Greetings from Kartikay on the cyber team. Ransomware attacks have become a scourge in recent months—causing gas shortages on the East Coast, interfering with hospital networks and even disrupting Americans’ burger supply chains. But in most cases, ransoms are paid quietly, and few details ever leak to the public. That’s even though the practice was a $350 million enterprise in 2020, according to research firm Chainalysis.
All the secrecy means that the mechanics of ransomware attacks are poorly understood. Here, a primer on the major players in the surprisingly specialized world of hacking for profit:
- The hackers: The first step in a ransomware attack is the hack. Using stolen passwords or specialized intrusion software, hackers establish access to a company’s network. But they’re not always the ones who actually carry out the attack. After getting in, these hackers frequently sell their keys to attackers eager to continue the exploitation.
- The operators: There’s a whole sub-economy of what I’ll call “operators,” groups that develop software to unleash ransomware attacks. Sometimes these groups will carry it out themselves, other times they just sell the ransom software: a practice that amounts to ransomware-as-a-service. Cybercrime groups like Maze and Netwalker have pioneered this business model.
- The infectors: After getting access from hackers and obtaining the ransomware software, these criminals will enter the victim’s network and begin the process of network reconnaissance. (Infectors can be the hackers or operators, or an entirely separate criminal group.) They’ll take anywhere from a few days to a few months to identify and steal the most lucrative data in the network. Then, they’ll execute the ransomware to lock (or encrypt) the network. Victims are then blocked from regaining access without a new set of keys, known as a decryptor, which they hold ransom.
- The muscle: If a company doesn’t pay up right away, hackers might hire a separate group to intimidate victims. Tactics include blasting emails to employees and calling the victims’ partner companies with additional threats.
- The lawyers: A victim’s first step after being hacked is often its legal team. They’ll huddle to determine who needs to be informed of the breach, if payment to the attackers will violate federal sanctions rules and the legal cost of violating those rules.
- The backup: Victims can hire security services from companies like Mandiant Corp., CrowdStrike and Microsoft Corp. These firms will help victims determine the original source of the compromise, stave off re-entry and can sometimes product a solution that lets them avoid paying at all.
- The insurers: If a company decides it needs to pay a ransom, cyber insurance policies often cover the cost. The biggest enterprises frequently stack policies to ensure they’re covered for ransom demands that can reach into the tens of millions of dollars. Cyber insurers include general insurers like Beazley PLC and AXA SA and dedicated cyber companies like Coalition Inc. Ransomware has become so pervasive recently that this has been a bad business to be in.
- The mixers: Once a price is set, the victim is then directed to transfer the ransom to a cryptocurrency wallet. The criminals then launder that cryptocurrency by funneling it through a mixer who blends the currency with other digital coins to obfuscate its source.
- The decrypters: Once a payment is made, victims receive a digital key to regain access to their network. However, coming back online can be like walking into your home after being robbed. Files aren’t where they used to be and software doesn’t always work quite right. Decryption companies try to help ensure the decryption key does what it’s supposed to do.
That’s the simplified version of how these hacks work. As ransoms balloon, and both hackers and cybersecurity firms grow in sophistication, this booming cottage industry is likely expand even further. Expect the problem to get worse before it gets better. —Kartikay Mehrotra
No comments:
Post a Comment