report on Trends in Security and Risk Management:

The velocity and creativity of attacks continue to grow. Attackers will continue to exploit a variety of tools, tactics and techniques against an ever-increasing diversity of targets to achieve a growing range of goals. All of this further reduces the ability to anticipate and prevent security failure. Business disruption and data loss will continue to be primary motivators. Attackers will increasingly exploit legitimate software to achieve their ends.The security skills gap will grow, abetted by the accumulating complexity in IT systems and the rapid pace of change in security tools to protect this rapidly shifting infrastructure.

The security skills gap will grow, abetted by the accumulating complexity in IT systems and the rapid pace of change in security tools to protect this rapidly shifting infrastructure.

Application delivery scale and complexity will continue to grow as a result of component containerization and native cloud delivery.

Device and endpoint diversity will continue to grow due to the emergence of cyber-physical systems underpinning the Internet of Things (IoT), industrial IoT (IoT), smart cities, Industry 4.0¹ and mobile accelerators.

Regulatory data protection and privacy challenges will continue to grow in response to digital business’s insatiable appetite for personal data.

Recommendations

Security and Risk Management (SRM) leaders seeking to capitalize on these trends should:

Seek security solution providers that can enable an Extended Detection and Response (XDR) capability that improves detection accuracy and security operations efficiency.
Break down functional security silos with organizational alignment and governance models.
Invest in people, process and organizational change to address the expanding role of security into privacy, digital trust and safety that arise from the digitalization of business.
Rethink network and server security priorities and invest in solutions that are truly designed for cloud first and zero trust.
Ensure that digital business Machine Language (ML) projects are protected from malicious tampering and biases, and continue to invest in security solutions with an ML focus on measurable improvements in effectiveness and security operations efficiency.

Typical Attack Vectors

The top two methodologies for introducing ransomware are RDP (Remote Desktop Protocol) services and social engineering.

RDP Services

According to a recent research report, the number one initial attack vector in 2019 (occurring in 50% of ransomware events) was through Remote Desktop Protocol (RDP) services. When enabled, RDP allows users to remotely connect to other Windows-based devices or networks; it is commonly used by IT service providers or remote workers. Implementing RDP without adequate controls can leave systems vulnerable to attack. Weak passwords, unrestricted internet access, unlimited authentication attempts, and using outdated RDP protocols can enable attackers to gain access to systems. With the global pandemic, the rise of remote workers has made this approach even more attractive.

Social Engineering (Phishing)

Phishing was the second leading attack vector for all organizations in 2019 (43%). Social engineering exploits human behavior when an attacker manipulates the victim into taking some action that enables the attacker to access an organization’s network or data. This most often occurs by inducing the victim to provide their password into a malicious web form — a method known as “credential harvesting.” These emails may contain a link to an infected website or include an attachment such as a Word document that contains macros. Once a link is clicked or a document is opened, the malware is downloaded and infects the machine quickly: estimates vary from seconds to minutes. Since phishing is a significant tactic for ransomware, educating employees on security is critical.

Masquerading

Masquerading occurs when the name or location of an executable, whether legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 2019 saw a significant increase in the use of masquerading.

Additional attack methodologies

The remaining techniques mirror those observed in previous years, with heavy reliance on hands-on-keyboard techniques (command-line interface, PowerShell) as well as theft of credentials (credential dumping, valid accounts, account discovery) and defense evasion (hidden files and directories, process injection). These techniques are used in many sophisticated attacks, where a human adversary is engaged in the intrusion and is actively working toward an objective.

Money and talent gaps combined with high stakes

The attention and focus on cybersecurity varies significantly from organization to organization. While the private sector has been investing in cybersecurity for a long time and their skills and methods continue to mature, neither the amount of investment nor expertise is uniform.

When the Exploit Succeeds

Once the hacker gains access to the target systems, the attacker demands payment of a ransom and will also claim to provide a method to the victim to regain access to their data once the ransom is paid. There is no guarantee that a victim of an attack will recover their data or access to systems. Without adequate disaster recovery and backup plans, many organizations are forced to pay the ransom.

