Introduction
My name, stolen. My ID, stolen. My student life, stolen. In April of 2021, my school was a victim of a severe ransomware attack that took over 7400 students’ data. In a matter of minutes, the years of my effort at school vanished before my eyes.
While many of us were fearful that our grades were wiped permanently, our school was hesitant to provide information regarding negotiations. This event occurred halfway through my junior year, which meant a multitude of issues regarding the college application process could arise. Personally, I didn’t fully understand why a cyberterrorist group would target an ordinary school like mine. Too many questions and not enough answers.
My quest to find answers began with the ransomware note displayed on the school site: “Ryuk, balance of the shadow universe.”
Who and Why?
Ryuk is one of the most prolific ransomware families of recent years, and the group operating it has hit institutions at every level. As Ryuk's reach has grown, so have its ransom demands. Critical data belonging to healthcare, energy, food, or transportation organizations is suddenly left encrypted and inaccessible unless the operators receive their payment. Largely, the reason behind attacks by groups such as the one behind Ryuk "is financial; the motivation of Russia for allowing these groups to exist is partially political," according to Alex Stamos, former Chief Security Officer of Facebook.
However, according to IT Governance UK, the predominant reason for committing cybercrime may not actually be monetary; attackers are also motivated by publicity, power, and revenge. Whatever the motive, the resulting financial damage is tremendous, with nearly $388 billion a year spent repairing infrastructure after attacks. But how exactly do these attackers feed on vulnerable systems?
How?
To demonstrate how ransomware groups infect an institution's network, I am going to use Ryuk's process as an example.
The process starts the same way each time: the TrickBot malware arrives through a phishing email. The email usually carries a macro-enabled Office document (a Word or Excel file containing VBA macros, the scripting feature normally used to automate tasks). When the recipient opens it and clicks "Enable Content", the macro downloads TrickBot and runs it on the machine.
Crucial data belonging to the institution, for example a hospital database of patient records, is then exfiltrated out of the network to the attacker. (For hospitals this is especially dangerous, because the attacker has one more option: manipulating the data. With access to patients' allergies, prescriptions, and so on, an attacker who can also write to those records could alter them and endanger lives.)
TrickBot then gives the attackers a foothold from which they deploy Ryuk across the network using PowerShell (Windows' scripting and automation shell), PsExec (a Sysinternals tool that runs commands on remote hosts using valid credentials), and Group Policy (the Active Directory mechanism that pushes settings, scripts, and software to every domain-joined machine).
Once Ryuk is staged network-wide, the attackers delete backups and Volume Shadow Copies (typically with vssadmin and wmic) so that files cannot simply be rolled back. Only then does Ryuk encrypt the systems and drop a note demanding payment in cryptocurrency. If the organization pays, the attackers are supposed to send a decryption key that restores access to the encrypted files; there is no guarantee that they will, or that the key works on every machine.
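The chain just described leaves traces in Windows process-creation telemetry at every stage, and the backup-destruction step is the most urgent one to catch because it immediately precedes encryption. The Python below is an added example written for this page, not code from the original post, from Ryuk, or from any vendor. It parses a handful of constructed Sysmon-style process events (the host names, paths, and encoded payload are placeholders), flags an Office application spawning a script host, encoded PowerShell, PsExec's remote service, shadow-copy deletion, and disabled Windows recovery, and then labels each host with how far along the chain it appears to be. The rule names and stage labels are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed process-creation events in a simplified Sysmon Event ID 1 layout:
#   timestamp | host | parent image | image | command line
# They are invented for this example, not logs from the school or any real
# incident; host names, paths and the encoded payload are placeholders.
SAMPLE_EVENTS = r'''
2021-04-12T08:01:11Z|WS-LIB-07|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\student\Downloads\Invoice_0421.docm"
2021-04-12T08:01:19Z|WS-LIB-07|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIABmAG8AbwA=
2021-04-12T08:30:02Z|WS-LIB-07|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\student\notes.txt
2021-04-13T02:14:45Z|DC01|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe
2021-04-13T02:15:03Z|FS01|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2021-04-13T02:15:04Z|FS01|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
2021-04-13T02:15:05Z|FS01|C:\Windows\PSEXESVC.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2021-04-13T02:16:10Z|FS01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
'''

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
SHADOW_DELETE = re.compile(r"(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows"
                           r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                           r"|wbadmin(\.exe)?\s+delete\s+catalog)")
RECOVERY_OFF = re.compile(r"(?i)\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no"
                          r"|bootstatuspolicy\s+ignoreallfailures)")
PRE_ENCRYPTION = {"shadow_copy_deletion", "recovery_disabled"}


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str

@dataclass
class Finding:
    rule: str
    host: str
    ts: str
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 4)  # the command line itself may contain '|'
        if len(parts) == 5:
            events.append(Event(*parts))
    return events

def evaluate(ev: Event) -> List[str]:
    """Names of every rule the event matches; one event can trip several."""
    img, par = basename(ev.image), basename(ev.parent)
    hits = []
    if par in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")  # a macro handing off to a script engine
    if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(ev.cmdline):
        hits.append("encoded_powershell")
    if "psexesvc.exe" in (img, par):
        hits.append("psexec_service")  # PsExec's remote service, or a child it started
    if SHADOW_DELETE.search(ev.cmdline):
        hits.append("shadow_copy_deletion")
    if RECOVERY_OFF.search(ev.cmdline):
        hits.append("recovery_disabled")
    return hits

def detect(events: List[Event]) -> List[Finding]:
    return [Finding(r, e.host, e.ts, e.cmdline) for e in events for r in evaluate(e)]

def stage_by_host(findings: List[Finding]) -> dict:
    """Collapse findings into one triage label per host. Backup destruction is
    the last observable step before encryption, so it outranks everything else."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    stage = {}
    for host, rs in rules.items():
        if rs & PRE_ENCRYPTION:
            stage[host] = "pre-encryption"
        elif "psexec_service" in rs:
            stage[host] = "lateral-movement"
        else:
            stage[host] = "initial-access"
    return stage

if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.ts} {f.host:10} {f.rule:26} {f.cmdline[:60]}")
    print(stage_by_host(found))
```

Run against the sample, the library workstation shows only initial-access signals, the domain controller shows the PsExec service, and the file server shows shadow-copy deletion and recovery being disabled, which is the point at which a responder should isolate the host rather than keep watching. The string patterns are deliberately loose (PsExec can be renamed, and `-EncodedCommand` has many abbreviations), so treat them as a starting point for tuning against your own telemetry, not a finished ruleset.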
RaaS
Another disturbing trend on the rise is RaaS (Ransomware as a Service). Essentially, it "is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment." Affiliates are usually only willing to sign up with an operation that has an established reputation for reliable tooling and for actually paying out.
This model is growing because the people carrying out the intrusions no longer need to be skilled or experienced; RaaS lets beginners "execute highly sophisticated cyberattacks." Through RaaS, ransomware has moved from opportunistic attacks to a structured business with developers, affiliates, and revenue sharing. Frightening as that sounds, there are several ways institutions can go about preventing attacks.
Prevention and Recovery
The chain reaction is hard to stop once TrickBot is inside the network, but it is not impossible to limit the damage or, better, prevent the infection in the first place. The Center for Internet Security (CIS) recommends several controls, one of which is regular system backups. According to CIS: "Ransomware is known to delete Volume Shadow Copies, so ensure that backups are created and stored off-site or out-of-band. Also, use a backup strategy that allows multiple iterations of the backups to be saved and stored, in case the backups include encrypted or infected files. Routinely test backups for data integrity and to ensure you can recover from them." Keeping software up to date and "whitelisting technology on all assets to ensure that only authorized software executes" (application allowlisting, so that a dropped executable or an unexpected script simply does not run) are further ways to reduce risk.
Another important aspect is to identify "what would most appeal to the bad actors—especially essential services supporting customers, employees, products, and services." To judge whether you or another organization could be a target, "you need to think like a criminal by looking for secondary systems that may not themselves house sensitive data or be an obvious target." These secondary systems (a shared workstation in a library or a vendor's remote-access account, for example) often provide a path into the systems that do hold valuable data and therefore deserve the same level of security.
If attacked, how do you recover? Rebuild compromised systems from a known-good backup or a clean image rather than cleaning them in place, because unidentified malicious files or persistence mechanisms may still remain. To complete the recovery, users should change their passwords, something that our school required all of us to do to log in to the grade book system again; administrators should also reset any domain and service-account credentials, since the attackers will likely have harvested them while inside the network.
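The CIS advice above amounts to a procedure: keep several generations of backups, store them out of band, and test that each one is intact and can actually be restored. The Python below is an added example, not code from the page or from CIS, that runs that cycle on constructed data in a temporary directory. It writes a backup generation with a SHA-256 manifest, re-hashes it, flags files that look like ransomware output (a `.RYK` extension and `RyukReadMe` note names, which are the Ryuk artefacts this example assumes, plus near-8-bit-per-byte entropy), restores from the last trusted generation, and finally shows how a retention of only two generations evicts the clean copy. Off-site storage is not something a script can demonstrate; the `backup_root` directory stands in for it.

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
from pathlib import Path

# Artefacts this example assumes for Ryuk: the ".RYK" extension and the
# RyukReadMe note files. Extend both sets from your own threat intelligence.
RANSOM_EXTENSIONS = {".ryk"}
RANSOM_NOTES = {"ryukreadme.txt", "ryukreadme.html"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def suspicious(path: Path) -> bool:
    """Ransom extension, ransom note name, or near-ciphertext entropy. Caveat:
    zip/jpg/gpg files score high too, so compare with a known-clean generation."""
    if path.suffix.lower() in RANSOM_EXTENSIONS or path.name.lower() in RANSOM_NOTES:
        return True
    with path.open("rb") as f:
        head = f.read(4096)
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD

def create_backup(source: Path, backup_root: Path, keep: int = 3) -> Path:
    """Copy `source` into the next numbered generation, write a SHA-256
    manifest, then prune the oldest generations beyond `keep`."""
    backup_root.mkdir(parents=True, exist_ok=True)
    nums = [int(p.name[4:]) for p in backup_root.glob("gen-*")]
    dest = backup_root / f"gen-{(max(nums) + 1 if nums else 1):04d}"
    shutil.copytree(source, dest / "data")
    manifest = {str(p.relative_to(dest / "data")): sha256_file(p)
                for p in sorted((dest / "data").rglob("*")) if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    gens = sorted(backup_root.glob("gen-*"), key=lambda p: int(p.name[4:]))
    for old in gens[:-keep]:
        shutil.rmtree(old)
    return dest

def verify_backup(gen: Path) -> dict:
    """Re-hash every file against the manifest and flag ransomware artefacts;
    a generation is trusted only if nothing is missing, altered or suspicious."""
    manifest = json.loads((gen / "manifest.json").read_text())
    report = {"missing": [], "altered": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = gen / "data" / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != digest:
            report["altered"].append(rel)
        if suspicious(p):
            report["suspicious"].append(rel)
    report["trusted"] = not (report["missing"] or report["altered"] or report["suspicious"])
    return report

def restore(gen: Path, target: Path) -> bool:
    """Restore a generation and prove it by re-hashing the restored files."""
    shutil.copytree(gen / "data", target, dirs_exist_ok=True)
    manifest = json.loads((gen / "manifest.json").read_text())
    return all(sha256_file(target / rel) == d for rel, d in manifest.items())

def run_demo(workdir=None) -> dict:
    """Clean backup, simulated encryption, tainted backup, restore from the
    last trusted generation, then the retention lesson. All data is constructed."""
    workdir = workdir or Path(tempfile.mkdtemp())
    src, root, out = workdir / "grades", workdir / "backups", workdir / "restored"
    src.mkdir(parents=True)
    (src / "grades.csv").write_text("student,course,grade\n" + "s1,algebra,A\n" * 200)
    (src / "notes.txt").write_text("Parent night moved to Thursday.\n" * 20)
    first = create_backup(src, root, keep=2)
    clean = verify_backup(first)["trusted"]
    # Simulated Ryuk behaviour: overwrite the file, rename it .RYK, drop a note.
    (src / "grades.csv").write_bytes(os.urandom(8192))
    (src / "grades.csv").rename(src / "grades.csv.RYK")
    (src / "RyukReadMe.txt").write_text("balance of shadow universe\n")
    tainted = verify_backup(create_backup(src, root, keep=2))
    restored_ok = restore(first, out)   # gen-0001 is still the clean generation
    create_backup(src, root, keep=2)    # a third run with keep=2 evicts gen-0001
    return {"clean_trusted": clean, "tainted_trusted": tainted["trusted"],
            "tainted_flags": sorted(tainted["suspicious"]),
            "restored_ok": restored_ok, "clean_generation_survived": first.exists()}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The manifest is what makes "test backups for data integrity" concrete: a generation whose hashes no longer match, or whose files now carry ransomware artefacts, is demoted rather than silently kept. The last step is the one most often skipped in practice: with only two generations retained, the third nightly run after an infection would overwrite the only clean copy, which is exactly why CIS asks for multiple iterations.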
Conclusion
It is quite disheartening that cybercrime has escalated over the past year, demonstrating the vulnerability of several institutions, even those of our government. Dependency on data stored in several, potentially at-risk, public networks has undoubtedly increased over the past decade, which only reinforces that we have to stay mindful of cyberthreats moving forward. I can only hope that in the future, cybersecurity integrated with AI can lead us on a path to stop cyberterrorism and help vulnerable public schools like mine stay safe.