Ransomware is big business for cyber criminals. It involves encrypting files on an organisation's systems to make them unusable; the criminals then demand a ransom payment, usually in a cryptocurrency such as bitcoin, to decrypt the files.
Criminal gangs have changed their tactics over the last three years. Previously, criminals would target consumers; now there are larger and more powerful attacks targeting large businesses, a trend termed ‘big game hunting’.
Large businesses are now seeing attacks known as ‘double extortion’, whereby threat actors use the access they gain in carrying out the ransomware attack to steal corporate files. The criminals then threaten to leak those files onto the dark web if the ransom is not paid. Ransomware gangs will continue to explore new methods of increasing the pressure on organisations to pay.
The most impactful ransomware attacks happen when there is a gap in basic controls, or a breakdown in their effectiveness. These basic controls are collectively referred to as cyber hygiene.
These attacks can be initiated from anywhere in the world, and are usually started by criminals in countries where there are no penalties for cyber attacks, as long as they don't target entities at home.
What controls do organisations need to have to prevent or respond to an attack?
Attackers typically gain their initial point of entry to the network via one of five means, explained below.
Phishing is when an email is sent with a malicious link or attachment, with the intent of fooling the user into clicking the link or opening the attachment. While this is the most common way a ransomware attack starts, in our experience it is not often the cause of the most impactful attacks.
Credential stuffing involves collecting leaked credentials for a user account and attempting logins to web services using those leaked credentials. A typical case is a staff member who signs up to an external service, such as a news site, using their work email address and the same password they use at work. If the news site is hacked, the email address and password used during sign-up can be used to access that organisation's systems.
Password spraying involves a threat actor attempting to authenticate to a large number of user accounts using a small number of commonly used passwords, so that no single account sees enough failed attempts to trigger a lockout.
The private sale of credentials is when individuals sell credentials to criminal gangs, typically when they leave an organisation. To reduce the risk of these attacks, organisations need strong termination, identity and access management controls, as well as multi-factor authentication for remote access (something additional to just a password).
Weak remote access solutions: whether employee-focused or used by IT staff or third parties to access your network, we've seen a lot of remote access solutions that are poorly protected or don't enforce multi-factor authentication. It's the primary cause of the attacks we respond to.
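The credential-based entry points above share one defensive property: each leaves a distinctive trace in authentication logs. As an added example that is not part of the PwC article, the following Python script applies a simple password-spraying heuristic (one source failing against many distinct accounts within a short window, with few attempts per account) over a constructed sample log. The log format, the IP addresses and the user names are all hypothetical, chosen only to make the script self-contained; a real deployment would parse the format of the organisation's own VPN, identity provider or domain controller logs.

```python
"""Detect password-spraying patterns in authentication logs.

Added example, not code from the PwC article. The log format below is a
constructed, hypothetical one: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.9 tries many accounts once each (a spray)
# and eventually succeeds on one; 198.51.100.4 is a normal user mistyping
# their password twice and then logging in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.9
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.9
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.9
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.9
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.9
2024-05-01T09:00:11 FAIL user=frank src=203.0.113.9
2024-05-01T09:00:13 OK user=grace src=203.0.113.9
2024-05-01T09:05:00 FAIL user=alice src=198.51.100.4
2024-05-01T09:05:10 FAIL user=alice src=198.51.100.4
2024-05-01T09:05:20 OK user=alice src=198.51.100.4
"""


def parse_line(line):
    """Parse one log line of the hypothetical format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per source IP whose failed logins, within `window`,
    touch at least `min_users` distinct accounts while never exceeding
    `max_per_user` attempts on any one of them (the low-and-slow shape that
    stays under per-account lockout thresholds). Each alert also lists any
    accounts the same source logged into successfully after the spray began,
    which is the signal that needs immediate investigation."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        # Slide a window over this source's failures, starting at each failure.
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for f in in_window:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted(
                    {e["user"] for e in evs if e["ok"] and e["ts"] >= start["ts"]}
                )
                alerts.append(
                    {"src": src, "users_targeted": len(per_user), "successes": successes}
                )
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately parameters: the right `min_users` and `window` depend on how many accounts a single source legitimately authenticates for (a shared NAT egress will look noisier than a home connection). Note that the same heuristic does not catch credential stuffing, where each account is tried with its own leaked password rather than a shared guess, and attempts are often spread across many source addresses; that case is better caught by checking logins against known-breached credential lists and by multi-factor authentication, which stops both techniques regardless of whether they are detected.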
Organisations must also ensure other key controls are in place to prevent ransomware attacks, including keeping up to date with the latest patches and decommissioning old or unsupported environments.
A number of additional controls are set out in standards such as the ACSC Essential 8 and the Australian Government Information Security Manual.
In this short video, Andrew Gordon explains examples of these attacks and highlights the questions businesses should be asking internally to ensure an attack can be prevented.
© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.