enterprisesecuritymag

The Big Hunt

Nicola Sotira, Head of CERT, Poste Italiane

As every report on the state of cyberattacks points out, criminal organizations have become increasingly bold. The decisive change is that they have moved away from targeting individuals and small organizations and now go after large companies that can afford to pay large ransoms.

In the varied cyber terminology, this method is called Big Game Hunting. Over the last year it has hit prominent organizations, damaging both the companies themselves and their insurers, because those companies held cyber policies that had to cover the losses.

"Be ready, i.e., prepare a plan and run regular exercises on these issues; improvising during an attack wastes time, and developing a plan under stress is not advisable"

In the reports published by the companies that produce security solutions, you can see that both the frequency of attacks and the amount of ransom demanded are rising. When we talk about the rise, it means roughly 300 percent in frequency, with ransom amounts almost tripled. Attribution indicates that the origin very often involves Russia and Eastern Europe, in some cases with state-sponsored organizations.

The trend

Long gone are the days when a ransom was demanded to call off DDoS campaigns against infrastructure, followed by the "locker" threats that blocked the operating system to prevent its use. 2013 marks the year of the transition to file encryption, with the emergence of CryptoLocker, which used 2048-bit RSA key pairs and was distributed mainly through malicious email attachments and the Gameover ZeuS botnet.

In parallel, it is necessary to highlight the growing popularity of cryptocurrencies, which allowed a move from payments through prepaid vouchers to the full use of electronic currency, guaranteeing adversaries an additional level of anonymity.

But it is since 2016 that this type of threat began to target enterprises. At this stage, the extortion consisted of restoring files once the ransom was paid, through online tools that decrypted the previously encrypted documents. However, analysis of the samples has often revealed that full encryption was not performed in many cases: some families only overwrote parts of each file to make the compromised material unusable, and in some cases recovery was not possible even after payment. WannaCry and NotPetya (both 2017) are the best-known examples, NotPetya in particular being effectively a wiper.

As in the best business logic, ransomware has also adopted the "as a service" model, better known as Ransomware as a Service. In this model, operators provide complete malware bundles and a platform for payment and decryption, and affiliates carry out the intrusions. On the dark web it is possible to find affiliate networks, communities, and forums: a whole commercial ecosystem of refined hunting tools.

The negotiation

Analyzing the various incidents since 2018 shows that most of them ended with a ransom payment. The attackers who carry out this hunt now adopt a double extortion model: data is exfiltrated before it is encrypted, so the ransom payment buys both the recovery of the compromised documents and a commitment from the adversaries to delete the stolen data. That second commitment cannot be verified by the victim.

Analyzing some cases, it is possible to notice that after the encryption and the data exfiltration, the attackers leave payment instructions on the compromised servers. In some cases, these files contain strings with IDs that the victims can use to access web interfaces built specifically for the operation. The negotiation then moves to a phase of direct communication, which generally happens over chat or email. If there is no first contact within the established time, an announcement is generally published on the group's leak site, where some details of the incident are released. In some cases, the attackers do not proceed to exfiltration but limit themselves to encrypting and compromising the data. An interesting hypothesis links some campaigns that specifically targeted companies holding cyber insurance policies with ransom demands, even quite large ones, as if the attackers were confident that the insurer would pay for the damages.

If the negotiations do not lead to an agreement, the attackers start publishing the stolen material. It is made public on blogs created explicitly for the campaign, with public auction mechanisms for the more valuable files stolen from organizations. This technique adds another issue: if the ransom is not paid, the organization could see its data in the hands of competitors, or the data could feed further operations by other attackers who benefit from the acquired information.

What we can do to mitigate the risk

Some things need to be checked or periodically analyzed, starting with clear visibility of the assets that hold personal, sensitive, or financial data. On this perimeter it is necessary to limit access, control and update security policies, and pay particular attention to user access and its revocation in case of problems or non-use, reducing the attack surface wherever possible.

Be ready, i.e., prepare a plan and run regular exercises on these issues; improvising during an attack wastes time, and developing a plan under stress is not advisable.

Document the backup procedures and, above all, protect the backups themselves. In these cases you must be sure that the backups are free from compromise (offline or immutable copies, tested restores) and that the restore operations do not reintroduce the problem.

Increase automation in monitoring by investing in better detection processes and prioritizing critical, business-relevant assets. Entry points such as Active Directory deserve greater focus and the ability to detect anomalous behavior.

Review the security of remote workers by introducing two-factor authentication on VPN accesses and especially on cloud accesses; focus monitoring on these entry points and introduce systems that detect behavioral anomalies.

Give more impetus to security policies and risk analysis for the supply chain, suppliers, and third-party software; this is the area through which several of the most recent high-profile attacks came in. Therefore, on the supply chain, greater maturity is required from organizations.
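As an added example (not code from the article or from Poste Italiane's CERT), the following Python script shows the kind of behavioral detection the previous paragraphs ask for on VPN and cloud sign-ins. It runs over a small constructed log and flags three patterns: a successful login completed without a second factor, a login from a country the user has never been seen in, and a success that follows a burst of failures from the same source IP. The event format, field names and thresholds are assumptions made for this example.

```python
"""Added example, not from the original article: a small detector over
constructed VPN / cloud sign-in events.  It flags:

  1. a successful login completed without a second factor (no_mfa),
  2. a login from a country never seen for that user, using a baseline
     built from the user's earlier successful logins (new_country),
  3. a success preceded by a burst of failures from the same source IP
     within a short window (success_after_failures).

Field names, the event tuple layout and the thresholds are assumptions
for this example; real SIEM data would be mapped onto the same shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, user, source_ip, country, mfa, result)
SAMPLE_EVENTS = [
    ("2021-03-01T08:00:00", "alice", "203.0.113.10", "IT", True,  "success"),
    ("2021-03-02T08:05:00", "alice", "203.0.113.10", "IT", True,  "success"),
    ("2021-03-03T09:10:00", "bob",   "198.51.100.7", "IT", False, "success"),
    ("2021-03-04T02:00:00", "alice", "192.0.2.44",   "RU", True,  "success"),
    ("2021-03-04T03:00:00", "carol", "192.0.2.99",   "IT", True,  "failure"),
    ("2021-03-04T03:00:05", "carol", "192.0.2.99",   "IT", True,  "failure"),
    ("2021-03-04T03:00:10", "carol", "192.0.2.99",   "IT", True,  "failure"),
    ("2021-03-04T03:00:15", "carol", "192.0.2.99",   "IT", True,  "failure"),
    ("2021-03-04T03:00:20", "carol", "192.0.2.99",   "IT", True,  "failure"),
    ("2021-03-04T03:00:30", "carol", "192.0.2.99",   "IT", True,  "success"),
]

FAIL_THRESHOLD = 5                 # assumed: failures needed to raise rule 3
FAIL_WINDOW = timedelta(minutes=10)  # assumed: look-back window for rule 3


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, user, ip, country, mfa, result = raw
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "mfa": mfa, "result": result}


def detect(raw_events):
    """Return a list of (rule, user, detail) tuples, in chronological order."""
    events = sorted((parse_event(e) for e in raw_events), key=lambda e: e["ts"])
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen in past successes
    recent_failures = defaultdict(list)  # source ip -> timestamps of failures
    for e in events:
        if e["result"] == "failure":
            recent_failures[e["ip"]].append(e["ts"])
            continue
        # Rule 1: success without a second factor.
        if not e["mfa"]:
            alerts.append(("no_mfa", e["user"], e["ip"]))
        # Rule 2: success from a country never seen for this user.
        # The first success for a user only seeds the baseline.
        known = seen_countries[e["user"]]
        if known and e["country"] not in known:
            alerts.append(("new_country", e["user"], e["country"]))
        known.add(e["country"])
        # Rule 3: success after a burst of failures from the same IP.
        window_start = e["ts"] - FAIL_WINDOW
        fails = [t for t in recent_failures[e["ip"]] if t >= window_start]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", e["user"],
                           f"{len(fails)} failures from {e['ip']}"))
        recent_failures[e["ip"]] = []   # a success closes the failure window
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed log this yields one alert per rule: bob's login without MFA, alice's first appearance from RU, and carol's success after five failures from the same address. In a real deployment the baseline for rule 2 would be persisted across runs, and rule 3 would normally key on the target account as well as the source IP, so that a spray across many accounts from one address is not missed.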
