Beyond Ransomware, What are Cyber Criminals Looking At? Can I Protect Myself Against These Evolving Cyber Threats?

State of Ransomware Economy

Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation. The appreciation in the value of cryptocurrencies directly correlates with the rise of ransomware attacks on organisations, as each successful attack and ransom payment yields a larger payout.

Indeed, ransomware continues to be a headline-grabbing topic and this is ultimately backed by a relatively small, connected ecosystem of players driving this sector of the cybercrime economy. The specialisation and consolidation of the cybercrime economy has fuelled Ransomware-as-a-Service (RaaS) to become a dominant business model, enabling a wider range of criminals, regardless of their technical expertise, to deploy ransomware.

Something has changed, though. Cryptocurrency valuations have dropped and organisations have mounted a formidable defence against ransomware, reducing the monetary appeal of ransomware attacks. Cyber criminals have been searching for another opportunity – and found one. It is called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.


Cybersecurity Trivia

Did you know? 

Email Threats* - Median time for an attacker to access your private data if you fall victim to a phishing email is one hour, 12 minutes.

Endpoint Threats* - Median time for an attacker to begin moving laterally within your corporate network if a device is compromised is one hour, 42 minutes.


The Threat of Data Leakage of Confidential Information

Ransomware exists to extort payment from a victim. Most current RaaS programs also leak stolen data, known as double extortion. As outages cause backlash and government disruption of ransomware operators increases, some groups forgo ransomware and pursue data extortion.

Earlier this year, incidents at Nvidia, Microsoft, and several other companies highlighted how big a problem it has become – and how, for some organisations, it may be a threat that is even bigger than ransomware.

Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.

When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Attackers may, however, still use encryption to cover their tracks.

With geopolitical tension rising and threats of withholding access to technologies, for example the semiconductor chips used in everything from smartphones to electric vehicle navigation systems, it is expected that the increasing threat of cyber espionage will further fuel the rise of data extortion attacks.


How Can I Protect Myself Against These Evolving Cyber Threats?

The same cybersecurity principles continue to count, even more so given the greater risk from the evolving cyber threats. After so many years of alarming headlines, most organisations have deployed ransomware protection in the form of better backup strategies, more fine-tuned and granular data access, and better rules and monitoring for detecting unwanted file changes, to name a few. In general, an organisation should minimally:

  • Build credential hygiene: Develop a logical segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement. Because attackers move toward organisations’ IT resources, it is important to secure these resources and identities both on-premises and in the cloud. Security teams should focus on hardening the identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins and tenant admins with the same level of security and credential hygiene as domain administrators.
  • Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
  • Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organisations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
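The attack surface reduction and credential hygiene points above map onto Microsoft Defender Attack Surface Reduction (ASR) rules. The following PowerShell is an added example, not code from the original article or from BDO's assessment service: it rolls out four ASR rules in audit mode first, shows how to confirm what is applied, and where to read the audit events before switching to enforcement. The rule GUIDs are Microsoft's published identifiers; `Set-AsrRules` is a helper name chosen here.

```powershell
# Added example: staged rollout of Microsoft Defender ASR rules.
# Requires an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus.
function Set-AsrRules {
    param(
        # 'AuditMode' logs what would be blocked without blocking; switch to 'Enabled' after review.
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode'
    )

    # Published Microsoft rule IDs for rules relevant to ransomware and credential theft.
    $asrRules = @{
        'Block credential stealing from LSASS'                   = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
        'Block Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
        'Block process creations from PsExec and WMI commands'    = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
        'Use advanced protection against ransomware'             = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    }

    # Add-MpPreference merges into the existing rule list; Set-MpPreference would overwrite it.
    foreach ($rule in $asrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-60} -> {1}" -f $rule.Key, $Mode)
    }
}

function Get-AsrRuleState {
    # Defender reports actions numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Audit events for ASR rules are Event ID 1122 (1121 once a rule is enforced and blocks something).
function Get-AsrAuditEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Set-AsrRules -Mode AuditMode   # step 1: deploy in audit mode
Get-AsrRuleState               # step 2: confirm the rules and their actions
Get-AsrAuditEvents             # step 3: review what would have been blocked
```

Run a few weeks in audit mode and only call `Set-AsrRules -Mode Enabled` once the 1122 events show no legitimate line-of-business activity being flagged.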


Ransomware and Data Exfiltration Assessment (RDEA) Services

BDO offers a Cyber Security Resilience Assessment, the Ransomware and Data Exfiltration Assessment (RDEA). We conduct an assessment to evaluate an organisation’s cybersecurity practices on its networks. This is applicable to both information technology (IT) and industrial control system (ICS) networks, and BDO performs a comprehensive evaluation of the cybersecurity posture using many recognised industry-standard techniques for simulating a ransomware attack.

The RDEA includes a simulated ransomware attack and is based on a tiered set of practices that help organisations better assess how well they are equipped to defend against and recover from a ransomware incident. BDO can tailor the RDEA to varying levels of ransomware threat readiness to make it useful to all organisations regardless of their current cybersecurity maturity. The RDEA:

  • Helps organisations evaluate their cybersecurity posture, with respect to ransomware, against recognised standards and best practice recommendations in a systematic, disciplined, and repeatable manner.
  • Guides asset owners and operators through a systematic process to evaluate their operational technology (OT) and information technology (IT) network security practices against the ransomware threat.
  • Provides an analysis dashboard with graphs and tables that present the assessment results in both summary and detailed form.

Ransomware attacks are not going away any time soon but have evolved into a more sinister form of attack that pilfers and exfiltrates intellectual property and sensitive personal data in order to extort money from victim organisations. While it is not possible to prevent all targeted attacks against an organisation, regularly reviewing and assessing an organisation’s cybersecurity posture, in addition to maintaining good credential hygiene, is important to minimise the impact of a ransomware attack.


References

  • Email Threats*, Endpoint Threats* – Microsoft Cyber Signals, August 2022, “Extortion Economics: Ransomware’s new business model”