Companies of all sizes and sectors fall prey to data breaches and ransomware attacks. A security incident that results in data leakage stains the reputation of the affected organization, not to mention the legal battle that follows. Enterprises spend millions on security products to attain a comprehensive security posture, yet attackers still compromise networks and exfiltrate data. Criminal and state-sponsored threat actors alike craft sophisticated attack vectors that evade detection and develop zero-day exploits for the applications used by victim organizations.
Quite often, the Ransomware as a Service (RaaS) model is advertised by ransomware developers on underground hacker forums. Today, anyone can make use of a RaaS platform and become a ransomware operator. Companies pay the ransom when it becomes the only viable option, which emboldens threat actors to carry out more campaigns against organizations.
State-sponsored APTs are more dangerous since they are backed by nation states. Their funding never runs dry, which in turn enables them to develop complex infrastructure. Their target objectives also set APTs apart: geopolitical factors, not financial gain, are their primary motivation.
Recent trends in the cyber threat intelligence landscape involve ransomware and banking trojans. Multistage, complex malware downloaders can also be found in the wild; they facilitate further dissemination of ransomware and other spyware/trojans. Certain ransomware groups also loot cryptocurrency by compromising crypto exchanges.
Ryuk has been spotted in various attacks targeting enterprise organizations worldwide, demanding ransom payments ranging from 15 to 50 Bitcoins (BTC), which translated to between US$97,000 and $320,000 at the time of valuation.
Fig1. Popular attack vectors
REvil/Sodinokibi ransomware was first detected in 2019, targeting the health and IT sectors. Later, the group began auctioning off over the dark web sensitive data stolen from companies using its malicious code. As part of its tactics, the group threatens to release its victims' data unless its ransom demands are met.
Dharma ransomware, a variant of CrySiS, appends various extensions to infected files. The malware has been in operation since 2016, and the threat actors behind it continue to release new variants that cannot be decrypted.
Djvu is a high-risk virus belonging to the STOP malware family. First discovered by Michael Gillespie, it is categorized as ransomware and is designed to lock (encrypt) files using a cryptographic algorithm.
Ransomware strains reported
Fig2. Ransomware strains Q1 2020 (incl. STOP)
Cooperation between ransomware families has also been observed to increase lately, making Ransomware as a Service (RaaS) offerings more efficient to operate.
Fig3. Ransomware strains Q1 2020 (excl. STOP)
STOP, Dharma, Phobos, and REvil have played major roles in the RaaS sector. They remain very active today, carrying out their campaigns; Dharma and REvil especially so.
Malware attacks vs. Malware-free attacks
Malware attacks are the simple case in which a malicious file is written to disk; this can be easily detected and blocked by Endpoint Detection and Response (EDR). Malware-free attacks rely instead on in-memory code execution and credential spraying, which require more sophisticated detection mechanisms. We have seen an increase in malware-free attacks as part of campaigns since 2019; they successfully evade the security measures and defenses set up by enterprises.
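Credential spraying leaves no file on disk, so the detection has to come from authentication telemetry rather than from EDR file scanning. The following detector is an added example written for this page, not code from the original article or from any product it mentions. It works over a constructed list of failed-logon events (timestamp, source IP, target user; the field shape loosely follows a Windows 4625 event, and every value is made up) and flags a source that fails against many different accounts inside a sliding window, which is the shape per-account lockout thresholds miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events: (timestamp, source IP, target user).
# The shape loosely follows the fields of a Windows 4625 event; all values are
# made up for this example.
SAMPLE_EVENTS = [
    ("2020-03-10T09:00:01", "10.0.0.5", "alice"),
    ("2020-03-10T09:00:03", "10.0.0.5", "bob"),
    ("2020-03-10T09:00:05", "10.0.0.5", "carol"),
    ("2020-03-10T09:00:07", "10.0.0.5", "dave"),
    ("2020-03-10T09:00:09", "10.0.0.5", "erin"),
    ("2020-03-10T09:00:11", "10.0.0.5", "frank"),
    ("2020-03-10T09:01:00", "10.0.0.9", "alice"),  # one user mistyping a password
    ("2020-03-10T09:01:30", "10.0.0.9", "alice"),
    ("2020-03-10T09:02:00", "10.0.0.9", "alice"),
    ("2020-03-10T12:00:00", "10.0.0.5", "grace"),  # hours later: outside any window
]


def detect_spraying(events, window_minutes=5, min_distinct_users=5):
    """Flag sources that failed to log on as many *different* accounts within
    a sliding time window. Returns {source_ip: sorted list of targeted users}.

    Many failures against one account from one source is the classic brute-force
    shape; spraying is the opposite: few attempts each against many accounts,
    so per-account lockout thresholds are never reached.
    """
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    alerts = defaultdict(set)
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= window_minutes.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) >= min_distinct_users:
                alerts[src].update(users)
    return {src: sorted(users) for src, users in alerts.items()}


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_EVENTS).items():
        print(f"possible credential spraying from {src}: {len(users)} accounts {users}")
```

On the sample data only 10.0.0.5 is flagged: the single user repeatedly failing from 10.0.0.9 is not spraying, and the later failure against "grace" falls outside the window. The window length and distinct-user threshold are the tuning knobs; lower them for sensitive services such as VPN or mail gateways, and raise them where shared kiosks or NAT gateways legitimately produce many users per source.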
Cost of a Ransomware Attack
The total cost of a ransomware attack includes the ransom amount (if paid), the cost of network remediation, lost revenue, and the cost of potential damage to the brand's reputation. Recent trends indicate that more businesses are being targeted and threatened with the release of their data unless a ransom is paid.
It seems that ransomware groups have evaluated the long-term impact of their attacks on the brand image, trust, and reputation of organizations that refuse to pay up. Ryuk ransomware is largely responsible for the massive surge in ransom demands. Ransomware operators demand an average of $288,000 for the release of systems.
Fig4. Largest amount of ransom reported in 2019
Fig5. Largest avg. ransom pay-offs in 2020
Ransomware statistics for 2020
Taking into account current trends and statistics, ransomware plus downtime costs for the top five countries in 2020 are estimated to be:
- Italy: $1.1 billion – $4.3 billion
- Germany: $1 billion – $4 billion
- Spain: $830 million – $3.3 billion
- UK: $469 million – $1.9 billion
- France: $121 million – $485 million
Hidden Costs of ransomware
- Downtime of information systems
- Loss of reputation
- Legal action from users
Cyber security during COVID-19
“WHO reports fivefold increase in cyber attacks, urges vigilance”
Threat actors have exploited COVID-19 extensively to carry out phishing attacks, masquerading as the WHO and similar agencies to deliver malware-laced emails. COVID-19-related phishing attacks went up by 667% and scams increased by 400% over the month of March 2020, making the coronavirus the largest-ever security threat. To make things worse, social distancing guidelines observed across countries forced organizations to work from remote locations, putting their security at risk. Remote work exposed user endpoints to external threats and had the following impacts:
- Increased security risk from remote working/learning
- Potential delay in cyber-attack detection and response
- Business Continuity Plans (BCP) that need to cover global pandemics
Effective Threat Intelligence
For an average company earning $10K/hour, operating 8 hours a day and 5 days a week, the downtime cost is estimated at $1,760,000 each month. Estimated average downtime is 1-2 hours. The cost of 1.6 hours of average downtime per week for a Fortune 500 company is approximately $46M per year.
A Distributed Denial of Service (DDoS) attack that temporarily disrupts the activities of a website can last for a few days or even longer. According to the IDG DDoS report, 36% of companies that have experienced more than five DDoS attacks suffer an average downtime of 7-12 hours.
An experienced Cyber Threat Intelligence (CTI) team gathers information from different sources and converts it into intelligence to safeguard client corporations. If effective CTI is not part of a company's mature security model, the company can fall prey to any attack at any time.
A CTI team can actively monitor and create actionable intelligence on the following areas of your business:
- Supply chain
- Dark web monitoring for data leaks
- New emerging attack vectors
Threat intelligence must be actionable. It provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) to the security team, especially the Security Operations Center (SOC) team, for proactive and reactive measures to counter cyber threats.
Indicators of Compromise
These are some of the common types of Indicators of Compromise:
- IP addresses, URLs and domain names used by malware
- Email addresses, email subjects, links and attachments used by malware
- Registry keys, filenames, file hashes and DLLs of malware
Examples, with the associated malware family in brackets:
- hxxp://184.108.40.206/bssd [SectopRAT Trojan]
- hxxp://220.127.116.11/blad [SectopRAT Trojan]
- firstname.lastname@example.org [Djvu ransomware]
- Gorentos2@firemail.cc [Djvu ransomware]
- ef95c48e750c1a3b1af8f5446fa04f54 [Maze]
- f04d404d84be66e64a584d425844b926 [Maze]
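Indicators are only "actionable" once the SOC can sweep its own telemetry for them. The matcher below is an added example written for this page, not code from the original article or from any vendor it mentions. It takes the indicators listed above exactly as published (defanged, with hxxp://), refangs and normalises them into a lookup index, and scans a few constructed proxy, mail-gateway and EDR log lines (all values made up apart from the indicators themselves) for matches. Hash and mail-address matching is case-insensitive because tools disagree on case.

```python
import re

# Indicators copied from the list above, kept defanged as published.
IOCS = {
    "url": ["hxxp://184.108.40.206/bssd", "hxxp://220.127.116.11/blad"],
    "email": ["firstname.lastname@example.org", "Gorentos2@firemail.cc"],
    "md5": ["ef95c48e750c1a3b1af8f5446fa04f54", "f04d404d84be66e64a584d425844b926"],
}


def refang(value):
    """Convert a defanged indicator (hxxp://, [.]) to the form seen in live telemetry."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def build_index(iocs):
    """Map each normalised indicator value to its type for O(1) lookups."""
    return {refang(v).lower(): kind for kind, values in iocs.items() for v in values}


# Constructed telemetry lines (proxy, mail gateway, EDR); all values are made up
# except the indicators themselves, which come from the list above.
SAMPLE_LINES = [
    ("proxy", "2020-03-12T10:02:11 user=jdoe GET http://184.108.40.206/bssd 200 1342"),
    ("proxy", "2020-03-12T10:02:15 user=jdoe GET https://example.com/ 200 5120"),
    ("mail", "2020-03-12T10:05:00 from=Gorentos2@firemail.cc subject=invoice attachments=1"),
    ("edr", "2020-03-12T10:06:40 host=ws-17 file=C:\\Users\\jdoe\\AppData\\x.exe md5=F04D404D84BE66E64A584D425844B926"),
    ("edr", "2020-03-12T10:07:00 host=ws-17 file=C:\\Windows\\notepad.exe md5=0123456789abcdef0123456789abcdef"),
]

TOKEN_RE = re.compile(r"\S+")


def scan(lines, index):
    """Return (source, ioc_type, value) for every token that matches an indicator.
    key=value fields are compared on their value part; surrounding punctuation
    from common log formats is stripped before the lookup."""
    hits = []
    for source, line in lines:
        for token in TOKEN_RE.findall(line):
            value = token.split("=", 1)[1] if "=" in token else token
            value = value.lower().strip(",;\"'")
            if value in index:
                hits.append((source, index[value], value))
    return hits


if __name__ == "__main__":
    for source, kind, value in scan(SAMPLE_LINES, build_index(IOCS)):
        print(f"[{source}] {kind} indicator matched: {value}")
```

On the sample lines this produces one URL hit from the proxy, one sender hit from the mail gateway and one MD5 hit from EDR, and nothing for the benign lines. URL matching here is exact-string; a production sweep would additionally index the host or IP component on its own, since an operator's next campaign usually reuses infrastructure under a different path.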
Tactics, Techniques, Procedures/ TTPs
TTPs describe the behaviour of a threat actor or group: how the actor carries out an attack against the network and moves laterally within the intranet.
MITRE ATT&CK is the most widely used open-source threat intelligence framework for understanding adversary tactics and techniques. There are 11 tactics and 291 techniques listed in this framework.
Example of Tactic and Technique
Tactic           Technique
Initial Access   T1193: Spear Phishing Attachment
Execution        T1059: Command-Line Interface
                 T1204: User Execution
                 T1028: Windows Remote Management
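A SOC consumes TTPs by turning them into behavioural rules that tag events with technique IDs, so that alerts line up with the framework rather than with a vendor's naming. The snippet below is an added example written for this page, not code from the original article or from MITRE. It uses the Execution-tactic technique IDs and names from the table above, applies two simple heuristics to constructed process-creation events (an Office application spawning a command interpreter, which is the usual trace of an opened malicious attachment, and a process started under the WinRM host wsmprovhost.exe, which indicates remote execution), and reports which techniques each event maps to. Hosts, paths and the heuristics' process lists are assumptions for the example.

```python
# Technique IDs and names as listed in the table above (ATT&CK numbering at the
# time the page was written).
TECHNIQUES = {
    "T1204": "User Execution",
    "T1059": "Command-Line Interface",
    "T1028": "Windows Remote Management",
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# wsmprovhost.exe is the host process for remote PowerShell sessions over WinRM.
WINRM_HOST = "wsmprovhost.exe"


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the ATT&CK technique IDs a single process-creation event maps to."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    ids = []
    # An Office document spawning a shell is the usual trace of a malicious
    # attachment the user opened (User Execution) handing off to a command
    # interpreter (Command-Line Interface).
    if parent in OFFICE_APPS and image in SHELLS:
        ids += ["T1204", "T1059"]
    # A process started under the WinRM host was launched remotely.
    if parent == WINRM_HOST:
        ids.append("T1028")
        if image in SHELLS and "T1059" not in ids:
            ids.append("T1059")
    return ids


def triage(events):
    """Return [(host, [technique ids])] for events that matched at least one rule."""
    flagged = []
    for ev in events:
        ids = classify(ev)
        if ids:
            flagged.append((ev["host"], ids))
    return flagged


# Constructed process-creation events; hosts and paths are made up.
SAMPLE_EVENTS = [
    {"host": "ws-17", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "srv-02", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "srv-02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for host, ids in triage(SAMPLE_EVENTS):
        names = ", ".join(f"{i} ({TECHNIQUES[i]})" for i in ids)
        print(f"{host}: {names}")
```

Only the first and third events are flagged: a user opening Word from Explorer and a service host starting normally map to nothing. Tagging by technique ID is what lets the SOC measure coverage against the framework, since each rule can be traced back to the tactic and technique row it was written for. Note that WinRM is used legitimately by administrators, so the T1028 rule is a lead for correlation (which account, from where, at what hour) rather than an alert on its own.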
The efficacy of a CTI team in predicting the likelihood of an incident and ensuring the effective implementation of mitigation measures is essential to the survival of any organisation in its current realm of operations.
To further their nefarious intentions, threat actors arm themselves with sophisticated tools and advanced capabilities. It is quite difficult for law enforcement as well as cyber security practitioners to keep pace with these actors. An effective CTI system can help organizations contain an attack within the network, reduce associated costs, and minimize data loss. Investing in a strong CTI system allows security operations centers to predict and mitigate attacks proactively. However, a CTI system is only as strong as its weakest link: humans. Human error can cause even the most impenetrable, robust security system to fail. A good security system monitors information systems and applications and conducts regular vulnerability assessments and pentesting. But a comprehensive security system also prioritizes employee/user training and keeps staff up to date on cyber hygiene and best practices.