The services industry has traditionally included sectors ranging from social assistance and health care to transportation and scientific services. However, it doesn’t end there, because the human talent for innovation can turn almost anything into a service.
We also find – rather less top-of-mind for most people – the offer of hitmen-as-a-service, usually associated, at least in Hollywood, with large and well-muscled men in expensive suits and sunglasses. A few years ago, this area of business moved into the cyber arena as well.
And so we present: ransomware-as-a-service.
Today, one of its latest offerings is a ‘triple threat’ that turns Distributed Denial of Service (DDoS) attacks into an even more lethal cyber weapon against organisations.
Carole Hildebrand, Senior Strategic Marketing Writer at NETSCOUT, calls it ‘the rise of ransomware gangs’.
She explains: “Like any smart entrepreneur, threat actors know that their business is only as successful as their latest innovation. And when it comes to parting unsecured organisations from their money, those innovations never stop.
“The latest involves integrating attacks into a ransomware-as-a-service (RaaS) portfolio to create the so-called triple cyberextortion attack. It’s a little bit ransom, a little bit DDoS extortion, and a lot of trouble.”
NETSCOUT is a leading global provider of service assurance, security and business analytics, distributed throughout Africa by Networks Unlimited. In its ‘2020 2H Threat Intelligence Report: DDoS in a time of pandemic’, NETSCOUT observed a huge upsurge in DDoS attacks over the past year or so, including multiple record-breaking events such as the most DDoS attacks in a single year (more than 10 million).
“The pandemic period to date has certainly facilitated the emergence of an increasingly complex threat landscape,” comments Risna Steenkamp, General Manager: ESM Division at Networks Unlimited. “DDoS attacks are an attempt to exhaust the resources available to a network, application or service so that genuine users cannot gain access and the business accordingly cannot deliver the services it offers. Today, the purported ‘triple threat’ adds in two other factors on top of a DDoS threat.”
As outlined by Hildebrand, cybercriminals are now adding file encryption and data theft into DDoS attacks, creating a potent mix for a threat attacker’s new modus operandi. The triple threat works as follows:
File Encryption
In a traditional ransomware attack method, cybercriminals breach a network and encrypt valuable data, making the data, and sometimes the entire system, unavailable to the victim organisation. The attackers then demand payment in return for a decryption key.
In 2017, the Wannacry ransomware worm spread rapidly across computer networks, infecting core system processes and encrypting data files. In the end, this attack affected more than 200,000 computers across 150 countries.
Data Theft
Here, cybercriminals steal the data before locking the victim out. They then threaten to publicly expose and/or sell the stolen data unless they are paid. This second level of extortion makes it harder for victims to ignore ransomware threats because even those who can use backups to restore data remain at risk of data exposure.
Examples of massive data breaches of global companies include the following: creative, marketing and document management company Adobe (October 2013; 153 million user records stolen); Equifax, one of the largest credit bureaux in the United States (July 2017; 147.9 million customers); professional networking site LinkedIn (2012 and 2016; 165 million users); the hotel group Marriot International (2014 to 2018; 500 million customers); social media site MySpace (2013; 360 million customers), and search engine Yahoo (2013 to 2014; three billion user accounts and the biggest data breach ever), to name just a few.
DDoS Attacks
Such attacks have been commonly used as a standalone extortion method. Now, adding this attack methodology into the RaaS operations adds further pressure onto the victim, as maintaining business operability and availability places further strain onto the cybersecurity teams already dealing with the first two events, namely the data theft and data encryption.
At the end of August 2020, a series of cyberattacks on the New Zealand Stock Exchange over five consecutive days forced it to halt trading for a number of hours for four out of those five days. This was part of a global DDoS extortion campaign that went on over a number of months to target other organisations around the world.
Hildebrand explains, “By combining file encryption, data theft, and DDoS attacks, cybercriminals have essentially hit a ransomware trifecta designed to increase the possibility of payment. According to Bleeping Computer, SunCrypt and Ragnor Locker were early users of this tactic. Since then, other ransomware operators have jumped aboard, including Avaddon and Darkside, the perpetrator of the Colonial Pipeline incident.”
The cyberattack on the American Colonial Pipeline Company in May 2021 instigated a shutdown of the almost 9,000-kilometre long pipeline that carries 45% of the fuel used on America’s East Coast. It caused a rise in petrol prices, as well as the panic buying of petrol across the American Southeast region, and closures of thousands of petrol stations.
Hildebrand notes that, because DDoS attacks are inexpensive and easy to launch, and likely to increase the chance that a victim will pay the required ransom, it is a ‘smart business move’ to add these attacks to a list of ransomware services on offer.
“The bottom line is that increasing pressure tactics ups the likelihood of a payoff, making ransomware an increasingly disruptive form of cybercrime that affects not only companies but also governments, schools, and public infrastructure,” she explains.
Companies, therefore, need to adhere to some fundamental protections, such as trying to avoid a network breach; returning to basics like backing up valuable data, running vulnerability assessments, patching and updating computer systems to avoid compromise; staying up-to-date with the latest threat intelligence; and using proper DDoS protection against the current trends, in which DDoS attacks are increasing in size, frequency and complexity.
“A business needs to protect itself against all types of potential DDoS threats,” notes Steenkamp, “and also implement the necessary protection against network breaches involving both encryption of data as well as data theft, in order to avoid a triple extortion attack. If at all possible, you don’t want your organisation to land upon any kind of list of companies that have suffered noteworthy data breaches – that is always the wrong kind of news and the worst possible publicity. Rather be on the ‘front foot’ with your defences against the threat attackers that are now offering ransomware-as-a-service.”
Please contact Janco Taljaard at janco.taljaard@nu.co.za for more information.
By Staff Writer.