We Have All Heard This Story Before
Ransomware is without doubt the biggest threat in the modern cybersecurity landscape. The highest ransom ever reported paid by a single company for a single incident is US$40 million. Companies can incur millions more in remediation costs, service downtime, legal settlements and higher insurance premiums, and may suffer long-term damage to their brand reputation. Blockchain analysis firm Chainalysis estimates that nearly US$700 million in ransomware payments were made in 2020.
Defenders have been hearing this story for years, so they know how to secure against ransomware, right? The most common initial access vector is phishing, so staff training sessions on how to spot a deceptive URL are required to keep the bad guys out. Install endpoint security products and keep them updated, and of course keep bulletproof backups, right?
Well, yes and no.
Threat Intel Points To A Novel Use-Case For Ransomware
News surfaced recently about a company that staged a ransomware attack on itself to hide ongoing financial fraud. The actual incident happened several years ago, but in a recent interview Joseph Carson, chief security scientist and advisory CISO at security vendor Delinea, shared his experience from consulting on it as an incident response analyst.
During his examination he uncovered that the ransomware had been deployed from an internal source, essentially by the company’s own staff. This led Carson to take a step back and look at the bigger picture, and when he did he uncovered ongoing financial fraud at the company.
This clearly presents a different type of organizational risk from the traditional ransomware threat we have all come to know, in which outside criminal organizations known as ransomware gangs constantly try to gain initial access to a company’s infrastructure and then encrypt unprotected data, exfiltrate sensitive data, or both (a multi-extortion tactic).
How To Protect Your Company?
So threat intelligence has uncovered a novel type of attack, whose goal is to erase financial data that a company wants to disappear. How should CISOs and other C-level executives think about this use-case, and how should a company protect itself from a ‘fake ransomware’ attack such as this one?
For starters, this curious case highlights some key administrative controls, such as separation of duties (SoD) and mandatory vacations, as well as technical controls that support non-repudiation, such as multi-factor authentication combined with centrally retained logs, and air-gapped off-site backups.
SoD and mandatory vacations are designed to ensure oversight of vulnerable positions and departments where financial fraud such as embezzlement is most likely to happen. Keeping close tabs on these critical business operations also ensures compliance with financial regulation.
The common perception of a desirable backup solution is the lowest recovery time objective (RTO) and recovery point objective (RPO) achievable for the allocated budget. But to mitigate a scenario like the one described above, it is more important to have off-site, air-gapped backups that cannot be reached, modified or deleted from the internal network, including by an insider holding administrative credentials, and whose retention is long enough that the copy predates the period under investigation. These backups are unlikely to be needed, but if and when they are, RTO and RPO will not have the critical impact they would for a customer-facing system such as a revenue-generating e-commerce site, where every minute of downtime costs revenue and reputation. For internal financial records, a day or two of downtime is unlikely to decimate business operations.
Multi-factor authentication is usually thought of as a control against outside attackers reaching internal data, but it also ensures that if an insider launches an attack on the organization, the attack can be traced to an individual in a way that supports non-repudiation: because the second factor is tied to a specific person, the account owner cannot plausibly claim that someone else merely guessed or reused their password. Logged digital evidence can then be used to verify the identity of the person who initiated the system processes, provided the logs themselves are stored where the insider cannot alter or delete them.