Posted on February 3, 2022 at 9:31 AM
As technology keeps evolving, ransomware gangs keep developing and improving their attack tools so they can exploit organizations more effectively. In the past, threat actors used basic encryption tools to deny access and demand a ransom. They have now gone well past that stage, moving to something far more severe.
Initially, ransomware was used to infect systems and extort payments from the general public. These payments are usually made in Bitcoin or other cryptocurrencies. The threat actors have since become more sophisticated, launching more severe attacks on high-value targets for bigger payouts. They are looking to infect critical organizations that provide vital services to the public, and they are now more comfortable attacking large enterprise firms, hospitals, utilities, and major supply chain players.
The attackers are now patient enough to develop highly technical tooling for ransomware campaigns against larger organizations. Although it may take longer to penetrate the networks of these larger organizations, a successful attack can bring in millions of dollars.
The attack on Colonial Pipeline, one of the most sophisticated cyberattacks in history, is an example of how capable the threat actors have become. The ransomware gang hijacked the company’s systems, affecting the supply of fuel in the U.S.
Colonial Pipeline had no option but to give in to the attackers’ ransom demand. The company ended up paying $4.4 million to restore its systems and continue serving the public. By then the damage was already done, however, because the attack had led to fuel shortages and panic buying across the United States.
Ransomware Gangs Are Getting More Sophisticated
Ransomware gangs are also developing more tools they can use to gain access to complex systems. According to Cisco Secure, the hackers now use a “one-two-punch” extortion method: they steal confidential data before encrypting it. Once they have locked the owner out of the files, they demand a ransom and threaten to release the files to the public if the victim refuses to meet their demands.
These ransomware operators also run darknet sites where they dump the stolen data. Thousands of people and organizations have become victims of this extortion technique. Within 12 months, more than 1,300 organizations from the industrial, infrastructure, and critical services sectors have been impacted. According to Mandiant Threat Intelligence, these threat actors have associations among themselves and maintain online communities where all types of hacking tools and techniques are discussed. Most of these communities have strict entry requirements.
Mandiant gathered samples for its research from victims that operate operational technology (OT). Among the leaked material, the researchers found operator panels, information on partner vendors, and engineering diagrams.
From the samples collected, the researchers saw stolen employee credentials, visualizations, spreadsheets, process documents, project files, product diagrams, legal documents, and vendor agreements. The details also include the proprietary source code of a satellite vehicle tracker’s GPS platform.
Organizations Asked To Improve Data Security
The researchers added that one out of every seven organizational data leaks posted to darknet sites is likely to expose sensitive OT documentation. When threat actors have access to this type of data, it can help them identify the areas where they will meet the least resistance. It can also help them understand an industrial environment and subsequently launch cyberattacks on the organization in the future.
Additionally, the exposed OT records can give the threat actors an idea of the organization’s finances, staffing, intellectual property, research, production processes, and overall culture. Once they have all this information, it is easier for the threat actors to prepare an attack.
As a result, the researchers have advised organizations in these critical sectors to strengthen their network security. They should make data protection a priority to avoid being on the receiving end of a hacking incident. Additionally, organizations should set up robust data handling policies for subcontractors and employees to protect internal technical documentation.
Kapellmann Zafra, senior technical analysis manager at Mandiant, stated that it is vital for critical organizations that provide services to thousands of people to take the security of their networks very seriously. According to him, the cost of securing a network will always be far lower than the reputational damage and financial cost of a ransomware attack.
Those whose documents have been leaked or used for extortion should assess the value of the leaked data. They should determine whether additional security measures are necessary to reduce the risk of being attacked using the stolen data in the future.