2021-01-20

By Peter French, Synapsys Managing Director

Between $400 billion and $800 billion. That’s how large global cyber crime revenues are according to Acronis founder and CEO, Serguei “SB” Beloussov, speaking at the Acronis Global Cyber Summit 2020.

But this is just the tip of the iceberg when it comes to how sophisticated and formalised cyber criminals have become. If you still get the picture of a lone black hat hacker in a basement somewhere, you need to update this to extremely motivated, very smart, and most importantly, highly organised criminal teams. Think customer service chats via IM, collaboration tools, channel and affiliate programmes, discounts for early payment and B2B offerings, rather than a teenager earning beer money.

Automation – serving good and bad alike

Ironically, this increasing sophistication of cyber crime is being driven by the same digitalisation process that is not only driving our digital business evolution, but also creating the valuable data that attackers target. For instance, ransomware attacks became that much easier to pull off with impunity thanks to the anonymity of cyber currency. Criminals have also tapped into offering software on an as-a-service basis to extend their reach and earning potential. Malware as a service also makes it possible for third parties to launch attacks without needing to do any programming, making cyber crime that much more accessible.

Automation means criminals can quickly evolve their technology as victims start to defend themselves, as well as increase their attack frequency. And criminals are using bespoke technology to single out high value targets as well as specific file types, such as tax files. On top of this, the more criminals earn from successful attacks, the more they have available to spend on developing enhanced technology.

Now add in the complexities of 2020, with a rapid global shift to working from home during the pandemic, and you have a perfect storm for the rapid evolution of cyber crime in all its forms, and especially ransomware attacks.

New tactics, new twists

The Acronis Cyberthreats Report 2020 identifies ransomware as the number one cyber threat in 2020 and describes a new twist on the typical profile of an attack. Now, as well as encrypting data, criminals also exfiltrate it and, in a second stage of the attack, release confidential data to show the organisation the criminals mean business and increase their chance of a larger payout.

Much has already been written about the individual attacks that took place last year – you can read more in the report above, and also by following Acronis’s CPOC updates, which provide a wealth of information.

I thought it would be interesting to take a deeper dive into some of the new tactics cyber criminals are using during ransomware attacks – all of which point to the sheer level of organisation and professionalism they have achieved.

The carrot and the stick

At the outset of an attack, and as long as victims comply with requests, criminals turn on the charm, even offering discounts for speedy payment and offering technical support by chat. In an astonishing instant message exchange between travel company CWT and its hackers in mid-2020, published by Reuters, the criminals negotiated fairly amicably with the company representative, saying it was only business, and complimenting the company on its professionalism. The hacker ensures the company representative has taken down the decryption details accurately, but offers to keep the chat open in case they have any technical difficulties.

But when companies don’t comply and start to restore data from backups, the criminals turn nasty very quickly. Some hire call centres to cold call companies and use threats to bully them into engaging with the hackers. Another tactic is to buy Facebook posts that publicly shame the company, accusing it of not caring about customer information. This happened to beverage company Campari Group when it refused to negotiate over demands for $15 million in Bitcoin in exchange for 2TB of its data.

And, as already mentioned, criminals attempt a double dip: first demanding a ransom to unlock your network, and then threatening to release private data they have already exfiltrated unless a second ransom is paid. A particularly nasty new version of this is to also threaten the individuals whose data it is, especially if it’s medical data, and demand payment for the data to be kept private. Of course, then you need to trust that criminals do in fact delete the data when they say they do. Another revenue stream for criminals is to auction off the data on leak sites on the dark Web.

To pay or not to pay

While paying (or not paying) a ransom is purely your decision, what should be clear from the above is that even if you do pay up, the damage has been done as soon as data is exfiltrated, even if you do get your systems back up and running with minimal disruption. If you choose to pay, be aware that you perpetuate ransomware attacks and fund criminals, and that there is no guarantee you will get your data back intact, or even at all.

It is clear then that the first priority needs to be identifying and stopping attacks before your data can be stolen and your system locked out. And to do that, you need multi-layered cyber protection that taps into automation, AI and machine learning to outfox even the smartest, most organised, most professional cyber criminals.

Get in touch with us and start your #CyberFit journey today.

This article was first published on ITWeb on 20 January 2021