What changes have you observed in the ransomware landscape?
At the start of the year we predicted that synergistic threats would multiply in 2019, requiring combined responses. For context, attacks have usually centered on a single threat, with bad actors concentrating their efforts on repeating and evolving that single threat for effectiveness and evasion. Once an attack is detected, it is classified (e.g., ransomware) and defenses are put in place, at which point the attack's success rate drops. However, if an attack uses different attack vectors that work synergistically, the defensive picture becomes more complex, the combination acts as a smokescreen, and the ultimate goal of the attack is unknown or difficult to identify.
Unfortunately, our observations have held true, with cyber criminals buying toolkits from dark web markets to make their attacks more sophisticated in the pursuit of more profit and efficiency.
We have also noticed that new ransomware players take cues from successful predecessors. Ryuk reuses Hermes' source code, and families borrow each other's ransom notes; one example is a slightly modified Ryuk ransom note that can be observed in certain LockerGoga strains.
What is Ransomware as a Service and why has this been an area of growth lately?
Ransomware as a Service (RaaS) has been gaining a hold among cyber criminals in underground markets for some time. It is possible to purchase affiliate arrangements with ransomware families such as GandCrab, where cyber criminals get a percentage of the profits extorted from victims in exchange for spreading the malicious code.
In the world of ransomware, the recently defunct GandCrab had an unsettling reputation for always paying its debts, just like the Lannisters in Game of Thrones. These partner schemes often fail due to a lack of trust in the community, but GandCrab seems to have brought this to the table by proving reliable in its customer relationships.
We have seen targeted ransomware models used in combination with network weaknesses such as poorly secured RDP (Remote Desktop Protocol) access to run highly successful under-the-radar schemes. In this scenario, attackers try to find a system with weak RDP, gain access, and spread through the network using a weakly protected Active Directory. Once full control is obtained, the ransomware is deployed across the entire network, paralysing the organization in question. In fact, we have observed conversations indicating that the author of the GandCrab RaaS model was working on automated internal propagation methods. In many ways, the use of RDP is not a new approach, as we observed with SamSam last year.
It is worth remembering that the McAfee Advanced Threat Research team discovered only last year that it was possible to purchase RDP access to the security and building automation systems of a major international airport for a fee of just $10 USD.
Can you give an example of an industry initiative to challenge ransomware?
No More Ransom is one of the most successful cyber security projects of its kind in the field of public-private cooperation. It serves as a bridge between law enforcement agencies and cyber security companies in the fight against ransomware and allows victims to retrieve their encrypted data without having to pay cyber criminals. If you ever fall victim to ransomware, it is a great resource to turn to for help. However, prevention is better than the remedy; I would recommend visiting the site to educate yourself about how ransomware works and how it can be prevented in the first place.
What tips would you give organizations to prevent ransomware infections?
A holistic approach to cyber security with adequate security hygiene plays a key role in preventing these infections. As part of this, it is important to close known attack vectors such as exposed RDP access and to ensure that your network is segmented, with strong identity management. Backups must also be a priority within every organization's security strategy: put them in place and ensure that they are tested regularly. Unfortunately, ransomware is flourishing, which proves that security hygiene is often poor and that too many IT teams and C-suites only wake up in the event of a crisis.
A little planning can often go a long way, and as the Scouting motto of Baden-Powell reads: be prepared.
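The weak-RDP entry point described above (password guessing against an exposed RDP service, followed by a successful interactive logon) is something a defender can look for in the Windows Security log before the lateral movement and ransomware deployment stages. The following is an added example, not code from McAfee or the interviewee: it assumes events have already been parsed out of the Security log into Python dicts carrying the Event ID, LogonType, IpAddress and TargetUserName fields, and all sample events below are constructed. Logon type 10 (RemoteInteractive) identifies RDP sessions; 4625 is a failed logon and 4624 a successful one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive, i.e. an RDP session
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def _ev(time, event_id, user, ip, logon_type=RDP_LOGON_TYPE):
    """Build one constructed Security-log record (assumed, simplified schema)."""
    return {"time": time, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # 203.0.113.7: six failures against one account, then success (brute force)
    _ev("2019-06-01T02:00:01", FAILED_LOGON, "administrator", "203.0.113.7"),
    _ev("2019-06-01T02:00:03", FAILED_LOGON, "administrator", "203.0.113.7"),
    _ev("2019-06-01T02:00:05", FAILED_LOGON, "administrator", "203.0.113.7"),
    _ev("2019-06-01T02:00:07", FAILED_LOGON, "administrator", "203.0.113.7"),
    _ev("2019-06-01T02:00:09", FAILED_LOGON, "administrator", "203.0.113.7"),
    _ev("2019-06-01T02:00:11", FAILED_LOGON, "administrator", "203.0.113.7"),
    _ev("2019-06-01T02:00:13", SUCCESSFUL_LOGON, "administrator", "203.0.113.7"),
    # 198.51.100.4: a user mistyping a password twice, below threshold
    _ev("2019-06-01T08:15:00", FAILED_LOGON, "jsmith", "198.51.100.4"),
    _ev("2019-06-01T08:15:20", FAILED_LOGON, "jsmith", "198.51.100.4"),
    _ev("2019-06-01T08:15:40", SUCCESSFUL_LOGON, "jsmith", "198.51.100.4"),
    # 10.0.0.5: network logon (type 3), not RDP, ignored
    _ev("2019-06-01T09:00:00", SUCCESSFUL_LOGON, "svc_backup", "10.0.0.5", logon_type=3),
    # 192.0.2.9: five failures, but the success comes 30 minutes later,
    # outside the correlation window, so no alert
    _ev("2019-06-01T10:00:00", FAILED_LOGON, "administrator", "192.0.2.9"),
    _ev("2019-06-01T10:00:01", FAILED_LOGON, "administrator", "192.0.2.9"),
    _ev("2019-06-01T10:00:02", FAILED_LOGON, "administrator", "192.0.2.9"),
    _ev("2019-06-01T10:00:03", FAILED_LOGON, "administrator", "192.0.2.9"),
    _ev("2019-06-01T10:00:04", FAILED_LOGON, "administrator", "192.0.2.9"),
    _ev("2019-06-01T10:30:00", SUCCESSFUL_LOGON, "administrator", "192.0.2.9"),
    # 203.0.113.50: one password tried against five accounts, then success (spray)
    _ev("2019-06-01T11:00:00", FAILED_LOGON, "alice", "203.0.113.50"),
    _ev("2019-06-01T11:00:02", FAILED_LOGON, "bob", "203.0.113.50"),
    _ev("2019-06-01T11:00:04", FAILED_LOGON, "carol", "203.0.113.50"),
    _ev("2019-06-01T11:00:06", FAILED_LOGON, "dave", "203.0.113.50"),
    _ev("2019-06-01T11:00:08", FAILED_LOGON, "erin", "203.0.113.50"),
    _ev("2019-06-01T11:00:10", SUCCESSFUL_LOGON, "helpdesk", "203.0.113.50"),
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_guessing(events, failure_threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that accumulates at least
    `failure_threshold` failed RDP logons inside `window` and then
    obtains a successful RDP logon. Distinct target accounts among the
    failures distinguish a spray (many accounts) from brute force (one)."""
    ordered = sorted(events, key=lambda e: _parse_ts(e["time"]))
    failures = defaultdict(list)   # source ip -> [(time, target user), ...]
    alerts, alerted = [], set()
    for e in ordered:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue                # only RDP sessions are of interest here
        ip, t = e["IpAddress"], _parse_ts(e["time"])
        # slide the window: forget failures older than `window`
        failures[ip] = [(ft, u) for ft, u in failures[ip] if t - ft <= window]
        if e["EventID"] == FAILED_LOGON:
            failures[ip].append((t, e["TargetUserName"]))
        elif e["EventID"] == SUCCESSFUL_LOGON and ip not in alerted:
            recent = failures[ip]
            if len(recent) >= failure_threshold:
                users = {u for _, u in recent}
                alerts.append({
                    "source_ip": ip,
                    "failed_attempts": len(recent),
                    "distinct_accounts": len(users),
                    "pattern": "password_spray" if len(users) > 1 else "brute_force",
                    "compromised_account": e["TargetUserName"],
                    "time": e["time"],
                })
                alerted.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

Both thresholds are assumptions to tune per environment; the point is that the success after a burst of failures is the signal, and it fires well before Active Directory abuse and ransomware deployment. Running the block on the constructed sample yields two alerts (the brute-force source and the spray source) and correctly stays silent for the two-failure user, the non-RDP network logon, and the failures that fell outside the window.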
How can organizations reduce damage from infections?
If you are infected with ransomware, you should always seek professional advice. The general consensus is that it is better not to pay the ransom: not only is there no guarantee that you will recover your files, but paying also reinforces the message that ransomware works and is a profitable business for cyber criminals. The No More Ransom portal can provide incredibly valuable advice on what to do once you are infected. If a free decryptor is available, it is recommended that you back up the encrypted disk first, so that you can fall back on it in case the decryption process goes wrong.
Businesses have a very difficult job when ransomware drives up downtime with crippling costs, and paying the ransom can be seen as a quick solution. But when an organization is hit by targeted ransomware, it must remember that the ransomware is only the final phase of a complete breach. Removing the ransomware is then only a small part of a much larger security issue.
John Fokker is the head of Cyber Investigations for McAfee Advanced Threat Research