What Lessons Have We Learnt From Recent Ransomware Group Attacks?

Uploaded on 2024-01-30 in NEWS-Cybersecurity News, FREE TO VIEW

Ransomware gangs such as LockBit, Alphv, Clop and Black Basta, continue to dominate headlines. Research shows that these organised crime groups enjoyed runaway success in 2023, with two in three organisations suffering a ransomware incident.

2024 may not be that different. Immediately, Black Basta’s hack into the international automation & engineering company, ABB, comes to mind, but the reality is that there are just too many breaches to name.

Crime As A Business

The reason for their success? These organised crime groups have enjoyed success in the past due to their increasingly professional approach. They have carried out ransomware attacks end-to-end – from initiating the initial compromise to establishing a foothold in the organisation, propagating the malware on user devices through to managing the ransomware demand and negotiation process, complete with sophisticated dashboards showing the exact data they have stolen, their contact phone numbers and how to make the payment.

However, they realised that this in-house, end-to-end approach was often successful only up a point. When external factors interfered or disrupted the process, at any point in the attack chain, the whole operation would unravel.

They have since evolved, which yet again demonstrates their professional approach to cybercrime. These organised crime groups have ingeniously divided themselves into specialised ransomware-as-a-service ‘brands’, ensuring that no single outfit is solely responsible for an attack. They are able to maintain plausible deniability, making it extremely difficult for already short-staffed authorities to bring them to account.

Furthermore, through their services, these groups are lowering the barrier to entry into this space. The smaller criminals don’t even have to be computer experts, they can merely use available software to initiate breaches and fill the gaps using the specialist services – all provided by these ransomware brands.

There is a supply chain in this sophisticated underworld. Many of these organised crime groups outsource data collection to specialists who use advanced vulnerability detection tools at scale to identify ‘sitting ducks’– which companies are vulnerable, whose mail servers haven’t been patched, what kind of links users click on most, and so on. The cliché ‘no rest for the wicked’ is truly apt in this context!

It's worth pointing out whilst we typically tend to hear of security breaches in large corporates, attacks on the small and medium sized businesses are equally prolific. In fact, a trend that is increasingly become visible is bad actors breaching smaller organisations in the supply chain to eventually lay their hands on the data in the larger corporates.

There Is No Magic Bullet For Protection

A holistic strategy, alongside dogged execution of that strategy is needed to ensure risk mitigation and cybersecurity protection. Most organisations have cybersecurity policies and programmes in place, especially as compliance in this area is becoming ever more stringent, but they are often not appropriately enforced.

Security awareness training for users must be at the top of the list of priorities, given that the specialist data collectors are continually analysing user behaviours to identify new phishing and malware proliferation techniques to catch employees off guard.

Vigilance is critical. Users are constantly under attack, so they need the necessary skills to be watchful in order to spot suspicious activity, be that in the form of dodgy emails, malicious QR codes and links, stolen passwords and so forth.

At the same time, the insider threat is a real and present danger. A thorough vetting process is a must. Surreal as it sounds, criminal gangs do actively deploy individuals through third-party organisations to implant and detonate ransomware.

It’s not unusual for malicious code to remain hidden for several months before the criminal decides to initiate the attack. This is long after the bad actor has left the organisation, systematically covering their tracks.

Timely patching of software is a no brainer. Today, there are advanced vulnerability assessment software available that can automate the process, targeting everything that is within the organisation’s network range, including devices. Once properly configured, literally with a click of a mouse, the software will identify the software and devices that need patching, in order of criticality.

Archiving or backing-up data in a ring-fenced, encrypted state is essential too. Should a breach occur, the business is in a better position to deal with the criminals and potentially refrain from paying the extortionate ransom demand.

Likewise, regularly monitoring and auditing access controls to data is vital so that business-critical information stays within the ‘castle walls’ of the business. In today’s remote working environment, the ability to secure remote connections, and lock down services without creating a hindrance for users, is important.

All other standard, routine measures such as penetration testing, phishing simulations, properly configuring and monitoring email gateways and firewalls are fundamental to cybersecurity.

A Parallel White-Collar Profession

Organised crime groups now operate in the underworld like a white-collar service industry, providing cutting-edge, highly proficient and unconventional capabilities to criminals whose profession it is to breach, steal and fraud. Often, they are ahead of the corporate ecosphere in terms of investing in the latest cybersecurity tools and techniques.

Consequently, for businesses there is no room for laxity. They must fully optimise the technologies at their disposal to bolster their defences, and in the unfortunate event of a breach, effectively mitigate its impact. Whilst regulatory fines are computable, reputational loss and its longevity are impossible to quantify.

Jack Garnsey is Subject Matter Expert, Email Security at VIPRE Security Group

Image: Andrey Popov

You Might Also Read:

Ransom Attackers Impersonate Security Researchers:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.