In our previous article on the GovCyberHub, we sat down with Richard Hummel, NETSCOUT’s ASERT Threat Research Lead, to discuss the evolution of cyberattacks from traditional single vectors to the increasingly pervasive triple extortion ransomware. Combining the elements of ransomware, data exfiltration and blackmail, and DDoS, triple extortion ransomware poses one of the most pressing threats in the cybersecurity industry today.
During our discussion, Hummel explained the history of ransomware attacks and explained how a veritable “arms race” between attackers and cybersecurity professionals gave rise to the triple extortion ransomware attack.
In the second half of our conversation, Hummel shared tips and best practices that government cybersecurity professionals can implement to both prepare for a triple extortion attack, and overcome successful triple extortion attacks.
GovCyberHub (GCH): Is it more difficult to defend against an attack that has three disparate elements to it? What can government agencies do to prepare and protect their networks against this type of attack?
Richard Hummel: The reality is that the defense against each [element of a triple extortion ransomware attack] has decent overlap. It comes down to preparation and making sure that organizations are following common best practices.
One key action to regularly take is to patch your systems. Many times, adversaries gain access to a system by using tried-and-true methods that remain effective on outdated systems. You also have the typical brute-forcing that succeeds because some people still use really weak passwords or use systems that don’t care as much about adequate authentication, or you don’t have a security team monitoring for suspicious activity.
“Having a robust security policy, making sure it’s frequently updated, and that any known vulnerabilities are patched can prevent an organization from falling victim to many potential attacks.” – Richard Hummel
We know that anytime an IoT device goes online, within five minutes, it’s already getting brute force attempts by adversaries around the world. These attacks are very real. They’re happening, and the reality is that a lot of people still don’t employ common best practices.
Ultimately, cybersecurity people will always say that the best way to come together and defend against the lion’s share of attacks is to pay attention to the basic principles of cybersecurity. Having a robust security policy, making sure it’s frequently updated, and that any known vulnerabilities are patched can prevent an organization from falling victim to many potential attacks.
GCH: Since these attacks involve three or more separate vectors, let’s look at each of them individually. How can government agencies defend against the ransomware element of these attacks?
Richard Hummel: When we look at ransomware specifically, one of the best actions is to make sure that any single user – authorized or not – does not have access to the entire system. In a poorly maintained network, an adversary might be able to get access to the crown jewel in your organization and make any path to recovery much more difficult. However, if you can isolate and segment parts of the network then these attacks might not be crippling to your entire environment. It is especially important to have any backups secured offline because so long as you can trust your backups to be safe from the malware, your pathway to recovery is much simpler.
It boils down to preparing your organization for the security threats that we have seen and then educating your workforce about those threats. Do you have a really solid security awareness program? Are you constantly training your employees on what to look for in spam messages and spear phishing? These are the sort of questions that should be answered ‘yes’ if an organization is serious about preventing a triple extortion ransomware attack.
“That pre-work and prevention will cover you for about 80 percent of potential threats and is more of passive protection… as long as everything is working right, your security team just has to maintain the defense.” – Richard Hummel
Beyond preparation, an organization can also take advantage of controlled testing of their cybersecurity. We call it Red Teaming, and the idea is that an organization will employ people to go and poke and prod at your network to see how well it can withstand someone trying to get in.
If you’re concerned about ransomware, having a Red Team try to get into the organization and attempt to compromise you and deploy ransomware can really help an organization understand where their largest threats are, and make sure that you are defended against them.
GCH: What about the DDoS element of these attacks?
Richard Hummel: If you’re concerned about DDoS attacks, employ a Red Teaming test to launch DDoS attacks against your network properties so that you can be sure you can mitigate those properly. Preparation is key, but there is a lot of information that an organization won’t know until they have to deal with an attack.
It’s better to have it happen in a controlled manner rather than just waiting for an adversary to test it.
“Organizations [must] understand where their largest threats are, and make sure that you are defended against them.” – Richard Hummel
To return to your original question, so much of defending against triple extortion is the same as preventing and preparing for any sort of cyberattack. That pre-work and prevention will cover you for about 80 percent of potential threats and is more of passive protection. In other words, as long as everything is working right, your security team just has to maintain the defense.
The other 20 percent will require an organization to pivot and defend against innovation from the adversary. This more active approach to defense requires a top-notch cybersecurity team, people who are on top of the current threat landscape and know about some of the new tools adversaries are deploying so they can work to counter them.
That being said, organizations are not alone. If a security team is too small to handle the 20 percent, try outsourcing it. Internet service providers (ISPs) can have really good DDoS defense, and they might be able to cover a lot of the risk from that type of attack. Cloud providers can also offer some items that can benefit an organization, something as simple as email filtering to remove obvious spam and malicious links.
