Step 1: Phish. Trick an exec to click on a credible-looking phishing email to log in to one of their accounts.
Step 2: Infect. Use the execs email to send a malware attachment to an IT admin.
Step 3: Cash in. Let the malware encrypt all systems and wait for ransom from the victims.
Hackers use this common technique to infiltrate, exploit, and cash in on their victims. Some attacks are more sophisticated and targeted; others work by mere chance. What they all have in common is this: at one point or another, a user is tricked into giving away access, usually in the form of a password or another MFA-protected credential.
But how do these attacks actually work? Let's use the example above and break down each point to better understand the type of threat landscape we're dealing with and how we make our systems and data better protected.
As the first line of attack, hackers typically deploy phishing campaigns en-masse to make sure they trick as many users as possible and increase the number of targets they have the potential to demand ransom from. The fundamental idea behind most phishing campaigns is that it doesn't matter who gets caught or what organization they're coming from. Their effectiveness is typically enforced by a variety of stress tactics, where the victim is made to believe they must take action or something bad will happen otherwise: ironically, often a threat of breach is used as a way to motivate users to, e.g., update their password or perhaps download a document with instructions on how to update an anti-virus on their device.
Phishing campaigns typically have one of two goals, which can be split up into sub-goals depending on the specific strategy the adversary decided to employ:
The technical goal of ransom-based attacks is typically to get hold of and/or encrypt sensitive or business-critical information. To do that, hackers need to get hold of accounts with high privileges that can view and alter sensitive data. They can then either:
The threat of data leakage or loss is communicated as part of an offer by the adversary with a demand of payment typically around $1 million, where the victims, on average, paid $870.000 in value in Q3, 2023, typically paid in Bitcoin or other "hard-to-trace" store of value. The total cost of a breach for small and mid-size enterprises is typically around $3 million.*
To make things even worse, the transaction in no way guarantees the promised result. Once payment is made, adversaries often decide to leak the data anyway or not provide a functioning decryption key that the victim needs to access the data. In many cases, even when a decryption key is provided, it doesn't function properly to restore all of the data that has been encrypted by the attack.
In either case, the direct and indirect financial damage is typically in the millions, is always disruptive to an organization's ability to function normally, and to small to mid-size enterprises is often devastating.
Unfortunately, given the geopolitical landscape and the state-of-the-art capabilities of law enforcement where hackers are dealt the better cards, organizations and individuals have no choice but to invest in better protection capabilities to mitigate the most prominent and destructive hacking techniques, which ransomware is spearheading.
Here are a few things businesses should do to protect their data and systems better:
Here are a few that are important to look into if you're managing systems/applications of your own:
You can improve your organization's ability to defend itself from hackers in many other ways. It is, for example, good practice to have an incident response plan since no security is absolute: if s**t hits the fan, you want a step-by-step plan to execute in case of a breach. It's also better to train employees than not, even if it's not the most effective. So, where do we focus our resources?
Do a cost-benefit analysis to know where there's most room to effectively improve your organization's defenses with the least total effort and invest there. Cybersecurity is an investment, so treat it like one.
*Cost of a Data Breach Report 2023, IBM
As the CEO and co-founder at Peig, David helps organizations get rid of passwords and up their cyber game with passwordless access security. Before this, David was a Digital Identity Director at ADUCID, where he co-designed citizen-centric identity solutions and helped develop federal and private partnerships.
As a frequent speaker at security conferences, David is a vivid promoter of human-centric security architectures that leave passwords in the dust.