Ransomware operators have traditionally relied on operational disruptions and reputational damage to force victims to pay the ransom. In 2020, a new form of ransomware attack took hold, one where cybercriminals were exfiltrating critical data before encrypting the targeted systems. This data could be used as leverage when demanding ransom from the victim, with the caveat being that if the ransom were not paid then the stolen data would be sold or leaked online.
In 2021- after the bumper year they have had with 2020 – threat actor TTP’s (Tactics, Techniques and Procedures) are consistently evolving. Some operators are attempting to build trust with the victims by adhering to a set of “principles” and providing “guarantees”. Another approach involves “Ransom DDoS attacks” (RDDoS) where the RDDoS attackers use the threat of taking down the organization’s network or any other such aggressive approaches.
Babuk Locker Ransomware – launched at the beginning of 2021 – targets corporate victims in human-operated attacks and has since accumulated a list of victims from around the world. Though the coding is deemed amateurish, the ransomware uses its own implementation of SHA256 encryption called “ChaCha8” and Elliptic-curve Diffie-Hellman (ECDH) key generation to protect its keys and encrypt files, thus making it secure and not decryptable for free. ECDH can be used for key encryption just like RSA (Rivest–Shamir–Adleman) public-key cryptography. Cracking either ECDH or RSA encryption is considered extremely hard if the program is implemented appropriately. Decryption is only possible with a fully-fledged quantum computer as neither ECDH nor RSA encryption is secure against quantum analysis. Therefore, Babuk Locker is better suited to protect its encryption against conventional decryption tactics.
This is just one example of how ransomware operators are tuning their malware to accomplish their agenda, namely, attacks that cannot be easily mitigated, and result in big ransom payments. By March 2021, the biggest ransom demands have totalled USD 30 million. How can organizations defend against such an onslaught of persistent, feature-rich, and expertly formulated attacks?
Most ransomware attacks begin when an employee clicks on a suspect link, or downloads a malicious attachment delivered as part of a phishing email from either a known or unknown source. Attackers spoof an organization’s domain name and display names such that employees of the targeted organization are not suspicious of the phishing emails. While vigilance is the key, most of the employees will not exert caution when checking official emails ‘allegedly’ emanating from their colleagues or management. Thus, an attacker posing as a colleague will be successful in duping the victim.
By leveraging on zero trust, employees will be prompted to treat all emails equally, with suspicion. Thus, if the communication included suspect links, or unsubstantiated attachments, the sender of the email can be contacted to ascertain the validity of the communication.
Thankfully, in recent times, the concept of zero trust is steadily moving away from the known perimeter-based model (where trust is dependent on physical location) to a model where trust is dependent on a combination of factors, including the location, identity, user behaviour, and the criticality of the data being handled. Organizations must adhere to this all-encompassing approach that includes a broader range of input parameters to establish trust.
Until recently, a major gap with the security mindset was that organizations were invested in defending their perimeters, while assuming that everything inside their organizational perimeter was trustworthy and cleared for access. However, in 2020, insider attacks have been a particularly disruptive challenge and organizations are forced to re-evaluate their stand on the security risk posed by their own people. Especially with the COVID-19 pandemic and the enforced remote working culture, the problem of an ‘unsupervised’ workforce that could willingly/unwillingly contribute to an insider threat incident has been greatly enhanced.
Investing in training the workforce about cyber security, alongside the implementation of the zero-trust policy, helps avoid reputational damage, operational disruptions, compromise of critical data by way of unintentional insider attack, and most importantly, loss of revenue stemming from a possible data breach incident.
For hackers looking to infiltrate a target organization’s IT infrastructure, the latter’s supply chain or third-party vendor’s infrastructure provides a convenient entry point. Globally, attacks on third party service providers are showing a steady increment. A major contributing factor to this, as seen in recent times, is the unwitting security and configuration issues on the part of these third-party entities that puts their own and the client’s infrastructure at risk. While the organization is connected to other business entities via supply chains, its own attack surface is greatly enhanced. With zero trust, the supply chain partners must adequately establish a competency towards cyber security and risk mitigation before business can commence.
Today’s enterprise IT departments cannot rely on a siloed approach. Organizations are leveraging applications on their premises as well as systems on the cloud. These are accessed by employees, partners, and customers from around the world, and a fair bit of that is vulnerable to malicious intrusions. By establishing zero trust, each connection can be addressed by a fortified security approach rather than a case specific approach. In an increasingly connected world, it is prudent to set up the firewall close to the asset being protected while all requests are treated meticulously to establish who, what, where and when the connection is attempted.
The adoption of a zero-trust policy is not an easy proposition. However, amidst ever increasing ransomware and other cyberattacks being honed to near perfection, a fail-safe security strategy is the need of the hour. Unfortunately, most IT professionals are trained to believe in perimeter defences and trust their own environments. This mindset needs to change, and fast. Cybercriminals are effortlessly breaching into these supposedly ‘safe’ environments and one of the aspects that could prevent their continued intrusions is the average IT professional’s evolving instincts (aided by technology, of course) to question everything and trust nobody.