Ransomware: contemporary threats, how to prevent them and
how the FBI can help

In April 2021, Dutch supermarkets faced a food shortage. The
cause wasn’t a drought or a sudden surge in the demand for
avocados. Rather, the reason was a ransomware attack. In recent
years, companies, universities, schools, medical facilities and
other organizations have been targeted by ransomware threat actors,
turning ransomware into the internet’s most severe security
crisis.

The Ransomware Landscape

Ransomware has existed for more than 30 years, but it became a
lucrative source of income for cyber actors and gangs in the past
decade. Since 2015, ransomware gangs have been targeting
organizations instead of individuals. Consequently, ransom sums
have increased significantly, reaching millions of dollars.

Ransomware is effective because it pressures victims in two
complementary ways: first, by threatening to destroy their data,
and second, by threatening to publicize the attack. The second
threat has an indirect impact, yet it is just as serious (if not
more so). Publication could trigger regulatory and compliance issues,
as well as negative long-term brand effects.

Here are some examples of real ransomware notes:

[Figure: examples of real ransomware notes]

Ransomware as a Service (RaaS) has become the most widespread
type of ransomware. In RaaS attacks, the ransomware infrastructure
is developed by cyber criminals and then licensed out to other
attackers for their use. The customer attackers can pay for the use
of the software, or they can split the loot with the creators. Etay
Maor, Senior Director Security Strategy at Cato Networks[1],
commented, “There are other forms of RaaS. After receiving the
ransomware payment, some ransomware groups sell all the data about
the victim’s network to other gangs. This means the next attack is
much simpler and can be fully automated, as it does not require
weeks of discovery and network analysis by the attackers.”

Some of the major RaaS players, notorious for turning
the RaaS landscape into what it is today, are CryptoLocker, which
infected over a quarter million systems in the 2000s and profited
more than $3 million in less than four months; CryptoWall, which made
over $18 million and prompted an FBI advisory; and finally Petya,
NotPetya and WannaCry, which used various types of exploits,
ransomware included.

How the FBI Helps Combat Ransomware

An organization under attack is bound to experience frustration
and confusion. One of the first recommended courses of action is to
contact an Incident Response (IR) team. The IR team can assist with
investigation, recovery and negotiations. The FBI can
also help.

Part of the FBI’s mission is to raise awareness about
ransomware. Thanks to a wide local and global network, they have
access to valuable intelligence. This information can help victims
with negotiations and with operational decisions. For example, the FBI
might be able to provide profile information about a threat actor
based on its Bitcoin wallet.

To help ransomware victims and to prevent ransomware, the FBI
has set up 56 Cyber Task Forces across its field offices. These
Task Forces work closely with the IRS, the Department of Education,
the Office of Inspector General, the Federal Protective Service and
the State Police. They’re also in close contact with the Secret
Service and have access to regional forensics labs. For national
security cyber crimes, the FBI has a designated squad.

Alongside the Cyber Task Force, the FBI operates a 24/7 CyWatch,
which is a Watch Center for coordinating the field offices, the
private sector and other federal and intelligence agencies. There
is also an Internet Crime Complaint Center, ic3.gov, for
registering complaints and identifying trends.

Preventing Ransomware Attacks in Time

Many ransomware attacks don’t have to reach the point where the
FBI is needed. Rather, they can be avoided beforehand. Ransomware
is not a single-shot attack. Instead, a series of tactics and
techniques all contribute to its execution. By identifying in
advance the network and security vulnerabilities that enable the
attack, organizations can block or limit threat actors’ ability to
deploy ransomware. Etay Maor added: “We need to rethink the concept
that ‘the attackers need to be right just once, the defenders need
to be right all the time’. A cyber attack is a combination of
multiple tactics and techniques. As such, it can only be countered
with a holistic approach, with multiple converged security systems
that all share context in real time. This is exactly what a
SASE architecture[2], and no other, offers
the defenders.”

For example, here are all the steps in a REvil attack on a
well-known manufacturer, mapped to the MITRE ATT&CK
framework. As you can see, numerous phases took
place before the actual ransom demand and were essential to its “success”.
By mitigating those risks, the attack might have been
prevented.

[Figure: REvil attack steps mapped to MITRE ATT&CK]

Here is a similar mapping of a Sodinokibi attack:

[Figure: Sodinokibi attack steps mapped to MITRE ATT&CK]

Maze attack mapping to the MITRE ATT&CK framework:

[Figure: Maze attack steps mapped to MITRE ATT&CK]

Another way to map ransomware attacks is through heat maps,
which show how often different tactics and techniques are used.
Here is a heat map of Maze attacks:

[Figure: heat map of tactics and techniques used in Maze attacks]

One way to use these mappings is for network analysis and
systems testing. By testing a system’s resilience to these tactics
and techniques and implementing controls that mitigate the
risks found, organizations reduce the risk of a ransomware attack by a
given actor on their critical resources.
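As an added example of the heat-map idea above (this is not code from the article or from Cato Networks): given ATT&CK technique IDs mapped from several incidents, count how often each technique and tactic recurs and rank the recurring techniques that no existing control mitigates, which is how such a heat map feeds a control roadmap. The incident mappings and the list of implemented controls are constructed sample data, not the chains shown in the article’s figures.

```python
from collections import Counter

# Constructed sample data (not the article's figures): ATT&CK technique IDs seen
# in three hypothetical ransomware incidents, in rough attack-chain order.
ATTACK_CHAINS = {
    "incident-A": ["T1566.001", "T1059.001", "T1078", "T1003.001",
                   "T1021.001", "T1490", "T1486"],
    "incident-B": ["T1133", "T1078", "T1047", "T1562.001", "T1490", "T1486"],
    "incident-C": ["T1566.001", "T1078", "T1003.001", "T1021.001",
                   "T1048", "T1486"],
}
# One tactic per technique for the roll-up; techniques ATT&CK lists under
# several tactics (e.g. T1078 Valid Accounts) are pinned to one here.
TACTIC_OF = {
    "T1566.001": "Initial Access", "T1133": "Initial Access",
    "T1059.001": "Execution", "T1047": "Execution", "T1078": "Persistence",
    "T1562.001": "Defense Evasion", "T1003.001": "Credential Access",
    "T1021.001": "Lateral Movement", "T1048": "Exfiltration",
    "T1490": "Impact", "T1486": "Impact",
}
# Constructed: controls already in place, keyed by the technique they mitigate.
IMPLEMENTED_CONTROLS = {
    "T1566.001": "mail filtering and phishing awareness training",
    "T1486": "offline, tested backups",
}

def technique_heat_map(chains):
    """Number of incidents in which each technique appears (once per incident)."""
    counts = Counter()
    for techniques in chains.values():
        counts.update(set(techniques))
    return counts

def tactic_heat_map(chains, tactic_of=TACTIC_OF):
    """Same roll-up by tactic, i.e. by phase of the attack lifecycle."""
    counts = Counter()
    for techniques in chains.values():
        counts.update({tactic_of[t] for t in techniques})
    return counts

def control_gaps(chains, controls=IMPLEMENTED_CONTROLS):
    """Techniques with no mitigating control, most frequently used first."""
    heat = technique_heat_map(chains)
    gaps = [(t, n) for t, n in heat.items() if t not in controls]
    return sorted(gaps, key=lambda tn: (-tn[1], tn[0]))

if __name__ == "__main__":
    print(technique_heat_map(ATTACK_CHAINS).most_common())
    print("Top gaps:", control_gaps(ATTACK_CHAINS)[:3])
```

With the sample data, Valid Accounts (T1078) recurs in every incident and has no control, so it ranks first on the gap list ahead of credential dumping, RDP lateral movement and backup tampering.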

How to Avoid Attacks – From the Horse’s Mouth

But don’t take our word for it. Some ransomware attackers are
“kind” enough to provide organizations with best practices for
securing themselves against future ransomware attacks. Recommendations
include:

  • Turning off local passwords
  • Using secure passwords
  • Forcing the end of admin sessions
  • Configuring group policies
  • Checking privileged users’ access
  • Ensuring only necessary applications are running
  • Limiting reliance on anti-virus
  • Installing EDR
  • 24-hour system administrator coverage
  • Securing vulnerable ports
  • Watching for misconfigured firewalls
  • And more

Etay Maor of Cato Networks highlights: “Nothing in what several
ransomware groups say organizations need to do is new. These best
practices have been discussed for years. The reason they still work
is that we try to apply them using disjoint, point solutions. That
didn’t work and will not work. A SASE, cloud-native architecture,
where all security solutions share context and have the capability
to see every network flow and get a holistic view of the attack
lifecycle, can level the playing field against cyber attacks.”

Ransomware Prevention: An Ongoing Activity

Just like brushing your teeth or exercising, security hygiene is
an ongoing, methodical practice. Ransomware attackers have been
known to revisit the crime scene and demand a second ransom if
issues haven’t been resolved. By employing security controls that
effectively mitigate security threats and having a proper
incident response plan in place, the risks can be minimized, and so
can the attackers’ pay day. The FBI is here to help and provide
information that can assist; let’s hope that assistance won’t be
needed.

To learn more about ransomware attacks and how to prevent them,
Cato Networks’ Cyber Security Masterclass series[3] is available
for viewing.

References

  1. Cato Networks (www.catonetworks.com)
  2. SASE architecture (www.catonetworks.com)
  3. Cato Networks’ Cyber Security Masterclass series (catonetworks.easywebinar.live)
  4. Twitter (twitter.com)
  5. LinkedIn (www.linkedin.com)