Businesses often pay the ransom, and many don’t talk about it

Reputation is a key factor in many organizations decisions to keep a ransomware attack secret. Companies that are attacked often suffer brand and reputation damage that can be difficult to undo.

Defensive Strategies

Breakout Time

Breakout Time is a cybersecurity metric that measures the speed from an adversary’s initial intrusion into an environment, to when they achieve lateral movement across the victim’s network toward their ultimate objective. Breakout Time is important for defenders, as it sets up the parameters of the continuous race between attackers and defenders.

Response Time

It is critical that defenders respond within the Breakout Time window, which is measured in hours, so that defenders are able to minimize the cost incurred and damage done by attackers.

An example of a target metric for security teams is the 1-10-60 rule:

Detecting threats within one minute
Understanding threats within ten minutes
Responding within 60 minutes

According to recent research, the average breakout time for all observed intrusions rose from an average of 4 hours 37 minutes in 2018 to 9 hours in 2019. This increase reflects the dramatic rise in observed e-Crime attacks, which tend to have significantly longer breakout times.

Protecting your ORGANIZATION

The impact and costs of Ransomware are escalating quickly. The velocity and creativity of attacks continue to grow. Attackers exploit a variety of tools, tactics and techniques against an ever-increasing diversity of targets, which further reduces the ability of Security and Risk Management (SRM) leaders to anticipate and prevent security failures.

Stopping the attack before it starts

We have discussed mitigation strategies for how to limit losses and how some organizations have felt compelled to pay ransom once they are hit. A more effective solution is to adopt technologies that stop an attack at the very beginning, before malware can damage or encrypt systems, and before ransomware can spread through a targeted network.

Antivirus is only a part of the strategy

Many organizations rely on antivirus tools to help protect against ransomware, without understanding that ransomware is a completely different problem and that antivirus tools are not equipped to solve. Most antivirus tools only check against known lists of malware. The rapidly changing nature of ransomware means that the newest threats quickly change the names of their files to mirror what the tool thinks are acceptable. Then the antivirus software simply allows the attacking file without understanding what has happened.

Zero Day Threats

Many traditional vendors try to build and update tools to prevent any access to systems from bad actors. We believe that while defenses keep improving, hackers will always find new exploits to access devices and networks. This plays out every day as successful attacks are reported in the news media. It is particularly difficult for traditional vendors to detect Zero Day attacks where the malware uses new or unrecognized methods. Traditional antivirus systems miss these attacks precisely because they are new.

A Different Approach

At Hackerstrike, we understand that regardless of the defenses that are in place, hackers eventually gain access to a network. We are focused on what happens next. While other vendors look for known malware, Ransomstrike utilizes advanced Machine Learning (ML) as part of our extended detection and response (XDR) solution to recognize and halt anomalous behavior. Ransomstrike recognizes behavioral changes of systems. We then stop the processes on the device from damaging infected systems or propagating to other devices over a network. This approach also helps reduce the incidence of false positives that plague SRM leaders.

Ransomstrike

Organizations of all sizes need tools that work with but go well beyond the function of traditional antivirus solutions. Ransomstrike is a full-protection platform designed from the ground up to provide real-time detection and protection of all of your systems using A.I.-based continuous learning technology. By examining metadata obtained from the Operating System, our ransomware detection and prevention solution can understand, identify and detect ransomware behavior and stop it, even if traditional antivirus tools can’t find the issues.

Applying Ransomstrike to standard defensive metrics

The continuous learning Machine Learning (ML) engine in Ransomstrike is constantly scanning devices and the network for any anomalies that fall outside of normal operating behavior. When an attack is launched after an employee or contractor clicks on a link in a spear phishing email (for example), Ransomstrike immediately detects the behavior of the malware, alerts administrators and takes the appropriate steps based on the device and user under attack. This can include actions such as quarantining the device from network access for example, to prevent the malicious code from replicating to other devices on the network.