Professional ransomware: how to deal with these new corporate criminals


The opening lines read like your typical product launch press release: “We created Darkside because we didn’t find the perfect product for us. Now we have it.”

However, this is not your typical company press release – this is a group of cyber criminals who have created the latest strain of ransomware, designed to hunt down big-game organisations for millions. But instead of dealing with back-alley, flick-knife criminals, these crooks practically wear a suit and shake your hand, with attacks shrouded in an unnerving air of professionalism.

They’ll break into your systems, steal and encrypt your files, lock you out, and then threaten to publicly expose your sensitive data unless you pay the ransom. Very much like your typical ransomware attack, except that these criminals will pleasantly deal with the negotiator with a smile on their face and a helpful, can-do attitude. They offer real-time chat support, guaranteed turnaround times and discounts if payment is received in a timely manner. Darkside even have a corporate responsibility pledge – they promise not to attack schools, non-profits, governments or hospitals, and will only target those who they know can pay based on their net worth.

Darkside isn’t the only ransomware to make the news for its cordial attitude in recent headlines. Ragnar Locker ransomware hackers successfully attacked travel company CWT, and a pleasant-enough criminal representative helpfully spoke to the company’s finance team in the support chat window. They offered a 20 percent discount for a quick payment, outlined what the ransom payment would deliver, and kept the support window operating after the decryption keys were handed over in case the company needed any troubleshooting. You’d almost believe you were buying a legitimate software product online – not frantically trying to recover your own organisation’s sensitive data before it gets leaked to the public.

But, as Ragnar Locker pointed out, dealing with these cordial criminals is “…probably much cheaper than lawsuits expenses […] and reputation loss caused by leakage.” And this is a problem that is only just beginning – Ontrack have now revealed that more ransomware attacks have been recorded in the past 12 months than ever before.

In the world of cybercrime, ransomware is currently where the money is. There is an immediate payoff with this kind of attack because the cyber criminal does not need to monetise data via sales and auctions on the dark web, but can immediately get money from bitcoin transactions.

Ransomware has evolved from single cyber criminals blasting phishing emails – which are now frequently picked up by spam filters – to gangs of cyber criminals with different specialties working together to conduct sophisticated spear phishing campaigns and attacks on infrastructure. Recent ransomware variants have been taking advantage of vulnerabilities in VPN endpoints, and in some cases cyber criminals have been offering Ransomware as a Service attacks for prospective clients.

The problem with ransomware is that organisations have very few options available to them if critical data has been encrypted and placed beyond reach – this is why it’s so effective. The key part of an attack is understanding how long the organisation can survive without access to its data and how much time it needs to restore the data in order to carry on business as usual. In a targeted attack, cyber criminals will have done their research and found what they hope are the organisation’s pain points. This gives organisations limited options – either rebuild and restore the data, try to work without the data (which can be incredibly difficult) or pay the ransom. In some rare cases it can be possible to recover the data using tools such as No More Ransom by Interpol.

Attackers want a pay-out to happen as quickly as possible, before the systems can be rebuilt. This means new tactics are being deployed which involve applying additional pressure through a number of escalating threats: releasing the names of victims, threatening to release data both privately and then publicly, and releasing exfiltrated data.

This causes even more of a headache for the organisation – because if the data includes personal, sensitive or valuable information, then threats to release the data can cause issues with regulatory bodies such as the ICO, potential problems with class actions, or fines from the payment industry. If it is a trade secret that the organisation relies on, then it can cause huge problems if it’s released into the public domain. So, the potential organisational damage or large fines from having a breach can lead to an organisation being persuaded to pay up in order to keep the incident quiet.

How can you spot a ransomware attack early on?

These kinds of attacks involve an attacker gaining a foothold in the system through a social engineering or network attack – typically through VPN or RDP weaknesses. The attacker will then conduct reconnaissance, select their targets, exfiltrate data, trigger the ransomware and then monitor the responses.

Very often the first sign of a ransomware attack is the ransomware demand popping up on systems as users try to access them. However, there is a process that ransomware follows, and it’s possible to spot the early warning signs of an attacker’s covert journey:

  • If a cyber criminal is exploiting VPN and RDP vulnerabilities, you can look out for signs of an attack through logs and alerts from an IDS/IPS.
  • It’s possible to identify an attack through outgoing traffic travelling to a suspicious command and control server - blocking this may be a kill switch for the malware, but not in all cases.
  • Check to see if additional tools are being installed onto your organisation’s machines.
  • New admin accounts may start being created.
  • Monitor for unusual traffic on your networks.
  • There can be spikes in CPU and disk usage as encryption starts.

How should you react to a ransomware attack?

Naturally, the best response is to prevent an attack from occurring in the first place. This can be done through training employees to recognise and report the threats, hardening networks, external infrastructure and employee devices and continuously monitoring these for vulnerabilities that should be patched immediately when discovered. Multi-Factor Authentication should also be used for external or remote access to corporate resources, and you should look to move towards a zero-trust environment where internal networks are all treated as insecure.

Preliminary steps should also ensure that data is secured should an attack take place. Keep backups that are protected from tampering, and ensure they cannot be reached directly from user devices or the network – if backups can be reached easily, then the malware can get to them and render them useless too. You should also encrypt data and implement strict need-to-know access controls.

According to Ponemon Institute’s latest report, the best form of preliminary defence is to implement automated tools that can help detect breaches and suspicious behaviour. Organisations that use analytics and AI (artificial intelligence) have the most success in mitigating the costs of breaches, and spend about £1.84 million on their recovery process. The organisations that don’t implement these measures face costs of more than double that – about £4.5 million.

It’s fair to say that many organisations don’t know where to begin when it comes to implementing and testing their defences, or lack the necessary security skills and resources to manage their cyber security risks effectively. For companies that are struggling to deal with the rise in ransomware and cyber attacks, looking into implementing a CSaaS (Cyber Security as a Service) solution is often the simplest way to manage and overcome these security headaches. A CSaaS is an outsourced model of cyber security risk management that takes the burden off the organisation, and ensures it is secure against common cyber threats. This saves internal resources both time and money – which can be used to deal with the plethora of other fires 2020 has ignited so far.

However, ransomware attacks can still penetrate an organisation’s defences despite the best preparations. If you are continuously monitoring your systems for suspicious activity, then you may pick up the early warning signs that can give you a head start, such as unusual web traffic, the use of privileged credentials, the creation of new accounts, or unauthorised software installation and usage.
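The warning signs listed under “How can you spot a ransomware attack early on?” and recapped in the previous paragraph are exactly the kind of thing a small correlation rule set can pick out of ordinary logs. The script below is an added example, not tooling from the author or IT Governance: it walks a handful of constructed log records (a made-up `key=value` format, with fictional hosts, addresses and user names) and raises a finding for each indicator the article names – a burst of failed VPN logins followed by a success, a freshly created account being placed in an administrators group, a binary launched from outside the usual program directories, traffic to a destination on a (constructed) block list or a large outbound transfer, and a CPU/disk spike consistent with bulk encryption. The Windows event IDs 4720 (user account created) and 4732 (member added to a local group) are real; every threshold and list is an assumption chosen for illustration.

```python
"""Toy early-warning correlator for the ransomware indicators described in the article.

Added example, not the author's or IT Governance's code. Log records are a constructed
key=value format; hosts, IPs, users, thresholds and the block list are assumptions.
"""
from collections import defaultdict

# Constructed sample log lines (no real systems or addresses; TEST-NET ranges only).
SAMPLE_LOGS = r"""
ts=2020-09-01T02:11:05 src=203.0.113.7 host=vpn-gw type=vpn_login user=svc-backup result=fail
ts=2020-09-01T02:11:09 src=203.0.113.7 host=vpn-gw type=vpn_login user=svc-backup result=fail
ts=2020-09-01T02:11:14 src=203.0.113.7 host=vpn-gw type=vpn_login user=svc-backup result=fail
ts=2020-09-01T02:11:20 src=203.0.113.7 host=vpn-gw type=vpn_login user=svc-backup result=fail
ts=2020-09-01T02:11:31 src=203.0.113.7 host=vpn-gw type=vpn_login user=svc-backup result=success
ts=2020-09-01T02:20:02 host=fs01 type=win_event id=4720 user=svc-backup target=helpdesk2
ts=2020-09-01T02:20:03 host=fs01 type=win_event id=4732 user=svc-backup target=helpdesk2 group=Administrators
ts=2020-09-01T02:25:40 host=fs01 type=process_start user=helpdesk2 image=C:\Temp\newtool.exe
ts=2020-09-01T02:26:00 host=fs01 type=netflow dst=198.51.100.23 dport=443 bytes_out=734003200
ts=2020-09-01T03:02:00 host=fs01 type=perf cpu=97 disk_write_mbps=410
ts=2020-09-01T03:02:00 host=ws12 type=perf cpu=12 disk_write_mbps=3
"""

# Assumed tuning values; a real deployment would derive these from its own baseline.
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
TRUSTED_IMAGE_PREFIXES = ("C:\\Windows\\", "C:\\Program Files")
KNOWN_C2 = {"198.51.100.23"}          # constructed block list standing in for threat intel
BULK_EGRESS_BYTES = 500 * 1024 * 1024  # 500 MiB leaving one host in one flow is worth a look
FAIL_BURST = 4                         # this many failures before a success on one src/user


def parse(line):
    """Split a 'k=v k=v ...' record into a dict (values contain no spaces in this format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def analyse(log_text):
    """Return (indicator, detail) findings in the order the triggering records appear."""
    events = [parse(l) for l in log_text.strip().splitlines() if l.strip()]
    findings = []
    fails = defaultdict(int)   # (src, user) -> consecutive failed remote logins
    created = set()            # accounts seen in a 4720 event during this log window

    for e in events:
        kind = e.get("type")
        if kind in ("vpn_login", "rdp_login"):
            key = (e["src"], e["user"])
            if e["result"] == "fail":
                fails[key] += 1
            else:
                # A success right after a burst of failures looks like a guessed password.
                if fails[key] >= FAIL_BURST:
                    findings.append(("brute_force_then_success", f"{e['user']}@{e['src']}"))
                fails[key] = 0
        elif kind == "win_event":
            if e["id"] == "4720":
                created.add(e["target"])
            elif e["id"] == "4732" and e.get("group") in ADMIN_GROUPS:
                # Promoting an account created moments earlier is the "new admin" sign.
                tag = "new_admin_account" if e["target"] in created else "admin_group_change"
                findings.append((tag, e["target"]))
        elif kind == "process_start":
            if not e["image"].startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(("unexpected_tool", e["image"]))
        elif kind == "netflow":
            if e["dst"] in KNOWN_C2:
                findings.append(("known_c2_contact", e["dst"]))
            if int(e.get("bytes_out", 0)) >= BULK_EGRESS_BYTES:
                findings.append(("bulk_egress", f"{e['dst']}:{e['bytes_out']}"))
        elif kind == "perf":
            # Encryption of a file share shows up as sustained CPU plus heavy disk writes.
            if int(e["cpu"]) >= 90 and int(e["disk_write_mbps"]) >= 200:
                findings.append(("encryption_like_io", e["host"]))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_LOGS):
        print(f"{indicator:26s} {detail}")
```

Run stand-alone it prints six findings, one per indicator, in the order the attacker's journey unfolds: the VPN brute force, the new administrator, the unexpected binary, the C2 contact and bulk egress, and finally the encryption-like load on the file server. The point of the ordering is the one the article makes: everything before the last line is a head start, and a rule set this simple, fed from the IDS, the domain controllers and the firewall, is enough to surface it.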

If you have suffered an attack, follow your incident response plan – and make sure your entire organisation has practised it beforehand so you’re not experiencing it for the first time in blind panic. You will need to be prepared to respond quickly and shut down the whole network if necessary – a short outage can be less disruptive than a long period of interruption to services. When restoring your systems and data, ensure the vulnerabilities that were exploited have been fixed and that all the malware has been removed so it cannot re-infect the systems as they are restored.

Given the increasing number of ransomware attacks targeting organisations, the cost of not having a secure backup and detection system in place can be disastrous. Investing in a solution today can ensure you’re not caught out later down the line – and learning from past failures can help protect your organisation from a similar fate in the future.

Geraint Williams is CISO of IT Governance