Hackers Step Up Their Ransomware Game

Written by Jameson Miller, M&J Cybersecurity Practice Leader, in partnership with Jerry Jones of Advisory IT (AdIT), a division of Mauldin & Jenkins, LLC.

Cybersecurity has long been a game of cat and mouse: attackers constantly work around new security measures as businesses, schools, government entities and nonprofit organizations step up their efforts to keep sensitive systems and data safe. The latest ransomware tactic, known as “double extortion ransomware,” takes a two-pronged approach to force payment even from victims whose preventive measures would otherwise let them carry on as usual despite the attack.

Ransomware is a popular method of attack that uses malicious software to deny authorized users access to the organization’s data by encrypting files. To get the data back, the organization is instructed to pay a ‘ransom’ to the cybercriminals who encrypted it – which may or may not actually result in a working decryption key and the safe return of the data. Tip: While the FBI does not advocate paying a ransom, it does encourage reporting the incident (www.ic3.gov) for tracking and future prevention.

To counteract that threat, many organizations have invested more effort and resources in making sure all data is securely backed up, with “air-gapped” (offline) copies that keep physical as well as logical distance between the backups and production systems, so the backups stay untouched even if attackers manage to breach the network.

In the newest ransomware twist, hackers gain access to the system (often using social engineering tactics), exfiltrate a copy of the data, and then encrypt it, as usual. This is followed by a demand for bitcoin or another form of payment in exchange for the decryption key. But if the organization feels confident enough to ignore that demand, knowing its backups are current, complete, and readily restorable, the hackers are ready with their fallback plan.
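The sequence just described (bulk exfiltration first, encryption afterward) is also what makes double extortion detectable before the ransom note appears: the data has to leave the network before it is locked. The following is an added example, not code from the original article or from Mauldin & Jenkins. It runs a toy detector over a constructed log (the line format, host names, addresses and file paths are all invented for illustration): it flags any host that pushes more than a set volume outbound within one hour, flags any host that writes a burst of ransomware-looking file names within a few seconds, and reports hosts where the first preceded the second.

```python
"""Toy two-stage ransomware detector (added example, not from the article).

Log format is constructed for this example, one event per line:
  <ISO timestamp> <host> flow dst=<ip> bytes=<n>   outbound connection summary
  <ISO timestamp> <host> file path=<path>          file write or rename
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: FS01 sends ~1.1 GB out over seven minutes, then two
# hours later rewrites a batch of files with a ".locked" suffix and drops a
# "README_TO_RESTORE" note. WS07 is ordinary background activity.
SAMPLE_LOG = """\
2020-09-01T01:02:00 FS01 flow dst=203.0.113.10 bytes=5000000
2020-09-01T01:05:00 FS01 flow dst=203.0.113.10 bytes=600000000
2020-09-01T01:09:00 FS01 flow dst=203.0.113.10 bytes=500000000
2020-09-01T02:10:00 WS07 flow dst=198.51.100.5 bytes=20000000
2020-09-01T09:00:00 WS07 flow dst=198.51.100.5 bytes=30000000
2020-09-01T03:00:00 FS01 file path=C:\\Shares\\HR\\payroll.xlsx.locked
2020-09-01T03:00:01 FS01 file path=C:\\Shares\\HR\\benefits.docx.locked
2020-09-01T03:00:02 FS01 file path=C:\\Shares\\Finance\\q3.xlsx.locked
2020-09-01T03:00:03 FS01 file path=C:\\Shares\\Finance\\budget.xlsx.locked
2020-09-01T03:00:04 FS01 file path=C:\\Shares\\Finance\\README_TO_RESTORE.txt
2020-09-01T03:00:05 FS01 file path=C:\\Shares\\Legal\\contract.pdf.locked
2020-09-01T10:00:00 WS07 file path=C:\\Users\\jdoe\\notes.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (flow|file) (.*)$")
# Hypothetical markers; real families use their own extensions and note names.
RANSOM_MARKERS = re.compile(r"\.(locked|encrypted|crypt)$|README_TO_RESTORE|DECRYPT", re.I)


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, host, kind, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        if kind == "flow":
            fields = dict(kv.split("=", 1) for kv in rest.split())
            ev.update(dst=fields["dst"], bytes=int(fields["bytes"]))
        else:
            ev["path"] = rest.split("=", 1)[1]  # paths here contain no spaces
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def exfil_hosts(events, window=timedelta(hours=1), threshold=1_000_000_000):
    """Hosts whose outbound bytes exceed `threshold` within any sliding `window`.

    Returns {host: time the threshold was first crossed}.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "flow":
            by_host[e["host"]].append(e)
    flagged = {}
    for host, flows in by_host.items():
        start, total = 0, 0
        for end, e in enumerate(flows):
            total += e["bytes"]
            while flows[end]["ts"] - flows[start]["ts"] > window:
                total -= flows[start]["bytes"]  # slide the window forward
                start += 1
            if total > threshold:
                flagged[host] = flows[end]["ts"]
                break
    return flagged


def encryption_bursts(events, window=timedelta(seconds=10), min_files=5):
    """Hosts that write at least `min_files` ransomware-looking paths within `window`.

    Returns {host: time the burst started}.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "file" and RANSOM_MARKERS.search(e["path"]):
            by_host[e["host"]].append(e)
    flagged = {}
    for host, files in by_host.items():
        start = 0
        for end in range(len(files)):
            while files[end]["ts"] - files[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged[host] = files[start]["ts"]
                break
    return flagged


def double_extortion_candidates(events):
    """Hosts where bulk exfiltration preceded an encryption burst.

    Returns a sorted list of (host, exfil_time, burst_time).
    """
    exfil, bursts = exfil_hosts(events), encryption_bursts(events)
    return sorted((h, exfil[h], bursts[h]) for h in exfil
                  if h in bursts and exfil[h] <= bursts[h])


if __name__ == "__main__":
    for host, t_exfil, t_burst in double_extortion_candidates(parse_log(SAMPLE_LOG)):
        print(f"{host}: exfiltration threshold crossed {t_exfil}, encryption burst {t_burst}")
```

On the constructed log the exfiltration alarm for FS01 fires at 01:09, almost two hours before the first encrypted file appears at 03:00, which is the window in which an isolation decision still prevents the second prong. Thresholds and markers are illustrative; in practice they are tuned to the environment's normal outbound volume and fed from real flow and file-audit sources.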

Instead of simply walking away and seeking a less-prepared victim who might be more inclined to meet their demands, the hackers then change the terms of the ransom to “double-up”: Pay up or we’ll make the data public, thus creating massive liability issues and reputational damage to the organization. Individuals whose data was affected by the release then face the hassle of trying to monitor for identity theft and other types of fraud for decades to come. Tip: Doxing is a term used by hackers for documenting or gathering information about a target and making it public.

Data made public can include all manner of information organizations would prefer to keep private, as well as info they are legally required to protect:

  • Proprietary secrets
  • Sensitive internal communications
  • Business financials
  • Customer credit card numbers
  • Bank account numbers
  • Protected health data
  • Treatment records
  • Customer names, addresses, phone numbers and ages
  • Fundraising and donation records
  • Social security numbers
  • Student records

August and September saw a number of high-profile incidents of this type, including attacks on school districts in Nevada and Connecticut as well as Brown-Forman, the company that makes the popular Tennessee whiskey Jack Daniel’s. When school district leaders in Clark County, Nevada refused to meet the hackers’ demands, the hackers published private data on students and staff. In the case of Brown-Forman, the REvil ransomware group (also known as Sodinokibi) is expected to leak, in smaller doses, the 1TB of company data it claims to have stolen, in hopes that sooner or later company leaders will pay up to limit the damaging exposure.

Attackers will keep finding new ways to monetize a security breach. Ransomware as a service (“RaaS”) continues to grow: operators offer their infrastructure, tools and techniques on the dark web to anyone willing to pay a license fee or a percentage of each ransom. With Covid-19 pushing more work remote, the virtual private network (VPN) and remote desktop protocol (RDP) technologies that support remote working environments have had several vulnerabilities exploited in these attacks.

This kind of digital crime isn’t breaking any new ground; it’s one more form of cyber extortion, doubling the pressure on the organization to pay a ransom. It should, however, serve as a wake-up call to organizations that feel ransomware isn’t a serious threat because solid backups are in place. Tip: Backups are a clear necessity, but think twice before stopping there.

Keeping systems and sensitive data secure is a critical priority for every organization today. Organizations of all sizes should strongly consider seeking a professional cybersecurity assessment that includes rigorous penetration testing. The steps you take to identify and minimize cyber-risks can deliver benefits many times in excess of their cost, in addition to priceless peace of mind. For help keeping your business safe, contact the cybersecurity consultants at Mauldin & Jenkins.

3 steps to “stress test” your business

During the COVID-19 crisis, you can’t afford to lose sight of other ongoing risk factors, such as cyberthreats, fraud, emerging competition and natural disasters. A so-called “stress test” can help reveal blind spots that threaten to disrupt your business. A comprehensive stress test requires the following three steps.

1. Identify the risks your business faces

Here are the main types of risks to consider:

  • Operational risks (based on the inner workings of the company),
  • Financial risks (involving how the company manages its finances, including the threat of fraud and the effectiveness of internal control procedures),
  • Compliance risks (related to issues that might attract the attention of government regulators, such as environmental agencies and the IRS), and
  • Strategic risks (regarding the company’s market focus and its ability to respond to changes in customer preferences).

If you’ve conducted a risk analysis in prior years, beware: Current risk factors may be different due to changes in market conditions, business operations and technology. For example, if your business pivoted to more online orders or remote working arrangements during the pandemic, it may now be more exposed to cyberattacks than it previously was.

2. Establish a risk management strategy

Meet with managers from all functional lines of business — including sales and marketing, human resources, operations, procurement, IT, and finance and accounting — to discuss the risks that have been identified. The goal is to improve your team’s understanding of business threats and to brainstorm ways to manage those risks.

For example, if your company operates in an area prone to natural disasters, such as earthquakes or wildfires, you should have a disaster recovery plan in place. Review copies of the disaster recovery plan and ask when it was last updated.

In addition to asking for feedback about identified risks, encourage managers to share any additional risk factors and projections regarding the potential financial impact. Their frontline experience can be eye-opening, especially during these unprecedented times.

3. Review and update your strategy

Managing risk is a continuous process. After creating your initial risk mitigation strategy, your management team should meet periodically to review whether it’s working. If it isn’t, brainstorm ways to fortify it.

For example, if your company’s disaster recovery plan has been activated recently, ask your management team to assess its effectiveness. Then consider making changes based on that assessment.

Need help?

While risk is part of operating a business, some organizations are more prepared to handle the unexpected than others. To ensure your company falls into the “more prepared” category, implement a stress test. We can help you assess current risks and develop a plan that’s right for you.

© 2020