Increasing specialisation and outsourcing of malware capabilities is bolstering the underground economy and advancing the sophistication and frequency of cyber-attacks – but commonalities in the code, one security specialist believes, provide new hope for security teams that face a ransomware onslaught during the upcoming holiday slowdown.
That onslaught was likely to pick up steam as security staff increasingly go on their end-of-year holidays – leaving security operations centres running on skeleton crews and response teams unable to investigate any but the most severe incidents.
In such a climate, Carbon Black co-founder and chief technology officer Mike Viscuso told CSO Australia, cybercriminals were likely to spend even more time launching scattershot attacks then poking and prodding the vulnerable systems they discover.
Many attack kits only decide what sort of attack to launch once they have gained access to the target network – maximise financial return with ransomware, or use powerful systems for bitcoin mining. It’s a reflection of the multi-modal attacks being launched, frequently with the help of widely-available attack kits, by increasingly professional organisations focused entirely on the bottom line.
“Every year we have seen a surge in attacker behaviour around the same time,” he explained. “And while the media and uninformed decision-makers view cyberattacks as single people operating in a basement, this hasn’t been the case for a long time. These groups of people are spending their entire existence focused on one part of the problem. The result is a far more sophisticated capability that can be very hard to defend against.”
Not only is the landscape being filled out with specialist malware authors, but those capabilities are being assembled into full-fledged attack campaigns by increasingly professional, profit-minded conglomerates that “if you look holistically, start to look like the businesses that we operate on a daily basis,” Viscuso said.
Those criminal enterprises are increasingly targeting other businesses – recent Symantec figures suggested that businesses accounted for 42 percent of all ransomware infections in the first half of the year – with attacks that evaluate potential targets for financial return. While a high-value healthcare database might be subjected to an expensive ransomware lock, for example, the infection of a high-performance computer might be handed over to a cryptocurrency-mining tool.
Cause for hope. While attack capabilities may be continually refined, their methods of delivery are often more predictable – tapping into any of a large number of known exploits that are often left unfixed due to suboptimal patching practices.
This reality offers hope for companies that may be able to defend against new attacks simply by taking steps to patch or block existing vulnerabilities. “You can be relatively certain that an opportunistic Web based attack against your organisation will likely rely on these vulnerabilities,” Viscuso said.
“And because most attacks are not really targeted – just opportunistic – you are likely to be able to thwart an attack that is based on a purchased Web attack kit. By mitigating those weaknesses, when these attackers come knocking on your door, you won’t have any weaknesses they know how to exploit. This is one of the things that gives us a bit of hope.”
In the meantime, however, cybercriminals are continuing their successful run of attacks, with ransomware in particular being flagged as an ongoing significant risk in 2018 and beyond.
Transformative ransomware attacks like this year’s WannaCry, NotPetya and Bad Rabbit set “disturbing high-water marks for the number of users and companies around the world whose data was maliciously encrypted in one campaign,” ESET senior research fellow Nick FitzGerald said in a statement, noting that both attacks were not “real ransomware… there were no effective mechanisms in place for the cybercriminals behind the campaigns to receive payments and supply the necessary decryption keys to the victims.”
That characteristic has led many to conclude that the new attacks in fact represent a new form of wanton, malicious damage that created nine-figure damage bills for a number of companies that suffered global business interruptions after WannaCry and NotPetya exploded.
With significant regulatory changes tightening the screws in 2018, this year’s attacks have produced one significant benefit: they have, Viscuso said, given IT and security teams “a common language to work from” around cybersecurity.
“Ransomware is the first attack type whose impact is so obvious,” he explained. “As 2018 becomes another year of ransomware hijacks, this ransomware epidemic will be a catalyst for better IT security across the globe because there is finally a common cause that IT and security can join forces to solve.”