Catastrophic Ransomware

Posted by Mark Greisiger

A Q&A with Chris Nyhuis of Vigilant Technology Solutions
Cyber security threats are always evolving, but in the last six months, a vicious new breed of ransomware attack has emerged, powerful enough to take down an enterprise organization. To learn more about it, we talked to Chris Nyhuis, President and CEO of Vigilant Technology Solutions, an international security and total IT solution provider.

Can you describe the recent cybersecurity breaches that should worry the C-Level most?
At Vigilant, we’ve been seeing a sophisticated new threat actor that operates in a very systematic way to actually dismantle an organization. This threat actor operates with patience; the attack may take months or even a year. The goal is to quietly learn as much as possible about an organization so they can eventually turn off all operations and lock the organization down. Once locked down, they hold the company hostage until a sum, sometimes going into the millions, is paid.

How is this attack carried out?

  • Attacker(s) come through an open port on a firewall, or a vulnerability in a system. They can also come through users clicking on a link.
  • The attacker then quickly pivots to another system and, in most cases, deploys an easy-to-identify virus or malware on the original system. This triggers the IT department of the attacked organization to run antivirus on it or re-image the machine, taking them off the track of the attacker and destroying evidence.
  • The attacker then puts hooks in 25+ machines so they can retain consistent control.
  • Next, the attacker patiently gains control of key servers and file servers, identifies backup systems and where they are stored, takes over email and learns the financial status of the organization. (This last step may take months and up to a year.)
  • Once the attacker has taken control of key systems and feels they have learned enough to be able to take the company down, they then lock down all networking, firewalls, email servers, file servers, manufacturing lines and authentication servers—essentially taking the company and turning it off.
  • The attacker will then hold the company ransom and will leave it turned down until a ransom is paid.
  • Remember, in this case, the attacker knows your financials and stability. The ransom is, in many cases, based on this information, so they know how long you can be down and how much money you are likely and able to pay to be turned back on.

Once they inform the company of what has happened, they stand to make up to millions of dollars because the entire business is at stake.

How is this different from previous strains of ransomware?
At Vigilant, we’ve actually seen a decline in the traditional kind of ransomware. In a traditional ransomware attack, the malware is set to reproduce as fast as possible, encrypting as many systems as possible with no real designated plan. In this case, ransomware is used in a methodical and surgical way. The ransomware does not duplicate itself and is manually installed only on systems that are deemed by the attacker as critical to the organization’s operations and function. This type of attack does take longer; however, the benefit to the attacker is that the financial gain is also much larger. Instead of charging tens of thousands of dollars to random organizations, an attacker can choose their target based on profile, infiltrate their environment, learn what makes them operate (including what their financials are), and then, once the surgically placed ransomware is deployed, the threat actor can simply turn the company off.

Why did attackers start carrying out attacks in this manner?
In a nutshell, they are extremely intelligent business people. They understand economics, scale and growth. These attackers should be respected and not underestimated. Ransomware attacks are mostly about revenue for the attacker. As traditional ransomware attacks became more widespread, companies started protecting themselves by backing up their data better and creating ways to recover in the event of an attack. Instead of paying the attackers when systems were locked down, organizations would simply recover fast and ignore the attackers. With this taking place and revenues drying up, attackers regrouped and then attacked in this more sophisticated way. Think about it: They literally learn all your defenses and recovery processes over time. They identify your recovery documents, learn where you keep your backups, then not only encrypt your live data, but they do it at the same time they delete all of your backups both local and in the cloud. It’s pretty ingenious, really. Basically, attackers have started to focus on attacks that are more efficient and profitable for them—a better return for their investment in time. These new attacks can net them a lot of money in a very short time.
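The attack sequence above and the simultaneous "encrypt live data while deleting local and cloud backups" step are the two signals a hunting team would want to correlate. The following is an added example, not code from the interview or from Vigilant; the event records, host names and the critical-host inventory are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, event, detail).
# The first record is routine local snapshot pruning and should not alert.
SAMPLE_EVENTS = [
    ("2019-03-03T09:00:00", "ws-042", "backup_delete", "local snapshot pruned by user"),
    ("2019-03-04T02:10:00", "fs01", "file_rename", "q1_report.xlsx -> q1_report.xlsx.locked"),
    ("2019-03-04T02:10:05", "fs01", "file_rename", "payroll.csv -> payroll.csv.locked"),
    ("2019-03-04T02:11:00", "bkp01", "backup_delete", "nightly-full job removed"),
    ("2019-03-04T02:12:30", "cloud-bkp", "backup_delete", "offsite vault emptied"),
    ("2019-03-04T02:13:00", "mail01", "file_rename", "mailstore.db -> mailstore.db.locked"),
    ("2019-03-04T02:14:00", "auth01", "file_rename", "directory.db -> directory.db.locked"),
]

# Assumed asset inventory: the file, mail and authentication servers the
# interview names as the attacker's targets.
CRITICAL_HOSTS = {"fs01", "mail01", "auth01", "erp01"}


def correlate(events, window=timedelta(minutes=30), min_hosts=2):
    """Return one alert per backup deletion that overlaps encryption-like
    renames on at least `min_hosts` distinct critical hosts within `window`.
    A lone backup deletion with no surrounding encryption activity yields nothing."""
    renames = [(datetime.fromisoformat(ts), host) for ts, host, ev, detail in events
               if ev == "file_rename" and detail.endswith(".locked")]
    alerts = []
    for ts, host, ev, detail in events:
        if ev != "backup_delete":
            continue
        when = datetime.fromisoformat(ts)
        hit = {h for rt, h in renames
               if abs(rt - when) <= window and h in CRITICAL_HOSTS}
        if len(hit) >= min_hosts:
            alerts.append({"backup_host": host, "time": ts,
                           "encrypting_hosts": sorted(hit), "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```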

What can a customer do to proactively mitigate this kind of attack?
Many organizations only do a vulnerability assessment once a year, or quarterly at most. They may have SIEM solutions, firewalls and intrusion detection systems. The problem is that the attackers identify all the tech that companies use to defend themselves and they just go buy the same technology online. If you can buy it, so can they. Once purchased, they put it in their labs, learn about what you can detect and what you can’t, then attack with an undetectable custom attack.

Companies need to consider the following:

  • There isn’t time to find a place in your budget next year, and there isn’t time to find a place in a project plan. This is a serious danger that can take you out of business overnight.
  • Deploy detection and prevention technology that is not readily available on the market. What I mean is that commoditized technology, based on widespread accessible technology, will put you behind the attacker because they have access to the same technology.
  • Obtain threat intelligence that is curated and specific to your organization.
  • Move detection of SIEM and firewall technologies as these are easily visible and attackable to a threat actor.
  • Ensure that you have a team of highly qualified analysts consistently hunting and looking at your network and system traffic for threats. When I say this, I do not mean Artificial Intelligence or automatic detection. I mean actual people investigating. If you can’t afford, or do not have the expertise to build, a team, it is important to outsource to a managed security provider.

We provide custom technology that can be deployed into your entire organization within 24-48 hours fully configured, and provides, as a service, a full team of analysts who investigate all traffic and find threats when they are still small—before your organization is held captive. We investigate in near real time all layers of communication in your organization, globally, to determine where threats are taking place and to stop them. In addition to continuous verification of data, we record all traffic forensically like a DVR, so the actual network state of your organization can be rewound, paused and investigated, tracking the threat actor faster than they can move through your organization.

How seriously should organizations take this threat?
Since mid-December, Vigilant Technology Solutions has been approached by six organizations that were attacked in this manner. In one case, the total consequences included data loss, a significant decrease in customers and great financial loss, including the ransom they paid, which was in the millions. We don’t typically recommend paying the ransom, but the threat actor had been in their network a long time and dismantled the environment pretty successfully. The backups were completely erased, so they needed to get back up and running. We were able to cordon off the infrastructure and allow them to rebuild everything quickly in a way that was 100 percent secure. This company was facing significant fines for being down, so time was of the essence. But that was the good case. Other companies have simply gone out of business.

The problem is that a lot of people are simply not prepared to imagine a scenario in which the entire company can be turned off and taken over. It’s a very difficult thing to prepare for psychologically—you need a certain amount of mental toughness to make the decisions and respond appropriately. The most important thing businesses can do is to not underestimate the intelligence of these threat actors—companies think their size will protect them and with threats of this magnitude, it won’t.

In Summary…
We want to thank Chris for his expert insights into the newer type of ransomware threat, which continues to morph. The many cyber risk insurance companies we support can confirm the frequency and severity of this peril, since they are now regularly paying cyber extortion and Bitcoin claims ranging from several hundred thousand dollars to multi-million dollar ransoms. Preparation is key. Having the foresight and determination to deploy effective detection and actionable data breach response plans that factor in these now common risks is critical, especially since catastrophic outcomes are no longer theoretical.