The light from the computer screen replaces the candle-lit pumpkin, and from a virtual darkened room the IT equivalent of ‘Trick or Treat’ dynamically tests a website, ensuring its owners cannot ignore the doorbell or the knock from the penetration testing expert who robustly examines the infrastructure security against potential hacks.
The white hat hacker is armed with their hacking skills and toolsets, which include published security threats, web security vulnerabilities, social engineering, SQL injection, digital forensics, cryptography, Wireshark, and DoS attacks.
Red teams assume the role of attackers, trying to compromise the network and outwit the internal security operatives on the blue team, whose job is to keep the business’ systems safe.
Ethical hackers have reportedly received millions for disclosing security issues in Bug Bounty programmes, used by companies like Apple, Google and Microsoft. The UK’s Ministry of Defence (MoD) encourages hackers to report flaws discreetly, without fear of prosecution, instead of exploiting them. Offering sweets for the vulnerabilities found, as the householder does for the children at the door, is one solution.
Like the ‘trick or treaters’ holding the terrified to ransom on their doorstep, the virtual hacker deploys ransomware: malware that encrypts databases or applications so that victims cannot access their files, demanding a bitcoin ransom to release the victim’s (user’s/organisation’s) critical data.
Once paid, the blackmailer provides the key to regain access. This year, the world has incurred record-setting ransomware attacks on critical infrastructures, schools, and healthcare networks.
“Today’s thieves don’t even have to be tech savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds.”
Ransomware-as-a-service allows malware developers to earn money for their creations without the need to distribute their threats. Non-technical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. Some instances of ransomware-as-a-service use subscriptions while others require registration to gain access to the ransomware.
Organisations hit with a ransomware attack must act quickly to minimise damage and return to business as usual. Key actions include:
Ensure devices can be isolated quickly.
Stop the spread. Reaction time is key; it’s essential that you disconnect the affected device from the network, internet, and other devices as quickly as possible. The sooner you do so, the less likely it is that other devices will be infected.
Monitor to assess and minimise the damages.
Determine which devices have been infected, continuously checking for recently encrypted files with strange file extension names and looking for reports of users having trouble opening files. Visually inspect encrypted shares to determine whether one device has a much higher number of open files than usual; if so, you may have just found your ‘Patient Zero’.
Identify Patient Zero
As with any epidemic, tracking the infection becomes considerably easier once you’ve identified the source: Patient Zero.
Most ransomware enters networks through phishing attacks such as malicious email links and attachments, which require an end-user action. Finding the source is therefore partly social engineering in reverse: ask people about their activities (such as opening emails with poor spelling or incorrect domains, or clicking redirection links or buttons), since spotting these signs commonly demands attention to detail from the recipient.
Modern ransomware is increasingly sophisticated and resilient.
This matters especially when an organisation’s resilience or contingency plan for Disaster Recovery is to restore from full and incremental backups. Some ransomware can corrupt or encrypt backups, rendering them completely useless for organisations, or even spread the infection through them if the organisation fails to tightly control its environment.
No More Ransom has a suite of tools to help free data, including the Crypto Sheriff tool: just upload one of your encrypted files and it will scan to identify the ransomware and find a match. The information included in the ransom note usually spells out the ransomware variant directly; alternatively, a search engine query of the email address or the note itself helps. Once you’ve identified the ransomware, research its behaviour, and alert all unaffected employees as soon as possible so they’ll know how to spot the signs that they’ve become infected.
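The monitoring and Patient Zero steps above can be turned into a repeatable triage over file-share audit records. The following is an added example, not code from the original post or from DeeperThanBlue Unify; the record layout, host names, paths and the ‘.locked’ extension are constructed assumptions. It flags writes that stack an unknown extension on a normal one (report.xlsx.locked) or that look like ransom notes, counts them per host, and names the host that first produced one as the Patient Zero candidate; the extensions it collects are what you would then look up in the ransom note or with No More Ransom’s tools.

```python
"""Triage file-share audit records for signs of ransomware encryption and
rank hosts to find a Patient Zero candidate.

Added example for this post, not code from DeeperThanBlue Unify. The CSV
record layout, host names and the '.locked' extension are constructed
assumptions; real audit logs (NAS audit trails, Windows file auditing)
need their own parser.
"""
from collections import Counter
from datetime import datetime
import os

# Constructed sample: one "ISO timestamp,host,action,path" record per line.
SAMPLE_LOG = """\
2021-10-29T08:01:12,WS-HR-07,WRITE,/shares/hr/onboarding.docx
2021-10-29T08:03:40,WS-ACCT-03,WRITE,/shares/finance/Q3-report.xlsx.locked
2021-10-29T08:03:41,WS-ACCT-03,WRITE,/shares/finance/README_TO_RESTORE.txt
2021-10-29T08:03:42,WS-ACCT-03,WRITE,/shares/finance/budget.xlsx.locked
2021-10-29T08:03:43,WS-ACCT-03,WRITE,/shares/finance/invoices.pdf.locked
2021-10-29T08:05:10,WS-HR-07,WRITE,/shares/hr/policy.pdf
2021-10-29T08:09:55,WS-ENG-12,WRITE,/shares/eng/design.vsdx.locked
2021-10-29T08:09:56,WS-ENG-12,WRITE,/shares/eng/README_TO_RESTORE.txt
2021-10-29T08:12:00,WS-HR-07,WRITE,/shares/hr/backup.tar.gz
"""

# Extensions normally written to these shares (assumption; tune per estate).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "log",
                    "jpg", "png", "vsdx", "zip", "tar", "gz"}
# Words that ransom-note file names commonly carry (heuristic, not exhaustive).
NOTE_MARKERS = ("RESTORE", "DECRYPT", "RECOVER")
NOTE_EXTENSIONS = {"txt", "html", "hta"}


def parse_log(text):
    """Parse the constructed CSV-style records and return them sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split(",", 3)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "action": action, "path": path})
    records.sort(key=lambda r: r["ts"])
    return records


def has_unknown_double_extension(path):
    """'report.xlsx.locked': a normal extension followed by one we do not know.
    'backup.tar.gz' is left alone because .gz is an expected extension."""
    parts = os.path.basename(path).split(".")
    return len(parts) >= 3 and parts[-1].lower() not in KNOWN_EXTENSIONS


def is_ransom_note(path):
    """Text/HTML file whose name carries a typical ransom-note word."""
    stem, _, ext = os.path.basename(path).rpartition(".")
    return ext.lower() in NOTE_EXTENSIONS and any(m in stem.upper() for m in NOTE_MARKERS)


def is_suspicious(path):
    return has_unknown_double_extension(path) or is_ransom_note(path)


def triage(records):
    """Count suspicious writes per host and pick the earliest host as Patient Zero."""
    by_host = Counter()
    first_seen = {}
    extensions = set()
    notes = []
    for r in records:
        if r["action"] != "WRITE" or not is_suspicious(r["path"]):
            continue
        by_host[r["host"]] += 1
        first_seen.setdefault(r["host"], r["ts"])  # records are time-ordered
        if is_ransom_note(r["path"]):
            notes.append(r["path"])
        else:
            extensions.add(os.path.basename(r["path"]).rsplit(".", 1)[-1].lower())
    patient_zero = min(first_seen, key=first_seen.get) if first_seen else None
    return {
        "suspicious_by_host": by_host,
        "first_seen": {h: t.isoformat() for h, t in first_seen.items()},
        "patient_zero": patient_zero,
        "extensions": sorted(extensions),
        "ransom_notes": notes,
    }


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("Suspicious writes per host:", dict(result["suspicious_by_host"]))
    print("Patient Zero candidate:", result["patient_zero"],
          "first seen", result["first_seen"].get(result["patient_zero"]))
    print("Extensions to look up:", result["extensions"])
    print("Ransom notes found:", result["ransom_notes"])
```

The double-extension rule catches the common pattern of an encryptor appending its own suffix to the original name, while the known-extension allowlist keeps legitimate stacked extensions such as .tar.gz out of the count; the ransom-note heuristic is deliberately narrow and should be widened with the note names of any variant you identify.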
Happy Halloween from DeeperThanBlue Unify!
Ransomware Examples in 2021
Kaseya ‘Ransomware Apocalypse’: Kaseya’s VSA software was used to spread malware to dozens of the company’s customers.
Customers were managed service providers working with small businesses and government agencies with outsourced IT tasks.
The malware infected the MSPs’ customers, too, resulting in hundreds of businesses being affected.
The cybercriminal gang REvil demanded $70 million for a “universal decryptor” that would unlock all the frozen files.
By mid-July, however, the group disappeared after making a mess of truly global proportions.
SolarWinds: This attack gathered untold amounts of intelligence on the U.S. government and private sector by actors worming their way into the networks via compromised software.
The hack involved SolarWinds, Microsoft, and VMware, according to the Cybersecurity and Infrastructure Security Agency (CISA), together with 12 federal agencies, including the Department of Defense, the Department of Homeland Security, the Federal Aviation Administration, the judiciary, and NASA, among others. The hackers also allegedly wormed their way into the networks of major Fortune 500 companies.
Microsoft Exchange Hackathon: The discovery in March of a smattering of security flaws set off a global epidemic of cyberattacks. At the time, Bloomberg reported that the vulnerabilities in Exchange had possibly led to “at least 60,000 known victims globally,” around 30,000 of which were inside the U.S.
Many of the attacks were blamed on a group dubbed “HAFNIUM,” potentially located in China. However, the vulnerabilities set in motion close to a dozen different cybercrime groups reportedly pillaging vulnerable servers and implanting backdoors.