Ironically enough, the WannaCry campaign taught cybercriminals and state-sponsored actors not only how not to run a ransomware campaign, but also how to refine their code to turn a quick buck. And what about the IT staff? Well, it depends: on the region you are in, and on the budget your company allocates to cyber awareness, especially internal training. Unfortunately, there are still organizations that protect themselves with out-of-date methods; they forget that threat actors have changed, evolved, and got nastier. The world has not become a safer place.
The AllFather of Modern ransomware
The cyber group that wrote the WannaCry code launched it without owning the domain it checked. This insignificant detail turned out to be their biggest Achilles' heel. Combined with their other faults, such as their failure to protect the code from security researchers, the campaign caused far more collateral damage than it could ever have gained. Some victims got their files back simply by asking the hackers nicely, claiming they had paid the sum, with no proof or verification whatsoever required on the attackers' side.
Ransomware has come a long way in how cybercriminals overcome the technical shortcomings that stopped the original WannaCry from becoming even more devastating than it was.
To this day, the basic penetration efforts used to plant the malware remain the same (unknown malware hidden inside innocent-looking files, commonly used and newly discovered attack vectors, phishing, weak or stolen credentials, insecure remote access, and software vulnerabilities), but the techniques, strategies, and methods that professional cybercriminal groups build into their ransomware have evolved far beyond the original threat, and skilled threat actors keep sharpening and enhancing their code every single day. Nowadays, no ransomware campaign is launched without some mechanism that generates a unique ID and Bitcoin wallet for each distinct victim, which lets the operators verify payments and release the associated decryption keys.
The cloud and MSPs’ birthday piñata
According to the joint Cybersecurity Advisory, ransomware groups have increased their impact by targeting the cloud, managed service providers (MSPs, MSSPs, and CSPs), industrial processes, and software supply chains, often during holidays and weekends.
Cloud: threat actors sometimes reach cloud storage systems by compromising local (on-premises) devices and moving laterally to the cloud systems. Ransomware threat actors have also targeted cloud service providers to encrypt large amounts of customer data.
MSPs: MSPs have widespread and trusted access to client organizations. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, Australia, and the United Kingdom assess there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.
Still, to this day WannaCry is alive and kicking: hackers still use WannaCry or the EternalBlue exploit as a baseline for their code, and there are still many old, unpatched machines connected to the network, just waiting to be found by attackers who take advantage of old, known vulnerabilities. Instead of trusting automated code to do the job, high-level threat actors have replaced the worm functionality with a "hands-on" manual approach: once they gain access, they collect data, perform silent reconnaissance, exfiltrate information, and gather more digital assets.
There has even been a boom in a new illegal market in which individuals or cyber groups offer their unique skill set as Ransomware-as-a-Service (RaaS). These actors tend to linger in the victim's network for much longer to extract as much value as they can before letting the company know of the threat by encrypting or destroying data. This means they can profit by selling the data to the highest bidder, exposing it on the dark net, causing reputational and financial damage, and eventually encrypting the files before anyone even notices. According to CISA, the market for ransomware became increasingly "professional" in 2021, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals. Some ransomware threat actors even offered their victims a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data.
Don’t Cry Over Encrypted Files
So how can an organization, big or small, ensure it won't be the next news headline?
- Poor cyber hygiene leaves the door open for malicious actors. Ensure your technology, network, applications, and systems are never outdated or unpatched.
- Ensure your network always follows the most up-to-date security patch policy, that your IT staff gets ongoing training, and that the whole organization attends cyber awareness educational sessions.
- Always back up your files.
- Enforce mandatory MFA (multi-factor authentication).
- Restrict the Server Message Block (SMB) protocol within the network to only the servers that genuinely need it.
- Ensure all backup data is encrypted, implement end-to-end encryption, and encrypt data in the cloud.
- Protect cloud storage by backing up to multiple locations.
- Adopt the mindset of "when", not "if", a cybercriminal group targets my organization, and draft "destruction day" protocols with a tangible action plan and case scenarios known across the security team.
- IT staff should continually review what is exposed to the internet that does not need to be.
- Embed security-first thinking into the company's DNA.
- Limit access to sensitive resources and assets over internal networks, especially by restricting RDP and using virtual desktop infrastructure.
- Adopt proper cyber security principles and apply them throughout the entire organization. Invest in proven security products and tools, configured to fully meet the specifications and requirements of your systems and networks.
- Countries should step in through their national cyber security agencies and encourage stronger collaboration between the public and private sectors to raise cyber resilience. The exchange of information and best practices is key.
- For some enterprises, it is advisable to consider purchasing a cyber insurance policy*.
- Constantly push for better IT hygiene across the entire organization to strengthen your IT security maturity.
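Two of the items above, restricting SMB to the servers that need it and limiting RDP to administrative paths, can be enforced directly in the Windows host firewall, and SMBv1 (the protocol version that EternalBlue targeted) can be switched off at the same time. The script below is an added example written for this page; it is not code from the original article or from any vendor. It assumes an elevated PowerShell session on an English-language Windows 10 / Server 2016 or later host (the built-in rule group names are localized), and the allowlisted addresses are constructed placeholders to be replaced with your own file, backup and jump-host ranges.

```powershell
# Added example (not from the article): scope inbound SMB and RDP to an allowlist
# and disable SMBv1. Run in an elevated PowerShell on the host being hardened.
# The addresses below are constructed placeholders; replace them before use.

$SmbAllowed = @('10.0.10.5', '10.0.10.6')   # assumed file/backup servers that legitimately need SMB
$RdpAllowed = @('10.0.20.0/24')             # assumed jump-host / VDI subnet used by administrators

# 1. Make "deny by default" the inbound baseline on every firewall profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in, wide-open rule groups so they cannot re-open 445/3389.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'Remote Desktop'           | Disable-NetFirewallRule

# 3. Re-allow the two ports only from the named sources (idempotent: drop our own rules first).
Get-NetFirewallRule -DisplayName 'Scoped-SMB-In','Scoped-RDP-In' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Scoped-SMB-In' -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $SmbAllowed -Action Allow -Profile Domain,Private
New-NetFirewallRule -DisplayName 'Scoped-RDP-In' -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $RdpAllowed -Action Allow -Profile Domain,Private

# 4. Turn SMBv1 off on the server side and remove the optional feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 5. Verify: which enabled inbound rules still touch 445 or 3389, and is SMB1 off?
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -in 445,3389 } |
    Select-Object DisplayName, Action, Profile
(Get-SmbServerConfiguration).EnableSMB1Protocol   # expect: False
```

The script deliberately uses a default-deny inbound policy plus narrowly scoped allow rules rather than adding explicit block rules for the two ports: in the Windows firewall an explicit block always beats an allow, so a port-level block rule would also cut off the servers you meant to keep. Roll it out through Group Policy to a test OU first, and check the verification output before applying it fleet-wide.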
It is recommended that every organization follow its national cybersecurity agency and check for periodic updates. Also, in the event of a cyber incident, it is highly encouraged to involve government officials: an organization should report to the relevant cybersecurity bureaus or authorities in its region. For example, for the US, Australia, and the UK:
- U.S. organizations should report incidents immediately to the FBI at a local FBI Field Office, to CISA at us-cert.cisa.gov/report, or to the U.S. Secret Service at a U.S. Secret Service Field Office.
- Australian organizations should report incidents to the ASD’s ACSC via gov.au or call 1300 292 371 (1300 CYBER 1).
- UK organizations should report incidents to NCSC-UK via ncsc.gov.uk and/or Action Fraud, the United Kingdom’s fraud and cyber reporting center, via actionfraud.police.uk.
*According to the joint Cybersecurity Advisory (CISA) report, cybersecurity authorities in the United States, Australia, and the United Kingdom strongly discourage paying a ransom to criminal actors. Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations (or re-target the same organization) or encourage cyber criminals to engage in the distribution of ransomware. Paying the ransom also does not guarantee that a victim’s files will be recovered. Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.
Cyber Hygiene and Backups. It’s not that hard.
What has the industry learned from WannaCry? Apparently, some haven’t learned a thing.