The attack on TSYS last December was a sobering reminder of the vulnerability of payments companies to this insidious fraud. But there are steps you can take to protect your network.
Criminals are businessmen, too, which is why they are always looking for ways to maximize the return on their efforts. It’s no surprise, then, that criminals are embracing ransomware, a type of malware that locks up a company’s data with encryption, enabling the criminal to demand a ransom for the decryption key that unlocks the data.
While ransomware is not new, its popularity is growing among criminals. There are two primary reasons for this. First, ransomware allows criminals to realize the payoff from their attack sooner, as they don’t have to spirit out data undetected, then find buyers for it on the black market.
Second, criminals can demand the ransom be paid in cryptocurrency, usually Bitcoin, which makes the payoff more anonymous. Since cryptocurrency is unregulated, it’s easier to move large amounts of it without attracting the attention of bank regulators or law enforcement. That’s especially helpful for cross-border transactions, since criminal rings are often located in countries known for illicit online activity.
Also, once the cryptocurrency has been transferred to the criminal’s digital wallet, it can be converted into fiat currencies such as dollars, further masking the criminal’s trail.
These are not occasional assaults. More than 4,000 ransomware attacks have occurred daily since Jan. 1, 2016, according to a multi-agency report from the United States government that includes input from the Federal Bureau of Investigation and the Secret Service. That’s up fourfold from the 1,000 attacks per day seen in 2015.
“Ransomware has evolved into a very sophisticated, capitalistic enterprise for criminals,” says John Stark, president of John Reed Stark Consulting, a Bethesda, Md.-based cybersecurity consultancy. “It’s an easier, faster way to commit cybercrime.”
The frequency of attacks has gotten worse during the coronavirus pandemic. By some estimates, the number has increased by as much as 10-fold since the pandemic hit the United States last March.
A big reason, says Ed Dubrovsky, managing partner and chief operating officer for Cytelligence, a Toronto-based cybersecurity firm, is that with more employees working at home, criminals have a whole new set of back doors into corporate networks.
If a company has any data a criminal thinks it will pay to unlock in the wake of a malware attack, intruders will probe those back doors for any weakness, Dubrovsky says.
Bad Business
For processors, it’s not just the sensitive consumer and account data they hold, but their size that makes them prime targets for malware attacks. It’s no secret there has been a lot of consolidation in the processing industry in recent years. These mergers have occurred for solid business reasons, but they have also created a size problem when it comes to cybersecurity.
The issue is that the larger a processor becomes, the larger its defensive perimeter needs to be. And the larger the defensive perimeter, the greater the risk that a weak spot in it will be missed by cybersecurity.
In December, for example, Total System Services Inc., which was acquired by Global Payments Inc. in 2019, came under attack when criminals found their way into TSYS’s network through Cayan, a payments company TSYS bought early in 2018 for more than $1 billion. The attack reportedly did not affect systems that handle payment card processing.
“As processors grow in size, especially through acquisitions and mergers, the task of growing their cybersecurity defenses becomes Herculean,” says Jeff Montgomery, senior vice president for cyber risk services at Sysnet Global Solutions, a Dublin, Ireland-based cybersecurity firm.
As attacks have increased, so too have the sums criminals are demanding. A few years ago, the average ransom demand was in the low five figures, but today criminals can demand six-, seven-, and even eight-figure ransoms, depending on how deep they think the victim’s pockets are and how much it would cost to evict the attacker. “One of the largest ransomware demands we’ve seen was for $46 million,” says Dubrovsky.
While criminals can never be sure that a victim will pay up, they know companies are more likely to send the money if the ransom is set below what a response to the attack would cost, says Gideon Samid, chief technology officer for Bitmint, a McLean, Va.-based provider of cybersecurity solutions. (Samid is also the author of Digital Transactions’ monthly “Security Notes” column. See his take on ransomware in this issue).
For criminals, that strategy is better than pricing the ransom so high a company cannot afford to pay it. That can leave the attacker with no choice but to permanently lock the data, erase it as it exits the network, or make the data public to prove his credibility.
In such instances, the victimized company typically goes out of business, but the criminal gets nothing, which is bad business for the criminal, cybersecurity experts say.
High-Pressure Tactics
With the potential to hit a home run on every attack, ransomware is no longer the domain of lone-wolf hackers. Large criminal enterprises are behind more and more attacks. Some criminal enterprises are actively recruiting hackers who have mounted successful attacks.
Others are going a step farther, gaining entry into multiple company networks and selling that access to other criminals, rather than launching a ransomware attack themselves.
“There are criminal enterprises that are franchising the opportunity to launch a ransomware attack because it is a more efficient way to monetize their efforts,” says Andy Barratt, managing principal, enterprise solutions for CoalFire Systems Inc., a Westminster, Colo.-based cyber-risk management advisory firm. “We’ve seen access sold for $250,000. For a criminal organization that acquires access into, say, 10,000 companies, that’s a lot of potential money.”
Indeed, no longer are criminals just threatening to withhold the key to unlock encrypted data or erase it if the ransom is not paid. They are instead applying new high-pressure tactics.
Attackers will make public some of the data they have locked up to demonstrate they will not hesitate to release all the data if the ransom is not paid. Another new tactic is public embarrassment. They threaten to publicize the attack through social-media channels if their demands go unmet.
Both tactics can undermine consumer confidence in the company under attack and its brand. “Ransomware affords criminals a lot of creativity when it comes to extorting money,” Montgomery says.
But some criminals are pushing the envelope even further. Today the likelihood that a criminal will sell data, even after the ransom has been paid, is greater than ever, cybersecurity experts warn.
“The way cyber attackers operate changes quickly, and trying to keep up with it can be like playing whack-a-mole,” says Rustam Lalkaka, director of product for Cloudflare, Inc., a San Francisco-based Web-performance and security company.
Even if an attacker promises not to sell copies of any of the data it accessed or launch another ransomware attack in the future, victimized companies choosing to pay a ransom should never be lulled into a false sense of security, cautions Samid. “Once a company pays the ransom, it becomes a target for attack from other criminals,” he adds.
The Layered Approach
Experts point to two effective defensive strategies for fending off an attack: layered security measures throughout the network, which help to contain an attack once it is discovered, and the immunization of core data so it can be recovered in the event of a breach.
Installing defenses that cut off potential escape routes once an intruder is detected can also help eradicate a threat after it occurs, cybersecurity experts say.
Layered defenses include monitoring employee behavior on the network and limiting employee access to the network. Monitoring employee behavior is critical because employees can unwittingly have their computers compromised by hackers, who can steal an employee’s access credentials to move through the network.
Establishing a baseline for how an employee moves through the network can help identify an intruder in the network, says Mohit Tiwari, chief executive and co-founder of San Francisco-based Symmetry Systems Inc., a provider of cybersecurity solutions.
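One way to turn that baseline idea into a concrete check, as an added example that is not from the article or from Symmetry Systems: it learns each user's usual target hosts and working hours from a constructed logon history, then flags later logons that fall outside it, including an off-hours sweep across hosts the user has never reached before. All records, user names and host names are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon records "timestamp user source_host target_host"; not real data.
BASELINE_LOG = """\
2021-02-01T09:02:11 alice ws-alice fileserver-1
2021-02-01T09:05:40 alice ws-alice hr-app
2021-02-02T08:58:03 alice ws-alice fileserver-1
2021-02-02T10:12:19 alice ws-alice hr-app
2021-02-01T09:14:02 bob ws-bob fileserver-1
"""
NEW_EVENTS = """\
2021-02-08T09:01:30 alice ws-alice fileserver-1
2021-02-08T02:47:12 alice ws-alice fileserver-1
2021-02-08T02:48:03 alice ws-alice db-primary
2021-02-08T02:48:41 alice ws-alice backup-srv
2021-02-08T02:49:10 alice ws-alice domain-controller
"""

def parse(text):
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.fromisoformat(ts), u, s, d) for ts, u, s, d in rows]

def build_baseline(events):
    """Per user: the hosts normally reached and the hours normally active."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, _src, dst in events:
        hosts[user].add(dst)
        hours[user].add(ts.hour)
    return hosts, hours

def score_events(events, baseline, burst_threshold=3):
    """Return (time, user, host, reasons) for each event off the baseline; an unknown user has empty sets, so everything is flagged."""
    hosts, hours = baseline
    new_hosts = defaultdict(set)
    findings = []
    for ts, user, _src, dst in events:
        reasons = []
        if dst not in hosts[user]:
            reasons.append("new target host")
            new_hosts[user].add(dst)
        if ts.hour not in hours[user]:
            reasons.append("unusual hour")
        if len(new_hosts[user]) >= burst_threshold:
            reasons.append("burst of new hosts")   # lateral-movement pattern
        if reasons:
            findings.append((ts.isoformat(), user, dst, reasons))
    return findings
```

The routine 09:01 logon produces nothing, while the four 02:47-02:49 events are each reported, the last one also as a burst of new hosts.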
“Companies that have connections to third parties should also identify what the third party is doing to protect data at their end, then layer in their own defenses around those connections,” Tiwari says. “Assume every third-party connection can be broken, if it is not broken already.”
Multifactor network authentication for employees is another must. So too is educating employees about the security protocols for remote access to the network.
‘No Easy Answers’
While criminals often target devices used by employees, bosses should not automatically blame employees for failing to follow security protocols until they know for certain how a breach occurred. “You can’t expect employees to be perfect, and blaming them is bad for morale and creates paranoia about opening emails or attachments,” says Tiwari. “Besides, there are a lot of other access points [beside] employee devices.”
Businesses should also identify core data sets and layer in security around them in the event of an attack. Creating a redundant database for core assets on a separate, secure server with limited access can also protect core data and ensure recovery in the event of an attack.
Finally, businesses must be vigilant against attackers who breach their system but lie dormant, waiting for an opportune time to strike. In some cases, dormant attackers may have masked their route into the network through encryption to evade detection.
“There are no easy answers when it comes to safeguarding a network, because all criminals need to gain entry is a crack in the defenses,” says Cytelligence’s Dubrovsky. “The best way to secure a network is through vigilance. You can never let your defenses down.”
Best Practices for Defending Against a Ransomware Attack
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Restrict users’ permissions to install and run software applications and allow only approved programs to run on a network.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis. Keep it on a separate device and store it offline.
- Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
Source: Cybersecurity and Infrastructure Security Agency
DDoS Attackers Will Demand A Ransom, Too
As with ransomware, distributed denial of service (DDoS) attacks are making a comeback. The reason: the opportunity to hold a business for ransom. But, unlike ransomware attacks, DDoS attacks flood a network with so much bogus traffic that customers and employees can’t use it.
While DDoS attackers have always demanded a ransom, the hefty ransoms being asked for in ransomware attacks have now filtered down to DDoS attacks. As a result, the average ransom demand for a DDoS attack is going up, cybersecurity experts say.
“A DDoS attack is a way to hold a company under water until they pay,” says Rustam Lalkaka, director of product for Cloudflare Inc.
DDoS attacks overwhelm a targeted company’s Web server with more traffic than the server can handle, which slows the server’s performance or freezes it up. The attacks are launched using multiple Internet bots, software programs that send simple, repetitive requests to a server from many different nodes. Because the incoming traffic originates from so many nodes, it is difficult for the server’s traffic filters to halt the attack.
“Once a DDoS attack starts, the victim has to be able to differentiate good traffic from bad traffic, and that’s where cybersecurity experts come in,” Lalkaka says. “The key is being able to see the volume of the attack so data can be gathered on how the attack is working and the damage it can cause, before a mitigation plan can be put into place.”
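The difference between the two cases described above, as an added example that is not from the article or from Cloudflare: it summarizes constructed request records in ten-second windows and shows why a per-source rate limit catches one noisy client but not a flood spread thinly across hundreds of nodes, where the window's volume jumps while no single address exceeds the limit. All addresses and counts are constructed.

```python
from collections import Counter

def constructed_traffic():
    """Constructed (second, client_ip) request records; not real traffic."""
    events = []
    for t in range(30):                      # 4 legitimate clients, 1 req/s each
        for i in range(4):
            events.append((t, f"203.0.113.{i + 1}"))
    for t in range(10, 20):                  # one noisy client, 6 req/s
        events.extend((t, "198.51.100.7") for _ in range(6))
    for t in range(20, 30):                  # 300 nodes, 2 requests each
        for n in range(30):
            node = (t - 20) * 30 + n
            events.extend((t, f"10.0.{node // 256}.{node % 256}") for _ in range(2))
    return events

def summarize(events, window=10, per_source_limit=30):
    """Per fixed window: volume, distinct sources, and whether the heaviest
    sender would trip a per-source rate limit."""
    buckets = {}
    for t, ip in events:
        buckets.setdefault(t // window, Counter())[ip] += 1
    out = []
    for start in sorted(buckets):
        counts = buckets[start]
        top_ip, top_n = counts.most_common(1)[0]
        total = sum(counts.values())
        out.append({"window": start, "requests": total, "sources": len(counts),
                    "top_source": top_ip, "top_share": top_n / total,
                    "rate_limit_hits": top_n > per_source_limit})
    return out

def classify(windows, baseline_requests):
    """Label each window against a known-good baseline volume."""
    labels = []
    for w in windows:
        if w["requests"] <= 2 * baseline_requests:
            labels.append("normal")
        elif w["rate_limit_hits"]:
            labels.append("single-source flood")   # per-source filtering works
        else:
            labels.append("distributed flood")     # needs volumetric mitigation
    return labels
```

In the third window the heaviest sender is one of the legitimate clients, so a per-source filter would cut off good traffic before touching the flood.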
If nothing else, payments providers need to remember there are a lot of cybercriminal crews looking for ways to extort a ransom. “DDoS attacks [for ransom] are becoming more common as criminals look to increase the pressure on companies to pay,” says Jeff Montgomery, senior vice president, cyber risk services for Sysnet Global Solutions.