Ransomware Archives - JIG Technologies
https://jigtechnologies.com/category/security/ransomware/

Ransomware: A Billion-Dollar Threat to The Business World
https://jigtechnologies.com/ransomware-a-billion-dollar-threat-to-the-business-world/
Mon, 04 Mar 2024 15:50:00 +0000

Ransomware continues to become more and more profitable for cybercriminals—in fact, they raked in over $1 billion in illicit profits in 2023 alone by using this form of malware. Despite temporary downturns in ransomware profits due to law enforcement interventions, cybercriminals continue to innovate and adapt, unleashing sophisticated attacks that target a wide range of organizations, including hospitals, schools, and government agencies. 

These attacks are not just financially motivated; they also have profound implications for the affected businesses. Beyond the immediate financial losses incurred through ransom payments, organizations must also contend with reputational damage and operational disruptions that can have far-reaching consequences.

Additionally, it is crucial to highlight the profound impact ransomware attacks can have on individuals, especially those working in vital sectors such as healthcare and critical infrastructure. For these organizations, attacks can have potentially life-threatening consequences, underscoring the urgent need for robust cybersecurity measures.

The Evolution of Ransomware 

Ransomware, once considered a relatively straightforward cyber threat, has evolved into a complex and adaptive menace that poses significant risks to businesses worldwide. Over the years, ransomware operators have demonstrated remarkable ingenuity in refining their tactics, making them increasingly difficult for businesses to defend against. 

Initially, ransomware attacks relied heavily on indiscriminate phishing emails and exploit kits to infect victims’ systems. However, as cybersecurity measures improved and awareness of these tactics grew, ransomware operators pivoted towards more sophisticated methods. For instance, they began targeting high-value entities such as hospitals, schools, and government agencies through carefully planned and executed attacks. 

These targeted campaigns often involve extensive reconnaissance and social engineering, allowing attackers to maximize their impact and demand larger ransom payments. Another notable evolution in ransomware tactics is the rise of supply chain attacks and zero-day exploits. 

By targeting trusted third-party vendors or exploiting previously unknown vulnerabilities in popular software, ransomware operators can infect large numbers of victims with relative ease. The Clop group’s supply chain attack, which exploited a zero-day vulnerability in a widely used file-sharing platform, exemplifies this trend. Such attacks not only increase the likelihood of success but also make it more challenging for businesses to defend against ransomware effectively. 

Furthermore, the emergence of ransomware-as-a-service (RaaS) models has democratized ransomware operations, enabling even non-technical individuals to launch sophisticated attacks. RaaS platforms provide aspiring cybercriminals with ready-made ransomware tools and infrastructure, lowering the barrier to entry and fueling a surge in ransomware attacks worldwide. 

The Escalating Threat Landscape 

One notable example of the evolving tactics employed by ransomware groups is the aforementioned supply chain attack by the Clop group, which exploited a zero-day vulnerability in a popular file-sharing platform. By encrypting servers and exfiltrating sensitive data, the group was able to extort over $100 million in ransom payments, demonstrating the financial impact and sophistication of modern ransomware campaigns. 

This incident underscores the need for businesses to remain vigilant and proactive in their cybersecurity efforts, as cybercriminals continue to find new ways to exploit vulnerabilities and evade detection. The statistics are alarming: over 70% of ransom payments in 2023 exceeded $1 million, highlighting the substantial sums at stake for businesses that fall victim to these attacks. 

Moreover, with the number of successful ransomware attacks against U.S. targets reaching record levels in 2023, and the proliferation of new ransomware variants posing unique challenges to cybersecurity professionals, the threat landscape shows no signs of abating. In this environment, businesses must prioritize cybersecurity as a core aspect of their operations, investing in robust defenses, conducting regular employee training, and staying informed about emerging threats and best practices for mitigation. 

The Human Element of Cybercrime 

Behind these attacks is a relatively small but highly skilled cadre of cybercriminals, numbering no more than a few hundred individuals. These individuals form the backbone of ransomware APTs (Advanced Persistent Threats), leveraging their expertise to orchestrate attacks with devastating consequences for businesses and individuals alike.

Despite the efforts of law enforcement agencies to thwart specific ransomware campaigns, cybercriminals continue to adapt and exploit new opportunities within the broader cybercrime ecosystem.

Challenges persist in disrupting these operations, as cybercriminals rapidly respond to changing circumstances. Additionally, the impact of ransomware attacks on institutions like hospitals and critical infrastructure providers can have grave consequences, highlighting the importance of proactive cybersecurity measures.

To effectively combat this threat, businesses must prioritize a comprehensive approach to cybersecurity that combines technological defenses with employee training and awareness. By staying vigilant and taking proactive steps, organizations can better protect themselves against the ever-evolving landscape of cybercrime.

Protecting Your Business in an Evolving Threat Landscape 

The data presented paints a stark picture of the escalating threat posed by ransomware to businesses of all sizes. With cybercriminals becoming increasingly sophisticated and relentless in their attacks, no organization is immune from the risk of falling victim to ransomware. 

As business owners, it’s crucial to recognize the urgency of this threat and take proactive steps to safeguard our operations, our data, and our livelihoods. 

By investing in robust cybersecurity defenses, staying informed about emerging threats, and fostering a culture of cybersecurity awareness among our employees, we can mitigate the risk of ransomware attacks and ensure the resilience of our businesses in an ever-changing digital landscape.

What is Malware and How Does it Work?
https://jigtechnologies.com/what-is-malware-and-how-does-it-work/
Wed, 17 Nov 2021 15:23:30 +0000

In this article we look at 9 different types of malware and how they work.

What are the 9 types of Malware and how do they work?

Viruses


What is a computer virus?

A computer virus is a type of computer program that replicates itself by inserting its own code into other computer programs. Computer viruses generally require a host program (unlike a worm, for instance). When the host program is executed, the virus is also executed, causing infection and damage.

How does a computer virus work?

A computer virus must contain a ‘search routine’ that locates new files that are worthwhile targets. Once a target is located, a second routine copies the virus into that program.

A ‘trigger’, also known as a ‘logic bomb’, is the compiled part of the virus that determines the event or condition under which the malicious ‘payload’ is activated; it can fire at any time while the host file/program is running.

The ‘payload’ refers to the actual data that carries out the malicious purpose of the virus. A ‘virus hoax’, by contrast, is non-destructive but still spreads widely.

What are the phases of a computer virus?

Dormant phase – This is when the virus has infected a target computer but is idle until the ‘trigger’ event which instructs the virus to execute. (Not all viruses have this phase)

Propagation phase – The virus starts multiplying and replicating – it can still be ‘dormant’ at this point. It has only begun placing copies of itself into other programs on the target’s computer. At this point a virus can change itself to evade detection by anti-virus software.

Triggering phase – The virus, having propagated, is now activated and will perform the function it was designed for. The trigger can be a count of the number of times a copy of the virus has been made, a specific date or time, or some other condition.

Execution phase – The payload is released and can start its destructive tasks.

Worm


What is a computer worm?

Unlike a virus, a worm does not need a host program to replicate itself and spread. The advantage to this is that a worm is not restricted by a host program and can run independently.

Worms are more infectious than traditional viruses. They can infect the local computer, but also servers and clients on a network. They spread easily through emails, web pages and servers.

What are the types of computer worm?

Email worms create outbound messages to all addresses in a target’s contact list. These messages can contain malicious attachments that can cause all sorts of problems (ransomware and further infection) when opened. Phishing is a common deployment technique.

File-sharing worms are disguised as media files. They copy themselves into a shared folder, most likely located on a local machine, under a harmless name and wait to be downloaded by a user on the same network.

Internet worms infect web pages or popular websites with poor security. They are completely autonomous: once they infect a machine, they can use it to scan the internet for other vulnerable machines.

Trojan Horse Virus


What is a Trojan Horse Virus?

You know and love this horse! Just like its namesake, the Trojan Horse virus downloads onto a target’s computer disguised as a legitimate program thereby gaining access to deliver its malicious payload.

How does a Trojan Horse virus work? 

Unlike viruses and worms, a trojan does not self-replicate and requires users to install it. However, that does not mean that an infected computer isn’t dangerous to other computers. The malicious software on the infected computer can be designed to turn that computer into a ‘zombie’ under the hacker’s remote control. They can then use that computer to share malware across a network of devices (known as a botnet).

Trojans are often concealed in emails or ‘free-to-download’ files. Once installed it will execute the task it was designed to do which is often to gain backdoor access to a network, spy on users’ activity or steal sensitive data. Ransomware attacks are often carried out using a trojan.

Rootkits


What is a Rootkit Virus?

Usually this consists of a collection of software designed to give an unauthorized user access to a computer. Rootkits are very good at masking their existence within a computer.

How do Rootkits work?

Rootkits can be installed through an automated process or by an attacker who already has ‘root’ or administrator-level access. Usually an attacker has gained this access by exploiting a known vulnerability or password, both of which can be attained through other attacks. With this sort of access, the attacker can modify existing software (like antivirus) to remain undetected.

Removal of rootkits can be complicated to almost impossible and often reinstallation of the operating system is the only solution.

Kernel mode – These run with the highest operating-system privileges by adding code to, or replacing portions of, the core operating system, including both the kernel and associated device drivers.

Bootkits – A variant of kernel-mode rootkit, these infect startup code like the master boot record, volume boot record or boot sector and can be used to attack full-disk encryption systems.

Firmware and hardware – These use a device or platform to create a persistent malware presence in hardware (routers, network cards, hard drives, or system BIOS). Firmware is not usually inspected for code integrity, so it is a good place for a rootkit to hide. From there, rootkits can seize data.

Backdoor Viruses


What is a Backdoor Virus?

Knock-knock.
Who’s there?
Malware that bypasses normal authentication procedures to access a system!

Backdoors are most often used by a cybercriminal to secure remote access to a computer or network. Backdoors can be delivered via rootkits, trojans, and worms. They can also be used to turn the target’s computer into a zombie or add it to a botnet.

Backdoors are especially sinister because once the cybercriminal has gained access to the computer/network and installed the backdoor, they will be able to keep accessing that device. So, even if the vulnerabilities are patched and the offending software removed, the backdoor remains untouched on the system.

Recently, given the COVID epidemic, criminals used fake Zoom installers (everyone working from home was installing all the various video conferencing apps) containing malware, one of which installed a backdoor that allowed bad actors to run routines remotely.

How do Backdoor Viruses Work?

There are several types of backdoor intrusion technique:

Port binding – In a system without a firewall, attackers can communicate with a computer port. Once the backdoor is bound to the port, attackers can freely communicate with the computer.

Connect-back – With a firewall present, attackers can use a modified backdoor to check for available unprotected ports. They can then connect through a port that gives them remote access to the computer.

Connection availability – Attackers can use backdoors to check for available connections and bypass intrusion detection systems.

Standard service protocol – They can use alternate protocols that aren’t typically detected, like UDP instead of the more common TCP.
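Every technique listed above shows up on the defender's side the same way: a socket listening on the host that nobody approved, sometimes on UDP rather than TCP. That is why a baseline of approved listeners is a standard detection control. The Python script below is an added example, not code from the original post or from JIG Technologies. It parses lines in the shape of `ss -tulpnH` output (the sample lines, process names, PIDs and the baseline are all constructed for the example; no real capture is involved), compares each listener's protocol, port and process name with the approved baseline, and reports anything outside it, including listeners bound to a wildcard address rather than loopback.

```python
"""Baseline audit of listening sockets (added defender-side example)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    proto: str       # "tcp" or "udp"
    local_addr: str  # e.g. "0.0.0.0", "127.0.0.1", "[::]"
    port: int
    process: str     # process name from the users:(...) column, or "?" if absent
    pid: int         # 0 if the process column is absent

# Constructed sample in the shape of `ss -tulpnH` output; not a real capture.
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443      0.0.0.0:*    users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432   0.0.0.0:*    users:(("postgres",pid=903,fd=5))
tcp   LISTEN 0      5      0.0.0.0:4444     0.0.0.0:*    users:(("updatesvc",pid=2210,fd=4))
udp   UNCONN 0      0      0.0.0.0:53       0.0.0.0:*    users:(("systemd-resolve",pid=640,fd=12))
udp   UNCONN 0      0      0.0.0.0:31337    0.0.0.0:*    users:(("kworker",pid=2215,fd=3))
"""

# One line of `ss -tulpnH`; the users:(...) column is optional (absent without -p or root).
_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+))?"
)

def parse_ss(text: str) -> list[Listener]:
    """Turn ss output into Listener records, skipping lines of an unexpected shape."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        listeners.append(Listener(
            proto=m["proto"], local_addr=m["addr"], port=int(m["port"]),
            process=m["proc"] or "?", pid=int(m["pid"] or 0)))
    return listeners

# Approved (proto, port, process) triples: what this host is supposed to expose.
# Constructed for the example; a real baseline comes from the host's build standard.
BASELINE = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("tcp", 5432, "postgres"),
    ("udp", 53, "systemd-resolve"),
}

def audit(listeners: list[Listener], baseline=BASELINE) -> list[Listener]:
    """Every listener whose (proto, port, process) triple is not in the baseline."""
    return [l for l in listeners if (l.proto, l.port, l.process) not in baseline]

def exposed_to_network(listeners: list[Listener]) -> list[Listener]:
    """Listeners bound to a wildcard address, i.e. reachable from other hosts."""
    return [l for l in listeners if l.local_addr in ("0.0.0.0", "*", "[::]")]

if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in audit(found):
        print(f"UNEXPECTED {l.proto}/{l.port} on {l.local_addr} "
              f"process={l.process} pid={l.pid}")
```

Run it against the real output of `ss -tulpnH` (root is needed for the process column) and keep the baseline in version control alongside the host's build standard. A listener outside the baseline is a finding to investigate, not automatically a backdoor, but a process name that imitates a kernel thread or an update service, bound to a wildcard address on a port the host has no business serving, is exactly the pattern the port-binding and connect-back techniques above leave behind.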

Keylogger Viruses


What is a Keylogger?

A keylogger is a type of spyware that tracks keystrokes on your keyboard. It records everything the target types, usually specifically trying to sniff out banking information. Otherwise, PIN codes, passwords, and other sensitive data are also up for grabs.

Many keyloggers have rootkit functionality, meaning they hide very well in areas of the target’s system where they can avoid detection.

There are many valid uses for keylogging technology. For instance, organizations might use keyloggers to troubleshoot technical problems, and families and business people might use them to monitor network usage without the users’ knowledge. Windows 10 has a built-in keylogger to improve typing and writing services.

How do Keyloggers work?

Software Keyloggers: This is a computer program designed to record input from a keyboard.

Hardware Keyloggers: Do not depend on software being installed as they exist on the hardware level. Examples of this are keyboard overlays, acoustic keyloggers, electromagnetic emissions, optical surveillance, physical evidence and more.

Mobile devices are also vulnerable to software keyloggers. These keyloggers are designed to take screengrabs of emails, texts and logins.

Adware + Malvertising


What is Adware?

Adware generates online advertisements in the user interface of a particular software or on a screen presented to the user during that software’s installation process. This is a revenue generating process whereby the developer makes money by a) displaying the advertisement and b) a “pay-per-click” basis, if the user clicks on the advertisement.

What is Spyware?

Some of these advertisements also act as Spyware. The ad will collect and report data about the user, to be sold or used for targeted advertising or user profiling.

Some sources rate adware and spyware as nothing more than an irritant, while others indicate that it is as harmful as viruses and trojans.

What is Malvertising?

Malvertising and adware are two terms that are sometimes used interchangeably, though they are substantially different.

Unlike malvertising, which launches an attack via an infected ad, adware is a program that can be used to track a user’s web activity in order to display relevant or personalized ads.

All malvertising is considered malicious in nature, whereas some forms of adware are included in legitimate software packages. While adware often stokes concerns regarding data privacy and security, it does not allow cybercriminals to assume control of the system or alter, exfiltrate or delete data. Malvertising attacks may also execute an exploit kit, which is a form of malware that is designed to scan the system and exploit vulnerabilities or weaknesses within the system.

Though somewhat less common, it is possible to conduct a malvertising attack without having the user interact with the ad. These attacks include:

  • A “drive-by download,” which exploits browser vulnerabilities to install infected files on the system while the user is passively viewing the ad.
  • A forced redirect of the browser to a malicious site.
  • Executing JavaScript or Flash to display unwanted advertising or malicious content.

Bots/Botnets


What is a Bot/Botnet?

Malware bots are used to gain control over computers. Typically, malware bots are self-propagating and infect hosts with the intention of connecting to the threat actor’s server and letting them know another computer has been compromised.

When many bots serve one malicious purpose they are known as a botnet: a network of bots. Once the attacker has a large botnet at their service they can command it to perform a malicious action such as launching a DoS attack, opening back doors, stealing data or distributing malware.

How do bot and botnets work?

There are some stages that help illuminate the functioning of a botnet.

Prep and expose – This is when the attacker exploits a vulnerability and exposes the target to malware.

Infect – The target is infected with malware and their device taken over

Activate – The attacker mobilizes infected devices to carry out attacks.

Mobile devices, wearable devices (smartwatches, fitness trackers, etc.) and IoT (Internet of Things) devices can also become bots and be included in botnet attacks.

Botnet attacks are generally used to take down a targeted business’s website and then request payment for the attack to stop, or simply to damage the business. Cyber activists use this method of attack to make a statement. Microsoft recently experienced a DDoS attack against their Azure cloud network, with bad actors trying to choke their network capacity.

Ransomware


What is Ransomware?

Ransomware is a form of malware (malicious software) that threatens to publish, block or delete a victim’s computer files, databases or applications. The threat actor will usually encrypt the victim’s data and demand a ransom fee in order to release the data back to the victim.

How does ransomware work?

The malware will encrypt or block the victim’s files using a randomly generated ‘asymmetric key’ pair. These are often called public-private keys. These encryption keys are uniquely generated for the victim, and the data is almost impossible to decrypt without the decryption key – which only the bad guy has. The bad guy only makes the decryption key available when the victim has paid up.

Types of Ransomware

Locker Ransomware blocks computer function altogether. The target is denied access to anything on their computer, but the good thing about locker malware is that it doesn’t target critical files.

Crypto Ransomware encrypts important data (documents, images, videos, databases, etc.). Without payment, the attacker refuses to decrypt the files and the target (without adequate backups) faces losing all their data.

Cybersecurity firm Emsisoft estimates that ransomware attacks increased more than 80% in 2020, costing Canadians hundreds of millions of dollars.

Major Canadian organizations have all been targets of ransomware attacks: CAMH and Western were affected by the ransomware attack on Blackbaud, and Molson Coors and the TTC were hit most recently.

Learn more about the 6 phases of a ransomware attack here.

What is Ransomware and How does it Work?
https://jigtechnologies.com/what-is-ransomware-and-how-does-it-work/
Mon, 01 Nov 2021 12:16:50 +0000

What is Ransomware?


Ransomware is a form of malware (malicious software) that threatens to publish, block or delete a victim’s computer files, databases or applications. The threat actor will usually encrypt the victim’s data and demand a ransom fee in order to release the data back to the victim.

How Does Ransomware Work, Exactly?


The malware will encrypt the victim’s files using a randomly generated ‘asymmetric key’ pair. These are often called public-private keys. These encryption keys are uniquely generated for the victim, and the data is almost impossible to decrypt without the decryption key – which only the bad guy has. The bad guy only makes the decryption key available when the victim has paid up.

How Does Ransomware Spread?


Ransomware can spread through email campaigns or targeted attacks. Malicious emails are the most common way of spreading ransomware. Usually this will involve an infected attachment. Some of these attachments are so sophisticated, they can mimic legitimate sources known to the victim.

Should the victim be part of a network – the typical office/corporation arrangement of computers – the attacker can now move laterally. They can find a path to main servers and other computers, collecting credentials with administrator privileges along the way. Then the ransomware is dropped, and trouble begins. To make matters worse, these sorts of infections can encrypt even system backups, making quick recovery challenging.

Ransomware is usually installed using a trojan or worm deployed via phishing.

Will Ransomware Delete My Files?


These are criminals; they have no specific need to decrypt your files after they get your money. FinCEN said the total value of suspicious activity reported in ransomware-related reports during the first six months of 2021 was $590 million, which exceeds the $416 million reported for all of 2020. In fact, 2021 has been a record high for ransomware attacks. Law enforcement organizations advise against paying ransoms of any kind; however, in the case of hospitals or other major public infrastructure, it may be the only option.

Can Ransomware Infect Mobile Devices?


You bet! Cybercriminals can use malware to encrypt files the same way it does on your PC, but with some different approaches. Without getting into the technical side of it, it should be known that this is a growing area of ransomware activity, indicating that threat actors are motivated to continue with this avenue of extortion as a way of making money.

Can Ransomware Infect Cloud Storage like Google Drive, SharePoint, OneDrive, etc.?


Indeed, cloud storage is vulnerable to ransomware infection by virtue of the fact that it syncs with local data automatically. When your system gets infected and your local files are encrypted, services like OneDrive and Dropbox will sync the encrypted versions up to the cloud. However, the good news is that some cloud storage solutions offer versioning, and this can come in handy when you go to recover the last normal version of your data.

In Conclusion


Today’s cybercriminals don’t even have to be very technical or knowledgeable about computers. The dark web provides ransomware exploit kits, and they are among the cheapest products available there. Some of them even include tutorials and guides on how to execute them.

Ransomware is surely not going away anytime soon. It is too profitable, and too easy to keep under the radar of law enforcement. The only real way to steer clear of trouble is to make sure you are always using the best security you can: complex passwords and two-factor authentication; good habits like never downloading or opening suspicious attachments in emails and not following links in emails from unknown sources; and regular backups to an external drive! Check out here for more tips!

 

6 Phases of a Ransomware Attack
https://jigtechnologies.com/phases-of-ransomware-attack/
Fri, 29 Oct 2021 15:47:18 +0000

Additional Writing Credit: Evan McLean - Microsoft Certified Security Administrator for JIG Technologies

Phase 1: Exploitation and Infection


The first step is to infect a victim’s computer with malware. This can be achieved by either:

  1. Forcing or tricking the victim to download an infected attachment through email (most common).
  2. A drive-by-download which refers to the distribution of software or malicious code without the user’s knowledge. This can be achieved through an advertising popup or other active portion of a web page. Clicking or even attempting to close a window can be interpreted as consent to download.
  3. An exploit kit which may start as a website that has been compromised. The site will covertly redirect traffic to another landing page that will profile the victim’s device for vulnerable browser-based applications.
  4. Exploiting weaknesses in RDP connections.

Phase 2: Delivery and Exploitation

Once the malware has installed itself on the victim’s computer it will begin downloading a hidden executable (or .exe) file. When it is done delivering its malicious payload it will notify the cybercriminal.

The criminal’s server (often referred to as ‘Command and Control’ – C2) is usually located in the dark web and works across anonymous networks.

The malware can also lay dormant for days or weeks and then spread itself out across networks and systems in an organization.


Phase 3: Privilege Escalation and Keys


Once the cybercriminal is inside the victim’s computer, they start to execute several privilege escalation techniques to gain access to files. In the case of an organization, they will also start scanning the computer to discover corporate networks or Active Directory domains.

They mask their activity as an already running process (PID) and then try to give themselves file ownership or increase their permissions within the folders. Once they have higher privileges such as write or modify, they can start replacing the files with encrypted versions.

They use the network drives to look for backups, then piggyback onto those backups and encrypt them. Cold storage solutions are the only way to defeat this kind of attack.

To ensure their persistence on the machine, cybercriminals will often implement ‘backdoor’ options by installing remote desktop software or using compromised credentials.

C2 creates two cryptographic keys. One key is kept on the victim’s computer and the other is stored on C2.

Phase 4: Encryption

Before this stage, things are still reversible if detected in time. However, by this phase, the cybercriminal is in complete control.

The ransomware begins encrypting files. It uploads the newly encrypted files and deletes the originals.

Different ransomware uses different encryption methods, which can include anything from encrypting the master boot record (MBR) of a file system to encrypting individual files or entire virtual machines. Common file types, from Microsoft Office documents to .jpg images and more, are all targeted.

Backups may be deleted or encrypted to prevent or delay recovery.
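Phase 4 is the last point at which detection still pays off, and the Crypto Ransomware description in the malware post above names the two observable signs of it: files being rewritten with encrypted (high-entropy) content and their extensions changing, many at a time. The Python detector below is an added example, not code from the original post or from JIG Technologies. It scores each file write with Shannon entropy, treats a high-entropy write combined with an extension change as suspicious, and alerts once enough suspicious writes land inside a short window. The file events, paths, timestamps, content and thresholds are all constructed for the example.

```python
"""Burst detector for the mass-encryption phase (added defender-side example)."""
import math
import os
import random
from collections import Counter, deque
from dataclasses import dataclass

@dataclass
class WriteEvent:
    ts: float       # seconds since epoch
    old_path: str   # path before the write (rename source); same as new_path if no rename
    new_path: str   # path after the write
    data: bytes     # content written; the first few KiB are enough in practice

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(ev: WriteEvent, threshold: float = 7.5) -> bool:
    """High entropy plus a changed extension is the classic crypto-ransomware write pattern."""
    ext_changed = os.path.splitext(ev.old_path)[1] != os.path.splitext(ev.new_path)[1]
    return ext_changed and shannon_entropy(ev.data) >= threshold

class BurstDetector:
    """Alert once at least min_files suspicious writes land within window_s seconds."""
    def __init__(self, window_s: float = 10.0, min_files: int = 5):
        self.window_s = window_s
        self.min_files = min_files
        self._recent = deque()  # timestamps of recent suspicious writes

    def observe(self, ev: WriteEvent) -> bool:
        if not looks_encrypted(ev):
            return False
        self._recent.append(ev.ts)
        # Drop suspicious writes that fell out of the sliding window.
        while self._recent and ev.ts - self._recent[0] > self.window_s:
            self._recent.popleft()
        return len(self._recent) >= self.min_files

def run_detector(events: list[WriteEvent], **kwargs) -> list[float]:
    """Feed events through a fresh detector and return the timestamps at which it alerted."""
    det = BurstDetector(**kwargs)
    return [ev.ts for ev in events if det.observe(ev)]

def sample_events() -> list[WriteEvent]:
    """Constructed event stream: two ordinary document edits, then six encrypting rewrites."""
    rng = random.Random(1234)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for encrypted output
    plaintext = b"Quarterly figures: revenue up, costs flat.\n" * 100
    events = [
        WriteEvent(100.0, "docs/notes.txt", "docs/notes.txt", plaintext),
        WriteEvent(101.0, "docs/plan.docx", "docs/plan.docx", plaintext),
    ]
    for i in range(6):
        name = f"docs/report{i}.xlsx"
        events.append(WriteEvent(105.0 + i * 0.5, name, name + ".locked", ciphertext))
    return events

if __name__ == "__main__":
    for ts in run_detector(sample_events()):
        print(f"ALERT: possible mass encryption in progress at t={ts}")
```

In practice the events would come from a file-system audit source (inotify, Windows file auditing, an EDR agent), and an alert would trigger isolation of the host and an immediate check that backups are still intact and offline. A threshold of 7.5 bits per byte separates ciphertext from almost every document format, but already-compressed formats such as .zip, .jpg and the Office .docx/.xlsx containers also score high, which is why the extension change is required as a second signal before a write counts toward the burst.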


Phase 5: Extortion


At this point the victim/s will receive a lock screen detailing the situation, the fact that their files are all encrypted and information explaining how to pay to get their files back.

Of course, the cybercriminal requests a certain sum of money to be paid in bitcoin. The typical fee for individuals is between USD $300 and USD $500.

Corporations may pay in the hundreds of thousands, to the millions.

There is often a time limit associated with the payment window in order to motivate the victim to pay quickly and not search out alternative resolutions.

Phase 6: Payday

At this point, most victims and organizations decide to pay, since the cost of recovery or partial recovery may exceed the ransom request.

In some cases, with major infrastructure organizations, each minute ticking away can cost thousands of dollars, and possibly affect the safety of hundreds of people (as in the cases where hospitals were targeted). With this in mind, payouts are the most likely resolution.
