The fact that ransomware attacks are taking place is now widely acknowledged, but even so, the attacks are not on the decline; in fact, quite the opposite. Ryuk, Nephilim and co. have continued to generate a lot of commotion over the last few months. What's more, our cyber security experts are noticing increasing industrialization and professionalization among hacker groups. This means that high security walls alone are no longer enough to keep them out. In our modern, digital society, data is being held hostage.
In this blog article, you will find out why it is so critical to rapidly detect and respond to an attack, the action our InfoGuard experts take in the event of an attack, the latest developments in ransomware, and tips on how to prevent attacks.
Cyber security is like sprinting and running a marathon at the same time, and that poses huge challenges for a lot of companies. The ransomware attacks that have hit numerous (Swiss) companies hard are currently in the news again, so it's important not just to be constantly monitoring the situation and optimising security measures, but also preparing for emergencies. A comprehensive security chain offers protection – but it can never be 100 percent.
A ransomware attack in fast forward
Our experts in the Cyber Defence Center (CDC) are currently observing that many attacks can be traced back to services with poorly secured access, such as RDP, Citrix or VPNs. Here, there is a direct link with the short-term shift to the home office and a range of IT security-related requirements that arose during the COVID-19 pandemic. On the one hand, the IT infrastructure is often poorly designed for remote working, and on the other, staff have not been sufficiently made aware of all the risks. The human factor already plays a pivotal role here, with over 90 percent of all attacks being traceable to human “mis-interactions”. Multi-factor authentication is a necessity for the access services mentioned above, among other things to prevent brute-force attacks or to prevent the theft of legitimate access data.
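The two access-service patterns named above, brute-force attempts and a logon with stolen but legitimate credentials, both leave a trace in the authentication logs of an RDP gateway or VPN concentrator. The following is an added example (not InfoGuard's own CDC tooling) of the detection logic that catches them: it slides a time window over logon events per source address, raises a finding when one source accumulates a threshold of failures, and raises a second, higher-priority finding when a success follows that burst of failures. The log format, the sample lines, the threshold of 5 failures and the 10-minute window are all constructed assumptions for the illustration.

```python
"""Detect brute-force bursts and success-after-failure logons in
remote-access authentication logs (RDP gateway, VPN, Citrix).

Added example, not InfoGuard's tooling. Log line format is a constructed
simplification:  "<ISO timestamp> <service> <user> <src_ip> <FAIL|OK>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumed: failures from one source that trigger a finding
WINDOW = timedelta(minutes=10)  # assumed: sliding window per source address

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2021-03-01T08:00:01 rdp alice 203.0.113.7 FAIL
2021-03-01T08:00:03 rdp bob 203.0.113.7 FAIL
2021-03-01T08:00:05 rdp carol 203.0.113.7 FAIL
2021-03-01T08:00:07 rdp dave 203.0.113.7 FAIL
2021-03-01T08:00:09 rdp erin 203.0.113.7 FAIL
2021-03-01T08:00:11 rdp carol 203.0.113.7 OK
2021-03-01T08:05:00 vpn frank 198.51.100.4 FAIL
2021-03-01T08:05:20 vpn frank 198.51.100.4 OK
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, service, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "service": service,
            "user": user, "src": src, "result": result}


def detect_remote_access_abuse(lines):
    """Return a list of findings, in chronological order.

    - "brute_force": a source reached FAIL_THRESHOLD failures inside WINDOW
      (the user list shows whether one account or many were targeted).
    - "success_after_failures": the same source then logged on successfully,
      i.e. the pattern that multi-factor authentication is meant to stop.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    history = defaultdict(list)   # src_ip -> events still inside the window
    findings = []
    for event in events:
        recent = history[event["src"]]
        recent.append(event)
        # Drop events that have aged out of the sliding window.
        while recent and event["ts"] - recent[0]["ts"] > WINDOW:
            recent.pop(0)
        failures = [e for e in recent if e["result"] == "FAIL"]
        if event["result"] == "FAIL" and len(failures) == FAIL_THRESHOLD:
            findings.append({"type": "brute_force", "src": event["src"],
                             "service": event["service"],
                             "users": sorted({e["user"] for e in failures})})
        if event["result"] == "OK" and len(failures) >= FAIL_THRESHOLD:
            findings.append({"type": "success_after_failures",
                             "src": event["src"], "service": event["service"],
                             "user": event["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_remote_access_abuse(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, 203.0.113.7 produces a brute-force finding across five accounts and then a success-after-failures finding for `carol`; 198.51.100.4 (one mistyped password, then success) produces nothing. The second finding type is the one worth paging on: it is what a successful password guess or a stolen credential looks like from the gateway's side, and it is exactly the logon that a second factor would have blocked.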
If the attackers succeed in installing a backdoor using one of the numerous paths, they gain permanent access to the company network and are able to communicate with their command and control (C2) server at any time. The core of the problem is that this manipulation often goes unnoticed because no appropriate detection measures are in place – and they are an indispensable link in the security chain. This lack allows the attackers to move laterally and unnoticed. More information is gathered about the target network, bridgeheads are built and finally, often in less than 48 hours, sensitive company data is stolen and the network and data are encrypted. The final step, which is familiar from countless reports in the media, is when the attackers reveal their identity and the financial extortion is executed – often to the tune of millions, to be paid in a cryptocurrency. This kind of blackmail needs to be taken seriously. In order to generate pressure, attackers do not hesitate to publish data on the Dark Net for a brief period of time, as a taste of what they could do with every company's “crown jewels” – its data.
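The backdoor's standing line to its C2 server is one of the few things in the paragraph above that a detection measure can see before data leaves the network: an implant checking in on a timer produces outbound connections to one destination at suspiciously regular intervals, while a user's browsing does not. The following is an added example (not InfoGuard's CDC tooling) of that beaconing check over egress connection logs: it groups connections by source and destination, computes the gaps between them, and flags flows whose gaps are nearly constant. The log format, sample lines, destination names and both thresholds are constructed assumptions.

```python
"""Flag periodic outbound connections (C2 beaconing) in egress logs.

Added example, not InfoGuard's tooling. Log line format is a constructed
simplification:  "<ISO timestamp> <src_ip> <dst_host>"  (one line per
outbound connection seen by a proxy or firewall).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 6       # assumed: samples needed before judging regularity
MAX_JITTER_RATIO = 0.15   # assumed: stdev/mean of gaps below this counts as periodic

# Constructed sample log: one host checking in roughly every 60 s, one host
# browsing irregularly. Destinations use reserved example domains.
SAMPLE_LOG = """\
2021-03-01T09:00:00 10.0.0.25 cdn-sync.example.net
2021-03-01T09:00:05 10.0.0.31 www.example.com
2021-03-01T09:00:10 10.0.0.31 www.example.com
2021-03-01T09:01:01 10.0.0.25 cdn-sync.example.net
2021-03-01T09:02:00 10.0.0.25 cdn-sync.example.net
2021-03-01T09:02:30 10.0.0.31 www.example.com
2021-03-01T09:02:52 10.0.0.31 www.example.com
2021-03-01T09:03:02 10.0.0.25 cdn-sync.example.net
2021-03-01T09:04:00 10.0.0.25 cdn-sync.example.net
2021-03-01T09:04:59 10.0.0.25 cdn-sync.example.net
2021-03-01T09:06:01 10.0.0.25 cdn-sync.example.net
2021-03-01T09:09:32 10.0.0.31 www.example.com
2021-03-01T09:09:41 10.0.0.31 www.example.com
2021-03-01T09:10:56 10.0.0.31 www.example.com
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dst_host)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines):
    """Return flows whose inter-connection gaps are nearly constant.

    Each finding carries the flow, the number of connections, the mean
    period in seconds and the jitter ratio (population stdev / mean).
    """
    flows = defaultdict(list)            # (src, dst) -> connection timestamps
    for line in lines:
        if line.strip():
            ts, src, dst = parse_line(line)
            flows[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in flows.items():
        if len(times) < MIN_CONNECTIONS:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period == 0:
            continue                      # burst of identical timestamps, not a timer
        jitter = pstdev(gaps) / period
        if jitter <= MAX_JITTER_RATIO:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "period_s": round(period, 1),
                            "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_LOG.splitlines()):
        print(beacon)
```

On the sample, 10.0.0.25 is reported with a period of about 60 seconds and a jitter ratio under 3 percent; the browsing host, with gaps ranging from 5 to 400 seconds, is not. Real implants add random sleep jitter precisely to defeat this check, so in practice the jitter threshold is tuned against the environment's own baseline and the result is one signal to correlate with others (new process, unusual destination, off-hours activity) rather than a verdict on its own.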
Would you like to know exactly how a ransomware attack is designed? Our infographic shows you its structure and gives you numerous tips on ways to protect yourself. Click here for a free download:
State-of-the-art ransomware
As we stated at the beginning, there is increasing professionalization and industrialisation happening in the ransomware hacking community. Specifically, components like attack tools, “ready-made” ransomware (ransomware-as-a-service) or ready-made access to corporate networks are being sold by a range of suppliers on the Dark Net. There are even dedicated providers who handle the payment processes for the extortion, for a fee, obviously. This proliferation not only creates professionalization and industrialisation, it also makes it harder to catch the perpetrators.
Prevention is better than cure – why cyber defence needs to be part of the cyber security package
These days, technologies are developing at lightning speed. This not only benefits companies, but attackers too. The issue of cyber risks and cyber security is often lost in the “technology jungle”. New attack vectors emerge and companies are able to react only inadequately or too late. This fact is also reflected in the successful ransomware attacks that have taken place in recent months.
When it comes to serious incidents, there are hardly any companies that are able to avoid calling in the specialists, like our InfoGuard CSIRT (Computer Security Incident Response Team). Apart from the lack of in-house expertise and resources, other essential tasks need to be carried out, such as informing staff and the public, and here experience and tact are essential. After the attack has been dealt with, it is also important to quickly rebuild and restore production and business activities. After all, dealing with the attack, or the ransom demand if there is no other way out, are not the only expensive aspects. When it comes to downtime, “time is money” is the watchword.
The basics of successful cyber defence
To prevent this from happening, cyber defence needs to be part of every modern cyber security strategy – for example, in the form of specific Cyber Defence Services that monitor customers’ systems 24/7. But which specific processes are the most important for responding to threats?
Mathias Fuchs, Head of Investigation & Intelligence at InfoGuard, emphasizes the importance of using a combination of humans and machines to detect and respond. By doing so, the technical options can serve as “enablers” that allow cyber security analysts to react quickly and in a targeted manner. In the event of a critical alarm and depending on the customer and their specifications, specific components can be isolated so that the attack can be halted as quickly as possible. These options, including the expertise, are often not available within the company, which is why cooperation with external specialists is so important, stresses Mathias Fuchs.
As well as the technical, defensive aspect, security awareness always needs to be remembered. For example, phishing e-mails remain a frequent way in for cyber criminals, and these incidents are avoidable. Here too, there are a great many opportunities for creating security awareness.
Detection and response – tackling incident response right now
Are you still looking for a reliable partner that can support you quickly and professionally in the event of cyber-attacks like ransomware attacks? With our Incident Response Retainer, you get all this and more:
- Support from our experienced Computer Security Incident Response Team (CSIRT)
- Attacker detection and isolation as rapidly as possible
- Comprehensive damage analysis by security experts from our Swiss Cyber Defence Center (CDC)
- Support with restoration of normal operations
- Support in meeting the GDPR obligation to report a security incident within 72 hours
Convinced? Here you can find further information and a contact form.