Thursday, October 10, 2024
Tech and Innovation

Ransomware-as-a-Service: The Threat That’s Making Cyber Resilience More Important Than Ever

In late 2023, we covered the topic of cyber-attacks through a very detailed interview with Ram Elboim, CEO of Sygnia. As seen from that interview, the subject is dynamic, susceptible, and requires quite a lot of technical knowledge. The recent cyber-attack suffered by the British Library in London is a concrete example.

Due to ransomware – a program that, once installed, renders a system inaccessible – library services are unavailable, and sensitive user and employee data, including names, e-mails, and phone numbers, have been stolen. Usually, groups that carry out such attacks demand a financial ransom to make the data accessible again.

Together with Sygnia and two of its leading figures, CEO Ram Elboim and UK and Northern Europe Managing Director Azeem Aleem, we will try to build on this example to understand other aspects of this complex and dangerous world.

The attack suffered by the British Library in London shocked everyone for several reasons. What happened? Who carried out the attack? Why does this attack represent such a big problem? 

Azeem: “The cyber-attack on the British Library highlights how ransomware gangs are leaving no stone unturned, attacking not only businesses of all sectors that have high-value data, but now academia too. It also shows the brutal nature of triple extortion attack methods – crippling business operations and stealing data, before putting it up for ransom and publishing the data. Academic environments typically have fewer security protocols, with under-invested security teams, and are riddled with unpatched software and apps that, when combined, create the perfect playing field for hackers.

The British Library is a national treasure with a collection that holds some of the World’s most prized manuscripts, music scores, sound recordings, and first-edition books, including William Shakespeare’s plays. In this case, the Rhysida gang, a relatively new but substantial ransomware group, shut down the British Library’s website, phone systems, and other onsite services, causing an outage before stealing user data and employee details – almost 500,000 files amounting to 573GB. Within a matter of weeks, the gang had threatened to put that data up for sale if a ransom of 20 Bitcoins, which is approximately $760,000, was not paid. Rhysida also shared proof of their access by leaking low-resolution screenshots of ID scans stolen from the library’s compromised systems.

Since the British Library had refused to pay the ransom, within a week, the gang had made almost 90% of that data available for anyone on the Dark Web to download.”

Ram: “Rhysida is among a new class of cybercriminal gangs that are using modern approaches in how they operate – offering proprietary ransomware infrastructure and tools for hire, also known as Ransomware-as-a-Service (RaaS), in a profit-sharing model that splits payments between the group and its ecosystem of affiliates.

Ransomware is costing UK businesses many millions of pounds each year in downtime and ransom payments. We are seeing more attacks on national infrastructure, healthcare organizations, and educational institutions than ever before – with consequences that in some cases, can gravely impact the lives of their victims.”

It was said last time that the decision to pay or not to pay is up to the business owners, who must consider the actual risk to the business and the ability to restore operations safely. Considering this, the choice made by the British Library in London is even more striking. How can their choice be explained? 

Azeem: “Based on what we can gather, the threat actors had gained access to the British Library’s IT environment for a few weeks, if not more, before being discovered. At this point, data had already been extracted. Since the British Library is a national asset, agreeing to a ransom could have set the precedent for more attacks. The British Library Cyber Security team may have also believed that their remediation strategy would be effective in outweighing the risks of paying the ransom.

However, we now know from reports that this is not the case, and it will now perhaps cost the British Library almost £5-7 million and many months to recover from the attack.

This underscores two neglected spheres within many organizations. The crucial aspect is not only the breach itself, but rather minimizing the BET (breach exposure time), swiftly transitioning from attacker presence to detection. It necessitates a comprehensive grasp of your critical assets (crown jewels) and a proactive remediation plan in the event of compromise.”

Ram: “We must remember that paying a ransom is no easy decision. Organizations that are under attack face a catch-22 situation: to pay the attacker and enable them to continue their malicious activity, or resist paying, and risk system outages and their data being leaked. Threat actors know this and often play tricks to place additional pressure on their victims, using shorter deadlines and delay tactics in responding to messages, to create more fear and panic.

Upon receiving the first message from the attacker, organizations should seek counsel from experienced experts who will assess the likelihood that they have been breached, see what they may not be seeing, and help mitigate the effects.

Ransomware negotiation could have provided the British Library with more intelligence to immobilize the attack. For example, our trained ransomware negotiators are not necessarily enlisted to just negotiate the financial transaction but more importantly to support the team by gathering vital intelligence on the breach. They play along with the attackers’ game while finding the source of the ‘entry point,’ helping to contain the threat so no further leaks can take place, and identify what data may have been taken, if assets have been stolen at all, so that we can determine the actual value of the data and work quickly to help the organization get back online.

