Who is behind Ransomware? Part II
Description: Ransomware implanted via social engineering or perimeter hacking
Attack tool: Ransomware, malware, or intrusion & exfiltration of data
Preventability: Somewhat preventable
Prevalence: Somewhat prevalent
Attacker sophistication: Medium
Cost per infection: Medium
Mid-sized organizations with healthy security budgets can largely prevent commoditized ransomware. Their perimeter defense products filter inbound malicious attachments, and their patch management programs keep exposure to vulnerabilities low.
A higher degree of cyber-criminal tradecraft is required to penetrate a well-secured organization. Based on agency profiling and some recent law enforcement actions, a picture emerges of small teams, composed of both technical and non-technical criminals, working together to combine social engineering with intrusive activity in order to implant malware or ransomware that can then be used to extort the victim. The sophistication of the attack is much higher than that of commoditized spam, and each campaign costs the criminal group more to orchestrate. Accordingly, ransom amounts tend to be higher in this bucket, ranging from a few thousand dollars and up. It is believed that the recent city of Atlanta ransomware incident was the result of the SamSam ransomware variant. A recent analysis illustrates the sophistication, and also shows that the payload delivery required the attention of the attacker, which demonstrates the targeted nature of the attack.
Criminals begin with a large subset of targets that exhibit a risky security practice, and work down from there.
While the social engineering aspect of the attack is certainly bespoke to the individual victim, the pattern the criminals target is still based on common behavior the organization exhibits. Examples of this behavior are the likelihood that employees reuse credentials between social and business accounts, or the likelihood that an employee would fall for a spear-phishing message. On the technical side, mass-scanning techniques can easily uncover IP addresses with exposed ports that can be brute forced. Either way, the criminals first begin with a large subset of targets that may exhibit a risky security practice, and work down from there. Being socially engineered certainly feels like a personal attack, especially if one lax employee causes the ransomware to proliferate. Once the victim company is infected or some data has been exfiltrated, the company is extorted. The recent Canadian bank ransom incident is an example of this type of incident.
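As an added illustration of the brute-force pattern described above (example code written for this page, not from the original article): a small Python detector that counts failed logins per source address inside a sliding window over constructed sshd-style log lines, and additionally flags a source whose successful login follows a burst of failures, which is the signal a defender most wants to see before an implant is staged. The log lines, the threshold of 5 and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd-style log lines (not taken from the original article).
SAMPLE_LOG = """\
Mar 12 03:14:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 12 03:14:03 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2
Mar 12 03:14:04 host sshd[2201]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar 12 03:14:06 host sshd[2201]: Failed password for root from 198.51.100.7 port 51237 ssh2
Mar 12 03:14:08 host sshd[2201]: Failed password for root from 198.51.100.7 port 51238 ssh2
Mar 12 03:14:09 host sshd[2201]: Accepted password for root from 198.51.100.7 port 51239 ssh2
Mar 12 03:20:00 host sshd[2300]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar 12 09:20:00 host sshd[2400]: Accepted publickey for alice from 203.0.113.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse(line, year=2018):
    """Return (timestamp, result, user, source_ip) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> {"failures": peak failures in window, "success_after_failures": bool}
    for every source that reached `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                # ignore unparseable lines rather than crashing the detector
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()             # slide the window forward
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(src, {"failures": 0, "success_after_failures": False})
                alerts[src]["failures"] = max(alerts[src]["failures"], len(q))
        elif src in alerts and q:   # success while a failure burst is still in the window
            alerts[src]["success_after_failures"] = True
    return alerts
```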
Even though these types of attacks are highly coordinated, they are becoming increasingly commonplace and will eventually become as commoditized as current off-the-shelf ransomware kits.