The rise of ransomware attacks

26 October 2020 by Tilly Holland


Cybersecurity attacks have surged during the coronavirus pandemic. It is now more critical than ever that organisations and individuals are aware of steps they can take to mitigate the risk of being a target. The situation has gotten so bad that the U.S. Department of the Treasury's Office of Terrorism and Financial Intelligence has issued a pair of advisories to assist individuals and businesses in efforts to combat ransomware attacks.

In conjunction with National Cybersecurity Month, we wanted to use this blog to bring the advisories to your attention and to review the latest 2020 ransomware threat report from CrowdStrike.

Before we delve into the depths of the two advisories, we thought it would be beneficial to highlight what the Treasury defines as ransomware. 

According to the Treasury, ransomware is defined as "a form of malicious software ('malware') designed to block access to a computer system or data, often by encrypting data or programs on information technology (IT) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims' access to their systems or data. In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be individuals or business entities."

The advisories and what they mean

The two organisations releasing the advisories are the Treasury's Financial Crimes Enforcement Network (FinCEN) and the Treasury's Office of Foreign Assets Control (OFAC).

1. The FinCEN advisory is entitled "Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments." The aim of the advisory is to "provide information on the role of financial intermediaries in payments, ransomware trends, and typologies, and related financial red flags. It also provides information on effectively reporting and sharing information related to ransomware attacks."

Financial intermediaries have an essential role to play in preventing money from changing hands under duress. As with standard fraud detection, the advisory explains that intermediaries are expected to intervene by actively detecting suspicious transfers and reporting any attempted transactions through appropriately categorized SAR filings. The FinCEN advisory provides ten red flags for intermediaries to integrate into their algorithms, helping such organizations identify payments made under duress.

2. The OFAC advisory is entitled "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments." The advisory aims to "highlight the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities."

Regardless of the duress a business is under when targeted by cybercriminals, it is ultimately responsible for any OFAC exposure incurred by the transfer of funds.

For example, if an organisation acts on impulse and exchanges money with a hacker, OFAC penalties may be incurred regardless of the context. While the attack may be considered when assessing the OFAC exposure, it won't protect the organization from ultimately being held responsible.

Why are they needed? 

Over the last 12 months, the severity and sophistication of ransomware attacks have continued to rise across various sectors. The recent attack on Universal Health Services (UHS) reminds us that no organisation is safe from ransomware. In fact, according to CrowdStrike's 2020 Threat Report, this year has seen a dark turn in cybercrime, one that has moved from targeting large government entities to preying on educational institutions and understaffed and overburdened public institutions.

Ransomware attacks on organisations such as healthcare, government, and educational institutions have increased, most likely due to the victims' weaker cybersecurity controls and the sensitivity of their data. Without adequate backup systems and incident response capabilities, small businesses and public institutions are easy targets for cybercriminals. Large government corporations have resigned themselves to being targeted by bad actors and have the funds and skilled resources to take steps to protect themselves. It's an entirely different matter for typical organisations and individuals trying to do their primary business.

New ransomware techniques 

The CrowdStrike threat report highlights some new trends in ransomware tactics. These include: 

Attempting to terminate security products  

Cybercriminals are now trying to remove security software, such as endpoint protection products or security information and event management (SIEM) alert forwarders. Publicly available utilities used for this purpose include PCHunter, ProcessHacker, PowerTool x64, GMER, Total Uninstall Portable, and Defender Control.
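A defender can hunt for the utilities named above in process-creation telemetry. The sketch below is an added example, not code from CrowdStrike or Ontrack; it assumes events are dictionaries using Sysmon Event ID 1 field names, and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Match tokens derived from the utility names listed in the article.
LISTED_TOOLS = {
    "pchunter": "PCHunter", "processhacker": "ProcessHacker",
    "powertool": "PowerTool x64", "gmer": "GMER",
    "totaluninstall": "Total Uninstall Portable",
    "defendercontrol": "Defender Control",
}
# Assumed event shape: field names as in Sysmon Event ID 1 (process creation).
FIELDS = ("Image", "OriginalFileName", "Product", "Description")

def _normalise(value):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def match_listed_tool(event):
    """Return (tool, field) for the first listed utility found, else None."""
    for field in FIELDS:
        raw = event.get(field) or ""
        if field == "Image":
            raw = PureWindowsPath(raw).stem  # file name only, ignore directories
        text = _normalise(raw)
        for token, tool in LISTED_TOOLS.items():
            # Prefix match keeps short tokens such as "gmer" from hitting mid-word.
            if text.startswith(token):
                return tool, field
    return None

def triage(events):
    """Return (host, user, tool, field) for each event naming a listed utility."""
    hits = []
    for ev in events:
        hit = match_listed_tool(ev)
        if hit:
            hits.append((ev.get("Computer"), ev.get("User"), *hit))
    return hits

# Constructed sample events (not real telemetry); the second is a renamed binary.
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS-07", "User": "CORP\\jdoe", "Product": "Process Hacker",
     "Image": "C:\\Users\\jdoe\\Downloads\\ProcessHacker.exe"},
    {"Computer": "FIN-WS-07", "User": "CORP\\jdoe", "OriginalFileName": "gmer.exe",
     "Image": "C:\\Windows\\Temp\\svch0st.exe"},
    {"Computer": "HR-WS-02", "User": "CORP\\asmith", "Product": "Microsoft Windows",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]
```

Checking the embedded file metadata as well as the image name is what catches the renamed copy; several of these utilities also have legitimate administrative uses, so hits need triage rather than automatic blocking.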

Use of compromised sites hosting WordPress CMS 

CrowdStrike has noted that 2019 saw an increase in cybercriminals using compromised websites hosting individual WordPress content management systems (CMS). The sites were used to deliver malware (REvil, MUMMY Spider's EMOTET, and Qakbot). In addition, certain sites that were compromised through WordPress vulnerabilities were also implicated in credential harvesting operations. CrowdStrike also "identified several malicious phishing pages designed to impersonate a Microsoft Office 365 landing page. Most of these pages were hosted on legitimate domains likely compromised through vulnerabilities in CMS plugins."

Dropper document builders and distribution services 

The development of numerous dropper document families named Gemini, Leo and Virgo was noted in late 2019. These malicious, macro-enabled documents allow the distribution of multiple malware variants from a single document, allowing the theft of information.

Email thread hijacking 

This new type of cybercrime exploits email content previously collected by Emotet's email harvester module. After a victim's email content has been stolen, the malware identifies email threads by the subject line (e.g., Re:) and formulates a reply to the thread. This tactic increases the likelihood that a recipient will open a malicious attachment (or click a link) because the sender appears to be someone they previously communicated with, and the subject line matches a previous conversation thread that they had with that person. 
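The two properties described above (a subject that matches an earlier thread, and a sender who appears to be a known correspondent) can be turned into a mail-filter check. This is an added example, not part of the CrowdStrike report; the `known_threads` index, the signal names and both messages are hypothetical and constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

REPLY_PREFIX = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)

def thread_key(subject):
    """Subject with reply/forward prefixes removed, lower-cased."""
    return REPLY_PREFIX.sub("", subject or "").strip().lower()

def hijack_signals(raw_message, known_threads):
    """Return the signals a message raises against the mailbox's history.

    known_threads maps thread_key -> {display name (lower-case): address}
    for correspondents already seen on that thread (hypothetical local index).
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    name, addr = parseaddr(msg.get("From", ""))
    participants = known_threads.get(thread_key(subject))
    if not REPLY_PREFIX.match(subject) or participants is None:
        return []  # not a reply to a thread this mailbox knows
    signals = ["reply-to-known-thread"]
    # Familiar display name, but an address that person never used on the thread.
    expected = participants.get(name.strip().lower())
    if expected and expected != addr.lower():
        signals.append("known-name-new-address")
    has_attachment = any(part.get_filename() for part in msg.walk())
    body = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/plain")
    if has_attachment or re.search(r"https?://", body):
        signals.append("attachment-or-link")
    return signals

# Constructed history and messages (example data only).
KNOWN_THREADS = {
    "q3 invoice schedule": {"dana reyes": "dana.reyes@supplier.example"},
}
HIJACKED = """From: Dana Reyes <billing@unrelated.example>
To: pat@corp.example
Subject: RE: Q3 invoice schedule

Please see the updated file: http://files.unrelated.example/doc
"""
GENUINE = HIJACKED.replace("billing@unrelated.example",
                           "dana.reyes@supplier.example")
```

A message raising all three signals is the pattern described above; a reply from the correspondent's usual address raises only two, which is why the address comparison carries the weight.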

Other ransomware techniques 

Phishing attacks: Campaigns that induce victims to download a malicious file or visit a malicious site, exploit remote desktop protocol endpoints and software vulnerabilities, or deploy "drive-by" malware attacks that host malicious code on legitimate websites.

Big game hunting schemes: Where cybercriminals selectively target large organisations to demand bigger ransoms. 

Partnerships and sharing resources: Some cybercriminals are sharing resources to enhance the effectiveness of their ransomware attacks. Some examples include the sharing of ransomware exploit kits that come with ready-made malicious code. Some groups are sharing advice, code, trends, and techniques to increase their success rates.

Double Extortion scheme: This involves removing sensitive data from the targeted networks, encrypting the system files, and demanding ransom. The criminals then threaten to publish or sell the stolen data if the victim fails to pay the ransom.

How can organisations prevent ransomware? 

Cybercrime will continue to grow as long as the people behind it are making money from the attacks. Putting steps in place to ensure organisations are in an excellent position to defend against ransomware is more critical than ever. Below are CrowdStrike's top tips to protect your organization going forward.

  1. Implement user awareness programs: The end-user remains a critical link in the chain to stop breaches. Your organisation should initiate user awareness programs to combat the continued threat of phishing and related social engineering techniques.
  2. Hire dedicated security professionals or look to partner with an external solution: Defending against sophisticated threats requires mature processes and effective, dedicated security professionals. If your organisation cannot hire one internally, look to outsource where possible.
  3. Configure your security controls and deploy across the organisational environment: Successful intrusions often occur where security controls were in place that could have defended against an attack, but due to a lack of configuration by the organisation, they fail to do so. Maximize the protection you have from existing security controls.
  4. Establish two-factor authentication: Cybercriminals are adept at accessing and using valid credentials to lead to deep compromise. All users should establish two-factor authentication to make it more difficult for criminals to leverage privileged access to achieve their objectives. However, it does not entirely solve the problem of protecting identities; therefore, you should look for a robust privileged access management process that will limit the damage adversaries can do if they get in and reduce the likelihood of lateral movement.

How Ontrack can help 

When malicious code infects your system and extorts it for money, the overall impact - downtime, reputational damage, and the ransom itself - can be catastrophic.

The Ontrack engineering team have developed a specialised collection of proprietary tools to recover data from ransomware-encrypted files. Though each ransomware incident is unique and varies in complexity, data recovery is often possible. Although we can’t guarantee that recovery from ransomware is possible, we can guarantee a free consultation for businesses to walk through our processes and determine what the best results could be.
