Jan 04 2023

Ransomware Risk Management

Category: Ransomware, Risk Assessment | DISC @ 12:15 pm

A Cybersecurity Framework Profile


Tags: ransomware, Ransomware Protection Playbook

Dec 31 2022

Triple Extortion Ransomware: How to Protect Your Organization?

Category: Ransomware | DISC @ 12:06 pm

By one widely cited industry estimate, ransomware hits a business every 11 seconds. Attack volume is already at record levels, and the trend is still upward.

As some victims took precautions (working backups, a refusal to pay), attackers began adding further layers of pressure to their attacks.

Double extortion ransomware was a common tactic by 2021. Attackers have since gone a step further with what is called triple extortion.

What is a triple extortion ransomware attack, and how do you protect your business? Read on to find out.


What is double extortion ransomware?

Classic ransomware extorts a single payment, for the decryption key. In "double extortion" the attackers first steal a copy of the victim's data and only then encrypt it, so they hold two forms of leverage at once.

The criminals encrypt the victim's data and threaten to publish the stolen copy if the ransom is not paid.

As soon as the attacker has exfiltrated the data they intend to leverage, they launch the encryption. They then threaten to expose the data, for example by selling customers' personal information.

Paying does not remove that leverage: organizations that paid the ransom have still found their data leaked afterwards.

SunCrypt was among the first ransomware operations to add DDoS as a further layer of pressure, threatening to flood the victim's servers with traffic if the ransom was not paid.

Avaddon and REvil soon adopted the same tactic. DDoS extortion is expected to keep growing, given the ever-larger pool of poorly secured IoT devices that can be conscripted into botnets and the rising value of cryptocurrency.

What is a triple extortion ransomware attack?

In triple extortion, attackers widen the circle of pressure beyond the company that was initially compromised: they also demand payment from, or threaten, the people and organizations whose information was stolen, such as customers, patients or business partners, or they add a third form of coercion such as DDoS.

The case usually cited as the first was the breach of Vastaamo, a Finland-based psychotherapy clinic. Beyond the ransom demanded from the clinic, the attackers contacted individual therapy patients directly and threatened to publish their session notes unless they paid.

Another instance occurred in 2021, when the REvil group, having failed to extract payment from Apple's hardware supplier Quanta, turned its demand on Apple itself.

That case showed that leverage over one supplier can be turned against the supplier's customers: a third party's breach becomes your extortion problem.

Such an attack can do lasting damage to the reputation of any company, regardless of industry.

Leading Causes of Double and Triple Extortions

The main factors contributing to the rise in double and triple extortion are:

  • Ransomware-as-a-service (RaaS) platforms have lowered the skill needed to run these attacks.
  • Cryptocurrency payments make it harder for law enforcement to trace and recover funds.
  • Newer ransomware operations build their playbook around data theft and leak sites from the start, not just encryption.

Who is vulnerable to Triple extortion ransomware?

Attackers target companies with inadequate security controls and less mature security teams, and they prefer victims that are able to pay.

The most obvious targets are companies and organizations that store client or customer data.

Any organization that owns or processes sensitive data, or is connected to one that does, is exposed to triple extortion.

How to prevent triple extortion ransomware attacks?

Many ransomware intrusions go undetected and unreported until the attackers reach the domain controller. A purely detection-centric approach only warns of attacks that are already under way; the most effective course of action is prevention.

Here are effective ways to prepare against triple extortion attacks:

Keep your network secure

Double extortion ransomware gets into your network the same way traditional ransomware does. To deny initial access, train employees in security awareness, enforce password policies and require multi-factor authentication, particularly on remote access and email.

Run vulnerability assessments regularly and patch known vulnerabilities promptly, giving priority to internet-facing systems.

Back up Data

If an attacker does get in, an offline (or otherwise immutable) backup protects you against the first layer of the attack, losing access to your data, and removes the need to buy a decryptor. Test the restore, not just the backup job.

Encrypting sensitive data at rest blunts the second layer, since stolen ciphertext is of little use to the ransomware group. The caveat: it only helps if the keys are not reachable with the access the attacker has gained; data that is decrypted transparently for any logged-in account is plaintext as far as the intruder is concerned.

Cyber Threat Intelligence

Threat intelligence is a key pillar of the security stack. Gathering information on cyber threats provides insight into the actors and methods that could affect your business.

Keep current with threat intelligence so you can detect and analyze threats, and hunt for the signs of compromise that precede a ransomware attack; by the time files are being encrypted, the data has usually already been exfiltrated.

Proper DDoS Protection

DDoS is now among the services RaaS operators offer. Protect your company's network and servers with a DDoS mitigation solution that inspects incoming traffic, identifies malicious requests and diverts them away from your network and servers.

Attackers are also spreading their DDoS attacks across many sources. Indusface offers DDoS protection that lets you customize mitigation thresholds to isolate and block attacks.


Cybercriminals keep evolving their attack techniques; you cannot afford to fall behind and leave your assets exposed.

If you are hit by a triple extortion attack, paying the ransom is not a way out: payment does not make the stolen copy of your data disappear. Focus on preventing attacks and on containing them as they happen.

The best solution would be to prevent the attack from happening in the first place. A comprehensive ransomware resilience plan is essential for preparation, prevention, and response.


Tags: Ransomware Protection Playbook

Aug 25 2022

This company paid a ransom demand. Hackers leaked its data anyway

Category: Information Security, Ransomware | DISC @ 8:57 am

It’s always recommended that ransomware victims don’t give in to ransom demands – and this real-life case demonstrates why.


A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn’t hold up their end of the deal. 

The real-life incident, detailed by cybersecurity researchers at Barracuda Networks, took place in August 2021, when hackers from the BlackMatter ransomware group used a phishing email to compromise the account of a single user at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. 

Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received.  

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin. 

Cybersecurity agencies warn that, even once networks are encrypted, victims shouldn't pay ransom demands for a decryption key, because this only shows hackers that such attacks are effective.

Despite this, the unidentified organisation chose to pay after negotiating the payment down to half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later, a lesson in why you should never trust cyber criminals.

Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.

Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place. 

A few months after the incident, BlackMatter announced it was shutting down, with the recommendation that those using the ransomware-as-a-service scheme should switch to LockBit.

According to Barracuda's report, ransomware attacks are on the rise, with more than double the number of attacks targeting key sectors, including healthcare, education and local government.

Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism. 

“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said. 

In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline. 

It’s also recommended that organisations apply security updates as quickly as possible to stop attackers targeting known vulnerabilities to gain access to accounts and networks. 


The Ransomware Threat Landscape

Ransomware Protection Playbook

Tags: Ransomware Protection Playbook, Ransomware Threat

Aug 16 2022

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.


South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn’t breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to our corporate IT network and our teams are working to resolve this as quickly as possible.” It added there has been no disruption to service.

“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said. 

Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror.

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebig said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”


Ransomware Protection Playbook

Tags: ransomware attacks, Ransomware Protection Playbook

May 31 2022

CISA Announces Joint Ransomware Task Force

Category: Ransomware | DISC @ 10:21 am

Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Easterly announced the news at an Institute for Security and Technology (IST) event on May 20 in Washington, D.C., and also said the task force would have its first official meeting within the next few months.

“We’re very excited about it,” Easterly said during an event interview. “We think that this will actually build really nicely on the infrastructure and the scaffolding that we’ve developed with the [Joint Cyber Defense Collaborative] to use what we have as part of the federal cyber ecosystem and the companies that are part of the JCDC alliance to plug into the hub as envisioned in the Ransomware Task Force Report.”

She added that the FBI will co-chair the task force, which means the operational leads will be Eric Goldstein, CISA’s head of cybersecurity, and Bryan Vorndran, the assistant director of the FBI’s Cyber Division.

CIRCIA’s Reporting Requirements

Passed as part of the omnibus spending bill in March, CIRCIA focuses on critical infrastructure companies—ranging from financial services firms to energy companies, or other entities where a cybersecurity event would impact economic security or public health and safety.

CIRCIA would require these entities to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively. 

The Institute for Security and Technology issued a report last year that included a framework to combat the rising threat of ransomware. 

Former State Department cybersecurity coordinator Chris Painter, also a co-chair of the ransomware task force working groups, explained during the IST event that combating ransomware threats requires a high degree of coordination and cooperation between government agencies. 

“Establishing the new task force signals that this issue continues to be a priority and is a recognition that combating ransomware will take a sustained, long-term effort,” he said. “It should work to leverage federal and private sector capability to disrupt the major ransomware actors in any way possible.”

Easterly said the focus would be on operationalizing progress in an agile way and disrupting these bad actors, with CISA on the resilience/defense side.

“We want to work with all of our partners across the federal cyber ecosystem and the industry to actually be able to go after these actors in a very agile way at scale,” she said. 

She said the days of holding threat report briefings on a quarterly basis are long over; it is no longer a realistic way of protecting critical infrastructure threats. 

“We all have to be in the room all the time, sharing information constantly so that we can create that picture together, because it’s very likely that industry is going to see a cyberattack on the homeland before we see it,” Easterly said. “So, we have to be in the same room—we have to trust each other.”

Beyond Ransomware

The event also featured a keynote address from Deputy Attorney General Lisa Monaco, who announced twin initiatives from the Department of Justice.

The first is aimed at tackling illegal cryptocurrency transactions, while the second concerns the establishment of a cybersecurity operations international liaison position to speed up international operations aimed at disrupting the activities of cybersecurity threat actors globally.

“We’ve got to evolve to keep pace with the threat and the nation-states and criminal actors driving it,” Monaco said.

Matthew Warner, CTO and co-Founder at Blumira, a provider of automated threat detection and response technology, said as attacks against businesses and infrastructure have continued to grow, so has the impact of these attacks.

“Ransomware is a systemic risk to all computing at this point, which requires a unique response from governments,” he said. “To do this, however, requires a task force that can respond in a way that we have not seen before in cybersecurity.”

He explained if governments wanted to defend their and their allies’ infrastructures—commercial or not—then reducing ransomware across the globe is paramount.

Alex Ondrick, director of security operations at BreachQuest, an incident response specialist, noted that information-sharing and trust-building between government and private business is long overdue by at least a decade, but that initiatives such as JRTF could improve upon a growing private-public partnership.

“Governments have come to increasingly rely on the private sector, yet governments are only just beginning to reciprocate information-sharing,” he said. “Given new legislation and interest, CISA’s JRTF has an opportunity to increase the lines of communication and improve information-sharing.”

Ondrick added that an increasingly decentralized ransomware threat landscape has created an opportunity for more ransomware-as-a-service (RaaS) attackers and more ransomware attacks overall. 

“Ransomware has become a key fixture of cybercrime as we move towards a post-COVID-19 world, and ransomware—as related to critical infrastructure—continues to evolve,” he said. “Preventing a ransomware attack against critical infrastructure is of the utmost seriousness and urgency.”

Regarding the DoJ’s initiative tackling illegal cryptocurrency transfers, Warner pointed out that the nature of blockchain—and therefore, cryptocurrencies—means every transaction is available for the world to see.

“While attackers will try to move this money around through tumblers, in the end, it must end up somewhere to convert to usable currency,” he said. “Government and NGO initiatives have the opportunity to track cryptocurrency use and look for clusters of ransomware payments being funneled through the blockchain.”

If the target wallets and/or transfers in and out of these potential ransomware wallets can be identified, then governments can disrupt the actors by seizing cryptocurrency from them—this was the case when the U.S. seized $30 million in cryptocurrency from the NetWalker ransomware group in early 2021.
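To make the tracing idea concrete, here is an added example (not DoJ, FBI or any chain-analysis vendor's code) that follows funds out of a suspected ransom wallet across a small constructed ledger and looks for the converging pattern described above: several victims' payments sweeping into one collector address before heading through a mixer to exchange deposit addresses. Every address, amount and the exchange labels are invented for the illustration.

```python
from collections import defaultdict, deque

# Constructed ledger for illustration: (tx_id, from_addr, to_addr, amount_btc).
# Three victims pay three separate payment addresses, which sweep into one
# collector; the collector pushes everything through a mixer and out to two
# exchange deposit addresses. t12 is unrelated background traffic.
LEDGER = [
    ("t1", "victimA", "pay1", 2.0),
    ("t2", "victimB", "pay2", 1.5),
    ("t3", "victimC", "pay3", 3.0),
    ("t4", "pay1", "collector", 2.0),
    ("t5", "pay2", "collector", 1.5),
    ("t6", "pay3", "collector", 3.0),
    ("t7", "collector", "mixer_in", 6.5),
    ("t8", "mixer_in", "mixer_out1", 3.2),
    ("t9", "mixer_in", "mixer_out2", 3.2),
    ("t10", "mixer_out1", "exchangeX_deposit", 3.2),
    ("t11", "mixer_out2", "exchangeY_deposit", 3.2),
    ("t12", "shopper", "merchant", 0.1),
]
# Assumed attribution data: addresses an analyst has labelled as exchange
# deposit addresses, i.e. the point where funds meet KYC and can be seized.
KNOWN_CASHOUT = {"exchangeX_deposit", "exchangeY_deposit"}


def outgoing_edges(ledger):
    """Adjacency list keyed by sender: addr -> [(receiver, amount, tx_id), ...]."""
    out = defaultdict(list)
    for tx_id, src, dst, amount in ledger:
        out[src].append((dst, amount, tx_id))
    return out


def trace_forward(ledger, seed, max_hops):
    """Breadth-first walk following money OUT of `seed` for up to `max_hops`
    transfers. Returns {address: hop_distance}, with the seed at distance 0."""
    out = outgoing_edges(ledger)
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if dist[addr] >= max_hops:
            continue
        for dst, _amount, _tx in out[addr]:
            if dst not in dist:
                dist[dst] = dist[addr] + 1
                queue.append(dst)
    return dist


def cashout_points(ledger, seed, max_hops, known_cashout=KNOWN_CASHOUT):
    """Labelled cash-out addresses reachable from `seed` within `max_hops`."""
    reach = trace_forward(ledger, seed, max_hops)
    return sorted(addr for addr in reach if addr in known_cashout)


def find_collectors(ledger, victim_addrs, max_hops=2, min_sources=2):
    """Addresses where funds from at least `min_sources` distinct victims converge
    within `max_hops` of each victim: the cluster that marks a shared operator."""
    sources = defaultdict(set)
    for victim in victim_addrs:
        for addr, hops in trace_forward(ledger, victim, max_hops).items():
            if hops > 0:
                sources[addr].add(victim)
    return {addr: sorted(v) for addr, v in sources.items() if len(v) >= min_sources}


def inflow(ledger, addr):
    """Total amount ever received by `addr`; an upper bound on what a seizure
    of that address could recover."""
    return sum(amount for _tx, _src, dst, amount in ledger if dst == addr)


if __name__ == "__main__":
    victims = ["victimA", "victimB", "victimC"]
    print("collectors:", find_collectors(LEDGER, victims))
    print("cash-out from collector:", cashout_points(LEDGER, "collector", 4))
    print("collector inflow:", inflow(LEDGER, "collector"))
```

On a real chain the same walk is complicated by change outputs, CoinJoin transactions and exchange hot wallets that mix thousands of customers' funds, which is why the hop limit and the labelled cash-out set matter: without them the forward trace quickly reaches most of the graph.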

“Ransomware will only continue to grow, as will new attacks leveraged by ransomware, which means that not only the government but also all private entities must level up quickly to defend properly,” Warner said. 


Tags: CISA, Ransomware Protection Playbook, Ransomware Task Force

Mar 21 2022

Hacker leaked a new version of Conti ransomware source code on Twitter

Category: Ransomware | DISC @ 8:06 am

A Ukrainian security researcher has leaked more source code from the Conti ransomware operation to protest the gang’s position on the conflict.

The hacker leaked a new version of the Conti ransomware source code on Twitter in retaliation for the gang's support of the Russian invasion of Ukraine.


The leak will have a significant impact on the gang's operation, not least because many of Conti's affiliates are themselves Ukrainian groups.

Earlier, the same Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support for Russia; he had gained access to the backend of the group's XMPP chat server.

In a second round, he leaked older source code for the Conti ransomware encryptor, decryptor and builder, along with the administrative panel and the BazarBackdoor API. That older Conti source code is dated September 15th, 2020.

The ransomware source code came in a password-protected archive; the researcher did not publish the password, but another expert cracked it and shared it.

Public availability of the source code could seriously disrupt the Conti operation, because security researchers can reverse engineer it to determine how it works and, if the cryptographic implementation turns out to be flawed, develop a working decryptor. Having the source does not by itself break sound encryption; what it does expose is the build process, the configuration format and the operators' tradecraft.

On the other side, other threat actors can reverse engineer it to develop their own version of the threat, which opens up worrying scenarios.

Now the Ukrainian security researcher has leaked newer source code from the Conti operation, dated January 25th, 2021, so more recent than the previous leak. According to BleepingComputer, the leaker, posting as Conti Leaks, uploaded the source code for Conti version 3 to VirusTotal and shared the link on Twitter.

“The source code compiles without error and can be easily modified by other threat actors to use their own public keys or add new functionality.” reported BleepingComputer. “BleepingComputer compiled the source code without any issues, creating the cryptor.exe, cryptor_dll.dll, and decryptor.exe executables.”


Tags: Conti ransomware, Ransomware Protection Playbook

Feb 24 2022

Iranian Broadcaster IRIB hit by wiper malware

Category: Ransomware | DISC @ 9:20 am

Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January, revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.

Researchers from Check Point who investigated the attack reported that the attackers used wiper malware to disrupt the state's broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence that demonstrates a previous use of these tools, or attribute them to a specific threat actor.

During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO, also known as MEK) leaders Maryam and Massoud Rajavi along with the image of Ayatollah Khamenei crossed out with red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!”

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe files, drives and the MBR on the infected devices, making them unusable.

The malware can also clear Windows Event Logs, delete backups, kill processes and change users' passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.
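The behaviours listed above suggest a simple host-level correlation. The following is an added example (not Check Point's tooling or the malware itself): it parses a constructed, simplified event-log format and alerts when several distinct wiper-style actions cluster on one host inside a short window. The Windows event IDs (1102/104 for log clearing, 4723/4724 for password changes, 4688 for process creation), the command-line patterns for backup deletion and process killing, the window size and the sample lines are all my assumptions; the report lists the behaviours, not the events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour classes taken from the Check Point description above, mapped to
# the Windows Security/System event IDs a defender would watch. The IDs and
# command-line patterns are assumptions; the report does not list them.
CLASSIFIERS = [
    ("log_clearing", lambda eid, d: eid in (1102, 104)),
    ("password_change", lambda eid, d: eid in (4723, 4724)),
    ("backup_deletion", lambda eid, d: eid == 4688 and bool(
        re.search(r"vssadmin.*delete shadows|wbadmin.*delete catalog", d, re.I))),
    ("process_kill", lambda eid, d: eid == 4688 and bool(
        re.search(r"taskkill.*\s/f\b", d, re.I))),
]
WINDOW_SECONDS = 600   # assumption: how tightly the behaviours must cluster
MIN_CLASSES = 3        # assumption: distinct behaviours needed before alerting

# Constructed, simplified line format (not EVTX): "<iso-timestamp> host=<h> id=<n> <detail>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) id=(\d+) (.*)$")

# Constructed sample: one host shows kill, backup wipe, password reset and log
# clearing inside two minutes; the other shows two ordinary events hours apart.
SAMPLE_LOG = """\
2022-01-27T09:58:10 host=studio-pc7 id=4624 logon type=2 user=editor
2022-01-27T10:01:02 host=studio-pc7 id=4688 cmd="C:\\Windows\\System32\\taskkill.exe /F /IM playout.exe"
2022-01-27T10:01:05 host=studio-pc7 id=4688 cmd="vssadmin.exe delete shadows /all /quiet"
2022-01-27T10:01:40 host=studio-pc7 id=4724 target=editor
2022-01-27T10:02:15 host=studio-pc7 id=1102 The audit log was cleared
2022-01-27T10:30:00 host=hr-laptop3 id=4724 target=jsmith
2022-01-27T15:30:00 host=hr-laptop3 id=1102 The audit log was cleared
"""


def parse_line(line):
    """Return (timestamp, host, event_id, detail), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, eid, detail = m.groups()
    return datetime.fromisoformat(ts), host, int(eid), detail


def classify(eid, detail):
    """Names of every behaviour class the event matches (usually zero or one)."""
    return [name for name, match in CLASSIFIERS if match(eid, detail)]


def correlate(lines, window_seconds=WINDOW_SECONDS, min_classes=MIN_CLASSES):
    """Per host, look for at least `min_classes` distinct wiper behaviours inside
    one sliding window. Returns {host: sorted classes seen in the first such window}."""
    window = timedelta(seconds=window_seconds)
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, eid, detail = rec
        for cls in classify(eid, detail):
            per_host[host].append((ts, cls))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _cls) in enumerate(events):
            seen = {c for t, c in events[i:] if t - t0 <= window}
            if len(seen) >= min_classes:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, classes in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {', '.join(classes)}")
```

Any one of these events is routine in legitimate administration, which is why the rule demands three distinct classes in a ten-minute window rather than firing on a single password reset or log clear; tune the window and the class set to the environment, and remember that a wiper that succeeds also destroys the local log, so the lines must be forwarded off-host to be of use.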

Iranian officials attribute the attack to MEK; the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.” the researchers conclude.


Tags: Iran, Ransomware Protection Playbook, wiper malware

Feb 11 2022

Spyware, ransomware and Nation-state hacking: Q&A from a recent interview

Category: Ransomware, Spyware | DISC @ 9:56 am

I transcribed a recent interview; here are some questions and answers about nation-state hacking, spyware, and cyber warfare. Enjoy.

How has spyware changed the rules of cyber security in recent years? What will cyber security look like now that those tools are all over the internet?

In the last decade, we have observed a progressive weaponization of cyberspace. NATO recognized cyberspace as a new domain of warfare. Cyberspace is the new battlefield for nation-state actors, the digital place where international crime rings operate threatening the pillars of our digital society.

Spyware is a powerful weapon in the arsenal of governments and cybercrime gangs. These tools are ever more sophisticated and are able to evade detection by using so-called zero-day exploits, allowing attackers to bypass the defenses of government organizations and businesses. Spyware allows attackers to steal sensitive information from the targets and perform a broad range of malicious activities.

Is the Pegasus spyware a game-changer?

Pegasus is probably the most popular surveillance software on the market; it has been developed by the Israeli NSO Group. Anyway, it is not the only one. Many other surveillance firms develop spyware that is abused every day in dragnet surveillance and to target journalists, dissidents, and opponents of totalitarian regimes. This software is developed for law enforcement and intelligence agencies, but it is often abused by many governments worldwide in cyber espionage operations. The surveillance business is growing in the dark and is becoming very dangerous.

Which devices are used for cyber warfare and cyber espionage?

Every technological device can be abused for cyber warfare and cyber espionage. Malware and spyware are the most common means, but do not forget the power of social network platforms, which can be used for surveillance and misinformation purposes.

Many governments have fallen victim to massive ransomware attacks from groups linked to organized crime, how bad can this new trend of hacking get?

Every day we read about major attacks targeting organizations worldwide with severe impact on their operations. The situation is getting worse despite the numerous law enforcement operations on a global scale. The number of ransomware attacks spiked in the last couple of years due to the implementation of the Ransomware-as-a-Service model; this means that tens of ransomware gangs have created networks of affiliates and provided them with their malware. Almost any criminal group can become an affiliate, obtain ransomware from a gang, and spread it, and this is amplifying the damage. Critical infrastructure is even more exposed to a new generation of threats that are more aggressive and sophisticated.

Reports are coming out linking North Korea to illegal online activities related to cryptocurrency. How are some governments using the Internet to threaten world peace in one way or another?

When dealing with nation-state actors you must consider the main motivation behind the attacks and distinguish the tactics, techniques, and procedures adopted by the different state-sponsored groups.

For example, China-linked nation-state actors are more focused on cyber espionage aimed at stealing intellectual property, while Russia-linked Advanced Persistent Threat groups often operate to destabilize the political context of foreign states, carry out cyber espionage activities, and conduct disinformation campaigns. North Korea-linked threat actors carry out financially motivated attacks against banks and cryptocurrency firms worldwide to steal funds to reinvest in their military industry.

What about the resilience of countries’ infrastructure to face such kind of war?

We need norms of state behavior in cyberspace and more information sharing on cyber threats. We need to share information about attacks at an early stage, profiling the threat actors in order to mitigate and prevent their campaigns. It is essential to increase the level of security of critical infrastructure like power grids, power plants and hospitals. Critical infrastructure is the main target of nation-state actors in a cyber warfare context.

Is making the internet a safe place technically possible?

Let me use the title of a famous book, “No Place to Hide”. I mean that both nation-state actors and cybercriminal organizations are spending a growing effort to increase their hacking capabilities and evasion techniques. Unfortunately, today most organizations still consider cybersecurity a cost to cut, and this approach gives the attackers an immense advantage. We need a cultural change, and we must consider that a security-by-design approach is the only way to make the Internet a safe place. We also need globally recognized norms of responsible state behavior in cyberspace.

The Hacker and the State

The Cyberweapons Arms Race

Tags: Nation-state hacking, Ransomware Protection Playbook, Spyware, The Cyberweapons Arms Race, The Hacker and the State

Jan 28 2022

Deadbolt ransomware hits more than 3,600 QNAP NAS devices

Category: Information Security, Ransomware | DISC @ 3:41 pm

More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.

Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.

The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.

According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin (about $1,100) to receive a decryption key for their files, while in a second note the hackers demand 5 Bitcoin (about $1.86 million) from QNAP to reveal details of the supposed zero-day vulnerability they have been using to attack its users, and another 50 Bitcoin (about $18.6 million) to release a master decryption key that unlocks all of the victims’ files.

For its part, QNAP was quick to formally acknowledge the attacks in a blog post on Wednesday, hours after hundreds of users started flocking to its support forum to report finding their files encrypted.

In the first days after the attack, the company told users to disconnect devices from the internet and, if that is not possible, at least to disable port forwarding and UPnP on their routers, so that attackers cannot reach the NAS from outside.
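As an added illustration (not QNAP's tooling and not code from the post), the scan below walks a directory tree such as a mounted NAS share and flags the indicators described above: files renamed with the .deadbolt extension, content that looks encrypted (Shannon entropy close to 8 bits per byte), and a small text file that reads like a ransom note. The entropy threshold, the note keywords and the demo files are assumptions I constructed for the example, not values taken from the post.

```python
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".deadbolt"                # the extension reported in the post
ENTROPY_THRESHOLD = 7.5                 # assumption: bits/byte above which content looks encrypted
SAMPLE_BYTES = 64 * 1024                # only the first 64 KiB of each file is examined
NOTE_KEYWORDS = ("bitcoin", "decrypt")  # assumption: a small text file containing both reads as a note
NOTE_MAX_BYTES = 16 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(data: bytes) -> bool:
    """Heuristic ransom-note test: short UTF-8 text that mentions every NOTE_KEYWORD."""
    if len(data) > NOTE_MAX_BYTES:
        return False
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return all(k in text for k in NOTE_KEYWORDS)


def scan_tree(root: str) -> dict:
    """Walk `root` and bucket files by indicator, as paths relative to `root`.

    'renamed' is the strongest single signal. 'high_entropy' on its own is only a
    prompt to look: zip, jpeg and legitimately encrypted files score just as high."""
    hits = {"renamed": [], "high_entropy": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue
            if name.lower().endswith(RANSOM_EXT):
                hits["renamed"].append(rel)
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                hits["high_entropy"].append(rel)
            if looks_like_note(head):
                hits["notes"].append(rel)
    for bucket in hits.values():
        bucket.sort()
    return hits


def verdict(hits: dict) -> str:
    """Triage: renamed files plus a note or encrypted-looking content is the Deadbolt pattern."""
    if hits["renamed"] and (hits["notes"] or hits["high_entropy"]):
        return "likely-ransomware"
    if hits["renamed"] or hits["notes"]:
        return "suspicious"
    return "clean"


def make_demo_tree() -> str:
    """Constructed sample share (not real victim data): two 'encrypted' files, a note, a normal file."""
    root = tempfile.mkdtemp(prefix="nas-demo-")
    os.mkdir(os.path.join(root, "photos"))
    uniform = bytes(range(256)) * 16  # exactly 8.0 bits/byte, standing in for ciphertext
    samples = {
        "report.docx.deadbolt": uniform,
        os.path.join("photos", "holiday.jpg.deadbolt"): uniform,
        "README.txt": b"All your files have been encrypted. Send 0.03 Bitcoin to decrypt them.",
        "todo.txt": b"meeting at 10, bring the slides\n" * 50,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    result = scan_tree(target)
    for bucket, paths in result.items():
        print(f"{bucket} ({len(paths)}):", *paths, sep="\n  ")
    print("verdict:", verdict(result))
```

Run it against a share with no arguments to see the constructed demo, or pass a mount point to scan a real volume; keep in mind that reading every file touches access times and can be slow on a large NAS, so in an incident the renamed-extension check alone is the quick first pass.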




Tags: Deadbolt ransomware, QNAP NAS, Ransomware Protection Playbook

Dec 24 2021

Anti-Ransomware Checklist

Category: Ransomware | DISC @ 12:41 pm




Tags: ransomware, ransomware checklist, Ransomware Protection Playbook

Dec 09 2021

ALPHV BlackCat – This year’s most sophisticated ransomware

Category: Ransomware | DISC @ 10:29 pm


Tags: Ransomware Protection Playbook

Nov 03 2021

A ransomware reality check for CISOs

Category: CISO, Ransomware, vCISO | DISC @ 10:00 pm

The dilemmas organizations must deal with are dizzying:

  • To pay a ransom or not?
  • Will cyber insurance provide adequate shelter?
  • What’s the role of government?
  • Are new mandates and penalties on the horizon?
  • How are adversaries evolving their tactics?

To make sense of it all, let’s first focus on the adversaries and their playbook. Cyber criminals have a well-developed business model and carefully contemplated financial calculus of ransomware. They have determined whether they will launch a direct attack to maximize profits or offer Ransomware-as-a-Service, complete with a help desk and other support services, to supplement their income while enabling malicious actors with less technical skill.

They have researched their victims and targeted organizations based on their ability to pay. All these tactics are developed and executed in concert to make paying the ransom the path of least resistance – financially and logically.

Every aspect of a ransomware campaign is calculated to elicit an emotional response from the target such that it is easier to pay the ransom than to bear the costs and delays of trying to recover on their own.

Let’s start with what we shouldn’t do


Tags: CISO, ransomware attacks, Ransomware Protection Playbook, vCISO

Sep 29 2021

How to Mitigate the Top 4 Ransomware Vectors

Category: RansomwareDISC @ 9:44 am

The ransomware economy is booming. Ransomware gangs are so successful that if cybercriminals were companies, some would be considered “unicorns.” Organized crime syndicates have taken over this highly lucrative extortion racket and are now running the ransomware economy at an industrial scale. The U.S. is reportedly hit by seven ransomware attacks every hour, with ransomware demands expected to hit $20 billion this year and $265 billion in ten years.

Top Infection Vectors of a Ransomware Attack

Cybercriminals need a delivery system that drops the ransomware payload on the target machine. Once this malware infiltrates your network, it takes over and can perform several damaging actions such as file encryption, credential hijacking, data exfiltration and even deletion or corruption of your backups. Recognizing and fortifying defenses against such infection vectors is key to a proactive ransomware defense. Cybercriminals continue to evolve their vectors in line with changes in internet use and technology; however, here are the top four infection vectors:

How to Mitigate the Top 4 Ransomware Vectors


Tags: Ransomware Protection Playbook

Aug 24 2021

Three reasons why ransomware recovery requires packet data

Category: Information Security,RansomwareDISC @ 9:13 am

Companies also need to consider carefully their ability to respond to and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery that’s often overlooked is having access to the stored packet data from the lead-up to, and the execution of, the ransomware attack itself.

High-quality packet data is important for ransomware recovery in three critical ways: (a) for determining how far back to restore from backup; (b) for creating a record of the attack for incident response (especially for legal and compliance reporting); and (c) for analyzing the attack itself to prevent it from happening again.

How far back should we restore from?
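As an added example that is not from the original article, the Python below shows one way to turn stored packet data into the restore decision the text describes. Flow summaries (constructed here, not real traffic) are searched for the first contact with an indicator identified during the investigation (the hypothetical address 203.0.113.77), the internal hosts involved are listed, the bytes sent to that address are totalled for the incident record, and the latest backup snapshot taken a safety margin before that first contact is selected.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed flow summaries standing in for what an analyst would derive from
# stored packet data (timestamp, source, destination, port, bytes). Not real traffic.
FLOW_CSV = """ts,src,dst,dport,bytes
2021-08-10T09:12:05Z,10.0.0.21,10.0.0.5,445,8192
2021-08-11T22:41:17Z,10.0.0.21,203.0.113.77,443,1456
2021-08-11T22:41:19Z,10.0.0.21,203.0.113.77,443,904112
2021-08-12T03:05:40Z,10.0.0.34,203.0.113.77,443,1502
2021-08-13T01:10:02Z,10.0.0.34,10.0.0.5,445,73400320
"""

# Constructed indicator: the staging/C2 host identified during the investigation.
INDICATORS = {"203.0.113.77"}

# Constructed nightly snapshot schedule for the file server.
SNAPSHOTS = [
    "2021-08-09T02:00:00Z", "2021-08-10T02:00:00Z", "2021-08-11T02:00:00Z",
    "2021-08-12T02:00:00Z", "2021-08-13T02:00:00Z",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_flows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": parse_ts(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "bytes": int(r["bytes"])})
    return rows


def first_contact(flows, indicators):
    """Earliest flow to any indicator, the internal hosts involved, and the total
    bytes sent to the indicators (a first estimate of what left the network)."""
    hits = [f for f in flows if f["dst"] in indicators]
    if not hits:
        return None, set(), 0
    return (min(f["ts"] for f in hits),
            {f["src"] for f in hits},
            sum(f["bytes"] for f in hits))


def choose_restore_point(snapshots, first_seen, margin=timedelta(hours=24)):
    """Latest snapshot taken at least `margin` before the first malicious contact.
    The margin allows for activity that preceded the first flow we could attribute."""
    cutoff = first_seen - margin
    candidates = [parse_ts(s) for s in snapshots if parse_ts(s) <= cutoff]
    return max(candidates) if candidates else None


def plan(flow_text=FLOW_CSV, indicators=INDICATORS, snapshots=SNAPSHOTS):
    flows = load_flows(flow_text)
    first_seen, hosts, exfil_bytes = first_contact(flows, indicators)
    restore = choose_restore_point(snapshots, first_seen) if first_seen else None
    return {"first_seen": first_seen, "affected_hosts": sorted(hosts),
            "bytes_to_indicators": exfil_bytes, "restore_point": restore}


if __name__ == "__main__":
    for key, value in plan().items():
        print(f"{key}: {value}")
```

The restore point is the last snapshot at least 24 hours before the earliest attributable contact, which here discards the 11 August snapshot even though encryption did not start until the 13th. The 24-hour margin is an assumption; widen it when the earliest indicator is weak or when the capture window has gaps.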


Tags: Ransomware Protection Playbook, ransomware recovery

Jun 28 2021

Navigating the complexity of ransomware negotiations

Category: RansomwareDISC @ 2:29 pm

Ransom negotiation protocol checklist

First and foremost, before communications can begin, you need to determine whether legal engagement with the threat actor is possible. How? An OFAC (Office of Foreign Assets Control) check must be run to see whether any data (e.g., IP addresses, language, system access) or metadata is associated with an entity on the U.S. sanctions list. If the answer is yes, communication with and ransom payments to the attacker are prohibited.

It’s relatively rare for data from an attack to match an entity on the list, because threat actors use tools to mask their identities (e.g., VPNs, proxy connections, language translation). If you know where to dig, though, it’s not impossible to discover pieces of information that help unmask them. For example, if a threat actor’s IP address places them in the Netherlands, but the executable files they dropped on compromised systems contain Russian-language strings, this could point to the attacker’s true location.
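As an added example, not from the article quoted here, the Python below sketches both steps the paragraphs above describe: screening indicators collected during the incident (a wallet address from the ransom note, the group name, a contact address) against a local sanctions list, and pulling Cyrillic strings out of a dropped binary. The sanctions entries, wallet strings and binary are all constructed and fictitious; a real screen would use the current OFAC list in whatever format the organisation’s compliance tooling ingests.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SanctionsEntry:
    name: str
    program: str
    aliases: tuple = ()
    crypto_addresses: tuple = ()


# Constructed, deliberately fictitious entries standing in for a local copy of the
# OFAC SDN list. No real designation is reproduced here.
SANCTIONS = [
    SanctionsEntry("EXAMPLE GANG ALPHA", "CYBER2",
                   aliases=("ALPHA GROUP", "ALPHAGANG"),
                   crypto_addresses=("WALLET-ALPHA-0001",)),
    SanctionsEntry("EXAMPLE EXCHANGE BETA", "CYBER2",
                   crypto_addresses=("WALLET-BETA-0001", "WALLET-BETA-0002")),
]


def normalize(s):
    """Fold case and drop punctuation/spacing so 'Alpha Gang' matches 'ALPHAGANG'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def screen(indicators, entries=SANCTIONS):
    """Return (indicator, listed name, matched field) for every hit. Screening
    deliberately errs toward over-matching; every hit still needs legal review."""
    matches = []
    for ind in indicators:
        n = normalize(ind)
        for e in entries:
            names = {normalize(e.name)} | {normalize(a) for a in e.aliases}
            addrs = {a.lower() for a in e.crypto_addresses}
            if n in names:
                matches.append((ind, e.name, "name"))
            elif ind.strip().lower() in addrs:
                matches.append((ind, e.name, "crypto_address"))
    return matches


# Three or more consecutive characters from the Cyrillic block.
CYRILLIC_RUN = re.compile(r"[\u0400-\u04FF]{3,}")


def cyrillic_strings(blob):
    """Pull runs of Cyrillic text out of a binary, trying both encodings that
    Windows executables commonly carry (UTF-8 and UTF-16LE)."""
    found = set()
    for enc in ("utf-8", "utf-16le"):
        found.update(CYRILLIC_RUN.findall(blob.decode(enc, errors="ignore")))
    return sorted(found)


# Constructed stand-in for a dropped executable: an MZ header fragment followed by
# a UTF-16LE error message and a UTF-8 string.
SAMPLE_BLOB = (b"MZ\x90\x00"
               + "Ошибка открытия файла".encode("utf-16le")
               + b"\x00\x00" + b"done"
               + "Запуск".encode("utf-8"))


if __name__ == "__main__":
    print(screen(["Alpha Gang", "WALLET-BETA-0002", "support@example.invalid"]))
    print(cyrillic_strings(SAMPLE_BLOB))
```

Language strings are a clue, not proof: build tooling is shared across regions and a careful actor can plant misleading strings, so the result feeds the sanctions question and the attribution picture together with the other evidence, never alone.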

Once you’ve confirmed that legal engagement with the threat actor can proceed, you must weigh your answers to the following questions:

  • Is my data backed up and accessible on the network?
  • If not, can I rebuild the data from scratch?
  • If the stolen data is shared publicly, how will this impact the company?
  • Will my business survive if I don’t pay?

Source: Navigating the complexity of ransomware negotiations

Ransomware Protection Playbook

No cybersecurity plan will ever be perfect, no defense is impenetrable. With the dangers and costs of a successful ransomware attack on an organization increasing daily, it is important for cybersecurity and business leaders to have a prevention and recovery plan before disaster strikes.

In Ransomware Protection Playbook, experienced penetration tester and cybersecurity evangelist Roger Grimes lays out the steps and considerations organizations need to have in place, including technical preventative measures, cybersecurity insurance, legal plans, and a response plan. From there he looks at the all-important steps to stop and recover from an ongoing attack, starting with detecting the attack, limiting the damage, and what’s becoming a trickier question with every new attack: whether or not to pay the ransom.

No organization with mission-critical systems or data can afford to be unprepared for ransomware. Prepare your organization with the Ransomware Protection Playbook.

Tags: ransomware negotiations, Ransomware Protection Playbook

Jun 22 2021

Ransomware: What REALLY happens if you pay the crooks?

Category: Cyber Insurance,RansomwareDISC @ 1:49 pm

Governments and law enforcement hate it when ransomware victims pay the blackmail demands that almost always follow a ransomware attack, and you can understand why, given that today’s payments fund tomorrow’s cybercriminality.

Of course, no one needs to be told that.

Paying up hurts in any number of ways, whether you feel that hurt in your head, in your heart or even just in the pit of your stomach.

“I was happy to pay up for a job well done,” said no ransomware victim ever.

However, it’s easy for people who aren’t looking down the wrong end of the cybercrime barrel to say, “You should never, ever pay. You should let your entire business implode, and let everyone in the company lose their job, because that’s just the price of failure.”

So, if your back’s against the wall and you DO pay up in the hope that you’ll be able to restart a business that has ground to a total halt…

…how well will it all go?

Guess what? You can find out by tuning into a fun but informative talk that we’re giving twice this week.

Catch us online on Wednesday 23 June 2021 at the SC Annual Digital Congress, at 14:15 UK time (UTC+1), or on Thursday 24 June 2021 at the Sophos Break a Hacker’s Heart online event, at 11:00 UK time (UTC+1).

You need to register, but both events are free to join. (They’re both 100% virtual, given that the UK is still in coronavirus lockdown, so feel free to attend from anywhere.)

We’ll give you a clue by sharing a key slide from the talk:

As you can see, paying up often doesn’t work out very well anyway, even if you have no ethical qualms about doing so, and enough money burning a hole in your pocket to pay without flinching.

And remember that if you lose 1/3 of your data, like 1/2 of our respondents said they did, you don’t get to choose which computers will decrypt OK and which will fail.

Murphy’s law warns you that the laptops you could have reimaged easily enough will probably decrypt just fine, while those servers you really meant to back up but didn’t… probably won’t.

We’re going to try to make the talk amusing (as amusing as we dare be when talking about such a treacherous subject), but with a serious yet not-too-technical side.

We’ll be giving some tips you can use both at work and at home to reduce the risk of getting ransomed in the first place.


Tags: ransomware attacks, Ransomware elearning, Ransomware Protection Playbook