Why Organisations Should Worry About Big Game Hunting (and it’s Nothing To Do with Wildlife)
Read the original blog on eWEEK (previously PCWeek).
One of the biggest, and most serious, cyberthreats that companies face today is ransomware. Despite security teams’ best efforts to mitigate this threat, cybercriminals inevitably remain one step ahead. Attacks continue to grow in scale and are becoming ever more sophisticated.
The first ransomware attack took place in 1989 and targeted individuals’ computers. It became known as the AIDS Trojan because it was distributed on floppy disks to attendees of a World Health Organisation AIDS conference. As an attack methodology, ransomware really came into its own in the early 2000s, when fast and reliable Internet access took off and paved the way for new variants.
Fast forward to today and ransomware has become a multi-billion dollar industry, with the Big Game Hunters targeting the largest organisations and designing each attack for maximum impact. And the reason? Attackers know that large enterprises have the deepest pockets and can afford to pay the highest ransoms.
Who Are the Big Game Hunters?
The Big Game Hunters are organised, well-funded criminal gangs, many of which operate as large distributed businesses, complete with call centres to handle ransom payments.
Just one example of a large and lucrative cyber-criminal operation is the group known as Sodinokibi (aka REvil), which runs a ransomware-as-a-service (RaaS) business model and recruits affiliates to distribute its ransomware. Its exploits include stealing nearly a terabyte of data from a large law firm and demanding a ransom not to publish it.
And then there’s the DarkSide gang, responsible for the Colonial Pipeline ransomware attack – undoubtedly the most high-profile ransomware attack of 2021. The company is responsible for supplying nearly 50% of the US East Coast’s fuel. In May, the DarkSide group deployed ransomware on the company’s computer system that oversees and manages the pipeline. Within just a few hours of the attack, Colonial Pipeline paid the ransom of $4.4 million (£3.2 million). The firm’s CEO later revealed that the business didn’t use multi-factor authentication, which explained how easily the attackers got into the system.
Targeting Their Prey
The ransomware variants deployed by the Big Game Hunters have multiplied, evolved and become more sophisticated, and their spread goes virtually unimpeded by security tools because each campaign is tailored to exploit the specific vulnerabilities of a single, high-value target.
No industry, it seems, is immune. The Big Game Hunters are targeting industries across the board, driven by their desire for a windfall payout. The 2021 Verizon Data Breach Investigations Report indicates that ransomware now makes up 10% of all security breaches – double the level from just the previous year. The attackers are going after the bigger game, and they’re catching it to the tune of millions of dollars.
Big Game Hunters are discerning. They will spend time selecting and studying their targets before conducting any form of attack. With ransoms potentially worth millions of dollars at stake, meticulous planning matters.
They’ll then use increasingly sophisticated methods to install ransomware on their victims’ systems. Typically these include looking for RDP servers that are exposed to the Internet and unpatched, exploiting vulnerabilities, or using webshell-type implants – all of which enable them to gain access to the enterprise, perform reconnaissance and credential dumping, and move laterally to find the hosts they’re after.
Defending against Attacks
As the number and sophistication of ransomware attacks continue to escalate, security teams should continually review the tools and business processes that are in place and rethink how their organisation is approaching security. The unfortunate truth is that Big Game Hunters will always be one step ahead, with security teams one, two or three steps behind. But all is not lost. There are steps that organisations can – and must – take.
Cybersecurity can be likened to an onion: it is multi-layered. But at its heart must be a robust cybersecurity policy that outlines the organisation’s cyber defence strategy. This should include the assets and data that need to be protected, the specific threats to those assets, and the security tools and processes that have to be adopted to deal with those threats.
Borrowing a phrase from Tony Blair’s famous 1986 Blackpool speech, another key element is “education, education, education”. And it’s not a one-time event. All employees must be continuously trained on – and reminded of – the kinds of threats they might face. They must have at least a basic understanding of how to recognise those threats – and what action to take if and when they spot them. Cybersecurity must become the responsibility of the whole organisation, not just the security teams.
And finally, it’s worth reinforcing the importance of ensuring that employees use strong and complex passwords, as this is the first line of defence against a hacker. Regularly changing those passwords is also very important. Worryingly, a recent study found that less than half of users change their passwords after a breach. More education is clearly required. As added layers of protection, organisations should also set up multi-factor authentication and encrypt sensitive data, so that in the event of a password being compromised, the attacker still won’t be able to access the files. Joseph Blount, CEO of Colonial Pipeline, take note.
The cyber threat landscape continues to evolve and become ever more complex. It’s inevitable that at some point organisations will find themselves in the crosshairs of the cyber criminals, and all will want to avoid the choice between paying up and losing critical data that could shut down their business. Businesses must prioritise security so that when the inevitable happens and they’re exposed to a breach, they have the tools in place to minimise the financial, reputational or technological losses that will likely follow.