By Fady Younes
2020 was a turbulent year as the world grappled with the impact of COVID-19, both on our general sense of wellbeing and on the critical infrastructures that connect and protect us and sustain our livelihoods. From an enterprise standpoint, attackers have increasingly seized on the shift to remote working and e-learning to exploit vulnerabilities in systems and steal critical information, with ransomware as their preferred extortion tactic.
Over the past year we have seen several ransomware trends emerge, but to fully understand the evolving threat ransomware poses to businesses, a clear definition is needed. Ransomware is a form of malicious software (malware) that, once it has infected a computer, encrypts the victim's data and holds it hostage until the attacker is paid a 'ransom'. The attacker typically demands payment in a cryptocurrency such as bitcoin and, at least in principle, hands over the decryption key only once the payment has been received; paying carries no guarantee that a working key will actually follow.
The nature of these threats has also been changing. Research conducted by Cisco Talos found multiple campaigns using the pandemic as a lure, dressing their bait in coronavirus themes while the public was searching for information about the disease.
Where businesses once viewed these attacks as a nuisance, they now cause widespread disruption, loss of sensitive information and damage to company reputation. This is driven largely by the adoption of new tactics, techniques and procedures (TTPs) for deploying ransomware onto corporate networks.
Rather than detonating the ransomware on the first system they compromise, attackers now use that system as an initial access point into the network. From there they move laterally to take control of additional systems and to gain privileged access to critical network infrastructure, so that the ransomware can be activated on all of those systems simultaneously for maximum damage. Organizations are more likely to pay in these circumstances, and the ransom can be set much higher. This staged, whole-network approach is what is commonly referred to as 'big-game hunting'.
The crimeware ecosystem has continued to evolve in recent years, with new ransomware offerings appearing on hacking forums, darknet markets and in closed communities. These cater to criminals who want to launch extortion attacks without first having to obtain access to the networks they are targeting. The individuals selling such access are known as 'initial access brokers': they obtain an initial foothold in corporate environments, may also carry out the post-compromise work needed to escalate privileges, and then sell the resulting access to others rather than deploying malware themselves. Sales postings of this kind have become increasingly frequent, often advertising access to multiple networks at once, and they are popular with attackers because access can be bought for anywhere from hundreds to a few thousand dollars.
Offensive-security and dual-use tools are increasingly used to carry out post-compromise activity. Dual-use tools are applications originally created to help legitimate administrators but now frequently co-opted by attackers as well. Such tools let IT departments gain remote access to another computer to troubleshoot issues, but that same capability can be used to drop malicious files onto a system and run them, which is why their presence alone rarely triggers an alert.
Many attackers not only cause widespread disruption to business operations but also steal large quantities of sensitive data before issuing their ransom demand. These 'double extortion' attacks create significant problems for organizations, which must deal with the disruption as well as the threat that important information such as intellectual property and trade secrets will be publicly released. Because the data has already left the network by the time the demand arrives, good backups restore operations but do not remove this second lever. Such attacks also risk reputational damage for the targeted organization and erode customer confidence.
Defending Against Attacks
Although threats evolved over the course of 2020, the good news is that many of the security controls recommended against other types of attack remain effective against the likes of 'big-game hunting' and 'double extortion' attacks. Businesses should take a defense-in-depth approach to securing their networks, combining prevention, detection and fast response, so that the failure of any one layer does not leave the organization unable to see and react to the intrusion.
Cisco Secure offers a range of security solutions that address the concerns raised by these trends and can be tailored to the specific requirements of a business. These products integrate with the Cisco SecureX platform and include Cisco Secure Network Analytics, Cisco Secure Endpoint, Cisco Secure Firewall, Cisco Secure Email and more. Each of these solutions helps to secure an area that ransomware attackers may attempt to exploit.
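As an illustration of what the 'detection' layer can look like for the staged, whole-network deployment described earlier (one account fanning out across many hosts, followed by near-simultaneous encryption on all of them), the following script runs two simple heuristics over a handful of endpoint events. This is an added example, not code from the article or from any Cisco product; the log format, hostnames, account names, the `.locked` extension and the alert thresholds are all constructed assumptions chosen for the demonstration.

```python
"""Two detections for the staged ransomware pattern:
  1. lateral-movement fan-out: one account authenticating (network logon) to
     many distinct hosts within a short window;
  2. encryption burst: many hosts renaming files to the same new extension at
     the same moment, the signature of simultaneous detonation.
The log below is constructed sample telemetry, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fields per line: ISO timestamp, host, account, event kind, detail.
# Benign admin and backup activity is mixed in so the thresholds have
# something to discriminate against.
SAMPLE_LOG = """\
2020-11-03T01:40:05 ws-017 jdoe logon interactive
2020-11-03T01:55:12 ws-017 jdoe process outlook.exe
2020-11-03T02:01:10 srv-fs01 svc-backup logon network
2020-11-03T02:03:41 ws-017 jdoe logon network
2020-11-03T02:04:02 ws-022 jdoe logon network
2020-11-03T02:04:30 ws-031 jdoe logon network
2020-11-03T02:05:07 srv-fs01 jdoe logon network
2020-11-03T02:05:44 srv-dc01 jdoe logon network
2020-11-03T02:06:15 srv-app02 jdoe logon network
2020-11-03T03:10:00 srv-fs01 svc-backup rename backup_0311.zip
2020-11-03T04:30:01 ws-017 jdoe rename report.docx.locked
2020-11-03T04:30:01 ws-017 jdoe rename budget.xlsx.locked
2020-11-03T04:30:02 ws-022 jdoe rename notes.txt.locked
2020-11-03T04:30:02 ws-022 jdoe rename plan.pptx.locked
2020-11-03T04:30:03 srv-fs01 jdoe rename q3.pdf.locked
2020-11-03T04:30:03 srv-fs01 jdoe rename hr.csv.locked
2020-11-03T04:30:04 srv-app02 jdoe rename web.config.locked
2020-11-03T04:30:04 srv-app02 jdoe rename app.log.locked
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Flag any account with network logons to >= min_hosts distinct hosts
    inside a sliding `window`. Returns [(user, window_start, sorted hosts)]."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "logon" and e["detail"] == "network":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((user, evs[start]["ts"], sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def detect_encryption_burst(events, window=timedelta(seconds=60),
                            min_hosts=3, min_renames=2):
    """Flag a window in which >= min_hosts distinct hosts each rename
    >= min_renames files to the same new extension. Hosts seen in later
    qualifying windows are merged into the same alert. Note the limitation:
    families that keep the original extension will not trip this rule."""
    renames = [e for e in events if e["kind"] == "rename"]
    found = {}  # ext -> (first window start, set of hosts)
    start = 0
    for end in range(len(renames)):
        while renames[end]["ts"] - renames[start]["ts"] > window:
            start += 1
        per_ext = defaultdict(lambda: defaultdict(int))
        for r in renames[start:end + 1]:
            ext = r["detail"].rsplit(".", 1)[-1].lower()
            per_ext[ext][r["host"]] += 1
        for ext, hosts in per_ext.items():
            hit = {h for h, n in hosts.items() if n >= min_renames}
            if len(hit) >= min_hosts:
                ts, known = found.get(ext, (renames[start]["ts"], set()))
                found[ext] = (ts, known | hit)
    return [(ext, ts, sorted(hosts)) for ext, (ts, hosts) in found.items()]


def triage(text):
    """Run both detections and return their alerts keyed by rule name."""
    events = parse_log(text)
    return {"lateral_movement": detect_fan_out(events),
            "encryption_burst": detect_encryption_burst(events)}


if __name__ == "__main__":
    for rule, alerts in triage(SAMPLE_LOG).items():
        for alert in alerts:
            print(rule, alert)
```

The fan-out rule fires while the attacker is still staging, hours before any file is touched, which is the window in which response actually prevents damage; the burst rule is the backstop that fires at detonation. In a real deployment the thresholds would be tuned against the environment's own baseline, and the network-logon filter would be fed from Windows security events or EDR telemetry rather than the flat format assumed here.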
(Fady Younes is the Cybersecurity Director for Middle East and Africa at Cisco).