I believe there is value in more people having a deeper understanding of what is behind some of the recent cybersecurity incidents. Because this is a new breed of threat, from a new generation of bad actors, operating with a whole new set of capabilities. This threat is closely tied to Russia and will get a lot worse than it already is. Major companies, infrastructure services, and just about anything tied to a computer of any sort is at risk these days. No defense is perfect.
These are not the hackers of a few years ago, who took pride in crashing systems, defacing websites, and causing chaos. Those folks were in it for fun and challenge. Sometimes they got caught. Usually they did not. Afflicted systems would be down for a few hours or a couple of days. They would be restored, hardened, and put back in business. The damage was generally containable and not very profitable for the attacker. Ransomware has also been on the scene for a number of years now. The early attacks were somewhat clumsy and unsophisticated. That has all changed now.
Most large organizations have invested substantially in their security infrastructure. The layers of defense are many and some are quite costly. But there is really no choice. Tools include obvious things like two-factor authentication, up-to-date patching, antivirus, email scanning, firewalls, etc. More costly things include a full-time Security Operations Center that monitors all device logging, active scanning for threat signatures on the network, and even AI-based tools that look for changes in flows of network traffic. This stuff costs millions and takes expensive people to run it all. It usually works pretty well, most of the time.
But every defense a company can employ has an effective counter. You just hope to be secure enough that your attacker will look elsewhere. If they are skilled and determined enough, there are always ways to get through. Just because a company became a victim doesn’t necessarily mean that their IT staff was not skilled and capable.
Ransomware “as a service” has emerged as a newer threat. These are essentially pre-built business models and tools that a hacker can use so that they don’t have to create their own malicious code. The hacker can then concentrate on penetrating the business, and the Ransomware provider is paid for the use of their tools. Here's a brief overview from one security service provider.
Attacks can start in many ways, but they usually begin with some sort of knowledge of the company. Executives, IT staff, and other trusted employees are often researched. Knowing their affiliations can provide a way in. Maybe via a faked email from a trusted customer or charitable organization. Or via a newly acquired subsidiary that hasn’t yet been fully hardened. (I’ve personally seen that.) Maybe via a thumb drive left in a nearby coffee shop. A prominent 2019 intrusion was via software patches from a well-known provider. IT staff applied the patches to protect their networks, thus opening them up to compromise. We’ll see more attacks like this, via the software supply chain. (I don’t know whether that particular intrusion led to any ransomware incidents, but it certainly opened up the possibility.)
Once inside, the attacker will lurk for a while. Days, weeks, maybe months. They will gain an understanding of the network topology, naming conventions, and data stores. They will find a way to escalate their privilege to a higher level, often via a test system that doesn’t receive the same scrutiny as production but is still privileged, or by compromising access that was provided to a vendor. All it takes is one mistake.
With both knowledge and escalated privileges, the attacker can identify and download sensitive data. The data may be valuable or compromising. It could include anything on the system. We hope the most sensitive stuff is encrypted. But there are times when even encrypted data is vulnerable. It has to be decrypted to be read by a person on a screen.
The attacker then installs the ransomware payload, set to detonate at a particular time. Long enough into the future that the payload is incorporated into multiple backups and present at any mirrored data centers. And if the attacker has gained access to the system backups, those are also encrypted at detonation time. At T0, all systems go offline.
Ransom is demanded. $6M is the latest data I’ve seen on the average demand. Some of the ransomware service providers include a payment facility for victims. You can report the incident to law enforcement, but the actors are offshore. For obvious reasons, there’s not a lot of hard data on the percentage that pay, but we know it is enough to make this a profitable business model.
The attacker and ransomware provider strive to be reliable business partners. If you pay, they will agree to not release your data and will provide the tools to decrypt your systems. This is a very tempting path. If you do not pay, they will be equally reliable at posting your sensitive data publicly, and your systems will stay encrypted.
Ongoing vigilance in basic security practices, “immutable” backups and “air gaps” are the defenses of choice these days. But even restoring things from a “safe” backup is an arduous task. Since the backup likely included the payload, it will attempt to spring to life and re-encrypt on restoration. Backups need to be cleansed of the infection before systems can be rebuilt. All in all, you’ll be down for a while. Maybe weeks.
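As an added illustration of the "cleanse before you rebuild" step (example code written for this page, not the author's own tooling): a pre-restore check that diffs the file manifest of a later backup against a manifest taken from a known-good snapshot, and lists the executables and scheduled-task files that were added or changed during the gap so they can be reviewed before anything is restored. The paths and hashes are constructed sample data.

```python
"""Pre-restore backup review: flag files that appeared or changed between a
known-good backup snapshot and a later one, narrowed to file types a time-bombed
payload would typically need (binaries, scripts, scheduled-task definitions)."""
import hashlib


def sha256_of(text: str) -> str:
    """Stand-in for hashing real file contents; here we hash constructed strings."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed manifests (path -> SHA-256 of contents). In practice these come
# from walking each backup snapshot; the values below are sample data only.
KNOWN_GOOD = {
    "C:/Windows/System32/svchost.exe": sha256_of("svchost-v1"),
    "C:/Users/alice/Documents/report.docx": sha256_of("report-v1"),
    "C:/Windows/Tasks/backup.job": sha256_of("backup-job"),
}
LATER = {
    "C:/Windows/System32/svchost.exe": sha256_of("svchost-v1"),
    "C:/Users/alice/Documents/report.docx": sha256_of("report-v2"),  # normal user edit
    "C:/Windows/Tasks/backup.job": sha256_of("backup-job"),
    "C:/Windows/Tasks/update.job": sha256_of("new-task"),            # new scheduled task
    "C:/ProgramData/updater/svc.exe": sha256_of("unknown-binary"),   # new binary
}

# File types worth a human look before restore; extend to suit the environment.
REVIEW_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".job")


def diff_snapshots(known_good: dict, later: dict):
    """Return (added, changed, removed) path lists between two manifests."""
    added = sorted(p for p in later if p not in known_good)
    changed = sorted(p for p in later if p in known_good and later[p] != known_good[p])
    removed = sorted(p for p in known_good if p not in later)
    return added, changed, removed


def review_candidates(known_good: dict, later: dict) -> list:
    """Added or changed files whose type suggests they need review before restore."""
    added, changed, _ = diff_snapshots(known_good, later)
    return sorted(p for p in added + changed if p.lower().endswith(REVIEW_SUFFIXES))


if __name__ == "__main__":
    for path in review_candidates(KNOWN_GOOD, LATER):
        print("review before restore:", path)
```

The changed .docx is reported by diff_snapshots but filtered out of the review list, which is the point: a user editing a document is normal, a new binary or scheduled task appearing in a backup is not.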
As I write this, Dish Network has had their internal systems down since February 23rd. I doubt there are a lot of happy folks over there right now. And they may have been very competent and diligent in their attempts to prevent this, but the attacker was more so. Every long outage that hits the press increases the likelihood that the next company will pay out, because this stuff is scary. As in lose your job and crash the stock scary. Unlike most crime, publicity is good for these actors.
Cyber insurance companies are raising rates, increasing deductibles, and becoming very careful about who they will cover and under what circumstances. Liability is becoming a major concern.
The technology will eventually be able to better address the threat, but that could take a long time. We also need very strong government pressure against the countries that host these activities. Stronger than we have today, with real consequences. This is terrorism. For profit.
One of the worst IT proposals I have ever seen is DJT’s suggestion that the US and Russians should work jointly to prevent hacking. He did that. Let’s just ask the Boston strangler to massage our necks while we’re at it.
Backup your data and unplug the backup drive. And if you get hit, don’t plug that drive back in. Call for help.
Cheers.