Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, February 25th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by guest commentator Brett Callow, Canadian-based cyber threat analyst at Emsisoft, to talk about ransomware. But first a look back at some of the news from the past seven days:
Governments and providers of critical infrastructure in Canada, the U.S. and Europe are watching for signs of cyber attacks from Russian government agencies or sympathetic hackers after Russia was hit by increased economic sanctions for its invasion of Ukraine. Security researchers at Sophos said the standard IT strategy of defence-in-depth for any cyber attack is especially important now. It’s also vital to watch for signs of unusual network activity.
An expert interviewed by SecurityWeek noted that a Russian attempt in 2016 to infect Ukrainian computers through tax software escaped into the world as the NotPetya worm attack. That accident could happen again. However, he believes Russia will bend over backwards to ensure a cyberattack against Ukraine this time won’t have international effects.
Ransomware was the biggest attack type seen by threat researchers at IBM last year, the company reported. Another interesting factoid: Employees clicking on phishing links in messages accounted for 41 per cent of compromises IBM investigated.
Ontario will become the first Canadian province to introduce proposed legislation requiring employers with 25 or more staff to tell their workers if they are being monitored electronically. Companies will have to post a written electronic monitoring policy explaining how and why monitoring is done. Details of the proposed law weren’t immediately available.
Administrators who oversee Microsoft SQL Server databases are being warned to lock down those servers. This comes after security researchers at a South Korean company discovered a threat actor is targeting SQL Servers to install malware.
And Linux administrators are being warned to watch for signs of a backdoor. The Bleeping Computer news service quoted Chinese cybersecurity researchers saying it’s been around since 2013 but rarely detected.
(The following is an edited transcript. To hear the full conversation play the podcast)
Howard: I now want to welcome Brett Callow, Canadian-based threat analyst with Emsisoft. Brett specializes in researching ransomware and ransomware groups, which is today’s theme. Let’s start by setting the table: How would you describe the ransomware landscape today?
Brett Callow: The landscape is much as it has ever been. We haven’t seen significant changes for a couple of years in terms of volume. The number of attacks has remained fairly consistent. What we have however seen is an increase in the size of companies and organizations being hit, and a transition away from small businesses to larger organizations as well as public sector bodies.
Howard: Why is ransomware so attractive to attackers?
Brett: Simply because it is extremely profitable with a minimal chance of the perpetrators ever being prosecuted.
Howard: So why do organizations fall for ransomware?
Brett: Attacks are often presented as being highly sophisticated, but they’re generally really not. Most attacks succeed because of fairly basic security failings: unpatched systems, multifactor authentication not being used everywhere that it should be used, and so on and so forth. That isn’t necessarily a criticism of organizations that do get successfully attacked. It’s hard to maintain a good security posture.
Howard: Isn’t it fair to say that the same defenses against ransomware will protect against most cyber attacks? There’s nothing special about defending against ransomware.
Brett: No, there isn’t. The single most important thing that any organization can do to boost its defences against ransomware and other cyber threats is enabling multifactor authentication everywhere it can and should be enabled.
Howard: Which begs the question why don’t companies do it?
Brett: That is the million-dollar question, possibly literally and figuratively. I really don’t have a good answer.
Howard: Are public and private sector organizations getting better at defending against ransomware?
Brett: Based on the fact that attacks are continuing at much the same rate as ever, the answer to that seems to be no.
Howard: Do ransomware gangs differ in their techniques and tactics?
Brett: Yes. There’s an important distinction here between ransomware gangs who create the ransomware and the affiliates who use that ransomware to carry out attacks. They’re often very different individuals. And affiliates can have their own preferred [intrusion] methods and strategies. Some will leverage phishing quite heavily whilst others will exploit RDP, for example.
Howard: I know that more recently there are groups that employ double extortion and triple extortion. Can you talk a bit about that?
Brett: Up until the end of 2019 ransomware gangs simply encrypted their victims’ data. They still do that. But now, before encrypting it, they steal a copy and use the threat of releasing mass information online as additional leverage to extort payment from their victims. In some cases they will release the data online should the victim not pay. In other cases they will threaten to sell it to other cybercriminals. They will also in some cases contact third parties – customers or suppliers – named in the data and attempt to get them to pressure the targeted company into paying.
Howard: I’ve seen reports where there are ransomware gangs that even go a step further. They start spreading word of an attack against an organization through social media like Twitter or Facebook to embarrass and pressure the victim organization into paying.
Brett: There are multiple gangs that use social media. Social media companies are generally quite good at closing those accounts down. But, of course, it’s a game of whack-a-mole very often. The criminals will also contact customers of the organization – or parents in the case of school districts that are attacked – and they will ask those people to ask the company or the school district to pay to prevent their information from being released online.
Howard: And then I’ve heard one of the latest tactics is for a gang to break into a company and then message the company and say pay us a ransom or we’ll deploy ransomware and destroy your data. It’s sort of a preemptive ‘Pay us or else.’
Brett: I’ve heard anecdotal reports of that but I haven’t encountered any actual cases and it would seem to be a rather poor strategy because it would be giving the organizations time to respond to the attack before any damage was done.
Howard: There has been some progress in the past year or so against ransomware. Governments are co-operating more to fight gangs, the U.S. held an international counter-ransomware conference last year in order to gain international support from governments, the U.S. has sanctioned the Russian SUEX cryptocurrency exchange which is used by ransomware and criminal gangs to cash in, some members of the REvil ransomware gang have been arrested in Russia, European police disrupted a network believed to be responsible for the ransomware attack on Norsk Hydro, and the Darkside ransomware group closed. That’s all good news, yes?
Brett: Absolutely. The conviction rate for cybercrime in the U.S. at one point was point zero five per cent or thereabouts. So cybercriminals were able to operate with almost complete impunity whilst making millions and millions of bucks, and that is the whole reason ransomware became so much of a problem. Combating it requires a multi-pronged approach that alters the risk-reward ratio for criminals – and the various actions governments are now taking are starting to put more risk and less reward in that ratio. That’s really what governments need to be doing. They need to be co-operating and targeting every aspect of cybercriminal operations and the infrastructure they use to support those operations every which way they can. That is now what we’re starting to see happen. Unfortunately, though, ransomware is going to be a really hard problem to get rid of simply because it is so profitable. It would be a mistake to assume that we can get rid of the problem overnight. We’re certainly making progress but we still have a long hard battle in front of us.
Howard: You know a bit about the takedown of the Blackmatter group. Can you tell us about that?
Brett: Blackmatter has re-branded on multiple occasions. They were initially Darkside, the group that was responsible for the attack on Colonial Pipeline. They then came back as Blackmatter, and they are now back as ALPHV, also known as BlackCat. Emsisoft discovered a weakness in their encryption, which enabled us to help dozens of victims recover their data without needing to pay the ransom.
Howard: But as you say this gang has come back. They’ve rebranded.
Brett: It is very hard to permanently knock down these ransomware gangs. As I said before the potential profits are so great that they’re not simply going to go away.
Howard: Certainly the country that’s the biggest target of ransomware is the United States.
Brett: Absolutely, and it has been for several years now. And that makes sense: It’s home to a lot of very profitable companies. The companies are often quite well insured. And simply the size of the economy means most attacks are going to target that economy.
Howard: Let’s talk for a minute about ransomware in Canada. Ransomware-as-a-service groups have affiliates who actually do the hacking of victim organizations before launching the ransomware they rent. How many affiliates do you think are here in Canada?
Brett: That is really impossible to say. I don’t have any good indication of that. We know there has been at least one: Sebastien Vachon-Desjardins. And it would be a mistake to assume he is the only one.
Howard: He was sentenced to six years and eight months in prison just a few weeks ago by a Canadian judge for his role as an affiliate of the NetWalker ransomware gang. He helped attacks on 17 Canadian organizations. The judge in sentencing him said he was “excellent” at what he did. In fact, he was so good that between 10 and 15 individuals hired him to teach them his hacking methods.
Brett: It would be a mistake to assume that there are not more ransomware affiliates in Canada and the U.S. and other countries. We tend to think that they are all based in Russia or eastern Europe, but that may well not be the case. We certainly have no shortage of talent [in Canada]. We have no shortage of criminals and therefore we probably have no shortage of talented criminals.
Howard: You said at the top that ransomware gangs are increasingly going after large organizations, but that doesn’t mean that small and medium-sized companies aren’t being targeted. In reports that I’ve come across about companies named by ransomware gangs on their data breach websites a number of them in Canada are small and medium-sized companies. Do these companies in Canada not take seriously the fact that they can and will be targets?
Brett: First, the overwhelming majority of ransomware victims are still smaller businesses. They don’t make the headlines in the same way that attacks on Colonial Pipeline and other critical infrastructure and very large businesses do, but they are still very frequently victimized. And, yeah, I think they probably do take their security very seriously. It’s just very hard to ensure your organization is secure when you have limited resources.
Howard: One way to choke off ransomware is to go after the infrastructure that supports gangs. Another way is to go after cryptocurrency exchanges where the gangs cash in on any cryptocurrency they’ve gained. But a third way is for governments to forbid organizations from paying ransoms. Is that a good strategy?
Brett: That would certainly be the most effective strategy. Ransomware exists simply because companies continue to pay. If no companies paid there’d be no more ransomware. It would cease to be a problem. That said, it’s very easy to say that companies shouldn’t pay when it isn’t your data that is actually on the line.
Howard: What should governments be doing to fight ransomware? I mean there are Canadian, U.S. and U.K. government websites with lots of really good advice that IT departments can go to. And as we said before a number of governments around the world are co-operating more and sharing intelligence.
Brett: There is no silver bullet to the ransomware problem. It is a matter of governments and law enforcement agencies doing a combination of measures to try and combat the problem that includes boosting the security of organizations at home, co-operating internationally with law enforcement agencies to take co-ordinated actions against the group, possibly legislating to make our public sectors more secure than they currently are and targeting cryptocurrency exchanges. It’s a matter of using a whole bunch of strategies to try and bring the problem under control.
Howard: When you talk to IT leaders or IT security leaders, what do they tell you about the problems within their organizations in getting management and employees to take ransomware seriously?
Brett: The answers they come back with seem to vary massively from organization to organization. In the case of public sector bodies, a lack of budget seems to be an ongoing issue and that is something that federal governments possibly need to look at ways of addressing.
Howard: So what are the top 3 or 5 things that IT and security leaders should be doing to lower the odds that their organization will be victimized by ransomware?
Brett: It’s really a matter of paying attention to the basics – the exact same things that the security industry has been banging on about for years: using multifactor authentication everywhere it can be used; ensuring systems are patched in a timely manner; and something that maybe often isn’t discussed enough – knowing what your environment looks like and what is normal within it. If a server within your DMZ is initiating outgoing communications, that may well be a sign that you have a problem. It’s a classic symptom of communication with a C2 server.
Howard: What’s your forecast for ransomware in the next 12 months?
Brett: It depends in part whether governments maintain their current level of effort against the ransomware gangs. And it may also depend on how the situation with Russia and Ukraine plays out in the coming weeks.
Howard: Are you expecting an increase in ransomware attacks by Russian-based groups against the west as a result of the situation in Ukraine?
Brett: I’m not expecting it but I also wouldn’t be entirely surprised if it were to happen. We know that certain ransomware gangs have relationships with the Russian government. We’re not sure just how deep those relationships may run and what control the Russian government may have over the gangs. That is something we could potentially get an answer to in the coming weeks.
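Brett’s closing advice about knowing what is normal in your environment, and treating a DMZ server that initiates outbound connections as a classic C2 symptom, is the one point in this conversation that turns directly into detection logic. The script below is an added example written for this page; it is not from the podcast, Emsisoft or any product. The firewall log format, the DMZ and internal subnets, the allow-listed update mirror and the log lines themselves are all constructed assumptions. It flags any connection a DMZ host opens toward a non-internal, non-allow-listed destination (allowed or denied, since a blocked attempt is still a host trying to talk out), then looks for the evenly spaced repeats that distinguish a beaconing implant from a one-off misconfiguration.

```python
"""Flag DMZ hosts that initiate outbound connections, the C2 symptom
described in the interview. Added example; log format, subnets and
allow-list are hypothetical."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed network layout (hypothetical): one DMZ /24, RFC 1918 space inside.
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]
# Destinations a DMZ host may legitimately reach, e.g. a patch mirror (hypothetical).
ALLOWED_DESTS = {"203.0.113.50:443"}

# Constructed log format: "<iso-ts> ALLOW|DENY proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 192.0.2.10 beacons to 198.51.100.7:443 roughly every 60 s,
# also talks to an internal DB and the allowed mirror; 192.0.2.11 makes one
# outbound connection; 192.0.2.12 is blocked once; internal traffic is noise.
SAMPLE_LOG = """\
2022-02-21T10:00:00 ALLOW proto=tcp src=192.0.2.10:51544 dst=198.51.100.7:443
2022-02-21T10:00:20 ALLOW proto=tcp src=10.0.5.20:44231 dst=192.0.2.10:443
2022-02-21T10:00:30 ALLOW proto=tcp src=192.0.2.10:51602 dst=10.0.5.20:5432
2022-02-21T10:00:45 ALLOW proto=tcp src=192.0.2.10:51610 dst=203.0.113.50:443
2022-02-21T10:01:02 ALLOW proto=tcp src=192.0.2.10:51644 dst=198.51.100.7:443
2022-02-21T10:01:30 DENY proto=tcp src=192.0.2.12:40001 dst=198.51.100.9:22
2022-02-21T10:01:58 ALLOW proto=tcp src=192.0.2.10:51701 dst=198.51.100.7:443
2022-02-21T10:02:15 ALLOW proto=tcp src=192.0.2.11:33120 dst=198.51.100.9:8080
2022-02-21T10:03:01 ALLOW proto=tcp src=192.0.2.10:51790 dst=198.51.100.7:443
2022-02-21T10:03:10 ALLOW proto=udp src=10.0.0.15:53000 dst=10.0.0.53:53
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def outbound_from_dmz(events):
    """Events where a DMZ host is the initiator and the destination is
    neither internal nor on the allow-list. DENY is kept on purpose: a
    blocked attempt is still a DMZ host trying to reach out."""
    hits = []
    for e in events:
        if not in_nets(e["src"], DMZ_NETS):
            continue                      # inbound or internal traffic
        if in_nets(e["dst"], INTERNAL_NETS):
            continue                      # DMZ talking to back-end systems
        if f"{e['dst']}:{e['dport']}" in ALLOWED_DESTS:
            continue                      # known-good destination
        hits.append(e)
    return hits


def beaconing_hosts(hits, min_events=4, max_jitter=0.2):
    """Group flagged events by (src, dst, dport) and report groups whose
    inter-arrival times are nearly constant (coefficient of variation below
    max_jitter), the spacing pattern typical of a C2 beacon. Returns
    {(src, dst, dport): mean_interval_seconds}."""
    groups = defaultdict(list)
    for e in hits:
        groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


def analyze(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = outbound_from_dmz(events)
    return hits, beaconing_hosts(hits)


if __name__ == "__main__":
    flagged, beacons = analyze(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['ts'].isoformat()} {e['action']:5} {e['src']} -> {e['dst']}:{e['dport']}")
    for (src, dst, port), interval in beacons.items():
        print(f"BEACON {src} -> {dst}:{port} every ~{interval}s")
```

Two design choices matter in practice. The allow-list is keyed on destination and port, not just address, so a DMZ host reaching the patch mirror on an unexpected port is still flagged. And the beacon check tolerates jitter (real implants randomize their sleep) rather than requiring identical intervals; tune `max_jitter` and `min_events` against your own baseline, which is exactly the "know what normal looks like" work Brett describes.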