Are you being held to ransom?
Managing Director, Security, APJ
As the threats posed by hackers constantly evolve, attacker behavior is shifting to malware and ransomware that seek to destroy a network or hold its owners to ransom. We have seen two new types of attack emerging – ransom denial of service (RDoS) and destruction of service (DeOS).
Attackers are looking to completely disable an organization’s network and hold the company to ransom for bitcoins or to just simply destroy the system. Their toolbox to achieve such devastation has grown with the rise of the Internet of Things (IoT) and connected devices providing new entry points. The cloud is also providing a new platform for attackers to look for security gaps. Another weak spot is outsourcing – as the number of external vendors increases, so too does an organization’s attack surface.
A global survey carried out by our partner Radware shows that last year nearly half of all companies suffered at least one cyber ransom incident. Worryingly, 17% of these were RDoS attacks. Asia suffered more cyber ransom incidents (39%) than North America (35%), showing what a huge challenge this is for the region.
Ransomware originally started off as a problem for unsuspecting consumers, but now businesses are increasingly being targeted by threat actors. Organizations, big and small, promise a much bigger payday for attackers than a private individual, especially if they get the ransomware distributed across a company’s entire network.
What we have seen from previous attacks is that they can be extremely harmful and have a long-term effect on an organization when its entire network has been compromised. In our Midyear Cybersecurity Report, we cover hacker groups such as the Armada Collective, who account for the majority of attacks. Their typical ransom demand is 10–200 bitcoins and a short teaser or demo attack is usually carried out along with the ransom note. We are now seeing copycats use the Armada Collective name to attempt similar attacks. One such attack was an attempted $7.2 million extortion from three Greek banks. These players issue fake ransom letters, hoping to turn a quick profit with minimal effort.
Here are some tips to help detect a fake ransom letter:
Check the ransom – The Armada Collective typically demanded 20 bitcoins. Copycats often ask for a lower amount, hoping the lower price point snares victims.
Monitor network activity – Real hackers will normally run a small attack when delivering a ransom note. If there is a change in network activity, then the letter and the threat are likely to be genuine.
Look for structure – Real hackers are well organized. Fake hackers tend not to link to a website and lack official accounts.
Consider other targets – Real hacker collectives often target multiple companies in the same sector. So check with peers and industry bodies to see if they have been attacked.
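The four checks above can be turned into a repeatable triage step for the SOC. The script below is an added example, not Cisco's or Radware's code: it scores a ransom note on the demanded amount, on whether a traffic spike followed the note (a baseline-versus-window z-score comparison), on whether the note carries a link, and on whether peers report similar notes. The traffic figures, timestamps, note text, the 60-minute baseline, the 15-minute window and the z-score threshold of 3 are all constructed assumptions for illustration.

```python
"""Ransom-note triage (added example; all data and thresholds are constructed)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Demand range the post attributes to the Armada Collective (10-200 BTC, typically 20).
ARMADA_DEMAND_RANGE = (10, 200)


@dataclass
class RansomNote:
    received_at: datetime
    demanded_btc: float
    text: str


@dataclass
class TriageResult:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption; tune them to your own history of notes.
        if self.score >= 3:
            return "likely genuine"
        return "inconclusive" if self.score == 2 else "likely copycat"


def traffic_spike(samples, note_time, baseline_min=60, window_min=15, z_threshold=3.0):
    """samples: list of (datetime, requests_per_minute).
    Compares the window after the note against the preceding baseline.
    Returns (spike_detected, peak_z)."""
    start = note_time - timedelta(minutes=baseline_min)
    end = note_time + timedelta(minutes=window_min)
    baseline = [v for t, v in samples if start <= t < note_time]
    window = [v for t, v in samples if note_time <= t < end]
    if len(baseline) < 10 or not window:
        return False, 0.0  # not enough data to say anything
    mu = mean(baseline)
    sigma = max(pstdev(baseline), 1.0)  # avoid dividing by zero on a flat baseline
    peak_z = max((v - mu) / sigma for v in window)
    return peak_z >= z_threshold, round(peak_z, 2)


def triage(note: RansomNote, samples, peer_reports: int) -> TriageResult:
    r = TriageResult()
    lo, hi = ARMADA_DEMAND_RANGE
    # 1. Check the ransom: copycats tend to ask for less than the real group.
    if lo <= note.demanded_btc <= hi:
        r.score += 1
        r.reasons.append(f"demand {note.demanded_btc} BTC is within the known range")
    else:
        r.reasons.append(f"demand {note.demanded_btc} BTC is outside {lo}-{hi} BTC")
    # 2. Monitor network activity: a demo attack usually accompanies a real note.
    spike, z = traffic_spike(samples, note.received_at)
    if spike:
        r.score += 1
        r.reasons.append(f"traffic spike after the note (peak z={z})")
    else:
        r.reasons.append(f"no demo attack observed after the note (peak z={z})")
    # 3. Look for structure: fakes tend not to link to a site or accounts.
    if re.search(r"https?://\S+", note.text):
        r.score += 1
        r.reasons.append("note links to a website")
    else:
        r.reasons.append("note has no link to a website")
    # 4. Consider other targets: real collectives hit several firms in a sector.
    if peer_reports > 0:
        r.score += 1
        r.reasons.append(f"{peer_reports} peer(s) in the sector report similar notes")
    else:
        r.reasons.append("no peers report similar notes")
    return r


def constructed_samples(note_time: datetime, with_spike: bool):
    """Constructed traffic: ~100-106 rpm for the hour before the note, then
    either a flat 105 rpm or a five-minute burst to 900 rpm after it."""
    baseline = [(note_time - timedelta(minutes=60 - i), 100 + i % 7) for i in range(60)]
    window = [(note_time + timedelta(minutes=j), 900 if with_spike and 5 <= j < 10 else 105)
              for j in range(15)]
    return baseline + window


if __name__ == "__main__":
    t0 = datetime(2017, 6, 1, 12, 0)  # constructed timestamp
    real = RansomNote(t0, 20, "Pay 20 BTC to ... or we attack. Details: http://example.invalid/proof")
    fake = RansomNote(t0, 2, "Send 2 BTC or your site goes down.")
    for note, spike, peers in ((real, True, 2), (fake, False, 0)):
        res = triage(note, constructed_samples(t0, spike), peers)
        print(res.verdict, res.score, res.reasons)
```

Run it on the constructed data and the first note scores on all four checks while the second scores on none; in production the traffic series would come from the same flow or web-server telemetry the SOC already collects, and the peer-report count from an ISAC or industry group.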
With a rise in the different types of attacks and in their level of sophistication, spotting threats quickly is becoming increasingly important. We measure the window of time between a compromise and the detection of the threat, calling it “time to detection” or TTD. From November 2016 to May 2017 we dramatically reduced our average time to detection from just over 39 hours to about 3.5 hours. With faster detection times, attackers are under more pressure to evolve their threats to evade detection and devise new techniques. Defenders cannot afford to stand still and watch as attacks become more sinister and destructive. Cybersecurity should be made a top priority, and organizations need to invest in automated tools that help their security teams stay on top of alerts, gain visibility into their dynamic networks, and detect and respond swiftly to threats.
Source: Cisco 2017 MCR