Sunday, September 25, 2022

Where Are The Ransomware Attackers Hiding At? 4 Places You Need To Know

 


Ok, I went out yesterday to do some shopping for groceries and other much needed items. My favorite stores are usually Jewel Osco and Aldi. Luckily, where I live, the two are close to one another. During the height of the COVID-19 pandemic, all that was played on the intercom were warning messages about it.

But as things tempered down with the vaccinations that came out, the normal music started to emerge again, which was finally great.

So now you hear barely anything about COVID-19 anymore. But now, believe it or not, holiday music has started to play, at least intermittently, to get you in the mood for buying gifts for family and friends. So yes, this year has gone by very quickly, even more so than the previous one. Where does this all lead up to?

This is the starting point where all of the Cyber pundits start to make their predictions for 2023. I have not seen anything yet, but I bet in the next two weeks it's going to start to trickle out. This year of 2022 has been a relatively quiet one when compared to 2021, when all of the Ransomware attacks were really coming out.

Even with the geopolitical concerns that are happening in Russia, luckily nothing major has happened here in the US.

Even this year, Ransomware has declined to a degree that nobody expected. But it won’t stay quiet for long, now that Christmas will be here before we even know it.

So, you might be asking: where are the Ransomware hackers? Have they all disappeared? No, they haven’t. Instead, they have taken on different types of tactics, which makes them even more elusive than ever before.

The following list details where they have been this year:

1)     They hire somebody else to do the dirty work:

The Dark Web is not just a place where PII datasets can be sold for a great price; it is also where you can hire what is known as an Initial Access Broker (aka IAB) to launch the Ransomware attack for you. More specifically, their services are called “Ransomware as a Service”. All you have to do is pick a target or targets, and voila, they do the rest of the work. So while the IAB breaks down the doors for you to steal the victim’s credentials, you can from there plan how you are going to launch a subsequent attack, like an extortion based one, based upon what has been given to you. IABs are the real thing, as demonstrated by these stats:

*There were more than 1,300 IABs listed on the Dark Web in the most recent checks;

*The price for using their services ranges anywhere from $1k to $10k;

*Average costs of services are $4,600.00 to launch a sophisticated Ransomware attack;

*Some of the highly valued credentials that you can get by hiring an IAB are the VPN login credentials and other forms of privileged access.

More information about IABs can be seen at this link:

https://www.digitalshadows.com/blog-and-research/rise-of-initial-access-brokers/

2)     Cyberattackers are becoming more elusive:

I have written many times before about how the Cyberattacker is now taking their own sweet time to study their victims. But in some of these instances, they don’t get onto the Dark Web. Rather, all of the information and data that they need to build up a profile is publicly available through social media sites and OSINT tools. Once they find a weak spot that they can lurk in, they will then spend forever lurking in silence to see what the prized possessions of the company are and, most importantly, determine where they can drop off their malicious payload(s). These are typically known as APT style attacks. What is unique about these kinds of threats is that the Cyberattacker can move in a sideways or lateral fashion, thus making them even more difficult to detect. Also, another technique to avoid detection is fileless attacks, where the Cyberattacker can lurk about in the physical memory of the wireless device, and literally leave no signature trails behind them.

3)     Low profile targets are now getting attention:

As the Fortune 500 companies are becoming less of a favored prey for the Cyberattacker, the next targets are the SMBs and nonprofits. Very often these kinds of businesses simply do not have lines of defense that are associated with them. The fallacy in thinking here (which I have heard so often) is that: “If we have not been hit yet, we probably won’t be. We offer no value to the Cyberattacker”. Well, just recently, one of my clients told me that their own client said the same thing, and the next day they were hit with a Ransomware attack. In the end, all businesses have some value for the Cyberattacker. It does not matter how large or small you are. Even an SMB could contain just a few PII datasets that could prove to be very profitable for the Cyberattacker in the end. Also, many SMB owners feel that Cyber solutions are too expensive for them to procure. This is not true anymore. Many Cyber vendors are now starting to realize that the SMB market can be a lucrative one as well, and thus are now starting to offer products and services that are very affordable.

4)     The person sitting right next to you:

In this instance, I am talking about Insider Attacks, which are initiated by a rogue employee. These kinds of individuals are often hard to detect, but they do give away telltale signs, especially with changes in their behavior. These particular individuals may not be planning an attack directly by themselves per se, but rather, they could have been contacted by a malicious third party (via Social Engineering techniques) to give them the details of the insides of the business, especially the IT and Network infrastructure. From here, the rogue employee would then be paid a handsome price. Consider these stats:

*57% of the employees that were contacted were offered less than $500,000.00;

*28% were offered between $500,000 and $1,000,000.00;

*11% were offered more than $1,000,000.00.

The above stats were taken from a survey just recently conducted by Hitachi, and more information about that can be seen here:

https://www.hitachi-id.com/hubfs/A.%20Key%20Topic%20Collateral/Ransomware/%5BInfographic%5D%20The%20Rising%20Insider%20Threat%20%7C%20Hackers%20Have%20Approached%2065%25%20of%20Executives%20or%20Their%20Employees%20To%20Assist%20in%20Ransomware%20Attacks.pdf

My Thoughts On This:

The next step in this blog would be to write about how to mitigate the risk of becoming a victim of a Ransomware attack. But I am not going to do it; many other Cyber professionals have written blogs, articles, and even eBooks on this same subject matter. A simple Google search will reveal what you need to know.

Personally, I think Ransomware attacks will probably not emerge so much for the remainder of this year, but a lot is going to depend on what happens with Russia and the Ukraine. If things go further south, then things could get worse again on the Cyber front. But my biggest fears are those Ransomware attacks on our Critical Infrastructure.
