With cybercriminals intent on locking organizations out of critical data stores and extorting payment for their return, Scott Jarkoff, Director, Strategic Threat Advisory Group, APJ and EMEA, CrowdStrike, tells us ransomware is the technique of choice for cybercriminals around the world.
As organizations across Asia Pacific struggle with the upheavals caused by the COVID-19 pandemic, it’s vital not to forget the threat that can cause massive disruption and loss: cybercrime.
While organizations have focused their attention on equipping staff for remote working and re-engineering business processes, cybercriminals have been busy perfecting their attack strategies and improving their weapons to take advantage of the expanded threat landscape that the remote workforce has provided.
Cybercriminal groups vary widely in size and technical prowess, but those that can cause the most extensive damage to businesses fall into two categories – eCriminals and nation-states. eCriminals are usually interested in financial gain, while nation-state actors tend to take a longer and more targeted approach to gain access to intellectual property within specific industries, including companies operating in the telecommunications, financial and healthcare sectors.
Of all the types of cyberthreat activity across the region, it is eCrime that has seen a rapid increase since the virus first appeared earlier this year. Indeed, the CrowdStrike Threat Intelligence team has seen eCrime activity rise by over 330% since the start of the year compared with 2019.
The objectives of eCrime actors are shifting as well. Taking control of an organization’s IT infrastructure and then demanding payment for its release is now a primary tactic, in some cases accompanied by threats of extortion.
The rising threat of ransomware
In the current threat landscape, ransomware continues to prove one of the biggest challenges for organizations across the region. Designed to bring organizations to a grinding halt so victims are forced to pay to regain access to critical data stores, it is a technique of choice for cybercriminals around the world.
If a victim refuses to make the demanded payment, the cybercriminal may threaten to make public some of the organization’s sensitive data. If payment is still not made, that data could then be posted to a site on the Dark Web where it can be accessed and potentially used by other parties.
A recent example of a criminal organization using ransomware is Smaug. This ‘Ransomware-as-a-Service’ threat allows criminals who lack the right technical skills to still mount an attack against a target. Users have to pay an upfront fee to use the service and then a certain percentage of any ransomware payments received.
The WastedLocker ransomware recently emerged and is tailored to work against specific target organizations. Operated by the cybercriminal group Evil Corp Gang, WastedLocker works by making a preliminary attempt at penetrating an IT infrastructure, collecting information about the defenses in place, and taking that information into account before a second attack is mounted. Ransom demands received by victims so far have been very large, ranging from $500,000 to more than $10 million, payable in Bitcoin.
Key threat actors
CrowdStrike Intelligence has been observing the increasing sophistication of criminal organizations on a daily basis.
The adversary group Pinchy Spider, responsible for the now retired GandCrab ransomware, has developed a new Ransomware-as-a-Service variant known as REvil. This malicious code is offered as a service and CrowdStrike observed it to be the most widespread ransomware code during the second quarter of this year.
The Carbon Spider adversary group is another operation run by sophisticated cybercriminals, who make use of DNS tunnelling to spread code. The code can also be distributed on devices such as USB keys in the hope that staff within a target organization will insert one into a networked PC. To date, the group has tended to target point-of-sale (POS) devices to extract credit card details.
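DNS tunnelling, mentioned above as one of Carbon Spider's delivery channels, hides data in query names, so a defender's first signal is usually DNS telemetry rather than the payload itself. The following added example (not CrowdStrike's code or anything from the article) shows a minimal detection heuristic run over constructed resolver log lines: it flags long, high-entropy labels and then aggregates per client and registered domain so that a single odd hostname does not raise an alert on its own. The log format, thresholds and the "last two labels are the registered domain" rule are assumptions for illustration.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log lines in the form "timestamp client qname qtype".
# These are sample values invented for this example, not real traffic.
SAMPLE_DNS_LOG = """\
2020-09-01T10:00:01Z 10.0.0.5 www.example.com A
2020-09-01T10:00:02Z 10.0.0.5 mail.example.com A
2020-09-01T10:00:02Z 10.0.0.5 loadbalancer-prod-east-01.example.org A
2020-09-01T10:00:03Z 10.0.0.7 a9f3k2m1x8q7z4w6p0b5n3c1.cdn-update.example A
2020-09-01T10:00:03Z 10.0.0.7 zq81mnb4vc7x2lk9jh5gf3ds.cdn-update.example A
2020-09-01T10:00:04Z 10.0.0.7 p0o9i8u7y6t5r4e3w2q1a2s3.cdn-update.example TXT
2020-09-01T10:00:04Z 10.0.0.7 l1k2j3h4g5f6d7s8a9z0x1c2.cdn-update.example TXT
2020-09-01T10:00:05Z 10.0.0.7 v3b4n5m6q7w8e9r0t1y2u3i4.cdn-update.example TXT
2020-09-01T10:00:06Z 10.0.0.9 static.example.org A
"""

# Assumed thresholds; tune against your own baseline before deploying.
MIN_LABEL_LEN = 20        # human-chosen hostnames are rarely this long
MIN_LABEL_ENTROPY = 4.0   # bits per char; encoded payloads approach log2(alphabet size)
MIN_HITS_PER_PAIR = 3     # suspicious queries from one client to one domain before alerting


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse whitespace-separated log lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append((parts[0], parts[1], parts[2], parts[3]))
    return records


def split_name(qname: str) -> Tuple[str, List[str]]:
    """Return (registered_domain, subdomain_labels).

    Simplification: the registered domain is taken to be the last two labels.
    Production code should consult a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def is_suspicious_label(label: str) -> bool:
    """A label is suspicious when it is both long and close to random."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_LABEL_ENTROPY


def find_tunnelling_candidates(records, min_hits: int = MIN_HITS_PER_PAIR) -> Dict[Tuple[str, str], dict]:
    """Aggregate suspicious queries per (client, registered domain).

    Returns only pairs that reached min_hits, with counts a responder can triage on:
    number of suspicious queries, distinct subdomains seen, and TXT queries
    (TXT is a common downstream channel because answers can carry arbitrary text).
    """
    stats = defaultdict(lambda: {"suspicious": 0, "subdomains": set(), "txt": 0})
    for _ts, client, qname, qtype in records:
        domain, sub = split_name(qname)
        if not any(is_suspicious_label(label) for label in sub):
            continue
        entry = stats[(client, domain)]
        entry["suspicious"] += 1
        entry["subdomains"].add(".".join(sub))
        if qtype.upper() == "TXT":
            entry["txt"] += 1
    return {
        key: {
            "suspicious": v["suspicious"],
            "unique_subdomains": len(v["subdomains"]),
            "txt_queries": v["txt"],
        }
        for key, v in stats.items()
        if v["suspicious"] >= min_hits
    }


if __name__ == "__main__":
    for (client, domain), info in find_tunnelling_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {domain}: {info}")
```

The benign long hostname `loadbalancer-prod-east-01` passes the length test but not the entropy test, which is why the two conditions are combined; the aggregation step then requires several such queries from the same client to the same domain, so a single unusual lookup is not enough to alert. Real deployments should baseline per-domain query volume and use a public-suffix list rather than the two-label simplification.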
More recently, Carbon Spider, a group primarily focused on attacking organizations using point-of-sale terminals, has been observed using the REvil ransomware from Pinchy Spider. This has allowed them to extract ransom payments in addition to their normal modus operandi of favoring large organizations that process high volumes of credit card transactions, including large retailers, hotels and casinos.
A third group, named Wizard Spider, previously used a family of ransomware code known as Ryuk until March this year. They have returned to the scene with Conti, code designed to identify and encrypt files on hosts within a local area network. The adversary leverages multiple, highly sophisticated techniques in attempting to deploy ransomware enterprise-wide, hoping for a huge payday.
Another recent group, Sprite Spider, conducts low-volume, targeted big game hunting. It exclusively deploys Defray 777 ransomware in memory on victim systems, and because its actor footprint remains small, post-ransom investigations have proven difficult.
The wide variety of threat actors currently active shows how quickly cybercrime, and ransomware in particular, is evolving. Many organizations that fall victim find they have little choice but to pay the ransom, thereby encouraging the groups to extend their activities even further.
Security in a COVID-19 environment
While the initial wave of attacks related to COVID-19 appears to have declined, it’s likely activity will rise again as interest grows in the potential vaccine candidates currently being developed around the world. Attackers are likely to mount phishing attacks using emails that appear to offer details about vaccines and how soon they could reach the market.
For this reason, it is now more important than ever for strong security measures to be in place across your organization. The CrowdStrike Asia Pacific and Japan State of Cybersecurity Report found that 74% of respondents across APAC believe that enhancement of their cybersecurity measures should be the top priority in coming months.
Accept the 1-10-60 challenge
Combating sophisticated adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility. CrowdStrike urges organizations to pursue the ‘1-10-60 rule’ in order to effectively combat sophisticated cyberthreats:
● Detect intrusions in under one minute
● Investigate and understand threats in under 10 minutes
● Contain and eliminate the adversary from the environment in under 60 minutes
Organizations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads from its initial entry point, minimizing impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.
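To see whether an organization is actually meeting the 1-10-60 benchmark, the three phases have to be measured from incident timelines rather than estimated. The following added example (not CrowdStrike's code and not from the article) evaluates constructed incident records against the three thresholds and reports which phase is the weakest across the set. It assumes four timestamps per incident (first alert, analyst-confirmed detection, scope understood, adversary contained) and measures each phase from the end of the previous one; which clock an organization starts each phase on is a policy choice and is an assumption here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# 1-10-60 thresholds from the article: detect <1 min, investigate <10 min, contain <60 min.
THRESHOLDS_MINUTES: Dict[str, float] = {"detect": 1.0, "investigate": 10.0, "contain": 60.0}


@dataclass
class Incident:
    name: str
    first_alert: str   # first telemetry indicating the intrusion
    detected: str      # analyst confirmed a real intrusion
    understood: str    # scope and root cause established
    contained: str     # adversary removed / affected hosts isolated


# Constructed sample timelines (ISO 8601, UTC, no timezone suffix); not real incident data.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", "2020-09-01T10:00:00", "2020-09-01T10:00:45",
             "2020-09-01T10:08:00", "2020-09-01T10:50:00"),
    Incident("INC-002", "2020-09-02T14:00:00", "2020-09-02T14:03:00",
             "2020-09-02T14:09:00", "2020-09-02T16:00:00"),
    Incident("INC-003", "2020-09-03T08:00:00", "2020-09-03T08:00:30",
             "2020-09-03T08:25:00", "2020-09-03T09:30:00"),
]


def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60.0


def evaluate_incident(inc: Incident) -> Dict[str, dict]:
    """Return, per phase, the minutes taken and whether the 1-10-60 threshold was met.

    Phases are measured back to back: detect = alert->detected,
    investigate = detected->understood, contain = understood->contained.
    """
    durations = {
        "detect": minutes_between(inc.first_alert, inc.detected),
        "investigate": minutes_between(inc.detected, inc.understood),
        "contain": minutes_between(inc.understood, inc.contained),
    }
    result = {}
    for phase, minutes in durations.items():
        if minutes < 0:
            raise ValueError(f"{inc.name}: timeline out of order in phase {phase}")
        result[phase] = {"minutes": minutes, "met": minutes < THRESHOLDS_MINUTES[phase]}
    return result


def is_compliant(inc: Incident) -> bool:
    """True only when all three phases met their threshold."""
    return all(r["met"] for r in evaluate_incident(inc).values())


def summarize(incidents: List[Incident]) -> dict:
    """Aggregate compliance across incidents and name the phase that fails most often."""
    per_phase_met = {phase: 0 for phase in THRESHOLDS_MINUTES}
    compliant = []
    for inc in incidents:
        evaluation = evaluate_incident(inc)
        for phase, r in evaluation.items():
            if r["met"]:
                per_phase_met[phase] += 1
        if all(r["met"] for r in evaluation.values()):
            compliant.append(inc.name)
    weakest = min(per_phase_met, key=per_phase_met.get)  # fewest passes
    return {
        "total": len(incidents),
        "compliant": compliant,
        "per_phase_met": per_phase_met,
        "weakest_phase": weakest,
    }


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, evaluate_incident(inc))
    print(summarize(SAMPLE_INCIDENTS))
```

Tracking the three phases separately matters because the remedy differs: a slow detect phase points at telemetry coverage or alert routing, a slow investigate phase at tooling and analyst access to context, and a slow contain phase at response authority and automation. In the constructed sample only one of three incidents is fully compliant and containment is the weakest phase.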
Ultimately, consider how successful your existing protective measures are with a distributed workforce and put in place additional tools to increase defenses. It’s going to be many months before APAC returns to anything that resembles normal, but the threat of cybercrime will remain. Taking the time now to understand how threats are evolving will ensure you are best positioned to prevent an attack.