July 19, 2024
Blog

Cyber Threat Deep Dive #2 - Ransomware

In the latest in our blog series taking a detailed look at specific types of cyber threat, we turn the spotlight on the pernicious world of Ransomware.

Following on from Cyber Threat Deep Dive #1, in this blog we take a look at the rise of Ransomware.

Ransomware is a type of malicious software (malware) designed to hold your data prisoner, making it inaccessible until a ransom is paid. Your valuable files – photos, documents, financial records – are locked away in the digital vault of encryption.

  1. Infection: The malware infects your system through various methods like phishing emails, malicious attachments, or software vulnerabilities. This enables threat actors to gain control of your systems and explore your network.
  2. Exfiltration: Your data is harvested and sent back to the threat actors for exploitation.
  3. Encryption/Lockdown: The ransomware is deployed, encrypting your files, or locking you out of your device.
  4. Ransom Demand: A message is left behind or pops up on your screen, informing you of the attack and demanding a ransom payment (often in cryptocurrency) for the decryption key or access to your system.

The pressure is immense. Businesses face the potential loss of critical data, operational downtime, and reputational damage. Individuals risk losing irreplaceable personal files and memories.

Paying the ransom is risky. There's no guarantee of decryption. It fuels cybercrime.

Multi-Extortion

As if things weren't bad enough, ransomware has taken a nasty turn with the rise of “Double-Extortion”, "Triple-Extortion", “Quadruple-Extortion” etc. Here are some of the typical threats from Ransomware:

  1. Data Theft: The attackers steal your sensitive information before encryption, threatening to leak anything sensitive to the wider world.
  2. Encryption: Your data is encrypted through many different means, sometimes total encryption of files, or just critical elements of those files.
  3. Credential Harvest: With your business data, the threat actors have also taken your valuable login information. They can use this information (or sell it) to breach your systems again, or any other systems you may use with the same credentials such as banking information, or even create fraudulent accounts using your leaked details.
  4. Double Dipping: Groups have been known to threaten businesses to release their data, even months after payments have been made, unless they pay even more money.
  5. DDoS (Distributed Denial of Service): Threat actor groups have been known to apply pressure by artificially overwhelming your systems whilst you negotiate payments.
  6. Threats of Harm: Some groups have threatened physical harm of individuals including their families unless payment is made.

Major Ransomware Cases

Here are some real-world examples of the havoc ransomware can wreak:

  • WannaCry (2017): This global cyberattack exploited a vulnerability in Microsoft Windows systems to encrypt data on a massive scale. WannaCry crippled over 200,000 computers across 150 countries, including critical infrastructure such as hospitals, government agencies, and businesses. The attack caused significant disruptions, financial losses, and panic as essential services were compromised. While the attackers demanded ransom payments in Bitcoin, the true cost of WannaCry extended far beyond financial losses, as hospitals struggled to operate amongst the chaos. It highlighted the interconnectedness of the digital world and the potential consequences of widespread cyberattacks.
  • NotPetya (2017): In June 2017, Maersk, a global leader in shipping and logistics, experienced a devastating attack with NotPetya, a destructive malware disguised as ransomware. Unlike typical ransomware, NotPetya focused on wiping data rather than encryption, causing immense damage. While targeting Ukrainian entities, the attack rippled across the globe due to Maersk's international reach. Their critical systems were crippled for weeks, leading to operational disruptions, financial losses estimated at $250-$300 million, and a domino effect on global supply chains.
  • DarkSide (2021): The Colonial Pipeline attack of May 2021 serves as a significant example of ransomware targeting critical infrastructure.  The attack impacted computerised equipment managing the pipeline, forcing the company to shut down operations as a precaution. While the primary target was believed to be the billing infrastructure, the shutdown caused widespread panic and fuel shortages along the East Coast of the US. Although the company eventually paid a reported $4.4 million ransom to regain access, this incident highlighted the vulnerability of essential services and the potential economic disruption caused by ransomware attacks.
  • Rhysida (2023): This particular attack, by Rhysida, crippled the British Library's IT systems for months, disrupting operations, and resulted in the theft and leak of internal HR data. The library commendably refused to pay the ransom and is currently focused on recovery and IT modernisation efforts. The British Library published an excellent document on 8th March 2024 detailing the attack so that the wider community can learn from the incident.

