Ransomware – Interview with a Hacker
Recently, I sat in on an interesting webinar with former black hat hacker Hector Monsegur and the CTO of Pure Storage, a US data storage company with revenues of more than $1.5 billion last year. As the title suggests, the key topic was the rise in ransomware attacks and what can be done to protect against them, with some great insights from the mind of a known hacker.
Ransomware has by no means peaked; the expectation is that it is bubbling just under the tipping point and will blow at any moment. Because people freely advertise so much about themselves online, it is incredibly easy for attackers to find and profile targets. As cryptocurrencies are now so widespread, it has never been easier for attackers to collect their pay-outs. Add to this the fact that attackers no longer need to hack at all: with Ransomware-as-a-Service widely available on the dark web, a carefully constructed phishing email or social engineering attack is all they need. There is more focus on the insider threat as well, with criminals paying employees to deploy ransomware from within the target network.
The motivation for these attacks is now financial for the most part, as opposed to the political or social reasons behind the attacks that were more commonplace 10 years ago. These attacks are expensive for the target company and extremely time-consuming to mitigate and recover from.
They spoke in depth about the anatomy of a ransomware attack:
Attackers get in through credential stuffing (replaying username and password pairs leaked from another environment, which works whenever people reuse passwords), social engineering, phishing, and known vulnerabilities left open by poor system hygiene (patching and lifecycle management).
Protection measures are MFA, password managers to ensure a unique password for each application, awareness training, and asset and access management - including updating, patching, and refreshing hardware and software when it reaches end of life.
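Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts in a short window, mostly failing, and then one succeeds. The detector below is an added example, not code from the webinar or from Pure Storage; it uses a constructed log format (one JSON object per line with `ts`, `src_ip`, `user` and `result`) and the thresholds `window=300` seconds and `min_users=5` are assumptions to tune for your own environment. It flags sources that spray accounts and lists which of those accounts they actually got into, which is the list you would reset and push MFA onto first.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not the webinar's or Pure Storage's code. The log format is
constructed for illustration: one JSON object per line with ts (epoch
seconds), src_ip, user and result ("ok" / "fail").
"""
import json
from collections import defaultdict

# Constructed sample: 203.0.113.9 sprays six accounts in ten seconds and
# succeeds on "frank"; 198.51.100.4 is one user mistyping their password.
SAMPLE_LOG = """\
{"ts": 1700000000, "src_ip": "203.0.113.9", "user": "alice", "result": "fail"}
{"ts": 1700000002, "src_ip": "203.0.113.9", "user": "bob", "result": "fail"}
{"ts": 1700000004, "src_ip": "203.0.113.9", "user": "carol", "result": "fail"}
{"ts": 1700000006, "src_ip": "203.0.113.9", "user": "dave", "result": "fail"}
{"ts": 1700000008, "src_ip": "203.0.113.9", "user": "erin", "result": "fail"}
{"ts": 1700000010, "src_ip": "203.0.113.9", "user": "frank", "result": "ok"}
{"ts": 1700000100, "src_ip": "198.51.100.4", "user": "grace", "result": "fail"}
{"ts": 1700000105, "src_ip": "198.51.100.4", "user": "grace", "result": "fail"}
{"ts": 1700000110, "src_ip": "198.51.100.4", "user": "grace", "result": "ok"}
"""


def parse_log(text):
    """Parse the line-delimited JSON log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_stuffing(events, window=300, min_users=5):
    """Return {src_ip: {"users_tried": n, "compromised": [...]}} for every
    source that attempted at least `min_users` distinct accounts inside any
    `window`-second span. Accounts that logged in successfully from such a
    source during the spray are listed as compromised."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it is within `window` of ev.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users:
                continue
            f = findings.setdefault(ip, {"users_tried": 0, "compromised": set()})
            f["users_tried"] = max(f["users_tried"], len(users))
            f["compromised"].update(e["user"] for e in win if e["result"] == "ok")

    return {
        ip: {"users_tried": f["users_tried"], "compromised": sorted(f["compromised"])}
        for ip, f in findings.items()
    }


if __name__ == "__main__":
    for ip, f in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {f['users_tried']} accounts, got into {f['compromised']}")
```

Only the spraying source is reported; the single user who mistyped a password twice never reaches the distinct-account threshold, which is what keeps this from paging on ordinary lockout noise. A source that sprays slowly enough to stay under `min_users` per window will slip past it, so in practice this sits alongside rate limiting and MFA rather than replacing them.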
Security isn’t a “one-and-done” agenda; you need continuous security management, should utilise analytics and anomaly detection where available, and should pay close attention to your data protection environment - can it bring back your entire environment quickly in the event of an attack?
Have a fully developed and tested plan in place so that everyone knows their role and actions required of them - and stick to the plan in the event of an attack.
Can you segment the servers? Can you shut any down before the malware spreads? Have there been any domain compromises? Is there any evidence that the attacker has logged in as a domain administrator? Can your backup system be segmented from the production network if it isn’t already?
Can you restore data? Can it be done quickly enough not to cause too much disruption to company operations? Can you restore it securely, without compromising the restored data or the backup repository? Has the backup data itself been compromised? Are you able to identify how the attack occurred?
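"Has the backup data been compromised?" is only answerable if you recorded what the backup looked like when it was taken and kept that record somewhere the attacker cannot reach. The example below is added here and is not the webinar's or Pure Storage's code. It assumes the backup is a directory of files, that a per-file SHA-256 manifest is signed with an HMAC key, and that the key lives only on the segmented backup/verification host; the key value and file names in `demo()` are placeholders. Because the key never touches production, an attacker who encrypts, swaps, or deletes files on the repository cannot produce a manifest that verifies, and the restore is refused before bad data is written back.

```python
"""Verify a backup set against a signed manifest before restoring it.

Added example, not the webinar's or Pure Storage's code. Assumes the backup
is a directory tree and the HMAC key is held only on an isolated backup host,
so tampering with the repository cannot be hidden by re-signing.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(backup_dir):
    """Yield (relative path, absolute path) for every file in the backup."""
    for root, _, names in os.walk(backup_dir):
        for n in names:
            p = os.path.join(root, n)
            yield os.path.relpath(p, backup_dir), p


def build_manifest(backup_dir, key):
    """Hash every file and return a JSON manifest signed with HMAC-SHA256."""
    files = {rel: _sha256_file(p) for rel, p in _walk(backup_dir)}
    body = json.dumps(files, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "sig": sig})


def verify_backup(backup_dir, manifest_json, key):
    """Return (ok, problems). A manifest whose signature fails is rejected
    outright; otherwise modified, missing and unexpected files are listed."""
    m = json.loads(manifest_json)
    body = json.dumps(m["files"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m["sig"]):
        return False, ["manifest signature invalid: do not trust this manifest"]

    problems, present = [], set()
    for rel, p in _walk(backup_dir):
        present.add(rel)
        if rel not in m["files"]:
            problems.append(f"unexpected file: {rel}")
        elif _sha256_file(p) != m["files"][rel]:
            problems.append(f"modified: {rel}")
    for rel in m["files"]:
        if rel not in present:
            problems.append(f"missing: {rel}")
    return (not problems), sorted(problems)


def demo():
    """Constructed scenario: sign a clean backup, then simulate ransomware
    overwriting one file, dropping a note and deleting another file."""
    key = b"placeholder-key-kept-only-on-the-backup-host"  # assumption
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "db"))
        with open(os.path.join(d, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n")
        with open(os.path.join(d, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        manifest = build_manifest(d, key)
        clean = verify_backup(d, manifest, key)

        with open(os.path.join(d, "db", "orders.sql"), "wb") as f:
            f.write(os.urandom(64))          # "encrypted" by the attacker
        with open(os.path.join(d, "README_DECRYPT.txt"), "w") as f:
            f.write("pay up\n")              # ransom note
        os.remove(os.path.join(d, "config.ini"))
        tampered = verify_backup(d, manifest, key)

        # An attacker re-signing with their own key must also be rejected.
        forged = verify_backup(d, build_manifest(d, b"attacker-key"), key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name}: {'OK' if ok else 'REFUSE RESTORE'} {problems}")
```

The manifest is checked before any file is examined, so a forged manifest cannot quietly "approve" a poisoned backup; and because every file in the set is hashed, a restore that is merely missing a file is caught as well, not only one that was encrypted. Keeping the key and a copy of the manifest on the segmented backup host is the practical version of the "can your backup system be segmented" question above.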
When Hector was asked what deterrents there are from a hacker’s point of view, he answered that there weren’t any. If an attacker really wants to target you, they will find a way in. Employees, the supply chain, providers and communications partners are all tried and tested ways in. If, however, they are just trying their luck, all of your combined security efforts will help.
The key takeaway here is to ensure you have a backup of your vital data that is separate from your network and that can be restored quickly when called upon. System hygiene is also of utmost importance, as exploiting known vulnerabilities is easy when people don’t patch. Misconfiguration, such as open file shares or data unknowingly exposed to the internet, is easily avoided yet often exploited.