Sunday, 5 December 2021

10 ways hackers pressure your company to pay the ransom

With nation states and criminal gangs using ransomware to attack companies, it’s no surprise that these bad actors have upped their game when it comes to persuading organizations to pay the ransom they are demanding. A new report from Sophos looks at 10 different techniques that these bad can utilize in order to persuade their victims to pay up. You can read all about it here.

Let’s take a look at some the techniques listed in the report – techniques that go beyond simply encrypting an organization’s data and corrupting their backups. Things that any organization needs to be aware of.

Perhaps not that new, the first trick in the book is to make a copy of a company’s data available on the dark web (or anywhere else, come to that) unless the company pays the ransom. They may even auction the data if they think it is that valuable. This pressure can make it difficult for sites not to pay up, even if they did find a backup copy that they could use. This avoids the embarrassment, the loss of customers and reputation, and even legal repercussions, if the data were to be made public. Of course, you are dealing with criminals, so there’s no reason they will keep their end of the bargain.

Similarly, these bad actors may contact employees and senior management, letting them know that their personal data has not only been stolen, but also may be auctioned online unless their ransom demands are met. These employees will pressure the organization to pay the ransom.

If that doesn’t put enough pressure on an organization to pay the ransom, the next strategy is for the hackers to contact business partners, customers, the media, and other people. Basically, these people receive an email or text using the contact details that come from the hack. They’re informed that unless the hacked company pays the ransom, their personal details will be up for sale. This, the hackers hope, will encourage the company to pay the ransom.

Not surprisingly, and in a similar manner to when people are held for ransom, the bad actors will warn the hacked organization not to contact law enforcement. The hackers fear that once the police are involved, they may help the company resolve the hack without paying the ransom. It will also draw the attention of the police to the bad actors and their work.

The threat from insiders has become better recognized in the past couple of years. Criminal gangs may well convince employees with a drug or gambling habit, in exchange for the money they owe the gang, to help the gang infiltrate the organization. Similarly, the hackers may use disgruntled employees to break into a network.

Another technique, once the hackers are inside an organization is to create a new domain admin account. Once that’s been achieved, the passwords for the other admin accounts are reset. As a consequence, the real IT administrators can’t log in to the network to fix the system. They’re only option is to set up a new domain and then try to restore from backups (if available).

Some hackers have used phishing attacks to get control of employees’ email, and then email IT, legal, and security teams to warn of further attacks in the future if the ransom isn’t paid.

Hackers may delete backups or even uninstall backup software. According to Sophos, at one company, a compromised admin account was used to contact the host of the victim's online backups and they were told to delete the offsite backups.

Hackers have also printed physical copies of their ransom note on all connected devices, including point of sale terminals. Apart from the nuisance value, and the waste of paper involved, this can be upsetting for office staff.

Lastly, the bad actors may launch distributed denial of service (DDoS) attacks in the event that the ransom negotiations have stalled. This, the hackers hope, will convince their victim to restart negotiations. DDoS attacks can also be used as ways to keep IT security resources busy while the actual ransomware attack is taking place.

Sophos also gave some thought to what can be done to defend against ransomware attacks. What they suggest is:

  • Implement an employee awareness program that includes examples of the kind of emails and calls attackers use and the demands they might make.
  • Establish a 24/7 contact point for employees, so they can report any approaches claiming to be from attackers and receive any support they need.
  • Introduce measures to identify potential malicious insider activity, such as employees trying to access unauthorized accounts or content.

Their other suggestions for security against various cyberthreats, including ransomware include:

  • Monitor network security 24/7 and watch out for early signs of an attack
  • Shut down Internet-facing remote desktop protocol (RDP) to prevent hackers accessing the network. If users need access to RDP, put it behind a VPN or zero-trust network access connection and use Multi-Factor Authentication (MFA).
  • Use robust security policies.
  • Keep regular backups (at least one copy offline) and practice restores.
  • Prevent attackers from getting access to and disabling security: choose a solution with a cloud-hosted management console with MFA enabled and Role Based Administration to limit access rights.
  • A layered, defence-in-depth security model is essential.
  • Have an effective incident response plan in place and update it as needed. Turn to external experts to monitor threats or to respond to emergency incidents for additional help, if needed.

The excellent suggestions are clearly aimed at distributed systems, but there are still some things that mainframers can learn from this.

No comments: