Cybercriminals have the capacity and resources to carry out mass-targeted attacks that can inflict a great deal of destruction on an organisation, writes Kevin Lancaster, General Manager of Security at IT infrastructure management firm Kaseya, the founder of ID Agent, a Kaseya company.
With these sophisticated skills and a growing number of solutions available to them, it is possible for criminals to create ransomware as a service, to ‘spin up’ email servers and blast out millions of emails and then ‘drop down’ and do it again.
Much of this remains indiscriminate, of course. We are seeing organised groups getting involved in these activities, ‘spray phishing’ for credentials and that is in itself leading to an increase in ransomware. A lot of this is non-discriminate targeting but even if just 0.02 per cent of recipients click on a mass email that will be enough to make it lucrative for cyber-criminals.
We are also seeing these kinds of threats proliferating during the COVID-19 pandemic. In the current crisis, criminals are increasingly mounting coronavirus-themed phishing and malware attacks to take advantage of the stress and anxiety of users and to add pressure on already hard-pressed systems and networks.
In addition, more sophisticated criminals are springing up that are targeting specific individuals. They might for example send an email to the CFO of an organisation asking them to transfer money. The emails are becoming increasingly well-crafted, and often knowledge gleaned from social media sites like LinkedIn and Facebook is used to personalise the message. In a lot of cases, criminals are taking their time to fine-tune their approach. The more targeted and realistic their output looks the better the chance their efforts will succeed and their rewards will be greater.
Of course, this personalisation of attacks is being made easier and also more effective by individuals blurring the boundaries between their personal and professional identities through shared social media and business profiles. Often people use the same password for their personal Facebook and Twitter profiles as they do for LinkedIn and Office 365 for example.
Many people have 50 to 60 applications, personal and business-related, on their smartphones. Many of these applications ask for the user’s email address to create a password, which when repeated across multiple applications, further adds to their vulnerability. They are effectively prioritising convenience over security.
That’s a particular issue when you consider cyber-criminals are becoming ever more ruthless. If they can exploit somebody’s personal identity, it is often not too difficult for them to follow up by exploiting that person’s business identity also – and we are seeing that happen more and more.
Changing the approach
It is not just the mode of attack but also the scale of the cyber-criminals’ activities that is ramping up. In the past, when ransomware hit, businesses could often get the data they had lost back if they paid up in bitcoin.
Over the past two years or so that has changed and we often see instances where organisations do pay in bitcoin, they still don’t get their data back. They are effectively ‘out both ways’. We are now seeing groups really focusing in on the exploitation and embarrassment of their victims. They may give a time deadline and then say that if the ransom is not paid they will start leaking the most salacious and well-guarded secrets held within the organisation. They may start publicly shaming the organisation concerned – and that is something that every business, no matter their sector of operation will want to avoid.
There has been a shift away from the ‘honour among thieves’ principle to a ‘devil may care, we want to create havoc’ approach. ‘Pay us or the ransom will go up until you get someone to pay us, or else we will leak your trade secrets’.
These are stark warnings. It is almost impossible for any organisation to guard against all these threats – but they can mitigate their level of risk. If you look at malware and ransomware and how individuals’ data is being extracted and exploited, a lot of the issues are avoidable.
So what’s the solution? Threat levels are rising and in the current crisis, they are ramping up even more as cybercriminals look to exploit what they see as new opportunities.
Partly it is a case of improved user education. Ensuring that users get better at identifying phishing emails and that they never click on links may be part of it. But it may also be about teaching staff about the dangers of using the same password for Facebook as for their work email log-in, and why to counter this they should be using randomised passwords.
Basic security awareness training can be a big help here. In the UK, the Government’s National Cyber Security Centre (NCSC) is a great source of cyber security guidance and support. But there are also some easy to use tools that can mitigate a significant proportion of these attacks. Businesses need to make certain staff have implemented multi-factor authentication on platforms they might log into. They can also implement anti-phishing technologies.
Unfortunately, security is often pushed to one side until something happens. At that point, it becomes exponentially more expensive because businesses must implement mitigation first and then implement solutions.
Yet, many don’t have the right solutions in place to prevent these attacks from happening in the first place and instead are investing too late once the attempt has already occurred. Businesses need to stop thinking of security as an expense and instead consider it as an investment that will pay dividends further down the line. The good news is, however, that with the right multi-factor platforms, easy to use tools and basic training, organisations can implement preventative solutions that detect and mitigate a significant portion of these attacks.