The threat landscape is a volatile place. Just when you think you know where you are, a new development forces a rethink. That means security plans must always be flexible enough to adapt to changing circumstances. We’ve seen this over recent months with an evolution in the way ransomware attackers do business. By stealing data before they encrypt it, there’s now extra leverage to force payments: it’s a risk that back-ups alone can’t mitigate.
Worse, attackers are increasingly happy to go after smaller organisations, as the latest raid on SpaceX contractor Visser Precision reveals. This makes it more important than ever that firms detect and block attacks up front.
From Maze to DoppelPaymer
For the past year or more, we’ve seen hackers shifting their attention away from consumers and towards businesses and public sector organisations. This has been matched by a more targeted approach, often including more sophisticated techniques such as lateral movement and “living off the land” (abusing legitimate administration tools already present on the network) to maximise the damage caused before IT security teams can react. The escalation to include data theft ahead of the encryption process can be seen in this context.
The first group to do this was Maze, at the end of 2019. We’ve seen a string of incidents where those unwilling to pay were listed on a dedicated website where data was leaked bit by bit. Some organisations paid up to get their name off the list, which is never advised. And one firm even sought a court order to get the site itself taken down. Sure enough, it popped up on another domain soon after.
Maze has struck a wide sweep of organisations: including several law firms, French construction giant Bouygues and the local government of Pensacola City in the US. Unfortunately, other ransomware groups have followed its lead. Cyber-criminals using Sodinokibi (REvil), Snatch, Nemty, and DoppelPaymer have also begun publishing data from ransomware victims who don’t pay up.
The DoppelPaymer attack on Visser Precision showed the potential impact such attacks can have. It exposed NDAs with partners including defence contractor Boeing, as well as Tesla and SpaceX, and schematic diagrams for a missile antenna that appear to be Lockheed Martin IP. By going after smaller, perhaps less well defended organisations in sensitive supply chains like defence and space, the attackers can drive ransom demands even higher.
How are they getting in?
The good news, for now, is that the same tried-and-tested methods still appear to be the most common way in: social engineering via malware-laden phishing emails, and brute-force attacks on Remote Desktop Protocol (RDP) services left exposed to the internet. Drive-by downloads and malicious advertising are sometimes used too.
In one notable case, that of UK-based foreign exchange company Travelex, it appears that an unpatched vulnerability in a VPN product, one that had been publicly known for months, was exploited.
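The RDP brute-force route above is one of the easier ones to spot before encryption starts, because it leaves a characteristic trail in the Windows Security log: a burst of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from that same address once a password has been guessed. The script below is an added example written for this article, not code from the original post or from any vendor; the log lines are constructed in a simplified one-line-per-event format for illustration, and the threshold and time window are assumptions a defender would tune to their own environment.

```python
"""Flag RDP brute-force activity from (constructed) Windows Security events.

Added example for this article. The event lines are invented and use a
simplified "key=value" layout rather than real EVTX/XML; the field meanings
follow the Windows Security log: 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (an RDP session).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident). 203.0.113.7 is a
# fast attacker that eventually guesses jsmith's password; 198.51.100.4 is
# a user who mistypes twice, half an hour apart, then logs in normally.
SAMPLE_EVENTS = """\
2020-03-02T02:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-03-02T02:00:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-03-02T02:00:04 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=10.0.0.25
2020-03-02T02:00:06 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-03-02T02:00:09 EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2020-03-02T02:00:12 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2020-03-02T02:00:15 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2020-03-02T02:10:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2020-03-02T02:41:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2020-03-02T09:00:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: summary} for IPs with >= threshold failed RDP logons
    inside a sliding window. If a flagged IP later succeeds over RDP, the
    summary records which account it got in as (a likely guessed credential).
    Non-RDP logon types are ignored so local/network noise does not count.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user) of failures in window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "users": set(), "success_as": None})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"].update(u for _, u in q)
        elif ev["event_id"] == 4624 and ip in flagged:
            flagged[ip]["success_as"] = ev["user"]   # brute force followed by success
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        verdict = ("PROBABLE COMPROMISE as %s" % summary["success_as"]
                   if summary["success_as"] else "brute force, no success yet")
        print(ip, summary["failures"], "failures,", sorted(summary["users"]), "->", verdict)
```

Run as-is, the script flags only 203.0.113.7 (five failures across five account names in eleven seconds, then a successful logon as jsmith) and leaves 198.51.100.4 alone, because its two failures fall outside any two-minute window. The thresholds are deliberately conservative; in practice the same logic sits in a SIEM rule, and the "failures then success" escalation is the alert worth paging on, since that is the moment the attacker has a foothold for the lateral movement described earlier.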
The compliance angle
One vendor claimed recently that ransom payments alone cost firms over $6 billion globally last year, and that’s just for reported cases. When downtime is factored in, it could bring the figure as high as $170 billion. However, the new trend towards “ransomware + data breach” could escalate these costs further.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.