That 20 percent will always be a threat because innovation is the name of the game right now among adversaries. But as I said in the beginning, prevention and preparation are instrumental to avoiding cyberattacks, including triple extortion ransomware.
GCH: For argument’s sake, let’s say that despite your best efforts, your organization has fallen victim to a triple extortion ransomware attack. What should you do? What can you do?
Richard Hummel: The very first thing I’d say is: do not pay the ransom. Doing so only incentivizes the adversary and other adversaries to continue carrying out these attacks. I – and other professionals like me – have been cautioning against paying for a while now because these actors are like the mouse you give a cookie to. If they are encouraged to continue, they will.
“Despite all the risks, my advice remains the same: do not pay the [ransom].” – Richard Hummel
Beyond encouragement, there is another ramification too. The reality is that the adversary already got in once, and there is no guarantee that they won’t get in again once you’ve paid the ransom. They might have left any number of trojan programs behind that can re-encrypt your data and demand further payment. They might even just not allow you to decrypt your data no matter how much you pay. So, my first gut instinct always is not to pay.
Let me be clear, I understand that it is not always as black and white as paying or not paying. For instance, we’ve seen many hospitals be targeted by ransomware attacks where it can be a life-or-death situation unless the hospital can get their network back up and running. Despite all the risks, my advice remains the same: do not pay it. It mostly comes down to the risk that you pay and, instead of regaining access, you are still locked out and significantly less well off for the recovery process.
DDoS is a bit different because there is a recourse for organizations being targeted by a DDoS attack. Frequently these attacks are incredibly short-lived. The vast majority of them that we’ve seen at NETSCOUT last for 15 minutes or less. Now, these adversaries will often threaten to continue these attacks until they are paid, but organizations can reach out and find a cloud provider who can help their networks survive these attacks.
To put it simply, ransomware attacks with encrypted data will likely require you to pull from your deep storage back-ups and start fresh. With a DDoS attack, it comes down to mitigating the issues that arise during that attack which can be done relatively easily.
GCH: Alright, so moving away from the immediate implications of triple extortion ransomware threats, what does the future look like for this combination of attacks? Can we expect most future cyberattacks to be triple extortion or at least a combination of all three of the attacks we’ve discussed?
Richard Hummel: So, as of right now, adversaries are still experiencing a lot of success using just ransomware. So, I won’t say that the future is going to see all three of the triple extortion tactics become grouped as a standard.
“While we can’t completely prepare for what we don’t know, most cybersecurity professionals believe that the key to preparing for and preventing any attacks, now or in the future, is in the core principles [of cybersecurity].” – Richard Hummel
That being said, adversaries are seeing the value of adding the data exfiltration element and that is something that I believe will become more common. It is a very powerful one-two combo, and many adversaries know that organizations will buckle when faced with the prospect of losing a network and their data.
Now, keep in mind, for more sophisticated and well-rounded operations, DDoS will always be on the table. Like I said earlier, DDoS attacks are often short-lived, and with the evolutions we see in cybersecurity that can counter a DDoS attack, it will be only the most innovative operations that continue using it in any major capacity.
What concerns me is that there will be more innovation around additional capabilities that we might not be aware of yet; that is really where I see the future going. While we can’t completely prepare for what we don’t know, most cybersecurity professionals – myself included – believe that the key to preparing for and preventing any attacks, now or in the future, is in the core principles we discussed earlier.
GCH: So, what is making it easier for these malicious actors to execute more complex attacks? As you’ve said, innovation is really the driving force behind these new attack tactics but what role does education play, or the enterprise model that you referred to earlier?
Richard Hummel: To touch on the enterprise thing briefly, it really is where a lot of this innovation comes from, because when you can outsource certain work to a specialized niche actor, they can really focus on their singular aspect of the malware. The more that you can segment these tasks, the more you can offload them onto people with the expertise.
“Ultimately, the level of knowledge that more complex ransomware tactics require has gone down significantly… the unfortunate reality is that it’s never been easier to get into the business.” – Richard Hummel
It’s like bringing in third-party contractors to perform a task, where before an unskilled operator might not know how to exfiltrate data, now they can bring in someone who will provide their expertise and in exchange get a slice of the pie. This can significantly lower the barrier for entry when someone is looking to carry out something like triple extortion ransomware.
Something else is how payments can occur now. Between cryptocurrencies and VPNs, it is very easy to receive money and feel relatively sure you won’t be tracked. This removes another barrier to entry, as anyone can open a dummy account or own a virtual wallet with no ties to their real identity.
Ultimately, the level of knowledge that more complex ransomware tactics require has gone down significantly. With the enterprise model creating experts, the unfortunate reality is that it’s never been easier to get into the business. Thankfully, NETSCOUT and other cybersecurity organizations have people like me whose whole job is to prevent that very work from impacting an organization. No matter what comes next, you can count on us to be there to help prevent and mitigate any damage to your network.