Clop Ransomware Welcomes 2021

In their attempt to extort as much money as quickly as possible from victims, ransomware gangs know some effective techniques for getting the full attention of a firm’s management team.  One of them is to specifically target the sensitive information stored on the computers used by a company’s top executives, in the hope of finding data that can best pressure bosses into approving the payment of a sizeable ransom.

Although the technique of prioritizing the theft of data from managers’ PCs is not a new one, it has been highlighted by a report from ZDNet over the weekend.

In his report, ZDNet journalist Catalin Cimpanu describes a conversation he had last week with a company that paid millions of dollars following an attack by the Clop ransomware group.

“…in recent intrusions, a group that has often used the Clop ransomware strain has been specifically searching for workstations inside a breached company that are used by its top managers.” “The group sifts through a manager’s files and emails, and exfiltrates data that they think might be useful in threatening, embarrassing, or putting pressure on a company’s management — the same people who’d most likely be in charge of approving their ransom demand days later.”[1]

As the new year begins, new developments in different ransomware strains have emerged. Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications.  Clop is a ransomware variant discovered by Jakub Kroustek.  This malware is designed to encrypt data and rename each file by appending the “.Clop” extension.  For instance, “sample.jpg” will be renamed “sample.jpg.Clop”.
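The appended “.Clop” extension is the one indicator in this report that a defender can check for directly. The following is an added example, not code from Red Sky Alliance or from the article: a small Python helper that takes a file listing (a constructed Windows-style sample is embedded), recovers the pre-encryption names, and flags directories where several files have been renamed at once, which is the mass-rename pattern an incident responder would want to surface quickly. The threshold and the sample paths are assumptions for illustration.

```python
"""Flag files carrying the appended .Clop extension described in the article.
Added example; the sample listing below is constructed, not taken from a real incident."""
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_EXTENSION = ".Clop"  # extension appended by Clop, per the article


def renamed_by_clop(path: str) -> bool:
    """True if the filename ends with the appended .Clop extension."""
    return path.endswith(RANSOM_EXTENSION)


def original_name(path: str) -> str:
    """Recover the pre-encryption name, e.g. sample.jpg.Clop -> sample.jpg.
    Paths without the extension are returned unchanged."""
    if not renamed_by_clop(path):
        return path
    return path[: -len(RANSOM_EXTENSION)]


def affected_directories(paths, threshold: int = 2) -> dict:
    """Return {directory: count} for directories holding at least `threshold`
    renamed files. A single hit may be noise; a cluster indicates encryption in progress.
    (The threshold value is an assumption for this example.)"""
    counts = Counter(
        str(PureWindowsPath(p).parent) for p in paths if renamed_by_clop(p)
    )
    return {d: n for d, n in counts.items() if n >= threshold}


def encrypted_files(paths) -> list:
    """List (encrypted_path, original_name) pairs for every renamed file."""
    return [(p, original_name(PureWindowsPath(p).name)) for p in paths if renamed_by_clop(p)]


# Constructed sample listing: an executive's Documents folder with three renamed
# files, one untouched picture, and a second user with a single renamed file.
SAMPLE_LISTING = [
    r"C:\Users\ceo\Documents\board-deck.pptx.Clop",
    r"C:\Users\ceo\Documents\q4-forecast.xlsx.Clop",
    r"C:\Users\ceo\Documents\merger-notes.docx.Clop",
    r"C:\Users\ceo\Pictures\holiday.jpg",
    r"C:\Users\cfo\Desktop\budget.xlsx.Clop",
    r"C:\Users\cfo\Desktop\readme.txt",
]

if __name__ == "__main__":
    for encrypted, original in encrypted_files(SAMPLE_LISTING):
        print(f"{encrypted}  (was {original})")
    for directory, count in affected_directories(SAMPLE_LISTING).items():
        print(f"ALERT: {count} renamed files under {directory}")
```

In practice the listing would come from a file-system walk or from file-creation events in EDR or Sysmon telemetry; the per-directory clustering is what separates a genuine encryption run from a stray file.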

In recent years ransomware gangs have increasingly targeted large organizations in preference to thousands of home users. They have also placed a high value on exfiltrating sensitive data such as business plans, financial details, and intellectual property that corporate victims would dread seeing fall into the public domain or into the hands of their commercial rivals.  And where better to find such commercially sensitive information than on the workstation of a chief executive, chief financial officer, or communications director.

This may be a signal of something that is little understood outside of the security world: the people hacking your network and exfiltrating your data may be different from those who created the ransomware.

Some of the most egregious ransomware operates as a service, with the malware developers leasing their malicious code to less technically minded cybercriminal affiliates who use it in attacks, or who even hire other specialists in unauthorized network intrusion to infiltrate a company’s network, steal sensitive data and then do as much damage as possible.  According to Abrams, when a corporate victim pays a ransom following such an attack the proceeds can be split three ways between the operators of the ransomware, the affiliate, and the intrusion group.

What should your company be doing to protect itself against ransomware attacks like this?

Organizations should still be making secure offsite backups and running up-to-date security solutions, while ensuring that their computers are protected with the latest patches against newly discovered vulnerabilities.

Staff members should be educated about the risks and the methods used by cybercriminals, and required to use hard-to-crack, unique passwords to protect sensitive data and accounts, as well as to enable multi-factor authentication. Sensitive data should be strongly encrypted wherever possible.

A company’s security team should consider where the firm’s most sensitive information is stored, and investigate how easy it might be for a hacker to access it. In short, you might uncover weaknesses in your business’s infrastructure if you attempt to hack your own company’s top executives rather than waiting for a malicious attacker to do the same.

Consider speaking with representatives from Cyrisma https://www.cyrisma.com about how to monitor data access and privileges for your organization. 

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.

The installation, updating and monitoring of firewalls, cyber security tools and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company wide. (Read Multifactor Authentication or MFA)
  • Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including Keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Reporting:  https://www.redskyalliance.org/

Website:     https://www.wapacklabs.com/

LinkedIn:   https://www.linkedin.com/company/wapacklabs/

Twitter:      https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949


[1] https://www.zdnet.com/article/some-ransomware-gangs-are-going-after-top-execs-to-pressure-companies-into-paying/
