From ransomware to RansomOps: Why the ‘new kid on the block’ spells trouble for the unprepared enterprise
Article by Vectra director of security engineering for APJ Chris Fisher.
Ransomware has become a prolific and challenging problem for organisations across every industry in the APAC region.
The average cost of remediating a ransomware attack has grown by more than US$1 million, with remediation costs, including business downtime, lost orders, operational costs and more, increasing from an average of US$1.16 million in 2020 to US$2.34 million in 2021. In fact, APAC organisations are 80% more likely than the global average to be the target of a cyber-attack.
The Gartner 2021 CIO Agenda Survey found that CIOs in Australia and New Zealand are recognising the need to address cybersecurity, with 67% of respondents in A/NZ increasing investment in information security — second only to business intelligence and data analytics (73%).
It’s not only the frequency but the nature of the attacks that must be addressed as more cyber-criminals target customers and supply chains. Robust cybersecurity systems and solutions must be put in place — to protect not only data but entire business operations.
From traditional ransomware to RansomOps
Driven by the desire for greater monetary gain, ransomware groups have changed their model and behaviour, acting more like SaaS vendor organisations than unorganised cyber-criminals of the past.
In 2021, driven, collaborative groups have launched sophisticated attacks on specific targets. Instead of sending malware out in a mass, automated sweep, these groups operate much like a technology company, so they can operationalise attacks and monetise as much as possible.
Today’s ransomware works as a double extortion: the group first extracts critical data and access details, then encrypts and ransoms its target. There is a crew that builds the tooling, operators who run affiliate programmes aimed at the chosen companies or victims, and the affiliates themselves who target and infiltrate those victims. This is the model used by the big names that make headlines, such as DarkSide and REvil.
Cyber-criminals engaged in RansomOps attacks put a human in the driver’s seat and use a platform of tools to make their way to the final stages. RansomOps groups deliberately work to understand the network, its infrastructure and its defences so they can evade or disable the security controls they find.
They use automation and affiliates to work through the environments, taking advantage of credentials rather than vulnerabilities. All of this helps to accelerate their movement inside an organisation and to hide their tracks.
They can also move incredibly quickly. The time a RansomOps crew spends inside an organisation is very short — most attackers sit between 50 and 280 days in an organisation, while these ransomware crews are typically done and dusted in 30 days.
These attacks no longer rely on automated malware alone and consequently aren’t nearly as predictable. Often, teams don’t see it until it’s too late. As a result, teams must isolate the attackers as fast as possible before the malware surfaces.
If this is to happen successfully, a mindset shift is needed.
Stopping modern-day ransomware – visibility and control
Gaining visibility over networks, implementing proper controls, and understanding how RansomOps groups function will help to adequately protect organisations against these attacks.
How quickly we can identify and respond to attackers will come down to whether teams have visibility of an environment and the appropriate controls in place. Attackers still tend to operate and move through environments in a set way, so security teams can leverage this knowledge to identify a breach early on.
In the past, a lot of work has gone into perimeter-based defences for networks. However, the perimeter has now largely dissolved as businesses adopt more solutions such as infrastructure-as-a-service (IaaS), software-as-a-service (SaaS) and platform-as-a-service (PaaS).
In addition, attackers are using novel ways to move around a network — for instance, using credentials that exist on the network, granting them access. This means the attack doesn’t look like anything out of the ordinary because it’s a legitimate user account connecting to a legitimate service.
Overall, many still think critical assets are assets that may house data, but that’s not how the attacker views an environment. They look at any assets that give enough of a foothold to do the job.
As a result, defenders must treat every asset equally to make sure they can identify whether an attacker is coming in. They must look at what a company’s data centre is, how it interacts with IaaS, PaaS and SaaS, and how an attacker could move laterally through all of that.
The way forward: best security practices for 2021
We can’t defend what we can’t see; therefore, change begins with visibility. When teams have a clear view of all assets and treat them equally, then they are much closer to stopping attacks in their tracks.
Moving forward, to be prepared, organisations must make sure that they can identify breaches quickly. This means regularly engaging in rigorous exercises that examine the security controls and the processes and procedures in place, and identify any gaps.
This may be uncomfortable, but it’s worth it. Be sure to patch well and diligently and run the latest security software with a strong security strategy on the network and endpoint.
With a technology partner specialising in threat detection and response, organisations can break everything down into very detailed attack phases and better detect exfiltration.
They can further break this down into specific behaviours in those phases to identify what could potentially be a ransomware incident early on and ensure business as usual.
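As an added illustration of the two points made above, that attackers reuse legitimate credentials and "move through environments in a set way", and that defenders can break phases down into specific behaviours to spot an incident early, the Python below runs two simple behavioural checks over a constructed authentication log. This is example code written for this article, not code from the original piece or from Vectra. The log line format, the host and account names, the baseline of normal account-to-service pairs, and the window and threshold values are all assumptions for the example; a real deployment would read its own identity-provider or domain-controller logs and tune the thresholds to its observed baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). The line format is
# an assumption for this example:
#   "<ISO timestamp> auth user=<account> src=<host> dst=<host> result=<ok|fail>"
SAMPLE_LOG = """\
2021-06-01T08:00:00 auth user=alice src=ws-01 dst=file-srv result=ok
2021-06-01T08:05:00 auth user=bob src=ws-02 dst=mail-srv result=ok
2021-06-01T08:06:00 auth user=bob src=ws-02 dst=db-01 result=fail
2021-06-01T08:07:00 auth user=alice src=ws-01 dst=print-srv result=ok
2021-06-01T22:01:00 auth user=svc-backup src=ws-07 dst=file-srv result=ok
2021-06-01T22:02:00 auth user=svc-backup src=ws-07 dst=db-01 result=ok
2021-06-01T22:03:00 auth user=svc-backup src=ws-07 dst=db-02 result=ok
2021-06-01T22:04:00 auth user=svc-backup src=ws-07 dst=dc-01 result=ok
2021-06-01T22:05:00 auth user=svc-backup src=ws-07 dst=hr-srv result=ok
2021-06-01T22:06:00 auth user=svc-backup src=ws-07 dst=fin-srv result=ok
"""

# Constructed baseline of (account, destination) pairs seen during normal
# operation; in practice this would be learned from historical logs.
BASELINE_PAIRS = {
    ("alice", "file-srv"), ("alice", "print-srv"),
    ("bob", "mail-srv"), ("svc-backup", "file-srv"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>ok|fail)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_fan_out(events, window_minutes=10, threshold=5):
    """Flag accounts that successfully authenticate to >= threshold distinct
    hosts inside any sliding time window (one account touching many machines
    in minutes is the lateral-movement pattern). Returns {account: hosts}."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "ok":
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until evs[start..end] fits in the window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            # keep the largest host set observed for this account
            if len(hosts) >= threshold and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = hosts
    return alerts


def detect_unusual_pairs(events, baseline):
    """Return sorted (account, destination) pairs from successful logons that
    never appear in the baseline: a legitimate account reaching a service it
    does not normally use, which is what credential reuse looks like."""
    return sorted({(e["user"], e["dst"]) for e in events
                   if e["result"] == "ok" and (e["user"], e["dst"]) not in baseline})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, hosts in detect_fan_out(evs).items():
        print(f"fan-out: {user} reached {len(hosts)} hosts: {sorted(hosts)}")
    for user, dst in detect_unusual_pairs(evs, BASELINE_PAIRS):
        print(f"new pair: {user} -> {dst}")
```

On the constructed sample, the `svc-backup` account is the only one flagged by either check: it reaches six distinct hosts in five minutes and five of those pairs are absent from the baseline, while `alice` and `bob` stay within their normal pattern. Each check alone produces noise on a real network (an administrator doing patch night will fan out; a new server will create new pairs), so they are best treated as signals to correlate, and the thresholds must be set from the organisation's own baseline.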