Ransomware Update: Insiders and Unix Attacks
It’s no secret around the TRINUS offices that I’m not a fan of writing about ransomware. Don’t get me wrong, I could write a new ransomware update pretty much every week; it’s a massive cyber security topic with potentially massive consequences for those who don’t take it seriously. Unfortunately, it’s also hard not to come off as repetitive when you write about it as much as I have. You can only sound the alarm so many times before people start ignoring the sirens or tuning out the message.
That said, at the risk of sounding like a broken record, it’s time for (you guessed it) a new ransomware update! In our previous post on the subject I talked about how a ransomware gang had started extorting clients or other individuals they could identify from stolen data. Unsurprisingly, that profitable tactic was quickly adopted by other gangs. Unfortunately, it’s happening again. Ransomware gangs are evolving their tactics, and if those tactics prove profitable, others are certain to follow.
So what are these new tactics? First, some gangs have started to pay for access to networks (rather than breaking in themselves). Ransomware is a lucrative enterprise. A criminal one, to be sure, but an enterprise nonetheless. Gangs regularly reinvest in their tools and try to streamline costs, which makes purchasing access from brokers selling credentials a no-brainer. For example, the Lockbit gang recently released version 2.0 of their Ransomware-as-a-Service software of the same name, but they are also actively recruiting insiders at various organizations to provide access.
You might think that advertising for insiders would carry a hefty price tag, but when it comes to ransomware the offer is typically a cut of the profits rather than an upfront payment. I would also assume it comes with protection from being extorted using the data that’s going to get stolen. It’s impossible to know the specifics, but even just 5% of the profits from ransoming a reasonably-sized organization’s data is substantially more than most people’s annual salary.
In addition to recruiting insiders, ransomware gangs have also started targeting the traditionally “safe” Unix-based servers. Unix-powered operating systems like Linux and Ubuntu aren’t usually targets of ransomware attacks because they require specialized expertise to use and simply aren’t as common as Windows, iOS, or Android, which severely limits the number of viable targets. However, it appears some ransomware gangs have realized that many organizations have at least one Unix-based server in their network. Generally, it’s part of some obscure system tucked away in a forgotten room and running in some backwater portion of the network. The kicker is that these servers tend to be forgotten and usually don’t have any sort of protection (and yes, anti-malware software does exist even for Unix systems). That makes them tempting targets. Furthermore, anyone who can compromise a server like that can easily establish a persistent presence in a network and install virtually anything they want without detection. Since these servers are rarely monitored, the hacker can configure any tools they need to launch a full-scale attack on the rest of the network. Sometimes, even if their efforts in the main network are disrupted, it’s possible no one will notice a compromised Unix server, leaving the window open for the hacker to attack again.
The common theme behind both of these new tactics is reduced effort. “Work smarter, not harder” is a common business refrain and truly valuable advice, but criminals also avoid putting in effort they don’t have to, and that’s the best way to look at these new tactics. Ransomware gangs see themselves as businesses (albeit illegitimate ones), and investing profits back into your business to improve it is a standard business practice. Don’t make the mistake of assuming the bad guys don’t know what they’re doing just because they’re criminals. I assure you, they do. If you’d like to discuss how best to protect your business from these new ransomware tactics, contact a TRINUS cyber security specialist today.
A line from Henry V, Act 1, seems appropriate for capping off this ransomware update: “O! for a muse of fire, that would ascend the brightest heaven of invention.”
Be kind, courtesy your friendly neighbourhood cyber-man.