
The rising threat of human-controlled ransomware

27 Oct 2020

Article by Attivo Networks regional director for A/NZ Jim Cook.

Of all the potentially disruptive and costly cyber threats faced by legal firms today, one of the most significant is ransomware.

Cybercriminals manage to inject malicious code into an IT infrastructure where it then encrypts vital data stores, preventing access by staff. The criminals then demand a ransom payment in exchange for the decryption keys.

Until recently, most ransomware attacks have been automated affairs. Attackers try to spread their code as widely as possible in the hope of infecting and locking down systems.

However, things are now changing. There is a rise in so-called human-controlled ransomware that is much more targeted and potentially dangerous. As the name suggests, these attacks are not automated but rather manually controlled by a cybercriminal in real time.

This shift is the latest development in a threat that has been evolving for some years. When it first appeared, ransomware code tended to target consumers and demand relatively small payments to unlock their infected PC.

More recently, however, the attention of cybercriminals has shifted into the business sector, where the potential for bigger payment demands is more significant. A consumer losing access to a PC is one thing, but a ransomware attack locking a law firm out of critical files and systems is another thing altogether.

More targeted attacks

Taking a human-controlled approach to a ransomware attack shifts the goalposts even further. Rather than relying on code to find suitable targets for encryption, a human operator can take time to move laterally through an IT infrastructure and be sure they are locating the most valuable data stores.

Depending on the skill level of the cybercriminal, it could be possible to spend weeks or even months combing through an extensive IT infrastructure and identifying potential targets. Once the attacker has confirmed a target, they can set the timing of the encryption to make the attack as debilitating as possible, thereby maximising the prospects of swift payment of the demands.

To add insult to injury, many criminals are stealing sensitive data and then using it as leverage to force payment by threatening to release it to the public. Often, the attackers will disclose a sample of the data and then raise the ransom demand, subsequently requiring a second payment to prevent further disclosure of the data. The firm thus faces double extortion: once to decrypt its data, and a second time to stop disclosure of stolen information.

Cybercriminals can also provide a ransomware-as-a-service offering. They offer their knowledge to other criminals not as well versed in the tactics and techniques, in exchange for a portion of the end payment they receive.

Protecting against humans

Protecting a law firm against human-controlled ransomware attacks requires the same steps taken to prevent automated attacks. One of the first steps is staff education to ensure people are aware of the dangers of opening unusual email attachments or clicking on web links. These simple actions can give an attacker the initial access to the IT network, and, from there, they can execute their attack plan.

On the security front, an increasingly popular and successful approach is to undertake what security professionals term a deception strategy. This approach involves deploying components, such as applications and file stores, that blend in within a corporate IT infrastructure. However, they have nothing to do with day-to-day operational activities, and because staff have no reason to access these resources, any access is highly likely to be part of a cyberattack.

Once the decoy assets trigger a warning, the IT team can then safely observe the attacker and understand their goals and operating methods. The organisation can then take steps to remove them from the network and prevent their return.
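The decoy-access check described above can be sketched over file-audit events. This is an added example, not code from the article or from any vendor product; the share names, accounts, hosts and log format are constructed, and the exclusion of a known backup crawler is an assumption.

```python
from collections import defaultdict

# Constructed decoy file stores: no business process uses them.
DECOY_ROOTS = [r"\\fs01\Matters-Archive-2014", r"\\fs01\Partners\Settlements-Old"]
# Assumption: a crawler is only expected as this exact (account, host) pair.
EXPECTED_CRAWLERS = {("svc-backup", "BKP-01")}

# Constructed audit events: timestamp|account|source_host|operation|path
SAMPLE_EVENTS = r"""
2020-10-27T09:14:02|asmith|WS-114|READ|\\fs01\Matters\2020\brief.docx
2020-10-27T02:00:11|svc-backup|BKP-01|READ|\\fs01\Matters-Archive-2014\index.xlsx
2020-10-27T23:41:07|jlee|WS-207|LIST|\\FS01\matters-archive-2014
2020-10-27T23:41:19|jlee|WS-207|READ|//fs01/Matters-Archive-2014/clients/trust.xlsx
2020-10-27T23:43:50|jlee|WS-207|READ|\\fs01\Partners\Settlements-Old\2012.pdf
2020-10-27T23:44:02|jlee|WS-207|READ|\\fs01\Matters-Archive-2014-live\notes.txt
2020-10-27T23:50:30|svc-backup|WS-207|READ|\\fs01\Matters-Archive-2014\index.xlsx
"""

def parts(path):
    """Split a share path into lower-cased components (case and slash style vary)."""
    return [p for p in path.replace("/", "\\").lower().split("\\") if p]

DECOYS = [parts(root) for root in DECOY_ROOTS]

def is_decoy(path):
    # Compare whole components so a sibling such as "...-2014-live" does not match.
    p = parts(path)
    return any(p[:len(d)] == d for d in DECOYS)

def detect(events_text):
    """Return one alert per (account, host) that touched any decoy path."""
    hits = defaultdict(list)
    for line in events_text.strip().splitlines():
        ts, account, host, op, path = line.split("|", 4)
        if (account, host) in EXPECTED_CRAWLERS or not is_decoy(path):
            continue
        hits[(account, host)].append((ts, op, path))
    return [{"account": a, "host": h, "first_seen": min(e)[0], "events": len(e)}
            for (a, h), e in sorted(hits.items())]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Binding the exclusion to both account and host means the backup account still raises an alert when it is used from a workstation.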

In the past, cybersecurity teams have tended to focus on using perimeter-based prevention techniques. However, when one considers the growth of threats such as human-controlled ransomware, this approach is no longer sufficient.

Instead, proactive techniques such as cyber-deception should also be part of the security mix. Law firms will then be better able to detect and derail threats much earlier so that criminals cannot establish a foothold or complete their planned attack.

Understanding the continually evolving threat landscape is also crucial, as techniques that work today may not be useful in the future. Take the time to understand the threats and deploy effective countermeasures to position one’s organisation well in the future.
