How ransomware attacks are making the most of the COVID-19 crisis [Q&A]
Ransomware is a business that's thriving in the current climate, but what's behind this and what wider problems do attacks create for businesses?
We had a socially-distanced chat with Chris Morales, head of security analytics at network detection and response specialist Vectra to find out more.
BN: How has ransomware changed in recent years?
CM: When WannaCry happened, ransomware was highly automated. That means that somebody would find some type of exploit and then use a software package to go out there and exploit all these networks that were exposed to a vulnerability. In that case it was this server messaging vulnerability, blue key, from the NSA; they just put that together, went out there to encrypt things and told people to pay for it. It was super opportunistic: they just put it on the internet and it went on, and in fact it still happens today, every now and then you see an attack. They didn't actually make a lot of money from it, though.
In recent times ransomware has become more targeted. In trying to understand how it was so successful in 2019 and how attackers quickly took over a network so no one knew about it, what we've learned is that these hackers were there for weeks if not months, and ransomware was only deployed when the attacker was done with anything else they wanted. Or in some cases it was resold to somebody else as an already compromised network.
BN: How are networks being accessed?
CM: Attackers are using things like Remote Desktop Protocol exposed to the internet or using remote services, or compromising a machine and getting privileged accounts that they have access to and can run there. And what's happened is that attackers have stuck on these machines for a long time, kind of hanging out. As soon as things like this pandemic happen, they look at their stock; it's funny because this is very much an ROI thing. I know security people who are actually having to do Remote Desktop IT work right now and are overworked; they're not even able to focus on security as much as they were able to before, and that creates an opportunity while everybody's busy.
What's scary is the access you need to encrypt a network file is the exact same access you need to copy all the data and move it somewhere else. Because they've already been there for a long time, they have been stealing the data over that time as well, so that when the ransom gets deployed, all the data has already been stolen.
BN: What methods are being used to deliver initial attacks?
CM: Social engineering is a major factor, but we're also seeing some old methods resurfacing. There's been a huge increase in the use of infected Word docs all over again using macros, or phishing emails exploiting COVID-19.
Also what we found is that businesses weren't fully ready for this shift. They didn't have the VPN that can support whole workloads. We've got whole groups of people that never worked at home before. Administrators have started turning on services on their servers so they can manage remotely, and opening themselves up to attacks. There's a scanner called Shodan that looks at internet-connected systems, shows open ports like Remote Desktop or SMB, and tells you how many are vulnerable to EternalBlue, Heartbleed and so on. Businesses can use this to check their systems, but of course it's useful for attackers too.
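The macro-laden Word documents mentioned above are easy to screen for before they reach a mailbox, because a modern Office file is a zip container and a VBA project lives in it as a named part with its own declared content type. The following is an added example written for this page, not code from the interview or from Vectra: it builds two constructed sample documents in memory (one with a VBA project part, one without) and checks a blob for macro indicators without trusting the file extension, since a .docm renamed to .doc still carries the same parts. The constant `VBA_CONTENT_TYPE` is the real content type Office uses for a VBA project; the sample documents are minimal stand-ins and are not real Word output. Legacy binary .doc (OLE2) files store macros differently and are outside this check.

```python
"""Flag macro-enabled OOXML documents (.docm/.docx) by inspecting the zip container.

Added example, not code from the interview or from Vectra. Sample documents are
constructed in memory so the check runs offline.
"""
import io
import zipfile

# Content type Office assigns to a VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

CONTENT_TYPES_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "{extra}"
    "</Types>"
)


def build_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container (constructed sample, not real Word output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        extra = ""
        if with_macro:
            # A real document declares the part's content type and ships the part itself.
            extra = (
                '<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes standing in for the OLE2 VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        z.writestr("[Content_Types].xml", CONTENT_TYPES_TEMPLATE.format(extra=extra))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a blob looks macro-enabled; an empty list means none found.

    Raises ValueError for anything that is not an OOXML zip container, so a
    gateway can decide separately how to treat legacy or malformed files.
    """
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML zip container") from exc

    reasons = []
    names = z.namelist()

    # 1. The VBA project part itself, wherever it sits in the package.
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            reasons.append(f"VBA project part present: {name}")

    # 2. A content-type declaration for VBA; catches a part stored under another name.
    if "[Content_Types].xml" in names:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in content_types:
            reasons.append("[Content_Types].xml declares a vbaProject content type")

    return reasons


def is_macro_enabled(data: bytes) -> bool:
    """True if any macro indicator was found in the container."""
    return bool(macro_indicators(data))


if __name__ == "__main__":
    for label, doc in (("with macro", build_doc(True)), ("no macro", build_doc(False))):
        print(label, "->", is_macro_enabled(doc), macro_indicators(doc))
```

Both indicators are checked on purpose: a document whose vbaProject.bin has been renamed still has to declare the content type for Office to load it, and a document that declares the type but omits the part is still worth a closer look. A mail gateway would typically quarantine on any non-empty result rather than trying to parse the VBA itself.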
BN: Why has the COVID-19 crisis boosted attacks?
CM: It's been quite an opportunity to exploit already compromised networks that the criminal gangs are already inside. Now's a great time to encrypt the data, because the belief is that the panic will be greater and there's a higher likelihood the victim will pay. In the last few months ransomware has become the top method of attack.
It's funny how you hear people talking about VPN and how it secures you, when VPN isn't actually secure at all; it's confidential. You've encrypted the communication between point A and point B, but what attackers do now is they're starting to compromise home networks, which are much weaker than work networks: home routers, Wi-Fi, things like that.
And once they're on those networks, they're just pivoting into people's laptops over the VPN. If people don't have work laptops they may be using their own systems, which are less well protected. Attackers are using those home systems to get into network file shares, which isn't any different from what they were doing even when they were on site, because these are the high-value targets.
BN: Do attacks create bigger issues for the businesses that are targeted?
CM: New legislation like GDPR means that when it's personal information that's involved and things start to get put out there, you as a company now not only have to respond to having the business breached, but you also have to try to deal with all the policy and legal problems around a data breach.
BN: Presumably attacks are effective because people pay up?
CM: The last thing people want is to have their data leaked on the internet. What they're paying the ransom for now is to not have data put on the Net; it's not just about disrupting systems. So in general it's been working, yes.
The FBI always recommended not paying the ransom, but they've softened their message now, because things got complicated. They've started to acknowledge that there are scenarios where you probably should pay the ransom, as much as you don't want to. The thought process is that every time you pay a ransom you're simply perpetuating it and making it worse for the next guy, which I believe is true as well. It's like funding the organization and rewarding them for their behavior, and yet more and more people join in. I do believe it's a downward spiral; nobody wants to be a victim.