[BreachExchange] Are All Ransom Attacks Considered Ransomware?

[Audrey McNeil]

http://www.huffingtonpost.co.uk/terry-ray/are-all-ransom-
attacks-co_b_17916084.html

Ransomware has loomed large in the news of late. The untraceability of
Bitcoin payments, coupled with new blackhat tools available to anyone at
little (if any) cost, means extortion attempts will continue to grab
headlines worldwide.

But is ransomware the only form of cybercrime extortion? People commonly
refer to any form of online extortion as ransomware, but it may have
nothing to do with ransomware in the strictest sense of the word.
Specifically, ransomware is a form of malware that encrypts files and
decrypts them once a ransom is paid. But illicit demands for payment--by
definition, a ransom--can be associated with other types of digital
extortion requests.

This matters when it comes to mitigating extortionary attacks; just because
a solution may detect ransomware, doesn't mean it protects against other
extortionary attacks. And we expect extortionary attacks to increase. To a
certain extent, the darkweb is saturated with PII for sale. This drives
down cybercriminal profits. It is likely many cybercriminals add
extortionary attacks as they attempt to optimise their profits.

Traditional Ransomware

Ransomware attacks take advantage of human, system, network, and/or
software vulnerabilities to infect a victim's device--which can be a
computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or
other endpoint. Ransomware can target either endpoints or file servers. It
doesn't need to be "local" to infect; ransomware that infects an endpoint
can encrypt a remote file share without having to run locally on that
remote file share.

There are several kinds of ransomware distribution techniques, but the most
common is email. An attacker sends an email--ostensibly from a trusted
source. When the victim clicks the attached link, visits a web page, or
installs a file, application, or a program that includes the malicious
code, the ransomware is covertly downloaded and installed.

Phishing attempts have become increasingly more sophisticated. Messages
usually appear to come from a large, well-known company or website, such as
Google. In the case of spear phishing, however, the apparent source of the
email is likely to be an individual within the recipient's own
company--generally someone in a position of authority--or from someone the
target knows personally."

Data Theft and Extortion

Dubbed extortionware (a.k.a., doxware), another common threat involves the
theft of personal or sensitive data coupled with a threat to openly release
it--perhaps to the internet at large--unless a ransom is paid. Author and
enterprise threats expert Nick Lewis describes extortionware as "...when a
cybercriminal threatens a person or organisation with some sort of harm by
exposing personal or sensitive information. For example, a criminal could
compromise a database with sensitive data and then tell the enterprise
[they] will post the sensitive data on the internet if [their] demands
aren't met."

Another type of ransom-related attack is akin to the threat above, but in
this case the enterprise doesn't retain access to its data. A recent widely
known example of this is when an entity calling itself The Dark Overlord,
earlier connected to a health care breach, claimed to have stolen several
new episodes of Netflix's popular Orange Is the New Black show and demanded
an unspecified ransom in exchange for their return.

Like a similar theft involving the BBC, Netflix confirmed that one of its
production vendors--also used by other studios--had been breached. The
Guardiansuggested that, "Pirated copies of the show could dent Netflix's
subscriber growth and the company's stock price."

What You Can Do

For any of these threats, it's back to basics: protect your systems and
data. The ransomware trend is expected to continue as incentives increase
and it becomes easier for cybercriminals to execute shakedowns armed with
new ransomware-as-a-service (RaaS) tools, BYOD user vulnerabilities,
improved encryption methods and untraceable Bitcoin payoffs.

Good defence begins with running regular backups and always using accounts
having the fewest permissions. The ability to dynamically assign and, more
importantly, retract user permissions through machine learning and granular
data inspection is a solid best practice.

Ideally, you want to immediately detect ransomware behaviours and
quarantine impacted users before ransomware can spread to network file
servers. One approach is deception-based ransomware detection, which
consists of using strategically planted, hidden (decoy) files to identify
ransomware at the earliest stage of the attack. The decoy files are planted
at carefully planned file system locations in order to identify ransomware
encryption behaviours before they can touch legitimate files. Having
monitoring and blocking measures in place--in addition to admin alerts and
granular activity logging--would also help minimise the disruption to your
core business processes were a ransomware attack to occur.

When it comes to preventing DDoS attacks, organisations can also invest in
always-on DDoS protection that automatically detects and mitigates attacks
targeting websites and web applications, as well as protects against DDoS
attacks that directly target your network infrastructure.

Along with these measures, other basic defences such as business continuity
and disaster recovery planning should be part of any comprehensive
information security program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170908/0a5d3dce/attachment.html>