[By James Allman-Talbot, Head of Incident Response and Threat Intelligence at Quorum Cyber]
According to IBM, the global average cost of a data breach in 2023 was 4.45 million, which was a 15% increase over three years. Microsoft notes that “the U.S. was the target of 46 percent of cyberattacks in 2020, more than double any other country.” Cyberattacks present an additional challenge for IT departments; they must translate cyber risks into operational and business risks so that there is an understanding at the board level. Those who understand “1s & 0s”need to explain to those who work in “dollars & cents” that the cyber-criminal world is evolving into a multi-tiered business structure that rivals their corporate structures with a sophisticated org-chart consisting of:
-
Access Brokers focused on finding organizations with vulnerabilities, compromising networks, and probing for the easiest way into them. Once identified, they sell these prospects as a package to cybercriminal groups.
-
Developers that build Ransomware-as-a-Service (RaaS) tools to hire out to other bad actors.
-
Front Men that purchase the access information and acquire RaaS tools, a third group (the Front Man) will move into the network, steal or encrypt data, execute the ransomware payload, and demand the ransom.
In a recent survey by CyberEdge Group, 78% of ransomware victims reported having experienced multiple vectors of extortion. These well-structured cyber-criminal organizations can launch ransomware extortion in four typical stages:
Stage 1: The ransomware attackers commonly gain access through phishing emails, software vulnerabilities, or compromised credentials. Once breached, a complete, ordered listing of all the system’s items begins. Lateral movements are made to other devices until an endpoint has been reached – having infected as many devices as possible. At this point, malware is implemented, resulting in data encryption or being blocked from accessing files. Demands are then placed on the organization as a ransom to be paid so that a decryption key can be provided.
Stage 2: Before a demand for payment can be made, a copy of the victimized organization’s data is transported to the attacker’s servers. A threat is then leveled. Ransom must be paid, or the hostage company’s data will be released to the public. If release happens, fines could be levied by regulatory agencies.
Stages 3 & 4: The threat actor often bullies the victimized organization by scaring them with a promise to release third-party data or implement a distributed denial-of-service (DDoS) attack. This attack is designed to disrupt the server by overwhelming it or its surrounding infrastructure with a torrent of internet traffic meant to overwhelm the system.
However, a fifth extortion element is now added—the social media attack.
Social Media: Many, if not all, organizations have a social media component. Attackers now request ransoms that include payments to avoid posting damaging content on social media and ransoms to have access to your accounts returned. Damages via social media can be significant. Your brand reputation could take a hit due to posting false or offensive content. You risk legal ramifications if information such as customer data is released. Platform administrators could suspend or remove your accounts. Social media attacks could also launch further malware or phishing attempts, infecting your organization’s followers and customers. All of this potential damage necessitates a rebuilding of trust and recovery costs.
Practical Steps To Recover From A Ransomware Hit
Extortion efforts from bad actors will become more aggressive in response to the announcement from the International Counter Ransomware Initiative. However, all is not doom and gloom; there are practical steps to mitigate risks and recover faster. These steps entail the implementation of:
1. A Robust Cyber Security Framework
-
Maintain all vendor security patches for all appliances, applications, network devices, and operating systems.
-
Implement network segmentation to reduce the number of available lateral movement paths.
-
Implement and maintain strong access controls, adhering to the principle of least privilege; this will reduce the available data for threat actors to steal.
-
Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic and block malicious traffic.
2. Backup and Disaster Recovery
-
Perform regular backups.
-
Perform regular restoration tests of all backups taken to ensure their validity.
3. Threat Detection
-
Implement security information event management (SIEM) to report suspicious activity.
-
Monitor endpoint devices for suspicious or malicious behaviors using an endpoint detection and response (EDR) system, such as Microsoft Defender.
4. Incident Response Planning
-
Develop an incident response plan and supplementary playbooks that detail an organization’s actions in the event of a cyber incident.
-
Clearly define the roles and responsibilities of the cyber incident response teams (CIRT).
-
To ensure the incident response plan is fit for its purpose, it should be regularly tested, and lessons learned should be implemented.
5. Security Audits and Assessments
-
Conduct regular validation scanning to ensure configuration baselines and security patches are being applied appropriately.
-
Engage with independent third parties to perform periodic vulnerability assessment and penetration testing exercises to identify security flaws.
6. User Awareness and Training
-
Educate users on the risks of phishing emails, social engineering, and suspicious attachments or links.
-
Promote the use of multi-factor authentication throughout the organization.
Effective Methods Of Senior-Level Communication
One of the most effective methods of knowledge transfer is to put senior-level managers through the experience of a simulated cyber incident to educate them on the corporate roles and responsibilities when an attack occurs. Tabletop Incident Response exercises are an excellent way to ensure that plans, playbooks, and teams are thoroughly tested. By working closely with senior-level management, IT can help the C-suite understand each exercise and better prepare them for the eventual hack. The IT to C-suite knowledge transfer includes input from legal, finance, and other departments and external domain experts to establish a no-blame recovery game plan. This knowledge transfer is essential because many C-suite individuals don’t realize the downstream impact of a cyber attack, such as:
-
Business disruption due to any IT systems being out of action.
-
Getting technology up and running again (which could take days or weeks).
-
Defending lawsuits from clients.
-
Loss of clients.
-
Financial penalties from industry regulators.
-
Recruiting new personnel in the event of lawyers or other employees leaving due to any or all of the above.
In addition, the cyber defense issue is not solely predicated on bad actors becoming more sophisticated in their business acumen; it also involves these criminals constantly changing their tactics, techniques, and attack procedures.
Platform growth has aided cybercriminals by enabling them to leverage the skills and infrastructure of other bad actors to carry out compromised operations that they would ordinarily be unable to execute on their own.
Navigating the Future Landscape of Ransomware
Ransomware operators will likely apply triple and quadruple extortion strategies, enabling them to use more significant pressure against victims for payment, thereby improving their success rates. Extortion efforts will become more aggressive in the face of forty countries forming an alliance plan that involves signing a pledge not to pay ransoms to cybercriminals, aiming to eliminate their financial revenue stream.
Throughout 2024, ransomware operations will continue to expand in complexity as the technical capabilities of ransomware payloads continue to develop. This will allow threat actors to expand their attack surface and target additional operating system architectures, such as macOS and Linux.
While victims may be able to recover from the initial ransomware event, the additional layers of extortion are designed to exert maximum pressure to ensure that the ransom payment is ultimately paid. To mitigate the risk of ransomware, the best defense against bad actors remains vigilance, preparedness, and planning.
###
James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity, and has worked in various industries including aerospace and defense, law enforcement, and professional services. Over the years, he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations and has worked closely with board-level executives during incidents to advise on recovery and cyber risk management.
