The trope of the burglar comparison in cybersecurity is more than overused. But when we talk about the damage of a break-in, it’s not just picking the lock that’s the problem; we worry about what they’ll steal, what they’ll destroy, even what they’ll plant (yes, I have an active imagination). What seals the deal on a good heist is always the inside man: the bank clerk, the janitor, or even the shareholder with a gambling problem. It seems that the ransomware groups are catching up.
Ransomware comes in different shapes and sizes. Whether it is of nation-state origin, a competitive attack tactic, or the work of criminal enterprises, the ransomware business is booming, as noted in the recent White House memorandum on cybersecurity. The risk to attackers of being caught is low, and the rewards are enticingly high. The repercussions of the threat have reached our daily lives, making ransomware personal: we are no longer just following along as the news explodes with stories of threats and attacks. When Colonial Pipeline was hacked by DarkSide just a few months ago, lines at gas stations grew long out of fear of a shortage, and gas prices jumped. The mere specter of this kind of attack can send the public into a frenzy and an organization into a spiral.
All cybersecurity professionals are aware of the threat of ransomware. And in order to protect customer data and business continuity as much as possible, they stack their network with the latest, most cutting-edge technologies the industry has to offer. But what happens when the threat comes from within?
The latest tactic adopted by cybercrime groups is recruiting employees themselves to help; yes, the call is coming from inside the house. Why break in when someone can prop the door open for you? It’s quite ingenious: social engineering quite easily equips attackers with lists of possible aides.
Abnormal Security documented an attempt they caught wind of and played along with, to see which tactics were employed, how the scheme works, and who in the organization is capable of carrying out the attack. Among other findings, they found that the attacker (apparently based in Nigeria) wasn’t particularly tech-savvy, but that the attachment he asked the fake persona to execute was indeed ransomware, with the intent to extort an amount that proved to be flexible. He had compiled C-level corporate email addresses from LinkedIn and originally attempted a more classic phishing scheme, without success. With the new phenomenon of LockBit announcing their RaaS program, and the fact that all the code for DemonWare is available on GitHub, reaching out directly to possible “assistants” to execute relatively easily obtainable ransomware strains has become a completely viable (and frankly quite smart in its simplicity) option that bypasses the middleman.
This is the newest evolution of the ransomware “business,” and it has been gaining traction. Only recently, a Russian national pleaded guilty to attempting to recruit a Tesla employee to plant malware, after the employee reported the attempt. But will every employee or consultant come forward and collaborate with the FBI? In Gartner’s Ransomware Defense Life Cycle, the first phase is preparation, and this is indeed the key to the rest of the stages as well. So how do we equip ourselves in light of a growing array of ransomware strains and business models?
Even with the tightest policies and attempts to institute zero-trust and least-privilege controls, there is always residual risk. What if an internal employee decides to deploy ransomware? How can one detect it before it’s too late? So, as an organization, all that’s left is to test and test again, with actual ransomware strains and actual exploitation techniques.
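To make the detection question concrete, here is an added example (not part of the original post, and not Pentera’s or Abnormal Security’s code) of a simple behavioural heuristic that flags ransomware-like file activity per user, so that a deployment by an insider surfaces the same way one by an outside attacker does. It assumes a constructed CSV-style file-activity log (timestamp, user, host, action, path) of the kind a file server or EDR agent might export; the baseline extension set, the ransom-note filename pattern and the thresholds are illustrative assumptions, not values from the post.

```python
"""Heuristic detection of ransomware-like file activity, attributed to a user.

Added example, not from the original post. Assumes a CSV-style activity log
(timestamp,user,host,action,path); all data and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime
import os
import re

# Constructed sample log: jdoe mass-renames files to an unfamiliar extension and
# drops a ransom note; asmith does ordinary work on the same share.
SAMPLE_LOG = """\
2021-09-01T09:00:00,asmith,FS01,write,/share/finance/q3.xlsx
2021-09-01T09:00:05,asmith,FS01,rename,/share/finance/q3_old.xlsx
2021-09-01T09:30:00,asmith,FS01,write,/share/finance/notes.txt
2021-09-01T10:15:00,jdoe,FS01,rename,/share/hr/payroll.xlsx.lock
2021-09-01T10:15:01,jdoe,FS01,rename,/share/hr/contracts.docx.lock
2021-09-01T10:15:01,jdoe,FS01,rename,/share/hr/handbook.pdf.lock
2021-09-01T10:15:02,jdoe,FS01,rename,/share/hr/reviews.xlsx.lock
2021-09-01T10:15:03,jdoe,FS01,rename,/share/hr/onboarding.docx.lock
2021-09-01T10:15:03,jdoe,FS01,rename,/share/hr/benefits.pdf.lock
2021-09-01T10:15:04,jdoe,FS01,rename,/share/hr/org_chart.pdf.lock
2021-09-01T10:15:05,jdoe,FS01,rename,/share/hr/salaries.xlsx.lock
2021-09-01T10:15:09,jdoe,FS01,write,/share/hr/HOW_TO_DECRYPT_FILES.txt
"""

# Illustrative baseline of extensions normally seen on the share (constructed).
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt"}
# Illustrative ransom-note filename pattern; a real deployment would curate this
# from the notes observed in current campaigns.
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover).*\.(txt|html)$", re.I)

WINDOW_SECONDS = 60   # sliding window for the rename-burst rule
BURST_THRESHOLD = 6   # renames to one unfamiliar extension inside the window


def parse_log(text):
    """Parse the CSV-style log into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, path = line.split(",", 4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "path": path})
    return sorted(events, key=lambda e: e["time"])


def detect_rename_bursts(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Flag a (user, host) that renames many files to one unfamiliar extension
    within the window. Bulk encryption looks the same whether the account
    belongs to an insider or to an attacker who phished it."""
    alerts, seen = [], set()
    recent = defaultdict(deque)   # (user, host, ext) -> timestamps in window
    for e in events:
        if e["action"] != "rename":
            continue
        ext = os.path.splitext(e["path"])[1].lower()
        if ext in KNOWN_EXTENSIONS:
            continue
        key = (e["user"], e["host"], ext)
        q = recent[key]
        q.append(e["time"])
        while (e["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in seen:   # alert once per key
            seen.add(key)
            alerts.append({"rule": "rename_burst", "user": e["user"],
                           "host": e["host"], "extension": ext, "count": len(q)})
    return alerts


def detect_ransom_notes(events):
    """Flag writes of files whose basename matches the ransom-note pattern."""
    return [{"rule": "ransom_note", "user": e["user"], "host": e["host"],
             "path": e["path"]}
            for e in events
            if e["action"] == "write"
            and RANSOM_NOTE_RE.search(os.path.basename(e["path"]))]


def analyse(text):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_rename_bursts(events) + detect_ransom_notes(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Both rules key on the account performing the activity rather than on where the traffic came from, which is the point for the insider case: the alert names the user and host, so the response can start with that account regardless of whether the person was recruited, coerced, or simply phished. Thresholds need tuning per environment (backup agents and build systems legitimately rename in bulk), and a real pipeline would combine this with file-entropy checks and canary files rather than rely on extensions and note names alone.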
Automated security validation is the call of the hour: knowing where the organization is vulnerable and reducing its cyber exposure as much as possible. When security professionals have full visibility into the network, they can make the right decisions about where to focus remediation efforts effectively. This way you can keep eyes on a potential insider threat as well as an outside attacker, and cover the full range of ransomware threats. The key is to validate as often as possible: not once a year or once a quarter, but on demand, as needed or desired. Make the switch from pondering what the payout will be to feeling confident that you’re RansomwareReady™. Validate, remediate, repeat.
Shift from ransomware aware to Ransomware Ready™ by requesting an assessment today.