Strategic moves to battle Human Operated Ransomware attacks
Microsoft named them adaptable, resourceful, and persistent. They pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today: Human Operated Ransomware Attacks.
In these hands-on-keyboard attacks, which rely on credential theft and lateral movement, the attackers usually have comprehensive knowledge of systems administration and of common network security misconfigurations, and they perform thorough reconnaissance. They quickly adapt to whatever they find in a compromised network, which makes these attacks particularly damaging.
Investigations have shown that these ransomware campaigns often operate in plain sight rather than covertly, and that the attackers are able to move freely through networks that lack internal restrictions.
Ransomware campaign examples:
Ryuk
History: According to IDG, Ryuk first appeared in August 2018 and developed from an older ransomware program called Hermes, which was sold on underground cybercrime forums in 2017.
How it works: Ryuk attackers use manual hacking techniques and open-source tools in combination with other malware to move laterally through private networks, accessing and controlling as many systems as possible before they start encrypting files.
Targeted victims: Businesses, hospitals, and government organisations.
REvil (Sodinokibi)
History: Sodinokibi, aka REvil (Ransomware Evil), first emerged in 2019. IBM reported that one in every three ransomware infections involved REvil/Sodinokibi.
How it works: REvil spreads in several ways, including by exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. If the victims don't pay the ransom, they won't get their data back and, what's worse, the attackers will sell it on underground forums.
Impact: REvil was responsible for shutting down more than 22 small towns in Texas and forced the UK currency exchange service Travelex to its knees on New Year's Eve 2019. The REvil gang adjusts its ransom demands based on the annual revenue of the victim organisation (between USD 1,500 and USD 42 million).
Targeted victims: A wide range of organisations globally.
SamSam
History: Since 2015, SamSam has mainly targeted healthcare organisations.
How it works: SamSam is a RaaS (ransomware-as-a-service) operation whose controllers examine pre-selected targets for weaknesses. SamSam attacks are critically damaging, as the attackers escalate privileges when they start encrypting files.
Targeted victims: US-based healthcare and government organisations.
What can organisations do to prevent these attacks?
Building an optimal organisational security posture is key to defending networks against human-operated attacks and other sophisticated threats. At The Missing Link, our end-to-end approach to security combines factual evidence and a strategic roadmap to improve your organisation's security posture.
Our Security Controls Review is a workshop designed to help you achieve a more mature, secure IT environment. In the workshop, we perform a security posture assessment on your current IT environment to give your business a score in relation to our security maturity model.
From here, we generate a report that outlines our recommendations and a roadmap to achieve your desired maturity.