Cyber threats are evolving at a dynamic pace, and during the pandemic, the shift to working from home compounded the risks. Yet for the most sophisticated attacks, only a basic level of security is insufficient. Advanced persistent threats (APT threats), new types of ransomware or fileless attacks can only be warded off by more comprehensive, multi-layered protection – an endpoint detection and response (EDR) tool. ESET has it in its arsenal in the form of ESET Enterprise Inspector.
Ransomware evolves: ‘Pay up or we’ll release your data’
Ransomware used to be characterised by the attacker encrypting sensitive content, which the victim could only access after paying a ransom. Today, attackers keep a back door open in case the victim of an attack refuses to pay to access data they have backed up elsewhere. In order to extort money even in such a case, hackers copy the files in advance in order to blackmail them into making them public. This requires them to use sophisticated methods to snoop undetected for extended periods of time on the devices of compromised individuals or companies.
Many forms of ransomware
During its evolution since the late 1980s, ransomware has taken many forms. First, it attacked computers via infected floppy disks, where it hid directories and encrypted file names on the hard drive. The virus prompted the user to renew his license by sending $189 to a mailbox in Panama. There are also known cases where attackers have locked up entire devices without encrypting anything. Locking the screen or displaying pornographic material is no exception. The common denominator in all these unpleasant situations is the extortion of ransoms.
Blocking content from attackers is no longer enough
Many companies have learned from the attacks over the years. They have implemented protective technologies, created resilient backups, and are less and less willing to pay hackers to access their data. Attackers, however, are not willing to give up their revenue, and are therefore increasingly reaching for Plan B. They no longer rely solely on encryption and file blocking. Sensitive documents are copied outright. Victims are then threatened with publication if they do not pay up. This is not a new extortion technique, but as ESET’s Cybersecurity Trends 2021 report points out, these attacks are on the rise.
Such a procedure is more time-consuming and requires the attackers to have specific skills, but also a lot of patience. In fact, hackers need to get into the network quietly, and it is not enough to send out simple phishing emails and hope that an inattentive employee will let ransomware into the system. Vulnerabilities in remote access protocols, for example, attacks aimed at stealing access credentials, as well as traditional social engineering techniques, are also gateways for such attacks.
Once attackers manage to penetrate a corporate network, they must move through it unnoticed. At this stage, they collect information and other access credentials that ensure they remain in the system after the original access path has been cut. Mapping corporate documents is time-consuming. This is because hacking groups target data that is worth gold to companies. Attackers go after files whose blocking or disclosure would cause colossal damage to businesses. It is only when they secretly obtain them that the attack turns into an outright extortion racket.
Astronomical ransom
The need to fund more sophisticated tactics has also been reflected in the price lists of hacking groups. Meanwhile, the increase in the ransom demanded is astronomical. To illustrate, in 2018, the US city of Atlanta was hit by a traditional ransomware attack. Hackers encrypted the servers of key infrastructure and demanded 51 thousand dollars from the city. Atlanta responded correctly, refused to pay and rebuilt its infrastructure for $9.5 million. A year later, the attackers hit the cities of Lake City and Riviera Beach City in Florida, which decided to comply with the hackers and both paid $500 thousand and $600 thousand, respectively.
During a ransomware attack on one of America’s largest pipelines in May this year, cyber criminals crippled fuel delivery in the eastern US. Colonial Pipeline eventually paid up to $4.4 million to the attackers. Compared to that amount, the ransom demanded from Atlanta three years ago looks insignificant. However, all the indications are that the ransom increases will continue.
How to protect yourself?
Companies that choose to invest in prevention need not worry about the catastrophic scenario of being forced to pay out seven-figure sums. In fact, there is effective protection against sophisticated ransomware attacks, namely the Endpoint Detection and Response (EDR) tool. ESET is one step ahead of the attackers with its ESET Enterprise Inspector solution. This EDR tool can avert the very first hidden phase of a ransomware attack that is not detected by the underlying security software. ESET Enterprise Inspector enables detailed analysis of suspicious activity in the early stages of an attack, preventing hackers from getting deeper into the system. The EDR solution continuously monitors networks and activity on endpoint devices in real-time. It thus proactively searches for ransomware by early detection of hidden insider threats or phishing.
Keep up with fileless attacks as well
It’s no secret that cyber attackers seek to use techniques that make it difficult to detect and deter their nefarious activity. In doing so, they increasingly rely on compromising legitimate and trusted programs already installed by users. Since such attacks take place outside of files, the perpetrators leave only minimal traces behind. However, suspicious behavior that goes unnoticed by basic security software can still be detected by more sophisticated EDR tools.
More complex and targeted attacks
In recent years, we have seen the use of increasingly complex and precisely targeted attacks. In this context, security experts have long drawn attention to so-called fileless attacks, which take place through the operating system’s own tools. Attackers infiltrate pre-installed programs without introducing additional malicious files to the device. In doing so, the malware gets into legitimate applications through their vulnerabilities.
The trigger of fileless attacks is usually users. A common scenario is clicks on a compromised link in a phishing email. In order to display the content, the page launches Flash. Through its vulnerability, the malicious code gets to Powershell, which is a software component of Microsoft Windows and has unrestricted access to the operating system. In this way, the malware gets into pre-installed applications without alarming the underlying security software. Malicious activities are often executed from memory and leave almost no trace. Malware can operate on a network for long periods of time, giving the attacker progressively greater privileges. Once the necessary powers have been gained, there is nothing to stop the perpetrators from extracting the stolen data.
As these attacks are difficult to detect, hackers use them to increase the effectiveness of illegal activities in an attempt to remain invisible. These are not new forms of attacks, but experts expect them to grow in importance in the near future. According to ESET’s Cybersecurity Trends 2021 report, hacker groups will target critical infrastructure and the financial sector in particular.
More sophisticated protection is needed
As these sophisticated fileless attacks escape the radar of off-the-shelf security software, companies that rely only on basic protection are particularly at risk. On the other hand, companies that can monitor the entire threat lifecycle from the initial attempts of the perpetrator to penetrate the system have an advantage. Businesses should therefore consider deploying multi-layered protection to increase threat visibility.
Fortunately, security experts are keeping pace with the attackers. As with new forms of ransomware, fileless attacks can make a dent in hackers’ budgets with EDR technology, which is able to respond quickly in real time at the slightest hint of suspicious activity across the network. ESET Enterpise Inspector catches behaviour that looks dangerous from the start. It also analyzes incidents that could be part of a larger attack and isolates devices that may be infected.
The pandemic has accelerated digital transformation, which brings with it security challenges. It is therefore more crucial than ever for companies to be able to catch suspicious behaviour across the network early. After all, one wrong click by an inattentive employee at the home-office can trigger an avalanche of problems for the entire company.
