ansomware attachment, such as a Microsoft Word document or PDF file containing malware. Others, however, may contain a link to a webpage controlled by the attackers. The goal is to get the target to open the attachment and trick the victim into enabling macros or clicking the link, which can then deliver a malicious downloader, leading to the final payload, which is ransomware.
"Software vulnerabilities play a key role in facilitating ransomware attacks through several avenues. These include vulnerabilities used as part of malicious documents, vulnerabilities found in perimeter devices like Secure Socket Layer Virtual Private Networks (VPNs), as well as a plethora of flaws designed to elevate privileges, once inside an organisation's network."

Prolific ransomware groups such as LockBit, Rhysida, Play and ALPHV/BlackCat make use of multiple exploits in their efforts to compromise organisations. "For illustration, throughout the last quarter of 2023, threat actors exploited CitrixBleed in attacks against a variety of organisations. Some notable examples include attacks against Boeing and Comcast."

While initial access is how ransomware groups gain access to an organisation's network, once inside they will set their sights on Active Directory, says Montel. "Gaining domain privileges provides attackers with the necessary capabilities to distribute their ransomware payloads across the entire network. Once threat actors are inside, the game is fundamentally over. Today's ransomware gangs will look to extrapolate data silently and, once that's achieved, they'll prepare to encrypt systems and cripple the organisation's ability to function.

"A further trend that has been seen is threat actors wiping data at rest. This is even more insidious and can be undetected, compared to encryption. Often, the first the organisation knows anything about the attack is a communication from the gang threatening to encrypt systems or publish the data on the dark web, if demands are not met. The added pressure from this type of extortion is what has helped make ransomware so successful."
The question of whether to meet ransomware demands is complicated, he adds. "Only the organisation impacted will be able to determine the best course of action. Given the financial impact from ransomware attacks, be it the inability to function from crippled systems or sensitive data exposed, prevention has to be better than cure. Gaining visibility into where the biggest areas of risk are - exposure management - is absolutely critical to knowing which doors and windows are wide open and need to be closed to stop ransomware in its tracks."
14-STAGE ASSAULT

A ransomware attack typically involves 14 stages, according to Kennet Harpsoe, senior cyber analyst at Logpoint. "The first stage is reconnaissance, where the threat actor gathers information about the victim. The second stage is resource development to support targeting, followed by initial access, in which the attacker tries getting into the network. The fourth phase is execution, where the attacker tries executing malware."

The next stage is persistence, he says, in which the attacker attempts to maintain a foothold in the victim's network, even if the system terminates the payload process or reboots. "Afterwards, attackers use privilege escalation to gain access to accounts with higher-level access and defence evasion by disabling security, clearing logs or obfuscating the payload. At the privilege escalation stage, attackers then retrieve logins.
"The discovery phase allows attackers to identify other weaknesses within the network and plan and execute more advanced attacks," continues Harpsoe. "Using lateral movement, the attacker moves to other hosts to establish a presence and access information. The collection stage is when attackers collate data from systems and the Command and Control (C&C) phase is where the attacker establishes control over the victim's systems."

Justin Giardina, 11:11 Systems: ransomware attacks reflect a chilling professionalisation of tactics and leverage military-grade encryption.

Exfiltration is where attacks extract data using various methods. The last stage is impact, where the attackers use techniques at a later stage to disrupt availability, compromise integrity or manipulate business and operational processes. Knowing these tactics is essential to detect an ongoing attack before the attackers deploy the ransomware.
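The point Harpsoe makes about the stages is that most of them happen before encryption, so a defender who correlates stage indicators over time gets a window to act. The script below is an added illustration written for this article, not code from Logpoint or from the magazine: it walks a constructed event stream in order, maps each event to one of the 14 stages named above using hypothetical indicator patterns (keyed to the behaviours the article describes, such as macros being enabled, logs being cleared, logins being retrieved, data being collated and uploaded, and finally encryption or wiping), and reports the line at which a simple correlation rule (a configurable number of distinct stages seen before any impact event) would have raised an alert. The event lines, the indicator regexes and the alert threshold are all assumptions made for the example.

```python
import re
from typing import Optional

# The 14 stages in the order the article lists them.
STAGES = [
    "reconnaissance", "resource development", "initial access", "execution",
    "persistence", "privilege escalation", "defence evasion", "credential access",
    "discovery", "lateral movement", "collection", "command and control",
    "exfiltration", "impact",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Hypothetical indicator rules: (stage, regex over the lower-cased event text).
# The patterns are illustrative and tied to the behaviours the article names;
# a real rule set would be built from the telemetry a given environment emits.
RULES = [
    ("initial access", re.compile(r"opened attachment|phishing link clicked")),
    ("execution", re.compile(r"macro enabled|downloader launched")),
    ("persistence", re.compile(r"autostart entry added|payload survived reboot")),
    ("privilege escalation", re.compile(r"domain admin granted|privilege elevated")),
    ("defence evasion", re.compile(r"event log cleared|security agent disabled")),
    ("credential access", re.compile(r"credentials retrieved|logins harvested")),
    ("discovery", re.compile(r"network enumeration|share listing")),
    ("lateral movement", re.compile(r"remote logon to|moved to host")),
    ("collection", re.compile(r"data staged|archive created")),
    ("command and control", re.compile(r"c2 beacon|control channel established")),
    ("exfiltration", re.compile(r"bulk upload|data exfiltrated")),
    ("impact", re.compile(r"mass encryption|data wiped")),
]


def classify(event: str) -> Optional[str]:
    """Return the stage an event line indicates, or None if it matches no rule."""
    text = event.lower()
    for stage, pattern in RULES:
        if pattern.search(text):
            return stage
    return None


def assess(events, alert_threshold: int = 3) -> dict:
    """Walk the event stream in order and summarise the stage progression.

    alert_at is the 1-based event number at which `alert_threshold` distinct
    non-impact stages had been observed with no impact event yet seen, i.e.
    the point at which a correlation rule could have fired before encryption.
    """
    seen = []            # distinct stages in order of first observation
    alert_at = None
    impact_at = None
    for n, event in enumerate(events, start=1):
        stage = classify(event)
        if stage is None:
            continue
        if stage not in seen:
            seen.append(stage)
        if stage == "impact" and impact_at is None:
            impact_at = n
        pre_impact = [s for s in seen if s != "impact"]
        if alert_at is None and impact_at is None and len(pre_impact) >= alert_threshold:
            alert_at = n
    furthest = max(seen, key=STAGE_INDEX.__getitem__) if seen else None
    return {
        "stages_seen": seen,
        "furthest_stage": furthest,
        "alert_at": alert_at,
        "impact_at": impact_at,
        "caught_before_impact": alert_at is not None
        and (impact_at is None or alert_at < impact_at),
    }


# Constructed sample event stream for the example (not real logs).
SAMPLE_EVENTS = [
    "09:01 user opened attachment invoice.docm from external sender",
    "09:02 macro enabled in winword by user",
    "09:03 downloader launched from user temp directory",
    "09:10 autostart entry added for downloaded binary",
    "10:30 privilege elevated: service account to local admin",
    "10:31 event log cleared on workstation",
    "11:00 credentials retrieved from memory on workstation",
    "11:20 network enumeration of domain controllers",
    "12:00 remote logon to fileserver01 from workstation",
    "13:00 archive created on fileserver01 (4.2 GB)",
    "13:05 control channel established to external host",
    "14:00 bulk upload to external host (4.2 GB)",
    "16:00 mass encryption started across network shares",
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

On the sample stream the rule fires at the fourth event (initial access, execution and persistence observed), roughly seven hours before the impact event, which is the gap the article says defenders should be using. Lowering the threshold trades earlier warning for more false positives; a stream that begins with an impact event (the wiping case Montel describes) never produces an alert, which is why earlier-stage telemetry matters more than encryption detection.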
"Ransomware can result in downtime, data loss and ransom payments, but now the fines for non-compliance are an additional concern, as we saw in the case of BlackCat," he states. "It filed a complaint with the SEC over MeridianLink's failure to disclose a cybersecurity incident to punish the company for not paying the ransom. This new extortion tactic will likely be used going forward, especially with the introduction of NIS2.

"Compliance-driven extortion could diminish
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security 31