There has been a jump in ransomware since the pandemic began and many businesses have either suffered from an attack themselves or know someone in their supply chain who has become a ransomware victim. Ransomware-as-a-Service is also a fast-emerging threat so we spoke to Sean Tickle, Head of CyberGuard Technologies, to learn whether companies should pay the demand to end ransomware attacks or not, and what the cost of paying the demand could truly be.
How has ransomware grown in the last few years?
Sean Tickle: One of the most worrying trends of 2020 has been the increased level of ransomware attacks against the healthcare sector. In 2020 alone, more than 750 healthcare providers were impacted with collective recovery costs nearing $4 billion.
How often is ransomware due to human error, social engineering and password hacking?
Sean Tickle: Approximately 90% of malware attacks are down to human error, however surprisingly the vast majority of successful ransomware attacks are due to perimeter-based vulnerabilities (Firewalls/VPN’s etc) that are leveraged to then grant legitimate access to the network and begin their attack.
How long could hackers be dwelling before they are detected?
Sean Tickle: The amount of time a threat actor spends within the network before triggering the ransomware encryption stage is primarily based upon what their objectives are. Are they looking to extort the victim and carrying out a “Smash and Grab” so to make a quick payday, or are they going to be more methodical and delete/encrypt backup’s, encrypt Virtual Machines at the datastore level and exfiltrate large quantities of sensitive data.
You tend to find that the more of a total compromise of systems within the network is achieved the greater the ransom demanded, an example being a short ransomware attack that lasted 4-6 hours demanded £20,000, whereas an attack that lasted 24-48 hours exfiltrated approximately 50gb of sensitive data and demanded £200,000 for its decryption and an assurance that it would not be publicly disclosed upon their leak site.
What are the biggest business ransomware attacks in recent history?
Sean Tickle: The biggest (and latest) ransomware attacks relate to the Conti HSE attack that resulted in a significant loss of service for the Irish Health Service and the Darkside Colonial Pipeline, with the colonial pipeline attack resulting in a $4.4 million payout.
How these attacks are achieved are generally kept under lock and key when it comes to their points of initial access, however the threat actors TTP’s (Tactics, Techniques and Procedures) remain similar in their attacks over multiple of victims. For example the use of a Cobalt Strike beacon within the attack is well known and as such detection and response rules based on these TTP’s would already be in place. These TTP’s do change within threat actor groups however as long as the attacks are evaluated regularly and emerging threats are investigated properly then the “how” is generally known and can be managed.
What is the level of sophistication of ransomware attacks nowadays?
There are instances where threat actors are very noisy in their approach once initial access through leveraging vulnerabilities has been achieved and they would trigger multiple anti-virus alerts or security events on critical servers. The issue here however as lack of visibility of these events and without active monitoring the victim is not aware of these alerts until after the fact.
The “Smash and Grab” approach of leveraging a vulnerability, pivoting through systems attempting to drop malicious payloads and trigger manually, realising it is getting blocked by Traditional AV and simply killing that process and triggering the ransomware again and stealing data through the use of a cloud-based storage account of FTP service.
Whereas you also see sophisticated attacked where a VPN vulnerability would be leveraged and the threat actors would take a more systematic and methodical approach. They would perform reconnaissance through LDAP requests and scope the countermeasures already in place (Anti-Virus, On-Site Backup’s etc) and how to effectively neutralise these countermeasures without raising too many alarms, they would then exfiltrate the data using the networks own systems and once prepared they would execute the ransomware payload across multiple systems through the use of an executable such as PSExec.
How much of a threat is ransomware-as-a-service?
RaaS came up in the last 3 years and has significantly ramped up in the last year where the threat actor groups have started affiliate programs, where they would provide the malware code and other resources in exchange for a percentage of a successful ransom. This has proved to be widely successful and has also contributed widely to the significant rise in ransomware attacks over the last year and moving into 2021.
How damaging is it when businesses don’t pay their ransom?
Sean Tickle: The damage that is generally most significant for a victim is not the possible fines that can be issued by the ICO but reputational damage when their sensitive data is publicly disclosed on the internet, which threat actors leverage to the point that there are sections in the threat actor’s data leak sites where users can sign up to a mailing list to keep aware of the latest leaks made public.
Also, the loss of service can cost organisations thousands of pounds per minute and if the network needs to be rebuilt without the use of back-ups could actually cause the business to close permanently.
How can businesses limit the chances of a ransomware attack?
Sean Tickle: To limit your chances of being the recipient of a ransomware attack, it is essential that as a business you ensure that all endpoints have the appropriate defences in order to detect and respond to potential malware. This can be in the form of a Endpoint Detection and Response solution which will not only detect threats but in some cases can quarantine the selected File or the entire device in order to allow your IT/Security team to investigate and respond without allowing the Malware to pivot around your system. Furthermore, another less technical approach would be to deliver training based on the user, showing them how to tell the difference between a legitimate Email and a Phishing email as this is a common form of delivery which Ransomware groups will send an email that contains a malicious file in order to perform malicious activities.
What steps need to be taken if you are attacked?
Sean Tickle: The first step would be to not interact with the PC as soon as you are aware that it has been infected. Trying to delete files and interact with the operating system can potentially cause more data loss and could give the attacker further functionality on the machine. At this stage, you should be informing your IT/ security team urgently.
The second step should be followed alongside the initial step which would be to unplug the device from the network or disconnect the entire network from the internet. This will halt any exfiltration of data and will stop any further movement from the attackers. Furthermore, it is essential that you obtain the scope of the breach as more devices may be infected. NOTE: do not turn the device off. Doing this can cause the encryption mechanism to kick in if it has not already done so. Doing this also risks the loss of logs which can severely disrupt an investigation.
This is where we would initiate an Incident Response Triage, whereby we would investigate the following questions:
- Time of incident
- How the incident occurred
- Which if any, user accounts were compromised.
- Check for any unusual logins from an unusual location as this can be useful to understand where the attacks came from
- Collecting evidence from Logs
Once all the information needed has been gathered, it is essential that you remove all traces of the malware. You should be able to see what was used from the evidence provided by the investigation.
Then, when you are completely sure that you have removed all the traces you can find, you need to have been given the go ahead to restore the network back to functionality. This step should not be taken lightly as if you are using backups, the malware could have unintentionally be stored in backups which will mean when you restore you will have a high risk of being infected again.
Should you notify the authorities?
Sean Tickle: This is an important step as failing to report to the appropriate authorities can have serious ramifications. The list of reportees will entirely depend on the severity of the situation. Examples of these include and are not exclusive to:
- Your bank
- The Police
- Your insurer
- Your employees
- Your clients
A prime example of a company not reporting correctly was booking.com who received a data breach and was subsequently fined by the Dutch Data Protection…