Top cyber threats: Prepare for attacks to avoid ransom demands

Vulnerabilities are exploited as more people work from home.
IMAGE: ARROW – STOCK.ADOBE.COM

The COVID-19 outbreak triggered unimaginable disruption to workplaces. This has led to a significant increase of ransomware attacks across Canada and in all industries as hackers take advantage of vulnerabilities stemming from the rushed implementation of ‘work-from-home’ arrangements.

Not all ransomware variants are equal. In fact, some of the sophisticated ones will demand higher ransoms while the more commoditized will not. A look at the top five shows how they typically infiltrate an organization, who they target, the average ransom amounts (in US dollars) and whether they involve data theft.

Sodinokibi. It exploits known security vulnerabilities in software extensions or VPN networks using phishing campaigns. Originally IT-managed service providers were targeted since the COVID-19 outbreak. Several VPN vulnerabilities are more common among large enterprises. Ransoms range from $5,000 to $1 million. Data theft and threatened public release is part of the attack.

Ryuk. It relies on sophisticated spear phishing and banking trojan integrations, such as Trickbot and Emotet. Small to large enterprises are targeted. In Q1-2020, focus shifted slightly down market as the average size of victims fell by nearly a third. Ransoms are $100,000 to $500,000. Data theft is not common.

Phobos and the Mamba Phobos variant. Remote desktop protocols are used to access poorly secured RDP ports by easily applying either brute force, or by purchasing credentials on dark market sites. Phobos strikes smaller companies and individuals with less capacity to pay than larger businesses. In Q1, Phobos went slightly up market and successfully attacked a few larger enterprises. Ransoms range between $10,000 and $15,000. Data theft is not common.

Dharma. It accesses poorly secured RDP ports, either by applying brute force or purchasing credentials on dark market sites. At risk are companies that allow employees or contractors to access their networks remotely without implementing adequate protection. Ransom is $15,000 to $25,000. Data theft is not common.

Maze. Different techniques are used to gain entry, mainly using exploits kits, remote desktop connections with weak passwords or e-mail impersonation. Nearly every industry sector – including manufacturing – has been attacked. Ransom is $15,000 to $3 million. Maze is stealing data in almost all cases, but as threat actors broadened their attack profile to include smaller companies, the frequency of data theft decreased.

Data theft on the rise

Until last year, most of the ransomware attacks were not associated with data theft but between January and April, variants (notably Maze, Sodinokibi, DopplePaymer and Mespinoza) were increasingly stealing data and threatening public release.

After gaining access to the target’s network, hackers will conduct reconnaissance and steal small amounts of data over time, then deploy the ransomware. They’ll typically provide sample data to demonstrate “proof of life.” This technique increases the likelihood of a pay off. It’s a way to force targets with viable recovery backups who are less likely to pay do so.

Most threat actors focus on small and medium-sized business, although the size of ransom demands made to large enterprises increased dramatically during Q1-2020. Several reports show the average payment has increased by 33% during this period, reaching approximately $110,000.

In comparison, the average payment at the end of Q1-2019 ranged between $5,000 and $10,000.

Expect ransom amounts to continue increasing, especially if data theft is involved.

Foiling attacks depends on speed of the response team acting decisively and methodically. Here are some suggestions for protecting data and preparing for an attack:

Have a cyber incident response plan (CIRP). This guide details what to do, who to call and when.

Develop or update your data mapping. This provides visibility to what, where and information is held, and allows cyber experts to quickly assess whether key data was accessed or stolen.

Check your systems regularly. Verify security tools in the network and the software applications in place. Excellent security technology is often in place, but it’s not properly configured or not capturing the right information.

Remind staff about cyber hygiene. Most attacks trace back to a phishing e-mail clicked on by an employee. They’re sophisticated and difficult to distinguish from legitimate e-mails.

Despite best efforts, a ransomware attack will occur. Acting quickly is key but so is access to the right legal, digital forensics and crisis communications experts. Build them into your CIRP. This avoids having to search for the right vendor in the midst of a crisis.

Imran Ahmad is a partner at law firm Blake, Cassels & Graydon LLP in Toronto. E-mail imran.ahmad@blakes.com or call (416) 863-4329. Joe Abdul-Massih is an associate at the firm’s Montreal office. E-mail joe.abdul-massih@blakes.com or call (514) 982-4297.

This article appeared in PLANT Magazine’s July-August 2020 print edition.