It’s Monday morning. Coffee is just kicking in. You’re starting your week and launching your applications and software. But nothing happens.
It’s all systems down. Even your website is offline. Panic. You’re losing money by the minute. If that wasn’t enough, you receive a demand for a ransom to get your systems back up. This is how a ransomware attack works.
It is critical to highlight that ransomware attacks don’t discriminate, and happen regardless of business size or industry. If you think your business is safe, think twice.
Ransomware is not a new concept, but incidents of this nature have drastically increased in the last few months, especially Ransomware DDoS (RDDoS) attacks. How do I know? I work closely with a team that monitors and mitigates this type of attack, and in the past three to six months, we’ve been fighting three to five times the volume of RDDoS attacks we usually would. And Australia isn’t the lucky country in the cyberattack realm, with recent major outages being the consequence of DDoS activity.
So what should a business held to ransom do? Here are some of my tips to help navigate these events.
What’s an RDDoS attack?
Traditional ransomware is a form of malicious software that encrypts files within computers and networks and makes them useless until they are decrypted. It can even damage essential data.
In a DDoS attack, malicious actors unleash a digital swarm of bogus traffic designed to take websites, and potentially internal corporate networks, completely offline.
An RDDoS attack combines the two: malicious actors take systems down with an initial DDoS attack, demonstrating their capacity to inflict harm, then threaten to launch further attacks and rampage through networks until a ransom is paid. Other malicious actors may instead drip-feed an attack, demanding a ransom in cryptocurrency while slowly taking over small parts of your corporate network over a few days - denying access to your desktop, say, or partially disabling keyboards - before a full-scale takeover in which anything connected to the internet can neither operate nor be recovered while the attack is under way.
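The demonstration attack described above shows up on the defender's side as an abrupt, short-lived surge in traffic well before any ransom note arrives. The following Python detector is an added example, not code from the original post: it flags such a surge in per-minute request counts against a rolling baseline. The counts are constructed, and the function and constant names are my own.

```python
"""Flag short volumetric bursts, the traffic signature of an RDDoS demonstration
attack, from per-minute request counts.

Added example, not from the original post. Assumes the defender can export
per-minute request counts from an edge proxy or load balancer; the counts
below are constructed, not real measurements.
"""
from statistics import median

# Constructed per-minute request counts: 20 minutes of normal traffic,
# a 5-minute burst, then a return to normal.
SAMPLE_COUNTS = (
    [1000, 1100, 950, 1050, 1200, 980, 1020, 1150, 990, 1010,
     1080, 1030, 970, 1120, 1000, 1060, 990, 1040, 1010, 1090]
    + [48000, 52000, 51000, 49500, 50500]
    + [1020, 1000, 1070]
)


def detect_bursts(counts, baseline_window=10, factor=5.0):
    """Return a list of (start_minute, end_minute, peak_count) tuples.

    The baseline for a minute is the median of the last `baseline_window`
    minutes that were NOT flagged, so a burst cannot inflate the baseline
    and thereby hide its own duration.
    """
    bursts = []
    normal_history = []  # counts judged normal, used for the baseline
    current = None       # [start, end, peak] of the burst in progress
    for minute, count in enumerate(counts):
        if len(normal_history) < baseline_window:
            normal_history.append(count)  # warm-up: not enough history yet
            continue
        baseline = median(normal_history[-baseline_window:])
        if count > factor * baseline:
            if current is None:
                current = [minute, minute, count]
            else:
                current[1] = minute
                current[2] = max(current[2], count)
        else:
            normal_history.append(count)
            if current is not None:
                bursts.append(tuple(current))
                current = None
    if current is not None:  # burst still running at end of data
        bursts.append(tuple(current))
    return bursts


if __name__ == "__main__":
    for start, end, peak in detect_bursts(SAMPLE_COUNTS):
        print(f"burst minutes {start}-{end} ({end - start + 1} min), peak {peak} req/min")
```

A burst that is still running when the data ends is reported too, which is the case that matters when the detector runs on a live feed.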
The organisations that are most commonly behind this type of attack are Fancy Lazarus, Fancy Bear, Cozy Bear, the Lazarus Group, and the Armada Collective.
Hackers don’t pick and choose specific businesses to target. They scan the Internet to identify vulnerable networks to penetrate and trigger the attack. The whole process is automated. Therefore, businesses that think they’re safe because of their industry, size or location are wrong. As long as you have systems online, you are a target.
If you’re under an RDDoS attack, think twice.
Don’t panic. Panic makes decision-making and clear thinking difficult. Attackers usually give companies “some” time to pay the ransom. What you do in this timeframe is critical.
Seek help. In Australia, businesses that fall victim to ransomware should contact the Australian Cyber Security Centre (ACSC) on its 24/7 hotline, 1300 CYBER1 (1300 292 371). The ACSC will be able to help you only to a certain extent. It is also important to remember that general maintenance and optimisation of an IT infrastructure and dealing with highly sophisticated cyberattacks require very different skills - skills that your IT team may or may not have. In fact, many cybersecurity organisations have launched “rescue” services dedicated to helping businesses that are under attack in record time and to preventing damage from RDDoS attacks.
Don’t pay the ransom. There’s no guarantee hackers won’t target you again once you have paid; if it worked once, they may well keep threatening you. Furthermore, anything you pay is unlikely to be recovered, as malicious actors are good at covering their financial tracks.
Investigate, patch and strengthen. Don’t let it happen again: have a proactive plan in place. If attackers found a vulnerability, they’re likely to find it again. You have to understand the weaknesses attackers were able to leverage and fix them. The most common weaknesses we identified in recent times are attacks on VPNs, whose usage has boomed with the pandemic, and systems where two-factor authentication is not enabled. As a longer-term remediation strategy, you may want to consider network-as-a-service solutions, where your entire traffic and network are protected and processed 24/7 by a third party specialised in mitigating these large threats and optimising networks.
Ransomware and RDDoS are on the rise, and the threat will only keep increasing. A whole ecosystem is building behind them, and it is innovating constantly. Any criminal can now rent ransomware from malicious actors for their own benefit, a model called ransomware-as-a-service. It removes the need for technical skills and for building their own attacks. The “good” side has to respond appropriately to the speed with which hackers are innovating, and I encourage any business to seriously consider how it can raise its cybersecurity standards.