Ransomware extortion tactics put businesses in a fix


A spate of high-profile ransomware attacks has also taken its toll on critical Australian service providers. Victims in the last 12 months include the world’s largest meat supplier, JBS Foods, logistics specialist Toll Group, beverage giant Lion, media conglomerate Nine and steel heavyweight BlueScope.

Under major changes to Australia’s cyber security laws, reporting of ransomware attacks is set to become mandatory for companies with an annual turnover of more than $10 million. The government is yet to determine penalties for non-compliance, but aims to prioritise education and assistance over sanctions.

Mandatory reporting of ransomware attacks will sit alongside existing obligations to report data breaches.

In many cases, ransomware attacks are also data breaches, as attackers ramp up extortion tactics involving sensitive data, says Michael McKinnon, chief information officer and strategic information security adviser at Pure Security.

Triple extortion tactics are seeing attackers not only demand money for the return of encrypted data, but also payment – from the attacked organisation and even its customers – not to publicly release sensitive data.

This increases the likelihood of victims handing over payment, even if they are capable of recovering their systems without paying the ransom.

London-based high society jeweller Graff recently had 69,000 documents leaked on the dark web after falling victim to a ransomware attack, believed to have been carried out by the infamous Russia-based ransomware group Conti. Information such as celebrity client lists, invoices, receipts, shipping addresses and credit notes was included in the leak.

While Graff is able to rebuild its systems without data loss, Conti is believed to be demanding tens of millions of dollars in order to prevent the further release of customer information.

“Conti is really well-known for these types of attacks,” McKinnon says. “The first thing they do is exfiltrate as much data as they can out of their victim’s network. Once they’ve got all the pieces in place, then they go for the kill – using the threat of releasing that sensitive data as an incentive to pay extra.”

In a recent advisory to private companies, the FBI warned that ransomware groups were also targeting companies involved in “significant, time-sensitive financial events”, such as mergers and acquisitions, in an effort to access sensitive data and coerce victims into paying.

Ransomware is a “massively under-reported” crime, and the introduction of mandatory reporting will increase visibility into the scale and breadth of the threat, says Rachael Falk, chief executive of Australia’s Cyber Security Co-operative Research Centre.

The centre advocates that the new cyber security laws should go further and make it mandatory for businesses to report the root cause of their ransomware attack.

“Ransomware doesn’t just magically appear in your network, attackers exploit vulnerabilities in order to get a foothold,” Falk says. “Perhaps an employee clicked on a malicious link, perhaps passwords were compromised, or perhaps there was a technical vulnerability.

“Through mandatory ransomware reporting, we also need to know the root cause to gain a better understanding of which attack vectors were exploited and what actions the attackers took, to help every business better combat the threat.”

Prohibiting cyber insurance from covering ransom payments would be one of the most effective ways to tackle the threat, Falk says. This would “cut off the food chain” of attackers deliberately targeting organisations with ransomware insurance policies.

Overseas evidence indicates attackers have accessed systems in search of insurance certificates, and then demanded payment of the specific amount covered by the insurer.

Furthermore, ransomware groups have hinted they target insurers themselves, accessing their customer lists as a way of identifying targets.

“We know of insured organisations that have become ransomware targets because they are insured,” Falk says. “While cyber insurance can help with ransomware remediation costs, it should not be used to pay the actual ransom.”

The true impact of mandating the reporting of ransomware attacks will depend on whether the government decides to wield the carrot or the stick, says Alex Tilley, head of intelligence research APAC at Secureworks and former cyber crime technical analyst with the Australian Federal Police.

Tilley points to the historically low number of fines issued to organisations which breach the Payment Card Industry Data Security Standard (PCI DSS) scheme as an example of where regulation is not always backed by meaningful action.

“While it’s great to see the government pick up on this and potentially bring out the hammer, I think we’ve got to wait for the first big prosecution to see if there is anything here,” he says.

“I hate to use the term sacrificial lamb, but the government will need to make an example of a company before anyone will believe they have something to fear.”

One of the biggest challenges when tackling ransomware is dissuading business from the notion that, if they pay the ransom, they can quickly and easily return to business as usual.

“By the time the attackers demand a ransom, they have likely already been in your systems for two months – with full administrative privileges and complete data access,” Tilley says.

“How can you assure your customers, stakeholders and regulators that your systems are clean and your data is trustworthy?

“There’s a big misconception that if you just pay up then your problems go away overnight, but realistically you’re still in for a world of ongoing pain and disruption as you gradually recover from a ransomware attack.”
