Successful attacks are on the rise. But ransom demands are far from being the hackers’ only goal. Increasingly, the main problem for businesses is the sale or disclosure of data.
Haftpflichtkasse Darmstadt is an insurance company whose systems were cut off from the network, and it could no longer be reached even by telephone. It became aware of a ransomware attack during the night of 10-11 July. “We are not currently able to say when business operations will be fully resumed,” the company was still advising on its website two weeks later. Not a single week passes without similar reports: The problem of ransomware has now grown to huge proportions worldwide.
In most cases it is clear that these attacks are preceded by a lengthy period of preparation that can reveal signs of a planned attack to the organizations being targeted. If the criminals are unable to obtain access data on the dark net, the attack will usually start with an extensive reconnaissance phase. The attackers will spend a few weeks or months sounding out the future victim, via social media channels, for instance. They gather information about the IT systems it uses and any potential security loopholes, and identify employees who could be targeted in phishing campaigns.
Once the break-in to the company network has succeeded, the criminals look for attractive targets such as Windows domain controllers or Active Directory servers, since these can be used to control access rights. These lateral movements within the network will stand out, because previously unknown user registrations will appear on the systems, for example. The gradual expansion of access rights for hacked accounts is also a typical next step. All the data the gangsters discover while rummaging around will be stolen: in a recent case, 700 gigabytes’ worth. The alarm bells should be ringing within the company by that point at the latest. One of the last actions is to remove traces, delete accessible data backups, and put the brakes on databases and mail servers. It will soon be too late: the next step, encrypting relevant files, usually happens very quickly, and by then there is little that can be done.
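The two warning signs named above can be checked mechanically. The following is an added example, not code from the article: it reads "previously unknown user registrations" as logons by an account on a host where it was not seen during a baseline period, and flags repeated or privileged group additions for the same account. The event records, account and host names, the baseline length and the list of privileged groups are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs). On Windows, comparable records are
# Security events 4624 (logon) and 4728/4732 (member added to a group).
EVENTS = [
    {"day": 1, "kind": "logon", "account": "j.meyer", "host": "WS-014"},
    {"day": 2, "kind": "logon", "account": "svc-backup", "host": "BKP-01"},
    {"day": 3, "kind": "logon", "account": "j.meyer", "host": "FILE-02"},
    {"day": 5, "kind": "logon", "account": "j.meyer", "host": "WS-014"},
    {"day": 6, "kind": "group_add", "account": "j.meyer", "group": "Helpdesk"},
    {"day": 7, "kind": "logon", "account": "j.meyer", "host": "DC-01"},
    {"day": 8, "kind": "group_add", "account": "j.meyer", "group": "Server Operators"},
    {"day": 8, "kind": "logon", "account": "tmp-adm", "host": "DC-01"},
    {"day": 9, "kind": "group_add", "account": "j.meyer", "group": "Domain Admins"},
    {"day": 9, "kind": "logon", "account": "j.meyer", "host": "BKP-01"},
]

BASELINE_DAYS = 3                                        # assumed known-good history
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}  # assumed watch list


def find_precursors(events, baseline_days=BASELINE_DAYS):
    """Return alerts as (day, kind, account, detail) tuples in time order."""
    seen_hosts = defaultdict(set)   # account -> hosts it has logged on to
    grants = defaultdict(list)      # account -> groups gained after the baseline
    alerts = []
    for ev in sorted(events, key=lambda e: e["day"]):
        acct = ev["account"]
        if ev["kind"] == "logon":
            host = ev["host"]
            # An account/host pair first seen after the baseline is "unknown".
            if ev["day"] > baseline_days and host not in seen_hosts[acct]:
                alerts.append((ev["day"], "new_logon", acct, host))
            seen_hosts[acct].add(host)
        elif ev["kind"] == "group_add" and ev["day"] > baseline_days:
            grants[acct].append(ev["group"])
            # Gradual expansion: a second grant, or any privileged group.
            if ev["group"] in PRIVILEGED_GROUPS or len(grants[acct]) >= 2:
                alerts.append((ev["day"], "rights_expansion", acct, ev["group"]))
    return alerts


if __name__ == "__main__":
    for alert in find_precursors(EVENTS):
        print(alert)
```

A single known logon (day 5) or a first, non-privileged group change (day 6) raises nothing; the alerts begin once the account reaches a new host and keeps collecting rights.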
That, or something like it, is how most ransomware gangs operate. Specialist investigations suggest that six groups dominate the “market”, with each focusing on particular industries. Security researchers report that hard-fought battles often take place between the groups first, in which the gangs try to take over or destroy the infrastructure the other parties use in their attacks. But sometimes they also work together. For example, the Ryuk/Conti gang concentrates on major industrial, construction and transport companies, whereas the Sodin/Revil group prefers to target the healthcare industry or laptop manufacturers. One of their targets was the Taiwanese IT manufacturer Quanta, which manufactures notebooks for Apple, for example. Quanta refused to pay the $50 million ransom that had been demanded, and in response, the data thieves published details of new Apple products, which made no great waves in Silicon Valley.
Backups, not ransom
Many businesses have improved their backup strategies and are no longer prepared to pay ransoms. Instead, they draw on their backup data to replace the fraudulently encrypted files. The criminals counter the businesses’ unwillingness to pay with threats to publish or sell the stolen data. For that reason alone, businesses are well advised to encrypt all the sensitive data they save. An FBI report claims the DarkSide group maintains dedicated servers in Iran to publish stolen data. The FBI presumes that the system “serves to prevent competitors or prosecutors from disrupting DarkSide’s business activities”.
The FBI and US cybersecurity authority CISA are therefore urgently advising businesses to beef up their security measures. That includes “robust network segmentation between IT and OT networks; ensuring that backups are implemented, regularly tested, and isolated from network connections”. Backups of critical data should also be stored in different locations. State-of-the-art spam filters help to filter out phishing emails. “Access rights should be reduced to the minimum necessary, and system administration rights limited to a small group of persons.” Remote access to OT and IT networks should be secured using multi-factor authentication, according to the official US recommendations.