By using several strategies to speak with the attackers, negotiators can help organizations to delay or reduce the ransom, or not pay it at all because we have already immobilized the attack.”

Azeem: “The attack on the British Library is also a stark reminder to all organizations on how ransomware gangs are operating and why being cyber-ready has grown in importance – from understanding your terrain and what your most valuable assets are, to how to best protect them from an attack.

We encourage organizations to simulate attacks and establish a ‘war room’ so that they can understand how their employees may react. This helps to figure out the process of escalating the attack to the right people within the company so that they can move offline, isolate the breach, run back up, etc., streamline their communications process to protect customers and stakeholders, and even implement methods to report to regulatory bodies so that they are more confident, assured, and prepared if an attack does occur.”

Regarding the stolen data, what will happen now? Will they be able to fully recover them? What happens to the privacy of the people involved? 

Azeem: “Unfortunately, what the Rhysida group has already leaked is now out there and it is impossible to undo that. However, that being said, the British Library, like any other organization, can still protect other valuable data that hasn’t been stolen. When clients are notified that their data has been breached, they are advised to assess its importance and take measures to protect themselves. For example, credit cards, if taken, can be replaced, passwords can be changed, specific types of IDs can be updated, etc. to protect employees and customers.

Any recovery process will involve finding and deploying data backups to help restore what has been lost, building a robust resilience plan and protocols to limit future attacks, and tracing the digital footprints of the attack to find out how it spread through an organization’s IT system. It can be a painstaking process that will require investment, time, and effort.”

How are cyber attackers currently operating? Why is ransomware-as-a-service fast becoming the first-choice method for attackers? 

Ram: “Ransomware threat actors have become far more organized in their operations, building entire ecosystems of affiliates and internal sales, HR, and payroll teams – much like any successful legitimate organization. These threat actors can now execute ransomware attacks against hundreds and thousands of world-wide and cross-sector businesses, making it extremely lucrative. To capitalize on this, those with the skills and means to establish solid infrastructures have developed new business models, like the software-as-a-service (SaaS) model, so that they can sell or lease their tools and services to others through Dark Web channels for meaningful shares of the ransom payments.

Ransomware-as-a-Service (RaaS) has grown in popularity to the point where there are now initial-access brokers (IABs) who play a significant role in the ransomware ecosystem by speeding and scaling up ransom operators’ access to targeted networks. IABs provide their services and products not only to other cybercrime threat actors but also to nation-state groups for financial gain.

Last year, we saw a significant shift in the ransomware landscape as some ransomware groups shifted away from encryption in favor of data exfiltration and extortion. This strategic swing, combined with the growth of RaaS, enables non-sophisticated threat actors to carry out data-theft attacks even if they don’t have access to high-quality ransomware encryptors. Traditional threat actors have opted for these low-cost and rapid intrusions rather than full-blown double-extortion attacks because they require less effort but are just as lucrative.

This shift, along with the new SEC regulations, emphasizes the need for organizations to make substantial adjustments in their ransomware readiness strategies. For example, organizing and provisioning the company’s sensitive data ahead of time allows for better detection if and when the data is exfiltrated, and knowing what data was actually obtained by the attackers enables a more informed response to ransom demands as well as to PR implications.”

According to experts, the technology trends of 2024 include cyber resilience. What is it? How does cyber resilience differ from the cyber security concept? 

Ram: “While cyber security focuses mostly on trying to prevent the attack from happening, cyber resilience is a much broader concept that involves also detecting attacks in time, training, and simulation, and making actionable plans knowing the attack will come.

Business leaders are waking up to the growing cyber risks that their businesses face and the evolving threat landscape and have begun to invest and build security fundamentals like cyber resilience to recover quickly from a cyberattack with minimal disruption to business operations.”

Azeem: “Cyber resilience empowers the organization to proactively construct an environment that thwarts pre-emptive cyber-attacks, enabling the establishment of a robust foundation. This foundation aids in profiling cybercriminal behaviors, staying ahead of the curve. In the event of an attack, it ensures critical applications have a coherent backup and remediation plan, swiftly restoring online functionality.”


Copyright 2024 The CEOWORLD magazine. All rights reserved. This material (and any extract from it) must not be copied, redistributed or placed on any website, without CEOWORLD magazine' prior written consent. For media queries, please contact: info@ceoworld.biz
Riccardo Pandini
Riccardo Pandini is an Academic Tutor at the University of Milano-Bicocca and a writer at the State of Mind, an online journal of psychology, psychotherapy, neuroscience, psychiatry, and various current affairs.


Riccardo Pandini is an opinion columnist for the CEOWORLD magazine. Connect with him through LinkedIn.