As organisations across the world struggle with the upheavals caused by the Covid-19 pandemic, it is vital not to forget a threat that can cause massive disruption and loss: cybercrime.
While organisations have focused their attention on equipping staff for remote working and reengineering business processes, cybercriminals have been busy perfecting their attack strategies and improving their weapons to take advantage of the expanded threat landscape that the remote workforce has provided.
Cybercriminal groups vary widely in size and technical prowess, but those that can cause the most extensive damage to businesses fall into two categories – eCriminals and nation-states.
eCriminals are often interested in financial gain while nation-state actors tend to take a longer and more targeted approach to gain access to intellectual property from within distinct industries, including companies operating in the telecommunications, financial and healthcare sectors.
Of all the types of cyber threat activity across the Middle East region, it is eCrime that has seen the most rapid increase since the virus first appeared earlier this year. Indeed, globally the CrowdStrike Threat Intelligence team has seen eCrime activity increase by over 330% since the start of the year compared with 2019.
The objectives of eCrime actors are shifting as well. Taking control of an organisation’s IT infrastructure and then demanding payment for its release is now a primary tactic, and in some cases this is accompanied by further threats of extortion.
In the current threat landscape, ransomware continues to prove one of the biggest challenges for organisations across the Middle East. Designed to bring organisations to a grinding halt so victims are forced to pay to regain access to critical data stores, it is a technique of choice for cybercriminals around the world.
If a victim refuses to make the payment, the cybercriminal may threaten to make public some of the organisation’s sensitive data. If payment is still not made, that data could then be posted to a site on the dark web where it can be accessed and potentially used by other parties.
A recent example of ransomware in criminal use is Smaug. This ransomware-as-a-service offering allows criminals who lack the necessary technical skills to mount an attack against a target. Users pay an upfront fee to use the service and then a percentage of any ransom payments received.
The WastedLocker ransomware recently emerged and is tailored to work against specific target organisations. Operated by the cybercriminal group Evil Corp Gang, WastedLocker works by making a preliminary attempt to penetrate an IT infrastructure, collecting information about the defences in place, and taking these into account before a second attack is mounted.
Ransom demands received by victims so far have been very large, ranging from $500,000 to more than $10 million, payable in Bitcoin.
Key threat actors
CrowdStrike Intelligence has been observing the increasing sophistication of criminal organisations daily.
The adversary group Pinchy Spider, responsible for the now-retired GandCrab ransomware, has developed a new ransomware-as-a-service variant known as REvil. This malicious code is offered as a service and CrowdStrike has observed it to be the most widespread ransomware code during the second quarter of this year.
Carbon Spider is another adversary group of sophisticated cybercriminals, one that uses DNS tunnelling to spread its code. The code can also be distributed on devices such as USB keys in the hope that staff within a target organisation will insert one into a networked PC. To date, the group has tended to target point-of-sale devices to extract credit card details.
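The DNS tunnelling mentioned above is detectable from ordinary DNS query logs, because data smuggled through DNS shows up as many distinct, long, random-looking subdomains under one zone. The following heuristic detector is an added illustration, not CrowdStrike's code or detection logic; the log format, the constructed sample lines, the "last two labels" approximation of a zone and the thresholds are all assumptions.

```python
"""Heuristic DNS-tunnelling detector over DNS query logs.

Added illustration for the DNS-tunnelling mention above; not CrowdStrike's
code or detection logic. Log format, sample data and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log: "<client> <qtype> <qname>" per line. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 A mail.example.com
10.0.0.6 A img1.cdn-example.org
10.0.0.6 A img2.cdn-example.org
10.0.0.6 A img3.cdn-example.org
10.0.0.6 A img4.cdn-example.org
10.0.0.6 A img5.cdn-example.org
10.0.0.7 TXT 3a7f9c1e0b4d5e6f7a8b9c0d1e2f3a4b.data.tunnel-example.net
10.0.0.7 TXT 8c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.data.tunnel-example.net
10.0.0.7 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.data.tunnel-example.net
10.0.0.7 TXT 5b6a7988c7d6e5f4031221304a5b6c7d.data.tunnel-example.net
10.0.0.7 TXT 1f2e3d4c5b6a798897a6b5c4d3e2f101.data.tunnel-example.net
10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.data.tunnel-example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def profile_domains(log_text: str) -> dict:
    """Aggregate per-zone features. The zone is approximated as the last two
    labels (an assumption; a public-suffix list would be more accurate)."""
    subs, lens, ents = defaultdict(set), defaultdict(list), defaultdict(list)
    txt, total = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, qtype, qname = rec
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # a bare zone query carries no payload-bearing subdomain
        zone = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        payload = sub.replace(".", "")
        total[zone] += 1
        subs[zone].add(sub)
        lens[zone].append(len(payload))
        ents[zone].append(shannon_entropy(payload))
        if qtype in ("TXT", "NULL"):  # record types with room for bulk data
            txt[zone] += 1
    return {
        zone: {
            "queries": total[zone],
            "unique_subdomains": len(subs[zone]),
            "mean_sub_len": sum(lens[zone]) / len(lens[zone]),
            "mean_entropy": sum(ents[zone]) / len(ents[zone]),
            "txt_fraction": txt[zone] / total[zone],
        }
        for zone in total
    }


def flag_tunnel_candidates(log_text, min_unique=5, min_len=20, min_entropy=3.0):
    """Zones combining many distinct, long, high-entropy subdomains. Any single
    feature alone (e.g. a CDN with many short hostnames) is deliberately not enough."""
    flagged = []
    for zone, p in profile_domains(log_text).items():
        if (p["unique_subdomains"] >= min_unique
                and p["mean_sub_len"] >= min_len
                and p["mean_entropy"] >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone, p in profile_domains(SAMPLE_LOG).items():
        print(zone, p)
    print("tunnel candidates:", flag_tunnel_candidates(SAMPLE_LOG))
```

On the constructed sample, only tunnel-example.net is flagged: cdn-example.org has five distinct subdomains but they are short and low-entropy, which is why the check requires all three features together. Tune the thresholds against your own baseline traffic before alerting on them.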
More recently, Carbon Spider, a group primarily focused on attacking organisations using point-of-sale terminals, has been observed using the REvil ransomware from Pinchy Spider. This has allowed them to extract ransom payments in addition to their normal modus operandi of favouring large organisations that process high volumes of credit card transactions, including large retailers, hotels and casinos.
A third group, Wizard Spider, used the Ryuk family of ransomware until March this year; it has since returned to the scene with Conti, code designed to identify and encrypt files on hosts within a local area network. The adversary uses multiple, highly sophisticated techniques to deploy ransomware enterprise-wide in the hope of a huge payday.
Another recent group, Sprite Spider, conducts low-volume, targeted big game hunting. It exclusively deploys Defray 777 ransomware in memory on victim systems, and because its footprint remains small, post-ransom investigations have proven difficult.
The wide variety of threat actors currently active shows how quickly cybercrime, and ransomware in particular, is evolving. Many organisations that fall victim find they have little choice but to pay the ransom, thereby encouraging the groups to extend their activities even further.
While the initial wave of attacks related to Covid-19 appears to have declined, it is likely activity will rise again as interest grows in the potential vaccine candidates currently being developed around the world. Attackers are likely to mount phishing attacks using emails that appear to offer details about vaccines and how soon they could reach the market.
For this reason, it is now more important than ever for strong security measures to be in place across your organisation.
Accept the 1-10-60 challenge
Combating sophisticated adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility. Organisations can pursue the 1-10-60 rule to effectively combat sophisticated cyberthreats:
- Detect intrusions in under one minute.
- Investigate and understand threats in under 10 minutes.
- Contain and eliminate the adversary from the environment in under 60 minutes.
Organisations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads from its initial entry point, minimising impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.
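Whether a response actually met 1-10-60 is only knowable if the incident timeline is recorded with timestamps and measured consistently. The script below is an added illustration, not CrowdStrike tooling: it takes a constructed timeline of milestone events and scores each phase against the three limits the article states. Measuring each phase from the preceding milestone, the event names, and judging containment by the last host contained are assumptions made here, not something the article specifies.

```python
"""Score an incident timeline against the 1-10-60 benchmark.

Added illustration, not CrowdStrike tooling. Event names, the phase boundaries
and the constructed sample timeline are assumptions for this example.
"""
from datetime import datetime, timedelta

# phase -> (start milestone, end milestone, limit, judge by LAST end event?)
# Measuring each phase from the preceding milestone is an assumption; the
# article states only the three time limits.
PHASES = {
    "detect": ("initial_access", "detection", timedelta(minutes=1), False),
    "investigate": ("detection", "triage_complete", timedelta(minutes=10), False),
    "contain": ("triage_complete", "host_contained", timedelta(minutes=60), True),
}

# Constructed sample timeline (event, ISO-8601 UTC timestamp); two hosts were
# contained, the second one well after the first.
SAMPLE_TIMELINE = [
    ("initial_access", "2020-09-01T08:00:00"),
    ("detection", "2020-09-01T08:00:45"),
    ("triage_complete", "2020-09-01T08:07:30"),
    ("host_contained", "2020-09-01T08:35:00"),
    ("host_contained", "2020-09-01T09:20:00"),
]


def milestones(timeline):
    """First and last timestamp per event name."""
    first, last = {}, {}
    for name, ts in timeline:
        t = datetime.fromisoformat(ts)
        first[name] = min(first.get(name, t), t)
        last[name] = max(last.get(name, t), t)
    return first, last


def measure(timeline):
    """Per phase: elapsed seconds, the limit, and whether it was met.
    A phase whose milestones are missing from the record gets met=None,
    which is reported rather than silently treated as a pass."""
    first, last = milestones(timeline)
    result = {}
    for phase, (start, end, limit, use_last_end) in PHASES.items():
        limit_s = int(limit.total_seconds())
        if start not in first or end not in first:
            result[phase] = {"elapsed_s": None, "limit_s": limit_s, "met": None}
            continue
        end_t = last[end] if use_last_end else first[end]
        elapsed = end_t - first[start]
        result[phase] = {
            "elapsed_s": int(elapsed.total_seconds()),
            "limit_s": limit_s,
            "met": elapsed <= limit,
        }
    return result


def meets_1_10_60(timeline):
    """True only if every phase is recorded and within its limit."""
    return all(r["met"] is True for r in measure(timeline).values())


if __name__ == "__main__":
    for phase, r in measure(SAMPLE_TIMELINE).items():
        print(f"{phase:12s} elapsed={r['elapsed_s']}s limit={r['limit_s']}s met={r['met']}")
    print("1-10-60 met:", meets_1_10_60(SAMPLE_TIMELINE))
```

On the sample, detection (45 s) and investigation (6 min 45 s) are within limits, but containment fails because the second host was not isolated until 72 minutes after triage. Judging containment by the last host is the stricter and more honest choice: an adversary still present on one machine can re-establish access to the rest.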
Ultimately, consider how successful your existing protective measures are with a distributed workforce and put in place additional tools to increase defences. It is going to be many months before many countries return to anything that resembles normal, but the threat of cybercrime will remain. Taking the time now to understand how threats are evolving will ensure you are best positioned to prevent an attack.