What Lessons Have We Learnt From Recent Ransomware Group Attacks?

Ransomware gangs such as LockBit, Alphv, Clop and Black Basta, continue to dominate headlines. Research shows that these organised crime groups enjoyed runaway success in 2023, with two in three organisations suffering a ransomware incident.

2024 may not be that different. Immediately, Black Basta’s hack into the international automation & engineering company, ABB, comes to mind, but the reality is that there are just too many breaches to name. 

Crime As A Business  

The reason for their success? These organised crime groups have enjoyed success in the past due to their increasingly professional approach. They have carried out ransomware attacks end-to-end – from initiating the initial compromise to establishing a foothold in the organisation, propagating the malware on user devices through to managing the ransomware demand and negotiation process, complete with sophisticated dashboards showing the exact data they have stolen, their contact phone numbers and how to make the payment. 

However, they realised that this in-house, end-to-end approach was often successful only up a point. When external factors interfered or disrupted the process, at any point in the attack chain, the whole operation would unravel. 

They have since evolved, which yet again demonstrates their professional approach to cybercrime. These organised crime groups have ingeniously divided themselves into specialised ransomware-as-a-service ‘brands’, ensuring that no single outfit is solely responsible for an attack. They are able to maintain plausible deniability, making it extremely difficult for already short-staffed authorities to bring them to account. 

Furthermore, through their services, these groups are lowering the barrier to entry into this space. The smaller criminals don’t even have to be computer experts, they can merely use available software to initiate breaches and fill the gaps using the specialist services – all provided by these ransomware brands. 

There is a supply chain in this sophisticated underworld. Many of these organised crime groups outsource data collection to specialists who use advanced vulnerability detection tools at scale to identify ‘sitting ducks’– which companies are vulnerable, whose mail servers haven’t been patched, what kind of links users click on most, and so on. The cliché ‘no rest for the wicked’ is truly apt in this context! 

It's worth pointing out whilst we typically tend to hear of security breaches in large corporates, attacks on the small and medium sized businesses are equally prolific. In fact, a trend that is increasingly become visible is bad actors breaching smaller organisations in the supply chain to eventually lay their hands on the data in the larger corporates.

There Is No Magic Bullet For Protection 

A holistic strategy, alongside dogged execution of that strategy is needed to ensure risk mitigation and cybersecurity protection. Most organisations have cybersecurity policies and programmes in place, especially as compliance in this area is becoming ever more stringent, but they are often not appropriately enforced. 

Security awareness training for users must be at the top of the list of priorities, given that the specialist data collectors are continually analysing user behaviours to identify new phishing and malware proliferation techniques to catch employees off guard. 

Vigilance is critical. Users are constantly under attack, so they need the necessary skills to be watchful in order to spot suspicious activity, be that in the form of dodgy emails, malicious QR codes and links, stolen passwords and so forth. 

At the same time, the insider threat is a real and present danger. A thorough vetting process is a must. Surreal as it sounds, criminal gangs do actively deploy individuals through third-party organisations to implant and detonate ransomware.

It’s not unusual for malicious code to remain hidden for several months before the criminal decides to initiate the attack. This is long after the bad actor has left the organisation, systematically covering their tracks. 

Timely patching of software is a no brainer. Today, there are advanced vulnerability assessment software available that can automate the process, targeting everything that is within the organisation’s network range, including devices. Once properly configured, literally with a click of a mouse, the software will identify the software and devices that need patching, in order of criticality.

 Archiving or backing-up data in a ring-fenced, encrypted state is essential too. Should a breach occur, the business is in a better position to deal with the criminals and potentially refrain from paying the extortionate ransom demand. 

Likewise, regularly monitoring and auditing access controls to data is vital so that business-critical information stays within the ‘castle walls’ of the business. In today’s remote working environment, the ability to secure remote connections, and lock down services without creating a hindrance for users, is important. 

All other standard, routine measures such as penetration testing, phishing simulations, properly configuring and monitoring email gateways and firewalls are fundamental to cybersecurity. 

A Parallel White-Collar Profession

Organised crime groups now operate in the underworld like a white-collar service industry, providing cutting-edge, highly proficient and unconventional capabilities to criminals whose profession it is to breach, steal and fraud. Often, they are ahead of the corporate ecosphere in terms of investing in the latest cybersecurity tools and techniques.

Consequently, for businesses there is no room for laxity. They must fully optimise the technologies at their disposal to bolster their defences, and in the unfortunate event of a breach, effectively mitigate its impact. Whilst regulatory fines are computable, reputational loss and its longevity are impossible to quantify. 

Jack Garnsey is Subject Matter Expert, Email Security at VIPRE Security Group

Image:  Andrey Popov

You Might Also Read:

Ransom Attackers Impersonate Security Researchers:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Deep Fake Images of Taylor Swift Taken Down
Britain's New Digital Markets Act Could Cost Business Billions »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

ThreatConnect

ThreatConnect

ThreatConnect is an enterprise threat intelligence platform by Cyber Squared bridging incident response, defense, and threat analysis for InfoSec & DFIR teams.

Applied Risk

Applied Risk

Applied Risk is an established leader in Industrial Control Systems security, focused on critical infrastructure security and combating security breaches that pose a significant threat.

Inspirria Cloudtech

Inspirria Cloudtech

Inspirria Cloudtech is a specialized Cloud Technologies Services provider and Cloud Aggregator focused on executing cloud models for clients.

Quantea

Quantea

Our multi-patented solutions - QP Series Network Analytics Accelerator appliance and PureInsight Analytics Software Suite allows you to capture, analyze, store, replay, network traffic data.

oneclick

oneclick

oneclick is a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning.

Point Predictive

Point Predictive

Point Predictive build Predictive Models using Artificial Intelligence and Machine Learning techniques that help our customers stop fraud and early payment default (EPD).

StrataCore

StrataCore

StrataCore is a single-source technology lifecycle advocate that works behind IT teams as a strategic partner to help them achieve peak enterprise outcomes.

Dutch Institute for Vulnerability Disclosure (DIVD)

Dutch Institute for Vulnerability Disclosure (DIVD)

DIVD's aim is to make the digital world safer by reporting vulnerabilities we find in digital systems to the people who can fix them.

HEQA Security

HEQA Security

HEQA Security (formerly QuantLR) offer the world’s most cost-effective, easy-to-integrate, and secure Quantum Key Distribution (QKD) solution

Novacoast

Novacoast

Novacoast helps organizations find, create & implement solutions for a powerful security posture through advisory, engineering, development & managed services.

KYND

KYND

KYND has created pioneering cyber risk technology that makes assessing, understanding, and managing business cyber risks easier and quicker than ever before.

Trustmarque

Trustmarque

Trustmarque delivers customer-centric IT solutions that enable better outcomes. We combine the technology, expertise and services to release value at every stage of the IT lifecycle.

Global Resilience Federation (GRF)

Global Resilience Federation (GRF)

GRF builds, develops and connects security information sharing communities for mutual defense.

Strata Information Group (SIG)

Strata Information Group (SIG)

Strata Information Group (SIG) is a trusted partner in IT solutions and consulting services.

Vantor

Vantor

Vantor is a Managed Security Services Provider (MSSP) that specializes in providing outsourced, managed cybersecurity services.