The Anatomy Of A Sophisticated, Large-Scale Ransomware Attack

By Michelle Drolet

Founder & CEO

Ms. Drolet is responsible for all aspects of business for Towerwall. She has more than 24 years of,


One of the biggest challenges of working in cybersecurity is that you’re facing an enemy who learns and adapts. Cybercriminals can be very organized, they cooperate, and they’re constantly working to develop new techniques and strategies that will breach your defenses. They’re also growing increasingly adept at sniffing out the best opportunities to extract maximum profit, and ransomware is an essential weapon in their arsenal that has seen a recent spike in usage.
According to Malwarebytes (via Dark Reading), ransomware attacks on businesses increased 195% in the first quarter of 2019 and detections are up by 500%. That latter statistic brings the 2018 decline into question. Hackers are now choosing targets more carefully, biding their time and allowing infections to spread, and then striking on as large a scale as possible.

Multi-Stage Attacks

There’s a thriving trade in malware. Criminals can buy all kinds of different tools, complete with customer support, off the shelf and then employ them to infect different targets. There are even resources nowadays to purchase access to an infected group of machines. It’s no longer necessary for one group to target a company and carry out a complete attack — different groups of criminals can coordinate and complete stages separately.
The first stage in a modern, large-scale ransomware attack could begin with a hacker infecting a network using a Trojan like Emotet and then waiting patiently for that infection to spread. Emotet was originally designed as a banking Trojan to steal credit card details, but it is increasingly being pressed into service to spread other strains of malware — particularly ransomware.
The hacker then sells the infected network to another criminal. Because the potential profit grows with the infection, this new player waits weeks, months or possibly even years for that infection to spread. The wider it spreads, the more difficult it will be to trace the infection site later and the harder it will be to defend against the pending ransomware attack.
When they’re satisfied that the infection has a stronghold on the victim’s network, the criminal will wait for a quiet period — say, a weekend during the holiday season — and they’ll start to inject a ransomware strain that may have been tailor-made for the target. Before the victim knows what’s happening, their entire system is frozen, and the only way out is to pay the ransom.

Choosing Targets Carefully

Cybercriminals always target the low-hanging fruit. Large organizations with lots to lose and subpar defenses are obviously desirable prey, and that’s why many state and local governments are being attacked. One recent study was able to identify 169 ransomware incidents affecting state and local governments since 2013. Given that these kinds of incidents often go unreported, we can only guess at the true scale of this problem.
Local governments are attractive targets because they hold a lot of potentially valuable data, they’re increasingly moving systems online, they’re often slow to update and patch systems, and they don’t spend enough on robust security. Because these ransomware attackers are patient, there’s a real risk that more organizations and networks are already suffering from undetected infections that will eventually become full-blown ransomware attacks.

Defending Against Ransomware

All these incidents, from the biggest ransomware attacks to the smallest ones that sometimes go unnoticed, begin in much the same way — with an infection that goes undetected and spreads. Even though relatively new strains of ransomware like Ryuk are more targeted — hitting organizations like newspapers, which can’t tolerate downtime, or striking during the holidays when staff are away — they typically gain access in the same way as any other piece of malware.
Most likely, a ransomware attack will start with a phishing email or a smishing or vishing scam. We’ve looked at tips to help you prevent ransomware before, and that advice is still solid. Part of the issue here is that the initial infection, which will eventually play host to a ransomware attack, may have already happened. That’s why setting up security awareness training now may not be enough. You also need to look into endpoint detection and ensure that you have built a really strong security posture.
Another tactic to consider is to generously share cyberattack information. Traditionally, victims of large-scale ransomware attacks, whether private companies scared of reputational damage or local governments worried about the next round of political elections, have not been truly transparent. But by sharing details of attacks and strategies to combat ransomware, we increase our chances of beating it.
Ultimately, there’s no fail-safe way of preventing a ransomware attack, especially for a large organization that has a lot of employees and a wide potential attack surface. That’s why you need to draw up a robust incident response plan and work out how to respond to a ransomware attack should the worst happen.

This article was originally posted on Forbes.com.