A Deep Dive Into Ransomware | Part 1 August 24, 2021 by Paul Byrne Ecommerce Security The days of fun and games on the internet are over Out are the days of easy hacking and in are the days of security software. Hacking has come a long way since the early days of the internet. Many companies and merchants think that it’ll be easy to maintain security and customer confidentiality but are up against a constant tsunami of hackers and haters that have evolved alongside the technology world. The biggest challenge is to first see things from the mind of a hacker to identify weaknesses in your current cybersecurity approach. Recently, I had a series of important discussions with a very high-level data scientist in one of the world’s top cybersecurity companies. The actuality of knowing someone within the business was purely coincidental. If I had tried to approach this company or another directly, without the connection, I would have most likely been turned away because cybersecurity analysts, by necessity, are a rather tight-lipped group. At the forefront of this conversation was the recent ransomware attacks of the Colonial Pipeline and other large operating companies. From this discussion, I realized that I, myself, had come to many similar conclusions, but from his observations, in addition to the ones I already was aware of, it started to sound alarm bells in my head that I couldn’t seem to shut off. Almost exactly four years back, I published the first article on cybersecurity and have followed up with several in the meantime. It’s worth noting that both the attack vectors and frequency of attacks are multiplying at a rapid pace. So, let’s begin our deep dive into the mind of a hacker by first looking at some of the main objectives and goals of a 21st century hacker. Progression of Hacking Objectives Phase 1 - Identity Theft - the good ‘ol days Ah yes, the good old days when hackers were primarily interested in identity-theft. Identity theft occurs when someone uses another person’s personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. Typically for financial gain. With the increased difficulty in hacking, this kind of small game is only sought-after by the least-talented and most desperate hackers, but they still do exist, as we will occasionally encounter them while performing site reviews. For example, Razoyo recently performed a routine Technical Site Review for a multi-channel retailer and while digging through the code, we found an extremely hidden and clever data exfiltration mechanism that a hacker was using to store over 30,000 credit card numbers. With good security practices, these types of hacks are relatively easy to uncover and simple to protect against. Due to the growth of two-factor authentication (2FA) and AI security with card-issuers, the value of PII on the dark web has decreased drastically. To some hackers identity theft is considered loose change & low hanging fruit. Especially devious hackers evolve to find more cruel and unusual ways of siphoning money out of organizations without them ever knowing. Phase 2 - Cryptocurrency Mining Cryptocurrency Mining is legal and many technically savvy people have the capability to set up a computer with the correct processing capacity and start reeling in the dough. It’s apparently so easy that even Grade School students are able to set up a system and reel in over $32,000 per month in Frisco, TX. (See the article here). The caveat here is that these kids are crypto mining legally with servers that they are building and maintaining. Unfortunately, there are types of hacking that start off legal and quickly dive downhill. In the late 2010’s, Professional hackers started preferring cryptocurrency mining to other hacking techniques. The beauty of this type of hack is its scalability, because fundamentally all a hacker would have to do is gain access to a server and install a mining software. To do this, no knowledge of any front-end software is required and it is unlikely to be thwarted by version control. The vulnerability that companies face when it comes to crypto mining is a hacker’s ability to access a company’s server, (or servers that aren’t their own), in order to provide themselves with enough processing capacity to hack and mine undetected. Cryptocurrency Mining Hackers choose this option because they aren’t responsible for maintaining servers and infrastructure associated with the hardware. They simply plug in and make sure their scheme doesn’t interrupt or trip any red flags in the company applications and CPU time. Hacks like this can go unnoticed for years if remained unchecked. Cryptocurrency Mining has become less popular because of the increased difficulty of gaining root access to a server, and more companies moving their applications to a cloud based server system managed by Google, Microsoft, or Amazon (who have the tools to detect and protect against mining software attacks). Now that these techniques have been divulged for the better part of a decade, plus the volatility and instability of cryptocurrency values, hackers are less interested in cryptocurrency mining attacks and have moved their eyes to a bigger prize. Phase 3 - Extortion and Espionage Hackers have evolved to find where the big money is and how to get it; Politics, Government, and Global Organizations. Step 1) Gain access to pertinent information that another party wants. Step 2) Sell it anonymously (or not) to the highest bidder on the black market / dark web OR back to the same organization securely. A.K.A. Ransomware. We recently saw this happen with the Colonial Pipeline in April of 2021. (Read more about the attack here). But to hackers, this type of attack has much greater potential than a fuel pipeline payout of $4.4 Million. The software security expert and data scientist, as referred to earlier, made the statement, “What people don’t understand is that we [The United States] are at war with China…” and to this point, I would add that we are also at war with Russia. It’s simple, both parties use the same techniques of hacking and coercion to gain access to US intelligence and technological infrastructure. Hackers from The Chinese Communist Party The Communist Party of China has enormous hacking resources with 2 goals: steal intellectual property and control over individuals. China exerts immense pressure on their own citizens to gather information on its behalf and to compromise the systems of companies where they work. They have managed to exert the same pressures on anyone who does business in their country as well. For example, General Electric’s (GE) wind-energy business in China was forcibly taken over by the Chinese Government in 2003. GE’s CEO had no choice but to comply with the take over or it would mean their medical device business would also be commandeered by the Chinese Government. (Read about this common theme here) It is no secret that China has also taken control of it’s media, messaging, and information sources to its citizens. Even going so far as to coerce forced messaging from United States celebrities, billionaires, and politicians to ensure their power, underlying tactics, and corruption isn’t in the public eye. For Example, John Cena’s shameful and misguided apology for mistaking Taiwan as its own independent Country, and Elon Musk claiming that China is far ahead of the US in implementing renewable energy which was proved to be demonstrably false. People around the world, especially those with money and influence, are especially prone to having both their public and private communications hacked if they do not comply with China’s requests. Hackers from Russia Attacks emanating from Russia are designed to generate big profits for the attackers and Russian government officials. The number of ransomware attacks originating in Russia and Belarus is staggering. Hackers from that side of the world (Russia and China) all use surprisingly similar techniques and software. The Russian state-complicit hackers phish for information, get a foothold in a network, exploit network relationships (including firmware and software vulnerabilities). This is where businesses need to pay close attention to all aspects of their cyber security and sensitive information, because something as ridiculous as an unsecured digital thermometer in a fish tank can leave a digital door wide open to your whole business. Yep, you read that right… a fish tank. You can read about that whole scandal here. “Ransomware attacks on small and medium-sized businesses are common.” While small or medium sized businesses may not be an immediate target for state-sponsored hackers from Russia or China, professional hackers around the world have targets of all shapes and sizes. As time goes on these criminals use evolved resources and their attacks get quicker, smarter, and harder to detect. So, how can a business determine their current level of vulnerability? How can businesses detect these attacks and what can be done about it when they happen? Step 1) Get a technical site review done by our experts at Razoyo to guide you through securing your business. Step 2) Read Part 2 of this blog where we let you know what can be done to defeat and defend against these relentless hackers once and for all.