The rising threat of human-controlled ransomware
Article by Attivo Networks regional director for A/NZ Jim Cook.
Of all the potentially disruptive and costly cyber threats faced by legal firms today, one of the most significant is ransomware attacks.
Cybercriminals manage to inject malicious code into an IT infrastructure where it then encrypts vital data stores, preventing access by staff. The criminals then demand a ransom payment in exchange for the decryption keys.
Until recently, most ransomware attacks have been automated affairs. Attackers try to spread their code as widely as possible in the hope of infecting and locking down systems.
However, things are now changing. There is a rise in so-called human-controlled ransomware that is much more targeted and potentially dangerous. As the name suggests, these attacks are not automated but rather manually controlled by a cyber-criminal in real-time.
This evolution is the latest development of a threat that has been evolving for some years. When it first appeared, ransomware code tended to target consumers and demand relatively small payments to unlock their infected PC.
More recently, however, the attention of cybercriminals has shifted into the business sector, where the potential for bigger payment demands is more significant. A consumer losing access to a PC is one thing, but a ransomware attack locking a law firm out of critical files and systems is another thing altogether.
Taking a human-controlled approach to a ransomware attack shifts the goalposts even further. Rather than relying on code to find suitable targets for encryption, a human operator can take time to move laterally through an IT infrastructure and be sure they are locating the most valuable data stores.
Depending on the skill level of the cyber-criminal, it could be possible to spend weeks or even months combing through an extensive IT infrastructure and identifying potential targets. Once the attacker has confirmed a target, it can set the timing of the encryption to make the attack as debilitating as possible, thereby maximising the prospects of swift payment of the demands.
To add insult to injury, many criminals are stealing sensitive data and then using it as leverage to force payment by threatening to release it to the public. Often, the attackers will disclose a sample of the data and then raise the ransom demand, subsequently requiring a second payment to prevent further disclosure of the data. The firm thus faces double-extortion, once to decrypt their data, a second time to stop disclosure of stolen information.
Cybercriminals can also provide a ransomware-as-a-service offering. They offer their knowledge to other criminals not as well versed in the tactics and techniques, in exchange for a portion of the end payment they receive.
Protecting a law firm against human-controlled ransomware attacks requires the same steps taken to prevent automated attacks. One of the first steps is staff education to ensure people are aware of the dangers of opening unusual email attachments or clicking on web links. These simple actions can give an attacker the initial access to the IT network, and, from there, they can execute their attack plan.
On the security front, an increasingly popular and successful approach is to undertake what security professionals term a deception strategy. This approach involves deploying components, such as applications and file stores, that blend in within a corporate IT infrastructure. However, they have nothing to do with day-to-day operational activities, and because the staff has no reason to access these resources, any access is highly likely to be part of a cyberattack.
Once the decoy assets trigger a warning, the IT team can then safely observe the attacker and understand their goals and operating methods. The organisation can then take steps to remove them from the network and prevent their return.
In the past, cybersecurity teams have tended to focus on using perimeter-based prevention techniques. However, when one considers the growth of threats such as human-controlled ransomware, this approach is no longer sufficient.
Instead, proactive techniques such as cyber-deception should also be part of the security mix. Law firms will then be better able to detect and derail threats much earlier so that criminals cannot establish a foothold or complete their planned attack.
Understanding the continually evolving threat landscape is also crucial, as techniques that work today may not be useful in the future. Take the time to understand the threats and deploy effective countermeasures to position one’s organisation well in the future.