Not one day after writing my previous blog article inspired by the Garmin ransomware attack, I found out that another high-profile attack has impacted another major technology company, Canon. My last article, How to Protect Your Ranch, goes into detail about how you can help protect your organization from similar ransomware attacks. In this blog, I want to elaborate on a quote that I heard when I joined the Dataprise CYBER team several years ago: The bad guys have a boss and a budget too.
It may seem simple, but this phrase serves as a powerful reminder of the current state of cyber threats. I remember writing it down on my whiteboard at Dataprise headquarters when I heard it, and it has stuck with me ever since, whether I am assessing a company’s security posture, migrating servers into the cloud, or simply setting up a new computer. As a cybersecurity professional, it is imperative for me to remember that at any given time, there are paid engineers attempting to breach and compromise my clients’ networks without their knowledge. The days of computer viruses written by a single programmer are over. In their place are organized businesses which exist to pay salaries and make a profit, just like yours. The business of ransomware is booming, and it’s one of many tools that enable the “bad guys” to profit from your vulnerabilities.
Advanced Persistent Threats
An Advanced Persistent Threat (APT) is, broadly, a group or company of organized hackers. You could imagine APTs as the 'Tom Clancy' or 'Hollywood' image of hackers: advanced, highly organized, and well-funded. In the information age, APTs are often associated with – or sponsored by – specific countries (e.g., North Korea, Russia, China, Israel, or the United States), but many operate completely independently. As far as the average business is concerned, an APT should not be viewed as a technical threat, but as a human one. These are organized groups of people using purpose-built threats to meet their quotas and keep their boss happy.
The recent ransomware attack on Canon was carried out using a type of ransomware called Maze. This relatively new ransomware threat has impacted numerous organizations since it was first discovered in November 2019, including the City of Pensacola, Florida (December 2019); LG (June 2020); Xerox (June 2020); and now Canon (July 2020). In response, the FBI has issued a warning to the public sector of active attempts to attack US-based companies through Maze. They requested that affected organizations provide Indicators of Compromise (IOCs) from each attack: the digital fingerprints left behind by a ransomware attack that can help identify the perpetrator.
But why all the alarm and concern over these Maze attacks? What makes Maze unique is that instead of holding your data for ransom, they exfiltrate the information (or copy it offsite) for later use, including public disclosure.
Ransomware as a Service
One of the best parts of the digital revolution is that many software providers (like Microsoft or Adobe), cloud service providers (like Azure and AWS), and MSPs (like Dataprise) can offer their services or products to organizations with an intuitive and predictable monthly subscription model. But, just as Microsoft has realized that it can offer its services at a fixed monthly fee, so have the bad guys. Believe it or not, ransomware as a service (RaaS) has become an increasingly common business model for APTs and other hackers. Anyone with an internet connection and a credit card (including a stolen credit card) can subscribe to a RaaS platform and start holding networks or computers for ransom. RaaS providers even offer service level agreements (SLAs) and technical support so that subscribers can get their ransomware business up and running quickly. The practice is so lucrative that one RaaS provider called Netwalker managed to make $25 million in under five months.
As Sun Tzu said: “To know your enemy, you must become your enemy.” Since committing actual cybercrime is illegal, it’s important to read about these threats to understand how they operate and better protect yourself from them. At a high level, most low-complexity ransomware attacks include the following:
- The use of a RaaS provider
  - Limited skill is required to start the operation, but the type of ransomware that is used is likely to be well known.
  - Any off-the-rack anti-ransomware solution should detect most RaaS threats, but outdated “virus-only” solutions may not provide full ransomware protection.
- Data gathered through public information storage
  - Historical user information (like usernames and passwords from large breaches) is readily available over the Dark Web, either freely or for a small fee, and many ransomware attacks make use of it. However, this information may not always be fresh.
  - Therefore, it’s important to change passwords regularly, and to monitor for breached accounts that may be for sale.
- Attempts to infect targets using a “scattergun” approach, usually through phishing
  - Most commonly, this is achieved using an infected PDF or another type of document, or an infected webpage accessed through a link.
  - Reduce the likelihood of phishing breaches by implementing an anti-spam solution that blocks certain types of files and scans attachments, and by providing regular user training.
- If the PC is infected, the malware will probably attempt to exfiltrate its data
  - Exfiltrated data could be credit card numbers, social security numbers, or simply lists of email addresses that could be used for future attacks.
  - Knowing exactly where your sensitive data resides, how it’s created, and how it is used is the first step towards classifying all data and making sure it remains protected.
- Data will become encrypted and held for ransom
  - Ransoms typically average $100,000, but this varies based on how many devices have been encrypted; the attacker wants to maximize the chance of payment.
  - If your systems become encrypted, it’s almost always impossible to decrypt these files. Instead, you’ll need to restore lost files from backups, which should be somewhat trivial if you subscribe to the principles described in How to Protect Your Ranch.
- The ransom is paid (or not), but the threat doesn’t go away
  - If the ransom is paid, the attacker will usually provide a key or tool that can be used to retrieve files, and for many organizations this leads them to believe the threat is gone.
  - If the ransom is not paid, the attacker may publicly post the information that has been obtained.
  - Generally, the attacker will still retain some form of foothold in the organization, not always to re-ransom the network, but to gather more data and passwords.
Why is this important?
I’m not a master strategist, and I won’t claim to fully understand the intricacies of business operations and strategy (that’s for the members of our vCIO team). But, even as an amateur, at some point you must take stock of your competition, changing trends, and other threats to your business to stay current in the market. The same principle should be applied to APTs and other cyber threats. Your business may not have the resources of a Garmin or a Canon behind it, but as a small or mid-market business you are probably in a better position to implement new, more stringent security controls than a large global enterprise.
By re-framing cyber threats as business threats, it may be easier for you to develop a comprehensive strategy for handling an incident when it happens. It’s no longer a matter of if it will happen, but when. Security is a continuous process. It requires the use of complementary administrative controls (e.g., policies, strategy, formalization) and physical controls (e.g., locks, logs, attentive personnel) to ensure that you’re getting the most out of your technical tools (e.g., anti-ransomware, mail security, network monitoring). As with all things, when we pull together to work towards a common goal, we’re more likely to succeed.