Cyberattacks are almost as old as the internet itself. A medium built to be open and collaborative inherently found its flaw in the abuse of that openness.
In the early days, attacks were largely experimental and opportunistic. We first saw worms in the 80s, such as the one created by a 23-year-old Cornell University graduate, Robert Morris, whose worm replicated across the internet, crashing around 10 percent of the 60,000 computers connected to it. In the 90s, we saw a phishing scam in which users reluctant to pay for internet access used free trial periods to pose as administrators and phish for genuine credentials.
If we skip to the modern day, many of the old principles remain the same (compromise unsuspecting users by appearing legitimate, then land and expand to reach more victims), but the engine these scams are fueling is much more sophisticated and arguably becoming more destructive and violent in an attempt to become more effective.
Cybercriminals Turn the Screw
Holding files hostage for money isn’t a new concept; indeed, the PC Cyborg virus asked victims to send money to a P.O. Box in return for a floppy disk full of files. Cryptocurrency changed the game with ransomware, however, and turned it into a difficult-to-trace and therefore highly lucrative scam. As with other cyberattacks, we have seen an evolution not only in how a ransomware attack is coordinated but also what changes have been made to aid its effectiveness.
One noticeable shift was double extortion. In addition to encrypting files and demanding a ransom, cybercriminals added the threat of exposing the data online. For many businesses, this publicly put their customers' data at risk and called their data management practices into question, not to mention the potential fines and legal action that may have followed.
A trend we're seeing today is "intermittent encryption," where only parts of a file are encrypted, but because of how the file is structured, its content is as unrecoverable as if every byte had been encrypted. This allows threat actors to move faster. We are also observing certain threat groups intermittently damage data during ransomware incidents. In these engagements, data inside a file is corrupted during the attack to the extent that decryption is impossible, because the data itself is no longer intact. Even if the data owner pays the ransom, they will not be able to recover their data. The tactic is used by cybercriminals to pressure the victim into paying, to prevent the remaining files from being damaged.
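The partial-encryption pattern described above, illustrated from the defender's side as an added example (this is not code from the original article): a per-chunk Shannon entropy scan that separates an intact file from one whose chunks are alternately overwritten, which a single whole-file entropy reading blurs. The sample document and the chunk-overwriting stand-in are constructed here; random bytes stand in for ciphertext, and the 4 KiB chunk size and 7.0-bit threshold are assumed values.

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 4096      # assumed scan granularity in bytes
HIGH_ENTROPY = 7.0     # assumed threshold in bits/byte; ciphertext is ~8.0, documents far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, so partially encrypted files stand out."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY) -> str:
    """'intact' (no high-entropy chunk), 'fully_encrypted' (every chunk), else 'intermittent'."""
    high = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if not high or not any(high):
        return "intact"
    return "fully_encrypted" if all(high) else "intermittent"


def make_document(size: int = 64 * 1024) -> bytes:
    """Constructed sample: a low-entropy text file of repetitive records."""
    out, i = bytearray(), 0
    while len(out) < size:
        out += b"customer record %06d: contact details and invoice totals\n" % i
        i += 1
    return bytes(out[:size])


def simulate_intermittent(data: bytes, chunk_size: int = CHUNK_SIZE, every: int = 2) -> bytes:
    """Constructed stand-in for a partially encrypted file: every `every`-th chunk is
    overwritten with random bytes (mimicking ciphertext; no cipher is involved)."""
    out = bytearray(data)
    for start in range(0, len(out), chunk_size * every):
        end = min(start + chunk_size, len(out))
        out[start:end] = os.urandom(end - start)
    return bytes(out)


if __name__ == "__main__":
    doc = make_document()
    for label, sample in [("intact", doc), ("intermittent", simulate_intermittent(doc)),
                          ("full", simulate_intermittent(doc, every=1))]:
        print(f"{label:12s} whole-file={shannon_entropy(sample):.2f} "
              f"chunks={[round(e, 1) for e in chunk_entropies(sample)]} -> {classify(sample)}")
```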
In a business email compromise (BEC), threat actors are increasingly taking pages from the ransomware organized crime groups and moving from straight wire fraud/wire transfer tactics to data exfiltration and extortion tactics. They threaten to expose the data publicly and look for a payout to keep from posting the data.
A Violent Future
It will come as no surprise that cybercriminals are refining their tactics to become more effective, but where this may lead is increasingly a cause for concern.
From an individual's perspective, people face businesses that cannot function because data has been destroyed, as well as their own personal privacy being compromised. For businesses, recovery looks more difficult, as previous safeguards are becoming less feasible. For example, if the data has been destroyed, there is no point paying a ransom to have it returned. Beyond this, regulators are cracking down on ransomware payments. In Florida and North Carolina, for example, it is now against the state statutes for a public sector organization to pay a ransom. Cyber insurance is also becoming more difficult to source and its terms more stringent, reducing the amount of coverage available to firms and consequently increasing their potential exposure.
There has also been evidence of online threats and retaliation crossing into the physical world. Violence-as-a-service has been reported within the cybercriminal community, where harassment between rival groups has resulted in “swatting attacks.” There have been examples of brickings, firebombings and even shootings for hire that have begun in cybercriminal conversations online.
The SIM swapping community may be particularly open to this. In a SIM-swapping scenario, a thief hijacks a victim’s phone number through a cyberattack in order to assume their identity, make fraudulent payments and so forth. With the motivation of money, perhaps, similar individuals would be willing to take what began as an online ransomware threat and extortion attempt into the physical world.
On the whole, avoiding becoming the victim of a cyberattack comes down to doing the cyber security basics well and raising the proverbial castle walls so that you are not one of the "low-hanging fruit" targets compared to the next potential victim. If there are too many hurdles for an attacker to get into your systems in the first place, and fewer barriers at the next potential victim, that victim is the easier and more likely target; it is truly that simple. Threat actors evaluate speed and accessibility in their intrusion lifecycles.
At a simple level, this means reducing your employees' susceptibility to phishing attacks and having good data management processes to ensure that access rights are kept to a minimum and sensitive data is protected. It is also important to continuously monitor your networked endpoints, including servers and cloud resources. Data exfiltration is normally a precursor in the intrusion lifecycle to a cybercriminal launching a ransomware attack; if it is intercepted early enough, security teams may be able to mitigate the impact of the incident.
Beyond following best practice cyber principles, it is important for us to remember that the cyber and physical world are not so distant. The data that cybercriminals are holding to ransom has real consequences, and if exposed, identities can be compromised and people can lose control of accounts that they rely on. If we do begin to see growth in violence-as-a-service within the cyber community, this will become more significant, and we will need to evolve defense for the future.
For businesses, this may mean building and engaging more multidisciplinary teams for the future. We are already seeing increased appetite for broader response teams in incidents. It is now often necessary to have technical experts, dark web intelligence analysts, insurance specialists, lawyers, strategic comms support, technical recovery teams and ex-law enforcement in a response team. Perhaps, increasingly, we’ll start to see physical security risk management teams also added to that list.