
The rising threat of human-controlled ransomware

27 Oct 2020

Article by Attivo Networks regional director for A/NZ Jim Cook.

Of all the potentially disruptive and costly cyber threats faced by legal firms today, one of the most significant is ransomware.

Cybercriminals get malicious code into an IT infrastructure, where it encrypts vital data stores and locks staff out of them. The criminals then demand a ransom payment in exchange for the decryption keys.

Until recently, most ransomware attacks have been automated affairs. Attackers try to spread their code as widely as possible in the hope of infecting and locking down systems.

However, things are now changing. There is a rise in so-called human-controlled ransomware, which is far more targeted and potentially far more dangerous. As the name suggests, these attacks are not fully automated; a human operator directs them in real time.

This is the latest step in a threat that has been developing for some years. When it first appeared, ransomware tended to target consumers and demand relatively small payments to unlock their infected PCs.

More recently, however, the attention of cybercriminals has shifted to the business sector, where the potential for much larger payments is greater. A consumer losing access to a PC is one thing, but a ransomware attack locking a law firm out of critical files and systems is another thing altogether.

More targeted attacks

Taking a human-controlled approach to a ransomware attack shifts the goalposts even further. Rather than relying on code to find suitable targets for encryption, a human operator can take time to move laterally through an IT infrastructure and locate the most valuable data stores.

Depending on the attacker's patience and skill, they may spend weeks or even months combing through an extensive IT infrastructure and identifying potential targets. Once the targets are confirmed, they can time the encryption to make the attack as debilitating as possible, thereby maximising the prospects of swift payment.

To add insult to injury, many criminals now steal sensitive data before encrypting it and use it as leverage, threatening to release it publicly if the ransom is not paid. Often the attackers disclose a sample of the data and then raise the demand, requiring a second payment to prevent further disclosure. The firm thus faces double extortion: once to decrypt its data and a second time to stop the release of the stolen information.

Cybercriminals also sell ransomware-as-a-service. The developers lease their ransomware, and often the payment and leak-site infrastructure that goes with it, to affiliates who are less versed in the tactics and techniques, in exchange for a portion of every ransom those affiliates collect.

Protecting against humans

Protecting a law firm against human-controlled ransomware starts with the same steps used against automated attacks. One of the first is staff education, so that people are aware of the dangers of opening unusual email attachments or clicking on unexpected web links. These simple actions can give an attacker initial access to the network, from which the rest of the attack plan can be executed.

On the security front, an increasingly popular and successful approach is what security professionals term a deception strategy. It involves deploying components, such as applications, credentials and file stores, that blend into the corporate IT infrastructure but play no part in day-to-day operations. Because staff have no reason to touch these resources, any access to them is highly likely to be part of a cyberattack, which makes a decoy alert a far higher-fidelity signal than most other detections.

Once a decoy asset triggers an alert, the IT team can safely observe the attacker and understand their goals and methods. The organisation can then take steps to remove them from the network and prevent their return.
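To make the detection side of that concrete, here is an added example (it is not Attivo Networks' code, nor the article's) of the simplest form of decoy monitoring: a script that reads file-share access records and raises an alert on any touch of a planted decoy. The decoy paths, the allowlisted backup account and the CSV record format are all constructed for this illustration; a real deployment would parse Windows object-access audit events or SMB server logs instead, and only the parsing function would change.

```python
"""Alert on any access to decoy file-share assets.

Added example, not code from Attivo Networks or the article. The audit
record format is a constructed, simplified CSV:
    timestamp,user,source_host,action,path
Real deployments would feed Windows object-access audit events or SMB
server logs through the same logic; only parse_record() would change.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from typing import Iterable

# Hypothetical decoys planted by the defender: they look like real shares
# and files, but no business workflow ever reads them.
DECOY_PATTERNS = [
    r"\\fs01\Finance-Archive\*",
    r"\\fs01\Legal\Clients\M&A-2019\*",
    r"\\fs01\IT\passwords.xlsx",
]

# Service accounts that legitimately sweep every share (backup, AV).
# Keep this list short: every entry is a blind spot for the decoys.
ALLOWLIST_USERS = {"svc_backup"}

# Touching this many distinct decoys from one principal looks like
# deliberate enumeration rather than a single mistaken click.
ENUMERATION_THRESHOLD = 2


@dataclass
class AccessRecord:
    ts: datetime
    user: str
    host: str
    action: str
    path: str


@dataclass
class PrincipalActivity:
    first_seen: datetime
    last_seen: datetime
    decoys: set[str] = field(default_factory=set)
    events: int = 0


def parse_record(line: str) -> AccessRecord | None:
    """Parse one constructed audit line; return None for malformed input."""
    parts = line.strip().split(",", 4)
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return AccessRecord(ts, parts[1], parts[2], parts[3].upper(), parts[4])


def matched_decoy(path: str) -> str | None:
    """Return the decoy pattern the path falls under, or None for a real asset."""
    for pattern in DECOY_PATTERNS:
        if fnmatch(path.lower(), pattern.lower()):
            return pattern
    return None


def detect_decoy_access(lines: Iterable[str]) -> list[dict]:
    """Aggregate decoy touches per (user, host) and grade their severity."""
    activity: dict[tuple[str, str], PrincipalActivity] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.user in ALLOWLIST_USERS:
            continue
        decoy = matched_decoy(rec.path)
        if decoy is None:
            continue  # ordinary business access carries no signal here
        key = (rec.user, rec.host)
        act = activity.get(key)
        if act is None:
            act = activity[key] = PrincipalActivity(rec.ts, rec.ts)
        act.first_seen = min(act.first_seen, rec.ts)
        act.last_seen = max(act.last_seen, rec.ts)
        act.decoys.add(decoy)
        act.events += 1

    alerts = []
    for (user, host), act in sorted(activity.items()):
        severity = "critical" if len(act.decoys) >= ENUMERATION_THRESHOLD else "high"
        alerts.append({
            "user": user, "host": host, "severity": severity,
            "decoys": sorted(act.decoys), "events": act.events,
            "first_seen": act.first_seen.isoformat(),
            "last_seen": act.last_seen.isoformat(),
        })
    return alerts


# Constructed sample: one ordinary read, one backup sweep, then a single
# workstation quietly walking several decoys in the middle of the night.
SAMPLE_LOG = [
    r"2020-10-20T09:12:03,alice,WS-114,READ,\\fs01\Legal\Clients\Active\brief.docx",
    r"2020-10-20T22:30:00,svc_backup,BK01,READ,\\fs01\Finance-Archive\2018\ledger.xlsx",
    r"2020-10-21T02:07:55,jsmith,WS-207,LIST,\\fs01\Finance-Archive\2018",
    r"2020-10-21T02:08:12,jsmith,WS-207,READ,\\fs01\Finance-Archive\2018\ledger.xlsx",
    r"2020-10-21T02:09:30,jsmith,WS-207,READ,\\fs01\IT\passwords.xlsx",
    r"2020-10-21T02:15:02,jsmith,WS-207,READ,\\fs01\Legal\Clients\M&A-2019\term-sheet.pdf",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for alert in detect_decoy_access(SAMPLE_LOG):
        print(alert)
```

Two design points follow directly from the article's argument. There is no baseline or anomaly model here: because no legitimate workflow touches a decoy, a single read is already worth an alert, and the only tuning is the short allowlist of sweeper accounts. The severity escalation captures the lateral-movement behaviour described above: one principal walking several unrelated decoys within minutes is enumerating the estate, not mis-clicking, and that is the point at which the team should be watching the session rather than just logging it.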

In the past, cybersecurity teams have tended to focus on using perimeter-based prevention techniques. However, when one considers the growth of threats such as human-controlled ransomware, this approach is no longer sufficient.

Instead, proactive techniques such as cyber-deception should also be part of the security mix. Law firms will then be better able to detect and derail threats much earlier so that criminals cannot establish a foothold or complete their planned attack.

Understanding the continually evolving threat landscape is also crucial, as techniques that work today may not be useful tomorrow. Taking the time to understand the threats and deploy effective countermeasures now positions an organisation well for whatever comes next.
