The US State Department said the Conti strain of ransomware was the most costly in terms of payments made by victims as of January 2022. Conti, a Ransomware-as-a-Service (RaaS) program, is one of the most notorious ransomware groups and has been responsible for infecting hundreds of servers with malware to steal corporate data or damage digital systems, essentially spreading misery to individuals, hospitals, businesses, government agencies and more all over the world.
See: https://redskyalliance.org/xindustry/resurgence-of-conti-ransomware
While most ransomware variants can spread fast and encrypt files within short time frames, Conti ransomware has demonstrated unmatched speed in gaining access to victims' systems.
Whether the tactic is running a port scan, cracking default passwords, exploiting an application vulnerability, sending phishing emails, or launching a ransomware campaign, every hacker has different reasons for infiltrating target systems. Understanding those reasons helps explain why certain individuals and companies are targeted because of their software or hardware weaknesses, while others are not affected because of the planning and barriers they have put in place.
But what characteristics do companies possess that tend to attract cyberattacks, and why do hackers target them? If you knew your company was a likely target, would it make sense for you to be wary of the many ways your information could be compromised?
What Motivates a Hacker?
Money
One of the most common motivations for breaking into a system is monetary gain. Many hackers may try to steal your passwords or bank accounts to make money by taking off with your hard-earned cash. Your customer information wouldn't be safe if hackers made off with it as they could use this data in several ways, perhaps by blackmailing you or even selling it on the black market or deep web.
The average cost of a data breach was $3.86 million in 2004, according to IBM, and that number has since risen to $4.24 million as of 2021. It is even expected to increase to new levels in 2022.
Hack + Activism aka Hacktivism
Some people turn to hacking to start political and social revolutions, although the majority are interested in expressing their opinions, defending human rights, or creating awareness of certain issues. They can target anyone they like, including terrorist organizations, white supremacist groups, or local government representatives.
Hacktivists, aka 'Anonymous,' normally target terror groups like ISIS or white supremacist organizations, but they have also targeted local government groups. In January 2016, an attack on the Hurley Medical Center in Flint, Michigan, led to the leak of thousands of documents and records. The organization claimed responsibility with a video promising "justice" for the city's ongoing water crisis that resulted in 12 deaths over time. Whether it's a single hacker or a simple online gang, the primary weapons of hacktivists include Distributed Denial of Service (DDoS) tools and vulnerability scanners proven to cause financial losses for well-known corporations. Remember when donations to WikiLeaks were halted, and Anonymous continued their DDoS attacks?
Insider Threats
Insider threats are viewed as one of an organization's greatest cyber security threats. They can come from your employees, vendors, contractors, or partners, which makes them even more dangerous.
Someone within your organization may be helping a threat become a reality. Almost all of your employees, vendors, contractors, and partners are technically internal to the organization. One major weakness of enterprises is that their core systems of protection, the firewalls and anti-virus programs, are easily bypassed by whoever has access to those systems at any given time.
When the next wave of cyberattacks comes, who is better placed to cause harm than someone you have always trusted with key security access? Damage-control measures need to be implemented to prevent a repeat of a situation as catastrophic as Sony's hack in 2014 (possibly perpetrated by its own employee).
Revenge
If you have an unruly employee looking for a way to get revenge on your company, they will more than likely take the time to think of a good attack, leaving you thinking twice about dismissing them.
If they have access to your system, you can be sure that they will try to find any way possible to use their privileged status to get back at you, even after leaving the company. One way of doing this is by accessing databases and accounts that require logins and passwords. In other cases, disgruntled workers might even sell vital information in exchange for money or more favorable job opportunities, or simply to mess with your organization's infrastructure.
Attack Vectors
Cybercriminals are using a wide range of attack vectors to infiltrate your system or take control of it, delivering ransomware through techniques like IP address spoofing, phishing, malicious email attachments, and hard drive encryption.
Phishing
The most common way to spread ransomware is through phishing emails. Hackers send carefully prepared emails to trick a victim into opening an attachment or clicking on a link containing malicious software.
Malware can be delivered in many file formats: PDF, BMP, MOV, or DOC.
Once hackers take control over your company's network, ransomware malware has a good chance of getting into your system, encrypting information, and taking hostage all the data stored on your devices.
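Since the attachment formats listed above are all easy to forge by name alone, one defensive check a mail gateway can apply is to compare the declared extension against the file's magic bytes and to flag executable headers and double extensions. The following is an added example, not code from the article or from Red Sky Alliance; the function names and the sample attachments are constructed for illustration.

```python
"""Screen e-mail attachments whose content does not match the declared type.
Added example; helper names and sample attachments are constructed."""

# Magic-number signatures (offset, bytes) for the formats named in the article.
MAGIC = {
    "pdf": [(0, b"%PDF-")],
    "bmp": [(0, b"BM")],
    "doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],  # OLE2 compound file
    "mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide"), (4, b"free")],
}

# Headers of native executables, which should never arrive disguised as a document.
EXECUTABLE_MAGIC = [(0, b"MZ"), (0, b"\x7fELF")]


def _has_signature(data, signatures):
    return any(data[off:off + len(sig)] == sig for off, sig in signatures)


def content_matches(ext, data):
    """True/False when the extension is known, None when it is not in MAGIC."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return _has_signature(data, sigs)


def looks_executable(data):
    return _has_signature(data, EXECUTABLE_MAGIC)


def screen_attachment(filename, data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Double extension such as invoice.pdf.exe: the last extension is the real one.
    if len(parts) > 2 and parts[-2] in MAGIC and ext not in MAGIC:
        findings.append(f"double extension disguises .{ext} as .{parts[-2]}")
    if looks_executable(data):
        findings.append("executable header in attachment body")
    if content_matches(ext, data) is False:
        findings.append(f"content does not match declared .{ext} type")
    return findings


# Constructed sample attachments (truncated file bodies are enough for the check).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "clip.mov": b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00",
    "photo.bmp": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",        # PE file renamed to .bmp
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",  # double extension
}


def screen_samples():
    return {name: screen_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in screen_samples().items():
        print(name, "->", findings or "clean")
```

The check is a first filter only: a genuine PDF or DOC can still carry malicious content, so a gateway would follow it with detonation or content inspection. It does, however, catch the cheapest disguise, an executable renamed to a document extension.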
Remote Desktop Protocol (RDP)
RDP is short for Remote Desktop Protocol. Running over port 3389, it allows IT administrators to access machines remotely and configure them, or simply to use their resources for tasks such as running maintenance.
The hacker begins by running a port scan for machines on the internet that have port 3389 open. Port 3389 is for SMB, or Server Message Block, which allows basic file sharing between Windows computers and was often turned on in the early days of internet usage.
Once a hacker has found machines with port 3389 open, they often brute-force the password so they can log in as an administrator. From there they can get into your machine(s) and start the encryption operation that locks down your data, purposefully slowing or stopping critical processes along the way.
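The password brute-forcing described above leaves a clear trace in the Windows Security log: a burst of Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP) from one source address. The detection below is an added example, not code from the article; it runs over a constructed, simplified key=value rendering of such events rather than the real XML, and the function names and addresses (TEST-NET ranges) are assumptions.

```python
"""Flag source addresses with a burst of failed RDP logons.
Added example; the log lines are a constructed simplification of Windows
Security events (4625 = failed logon, LogonType 10 = RemoteInteractive/RDP)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammering RDP, one ordinary user who
# mistyped a password twice, one local (LogonType 2) failure that must be ignored.
SAMPLE_EVENTS = """\
2022-06-10T07:50:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-06-10T08:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-06-10T08:00:03 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2022-06-10T08:00:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-06-10T08:00:08 EventID=4625 LogonType=2 TargetUser=backup SourceIP=192.0.2.9
2022-06-10T08:00:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-06-10T08:00:11 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2022-06-10T08:00:13 EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.7
2022-06-10T08:00:15 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2022-06-10T08:00:17 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
""".splitlines()


def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: time_of_first_alert} for every source that produced
    at least `threshold` failed RDP logons inside a sliding `window`."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = {}
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4625" or event.get("LogonType") != "10":
            continue  # only failed RemoteInteractive logons count
        src = event["SourceIP"]
        queue = recent[src]
        queue.append(event["ts"])
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()  # drop failures that fell out of the window
        if len(queue) >= threshold and src not in alerts:
            alerts[src] = event["ts"]
    return alerts


if __name__ == "__main__":
    for src, when in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {when.isoformat()} - failed RDP logon burst")
```

The 07:50 failure from 203.0.113.7 is outside the two-minute window by the time the burst starts, so the alert fires on the fifth failure inside the window, at 08:00:17; the user who mistyped twice and then succeeded (4624) never reaches the threshold. In production the same rule would also consider account lockout events and, more fundamentally, RDP should not be reachable from the internet at all.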
Attacks on Unpatched Software
A weakness in software is one of the most promising methods of attack deployment in today's environment. In some cases, when software is not fully up to date or patched, attackers can enter networks without having to harvest credentials. This is easy to fix: patch and update as soon as notifications arrive.
Hackers can now analyze and evaluate products just as thoroughly as security teams can. They have the same or even more tools to scan any given system, so it is practical to foresee their motivations and profiles. With hackers becoming more sophisticated, it is a top priority to have proactive cybersecurity mechanisms and daily cyber threat intelligence to maintain the cyber health of your business.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Article: TR-22-161-001.pdf