Coveware: Ransomware Recovery First Responders

View Original

Who is behind Ransomware? Part II

Description: Ransomware implanted via social engineering or perimeter hacking

Attack tool: Ransomware, malware, or intrusion & exfiltration of data

Preventability: Somewhat preventable

Prevalence: Somewhat prevalent

Attacker sophistication: Medium

Cost per infection: Medium

Mid-sized organizations with healthy security budgets can largely prevent commoditized ransomware.  Their perimeter defense products filter inbound malicious attachments, and their patch management programs keep exposure to vulnerabilities low.  

A higher degree of cyber criminal trade-craft is required to penetrate a well secured organization. Based on agency profiling, and some recent law enforcement actions, a picture emerges of small teams that possess both technical and non-technical criminals, working together to construct a combination of social engineering and intrusive activity to implant malware or ransomware that can be used to extort the victim. The sophistication of the attack is much higher than the commoditized spam, and costs the criminal group more per campaign to orchestrate. Accordingly, ransom amounts tend to be higher in this bucket.  Ransom amounts can range from a few thousand dollars and up. It is believed that the recent city of Atlanta ransomware incident was result of the SamSam ransomware variant. A recent analysis personifies the sophistication, and also that the payload delivery required the attention of the attacker, which demonstrates the targeted nature.  

Criminals  begin with a large subset of targets that exhibit a risky security practice, and work down from there.

While the social engineering aspect of the attack is certainly bespoke to the individual victim, the pattern that the criminals are targeting is still based on common behavior that the organization exhibited.  Examples of this behavior are the likelihood that employees reuse credentials between social and business accounts, or the likelihood that an employee would to fall for a spear phishing message. On the technical side, mass-scanning techniques can easily uncover IP addresses with exposed ports that can be brute forced.  Either way, the criminals first begin with a large subset of targets that may exhibit a risky security practice, and work down from there. Being socially engineered, certainly feels like a personal attack, especially if one lax employee causes the ransomware to proliferate. Once the victim company is infected or some data exfiltrated, the company is extorted.  The recent Canadian bank ransom incident is an example of this type of incident.

Even though these types of attacks are highly coordinated, they are becoming increasingly commonplace and will eventually become as commoditized as current off the shelf ransomware kits.  

Read part III