Ransomware Special Reports



software inventory) is as crucial as knowing how your enemy (the ransomware attackers) operates.

Supply pains

The SolarWinds supply chain breach proved how suppliers and business partners can also potentially be another weak link in an organisation’s security.

business partner could be an easier stepping stone into multiple targets all from one hack. The potential payout is much higher, so it has become an area of focus,” he warns.

“To work best, both companies need to vet each other to ensure they’re as secure as possible”

legitimate services such as TeamViewer to mask their presence in the network. Another detection-avoidance technique is to try and learn the method used for remote access by the admins, and only use that method to log in remotely.

Dwell time before an attack, according to our experts, is now down to several weeks or a month at most (compared to 6-8 months a few years ago) thanks to the way the business models and ransomware gangs have evolved.

“Members of ransomware gangs are paid based on successful attacks, it is in their best interest to get in, secure the access they need, exfiltrate data and then execute their ransomware so that they can move on to the next target and keep chasing those commissions,” Heasley explains.

The use of automation in an attack or the ability to deploy a blanket encryption has also speeded things up more.

As new Ransomware-as-a-Service (RaaS) models emerge, it could be that several groups are involved at different points along the way. An initial access broker may gain access to a network, then sell that to a RaaS affiliate that uses a malware dropper from one group and a ransomware from another.

Muhammad Yahya Patel, Check Point

Remote access

Once they’ve broken into a company’s network an attacker will often go into stealth mode – ‘living off the land’ – making a silent entry to observe what the business does and what its activities are, before deciding on what course to take.

“They will read financial statements and cyber security insurance policies. They will exfiltrate data and passwords in 90% of all cases,” Grimes warns.

Lateral movement can be facilitated by ransomware tools, existing software vulnerabilities or via misconfigured networks where attackers can escalate privileges and obtain more sensitive credentials.

In tandem with escalating their level of privilege, hackers also examine the type of security tools that are in place and how they can best spread ransomware throughout the company’s computers. They will try to delete backup files to make decryption harder. They will also seek out other networks they can gain access to.

To remain hidden, hackers might try to disable security tools to some extent and use obfuscation techniques to hide their malicious payloads.

“They tend to use pen testing tools that are explicitly trusted in the environment, such as Cobalt Strike and Ngrok, but also misuse Git repositories,” says Filip Verloy, tech evangelist at API security platform Noname.

Cyber criminals are also known to use

Muhammad Yahya Patel, security evangelist at Check Point

It’s not unusual for companies to allow third-party vendors or partners to connect to their networks, either in-house or via a secured remote connection. The connection typically only authenticates the external user; once they have proven their identity, communication can flow freely, and ransomware/malware can be delivered.

According to Muhammad Yahya Patel, security evangelist at Check Point, it’s key that a supply chain can demonstrate how it’s making itself secure and this should be a two-way agreement.

“Too often it’s a one-sided conversation but to work best, both companies need to vet each other to ensure they’re as secure as possible,” he adds.

Baird points out that small businesses are a target because often they don’t have the resources to spend on security, and have weaker defences. “Attacking a weaker supplier or

