Ransomware is now commonly referred to as a ‘pandemic’ due to its widespread disruptive nature and its critical capabilities in causing harm to an organisation. Andy Swift, Technical Director of Offensive Security at Six Degrees, discusses practical steps organisations can take to mitigate this growing threat.
The ransomware market is changing fast as established cybercriminals commercialise and diversify their ransomware operations in ever more creative ways.
Making it easier and more straightforward for novice cybercriminals to access the skills and capabilities they need to launch ransomware attacks, the growing commoditisation of cybercrime opens the door to any type of attacker with any level of skillset.
This is all made possible by the growing number of online collaboration, information and data exchanges designed with one intent in mind: getting the right tools to the right people, at the right price.
Cybercrime as a commodity
Taking a leaf out of the world of mainstream business, ransomware groups have found innovative ways to extend and scale their portfolios. This includes selling their wares and know-how to the widest possible audience.
In addition to working with business affiliates that conduct attacks in return for a share of the profits, they now offer subscription services that give users access to everything from malware to phishing kits for a one-off payment. This makes it easy and cost-effective for a new generation of cybercriminals to enter this lucrative trade and conduct their own malware operations.
Unsurprisingly, this is driving a significant uptick in ransomware attacks. Organisations can’t afford to ignore how the evolution of this billion-dollar industry means the nature of the online threat landscape is changing fast.
The commercialisation of ransomware
The past 20 years have seen ransomware criminals evolve from individuals working in isolation to highly organised groups who collaborate, share code and use ‘as-a-Service’ style models to execute highly targeted attacks.
Groups are now dedicated to the co-development of malware code like LockBit, which recently crippled Royal Mail’s overseas operations. This is then sold on to other groups to make use of, powered by the rise of the so-called Dark Web, where threat actors are able to purchase the toolkits they need to undertake ransomware attacks.
Worryingly, recently intercepted chatter on Dark Web forums reveals how criminals are now attempting to use innovative AI-tools like ChatGPT to generate malicious code. This technology has the potential to make it easy for criminals with minimal tech know-how or coding expertise to easily create ransomware, keyloggers, viruses and other nefarious software that can be used to perpetrate extortion. Indications are that criminals are also using ChatGPT to create scripts that will automate Dark Web marketplaces for buying and selling stolen account details and more. It also makes it easier to generate convincing phishing emails.
These worrying developments indicate how next-generation AI tools are changing the rules of the game when it comes to making ransomware toolkits increasingly accessible and user-friendly. The ramifications of lowering the entry bar for cybercriminals has the potential to further accelerate complexity within the threat landscape.
A question of when, not if
These advancements mean it’s becoming easier and faster to enable ransomware attacks from both a technical and commercial perspective. This makes it a question of when, not if, an organisation will experience a breach.
Typically, phishing emails remain the top attack method used to steal credentials and access an organisation’s networks and systems. However, today’s cybercriminals are using ever more sophisticated approaches to perpetrate ransomware attacks.
Having successfully gained access to a network, cybercriminals will deploy a variety of techniques to build a ransomware environment that will deliver optimised results. Often remaining undetected for months, they take time to explore an organisation’s infrastructure and identify the best systems to exploit, only releasing their ransomware when they are ready.
While some companies have resorted to using data encryption to protect files, this doesn’t address the issue of preventing attackers from accessing their environments in the first place.
Threat mitigation must-haves
Protecting an organisation against the rising challenge of cyber breaches is a bit like playing a game of ‘whack a mole’, given that attackers are constantly innovating their approaches. So, what practical steps can organisations take to mitigate this growing threat?
Minimising the attack surface of a given host and reducing the potential attack vectors available to hackers is a vital first step. Systems should be designed and built from the ground up with security in mind. Ideally, every exposed service on the host should be configured well enough to survive, in theory, being put on the Internet without a firewall – after which layers of more sophisticated protections can be added as required. In essence, you should be able to view the firewall as a ‘nice to have’ and not the first and only line of defence.
Next, organisations need to ensure they are primed and alert enough to spot anything in their environment that will indicate hackers have already infiltrated and are ‘exploring’ the options open to them.
Alongside conducting real-time monitoring of the environment, organisations will need to invest in approaches like penetration testing and red teaming, which are becoming vital tools in the battle against cybercrime. Alongside revealing potential system security vulnerabilities in a controlled and safe way, these tools make it possible to test out the ability of the organisation to detect and respond to a threat. This makes it possible for organisations to recognise and uncover hidden advanced attack techniques and identify the flags that indicate where malware is present and active within the environment.
Ultimately, mitigating risk in today’s elevated threat environment requires a shift in mentality – one that prioritises finding ways to spot the incremental build-up steps that are indicative of a malware infection. In this way, ransomware can be caught early and isolated before it is activated.
Click below to share this article