Industries Under Siege: Prime Targets for Ransomware

Ransomware attacks can hit any organisation, but some industries are more vulnerable due to the sensitive data they handle or the potential disruption to their operations. Here are some of the top targets:

  • Healthcare: Hospitals and medical facilities are prime targets due to the life-critical nature of their data (patient records) and their reliance on functioning IT systems.
  • Manufacturing: Disruptions to production lines and critical industrial control systems can be immensely costly for manufacturers.
  • Government Agencies: Government organisations hold a wealth of sensitive data and often have complex IT infrastructure, making them attractive targets.
  • Financial Services: Financial institutions manage highly sensitive financial data, making them a lucrative target for ransom attacks.

Notorious Ransomware Groups

The ransomware landscape is constantly evolving, with new threat groups emerging all the time. Here are just a handful of the prominent ransomware groups causing trouble in recent times:

  • LockBit: Recently in the news for being taken down by international law enforcement, and swiftly returning. this prolific group has been around since 2019 and is responsible for a significant portion of ransomware attacks. They operate using a Ransomware-as-a-Service (RaaS) model, where they develop and maintain the ransomware tools and infrastructure, and then lease them out to other cybercriminals. This model allows LockBit to scale their operations and reach a wider range of victims. Arguably the first group to act as a business, even paying for white-papers and novel software weaknesses (zero-days) to grow their capabilities.
  • Akira: This relatively new ransomware group emerged in 2023 and quickly rose to prominence. Akira is known for its aggressive tactics, employing high volumes of attacks, and leveraging stolen data to pressure victims into paying ransoms. Security researchers believe Akira may have ties to the now-defunct Conti ransomware group, due to similarities in their code and targeting strategies.
  • 8Base: Another newcomer to the scene, 8Base first appeared in March 2022. They have gained notoriety for their technical sophistication and focus on data exfiltration. 8Base often targets organisations in the business services, manufacturing, and construction sectors. They are not afraid to leak stolen data to extort victims, making them a serious threat.

Protecting Yourself from Ransomware

There's no foolproof shield, but here are some steps you can take to significantly reduce your risk of falling victim to Ransomware and Cybercrime in general:

  • Regular Backups: Implement a regular backup schedule for your critical data. Store backups on a separate server using different credentials and consider using the (for now) ‘un-hackable’ offline, physical tape drives.
  • Software Updates: Always keep your operating system, applications, and firmware updated with the latest security patches. Outdated software contains vulnerabilities that attackers can exploit.
  • Phishing Awareness: Train yourself and your staff to identify and avoid phishing emails and suspicious attachments. Look out for red flags like generic greetings, grammatical errors, and requests for urgent action. Don't click on suspicious links or download attachments from unknown senders.
  • Security Software: Invest in robust security software with real-time protection against malware, including ransomware. Enable features like email filtering and web filtering for additional layers of defence.
  • Security Awareness Training: Conduct regular security awareness training for your employees to educate them on cyber security best practices, including password hygiene and social engineering tactics.
  • Incident Response Plan: Develop a comprehensive incident response plan that outlines the steps to take in case of a ransomware attack. This plan should include procedures for isolating the infected system, notifying the appropriate authorities, and restoring data from backups.

CCL’s Incident Investigation Team can support your business by providing the following services when ransomware strikes:

Containment and Eradication:

  • Identifying the source: We can help identify the point of entry for the ransomware, such as a phishing email or a software vulnerability. This helps prevent further infection within the network.
  • Isolating infected systems: Our team can assist in isolating infected devices to prevent the ransomware from spreading laterally and compromising additional systems.
  • Forensic analysis: We can conduct forensic analysis to understand the scope of the attack, the type of ransomware involved, and the data that may have been compromised.

Recovery and Restoration:

  • Data recovery: If backups are available and haven't been compromised, we can help restore affected systems and data from those backups.
  • Negotiation (if applicable): In some cases, negotiation with the attackers might be necessary. We can advise on communication strategies and help assess the feasibility of paying a ransom (though this is generally not recommended).

Post-Incident Activities:

  • Damage assessment: We can help assess the overall damage caused by the attack, including data loss, operational downtime, and reputational harm.
  • Reporting: We can assist with creating a comprehensive report that documents the incident, the response actions taken, and the lessons learned.
  • Improved security posture: Based on our findings, we can recommend improvements to your organization's security posture to prevent similar attacks in the future. This may involve strengthening access controls, improving user education, or implementing new security tools.

CCL’s Incident Investigation Team serves as a valuable resource throughout the entire ransomware response process. We offer expertise, guidance, and support to help your organisation mitigate the impact of an attack and recover as quickly and efficiently as possible.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.

Get in touch