Ransomware-as-a-Service: the next big threat to businesses
Covid-19: a catalyst for cybercrime
The introduction of remote working in response to the Covid-19 pandemic has led to an increase in cybercrime. Many organizations implemented telecommuting overnight and were ill-prepared for the threats that dominate cyberspace. Some remote workers are still unfamiliar with security concepts and controls, IT staff continue to be overwhelmed, business leaders are focused on survival rather than security, and telecommuters continue to use home networks that are not secure.
Although the pandemic has resulted in huge cost savings for businesses by removing the need for physical office space, many home networks still lack the security controls and detection mechanisms of corporate networks, which creates vulnerabilities in the IT infrastructure. Meanwhile, even among employees who use VPNs, many are unaware of the additional security procedures needed to ensure proper use.
The rise of Ransomware-as-a-Service
The recent wave of ransomware attacks across the world has led to the emergence of Ransomware-as-a-Service (RaaS) – a strategy in which ransomware developers lease variants of ransomware to customers. This business model provides the technology to unsophisticated criminals to launch ransomware attacks through a paid service.
Ransomware is part of a diverse family of malware and is designed to prevent organizations from gaining access to their data and computer systems until a ransom is paid. During an attack, a malicious actor deploys malware inside a target organization; from there the software is either manually directed to a storage repository or remains dormant while it collects information on Critical Value Data (CVD). Once the CVD is identified, the malware encrypts it using a private key or a complex encryption algorithm. Once encrypted, the data is almost impossible to decrypt via a “brute force attack”. The victim organization can either restore its data from a backup or face the demands of the attackers. After the ransom is paid, the private key is (presumably) provided to the victims and the files can be decrypted.
How to respond to RaaS attacks
Since RaaS attacks often disrupt normal business operations, it is important for companies to think through their recovery strategy. They need to get back to business as soon as possible while building on the lessons learned, so that they are smarter and in a better position to defend themselves. RaaS has lowered the barrier to entry for cybercriminals, which means our understanding of how these types of crimes are committed must change as well. If we fail to keep pace with it, we risk leaving businesses more vulnerable than ever.
Human involvement remains a constant consideration in how to guard against cyber threats. It is people who create the opportunities for exploitation: they build their systems and networks, deploy software, configure it, and support it. Whether unintentionally through an employee's mistake, or deliberately through an insider threat or an external attacker, it is usually a human being who is at the root of the vulnerability.
There are five root causes to consider in order to counter the success of cyber attacks. Addressing them also requires taking people into account and having them cooperate transparently with one another. First, complacency continues to prevent necessary actions in many businesses. Creating the right security frameworks requires constant attention and effort, and most organizations simply do not have such frameworks in place to successfully defend their systems.
Second, missing patches remain a high security risk and a frequent factor in data breaches. Without a comprehensive patch management program to prioritize, test, and deploy vendor patches, organizations leave themselves wide open to a wide variety of attack vectors. Lack of patches has been the most common attack vector for years and promises to remain so in the future, with breaches at an all-time high.
Third, quickly detecting intruders is just as important as trying to keep them out. Success does not necessarily lie in the deployment of security controls; it lies in having them calibrated adequately to identify the activities of cybercriminals on corporate systems. Many companies struggle to achieve this because they set the wrong criteria for success.
Fourth, to identify a violation, an organization must establish a baseline. Security teams should focus on classifying the normal activity of their networks and users. This will allow teams to detect abnormal behavior. When system administrators use a baseline, they gain a deep understanding of what is considered “normal” in their day-to-day operations and can identify malicious activity faster.
Finally, and by no means least, logging should be a top priority for businesses of all sizes. If businesses do not use logging systems to monitor activity, it is almost impossible to properly detect harmful activity. Audit logs in particular help determine what, when, where, and how intrusion activity took place and, as such, should be stored in a secure remote location to prevent tampering.
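The baseline and logging points above can be put into practice as a small detector over audit logs. The following is an added example, not code from the article or its author: it uses a constructed per-user baseline of hourly file-write counts on a shared drive plus the set of file extensions seen during the baseline period, then flags a new hour's events where a user's write volume exceeds their baseline, a user has no baseline at all, or files are written with an extension never seen before (the user names, paths and counts are all invented sample data).

```python
import json
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline (not from the article): hourly file-write counts per user on a
# shared drive, gathered while operations were known to be normal.
BASELINE_WRITES_PER_HOUR = {
    "alice": [3, 5, 4, 2, 6, 4, 3, 5, 4, 4],
    "bob": [1, 0, 2, 1, 1, 0, 2, 1, 1, 1],
    "svc_backup": [40, 42, 38, 41, 39, 40, 43, 41, 40, 39],
}
# File extensions observed on the share during the baseline period.
BASELINE_EXTENSIONS = {"docx", "xlsx", "pdf", "bak"}

# Constructed audit lines for one new hour: JSON, one file-write event per line.
NEW_HOUR_LOG = "\n".join(
    [json.dumps({"user": "alice", "host": "ws01", "path": f"/finance/report{i}.xlsx.locked"})
     for i in range(8)]
    + [json.dumps({"user": "bob", "host": "ws02", "path": "/finance/notes.docx"}),
       json.dumps({"user": "svc_backup", "host": "bk01", "path": "/finance/nightly.bak"}),
       json.dumps({"user": "tmpadmin", "host": "ws07", "path": "/finance/policy.pdf"})]
)

def parse_events(log_text):
    """Parse one JSON audit event per line, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def extension(path):
    """Lower-cased final extension of a path, or '' if the file name has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_anomalies(events, baseline=BASELINE_WRITES_PER_HOUR,
                     known_ext=BASELINE_EXTENSIONS, sigmas=3.0):
    """Return (user, reason) findings for one hour of write events."""
    findings = []
    # Signal 1: write volume far above the user's own baseline, or no baseline at all.
    for user, count in Counter(e["user"] for e in events).items():
        history = baseline.get(user)
        if history is None:
            findings.append((user, f"no baseline for user; {count} writes this hour"))
        elif count > mean(history) + sigmas * pstdev(history):
            findings.append((user, f"{count} writes exceeds this user's baseline"))
    # Signal 2: files written with an extension never seen during the baseline period.
    unseen = Counter((e["user"], extension(e["path"])) for e in events
                     if extension(e["path"]) not in known_ext)
    for (user, ext), n in unseen.items():
        findings.append((user, f"{n} files written with unseen extension '.{ext}'"))
    return findings
```

Running `detect_anomalies(parse_events(NEW_HOUR_LOG))` on the sample data flags alice twice (volume and the unseen `.locked` extension) and tmpadmin once (no baseline), while bob and the backup service stay quiet.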
Defense against post-Covid-19 cybercrime
To successfully detect and prevent attacks in today’s cyberspace, it is essential to remember that attackers rarely strike monitored systems. Instead, they focus on less obvious routes to the data, such as a non-administrative network segment with a path to the domain controller. Most data breaches tend to involve the exploitation of neglected weaknesses in the system, including missing patches, configuration errors, and open ports.
Since it is almost impossible to stop ransomware attacks completely, businesses should focus on detecting intruders early in order to minimize unnecessary risk. Future post-Covid-19 frameworks for evicting intruders must have appropriate protocols covering the reactive response to attacks, the specific steps needed to isolate the attack, and access restrictions.
As part of this framework, organizations must understand and investigate their existing security vulnerabilities both before and after attacks. By understanding the failure that allowed the intruder to enter their systems, they can properly fill any security gaps and integrate what they learn into strengthening their security posture.
Protect the most vulnerable
The proliferation of payment card data in the retail industry, combined with security concessions to improve customer convenience, creates a recipe for breaches. Although PCI DSS has increased the overall security posture of these organizations, they remain the most popular targets among attackers.
The best way to identify the industries most vulnerable to cyber attacks in the future is to look at the flow of money in each industry and see how those industries are handling their digital transformation. In addition to retail, the biggest targets today include food and beverage, hospitality, pharmaceutical companies, government agencies, and law firms. Any organization that holds valuable data and deals with large sums of money is a target, because its data has significant market value.
Business Email Compromise (BEC) continues to be one of the simplest and most effective attacks in use around the world. Attackers create an email address bearing the name of an executive in the company and send an email to everyone in the company asking them to perform an activity – granting access to files or shares and transferring funds are popular requests – and then wait to see if someone bites. Although the success rate can be low, it only takes one human error for the attacker to gain access.
Chris Pogue, Head of Strategic Alliances, Nuix