The war on cybercrime and ransomware: are you ready?

Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet’s FortiGuard Labs, writes about cybercrime as a business and how to take action against it.

We are seeing an increase in effective and destructive cyberattacks that affect thousands of organizations in a single incident, creating an important inflection point for the war on cybercrime. In the case of ransomware, some operators are shifting their strategy away from email-initiated payloads toward gaining and selling initial access into corporate networks, a further sign of how Ransomware-as-a-Service (RaaS) continues to evolve and fuel cybercrime. Ransomware is therefore about much more than the ransom itself; it is also about access. In fact, recent data from Fortinet’s FortiGuard Labs shows that average weekly ransomware activity in June 2021 was more than 10x higher than one year earlier. According to Fortinet’s State of Ransomware survey, it has become the top threat concern for many organizations today.

Attacks have crippled the supply chains of many organizations, disrupted our daily lives and productivity, and hurt commerce more than ever before. With much of the workforce working remotely and virtual learning continuing, every one of us is now a potential entry point for an attack. But the situation is not as bleak as it might seem: law enforcement and cyber defenders are collaborating and working diligently behind the scenes to detect and respond to all kinds of threats. Now is the time for everyone to join the fight against cybercrime.

Cybercrime Is a Business Too

Cybercrime has become big business, complete with call centers that help victims pay ransoms, tech support, affiliates who move and launder money, and operators who run Dark Web forums where code is created and sold. Take ransomware-as-a-service (RaaS), for example: a subscription-based model that lets partners (affiliates) use ransomware tools already developed by someone else to execute attacks. If an attack succeeds, the affiliate earns a percentage of the profits, sometimes as much as 80%, and everyone else in the chain takes their cut. This booming cybercrime ecosystem generates more than a trillion dollars of revenue every year. And its supply chain keeps growing, because the bad actors are better funded, they adopt new components and service models, and they keep changing their tactics and raising their game.

This has led to an increase in cyberattacks, and the result is that we are now at an important inflection point for the war on cybercrime. Now more than ever, each of us has a critical role to play in breaking the cyber kill chain by thwarting the attacker at each step: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. An attacker has to succeed at every step; a defender only has to stop one of them.

How does the cybercrime supply chain work?

In most sophisticated ecosystems, multiple people and functions work together, and cybercrime now works the same way. In the cybercrime supply chain, suppliers create and produce things like malware and zero-day exploits, then license, sell, and share that technology with distributors and affiliates, who in turn sell their “solutions” to clients who aim them at victims. In other words, they use their own supply chain to better infiltrate their victims’ supply chains.

And they have one goal in mind: profit. There are people behind the scenes who manage transactions, secure the funds, launder the money, and distribute the payouts. Just as in any corporation, they may work with account managers who coordinate the sale. And then there are the money mules who move the money so that it cannot be traced.

Disrupt their supply chain

Threat hunters and researchers follow these criminals’ moves and study their tactics and playbooks so that they can replicate and detonate the attacks in controlled environments. We use heat maps of recently observed techniques to understand what attackers are thinking and what they have actually deployed, which is key: their heat maps become our roadmaps, pointing us toward the detections and countermeasures that matter most. Because many cybercriminal organizations operate like a business, we as defenders can turn their own model against them, using real-time data and high-resolution intelligence to disrupt their supply chain, raise their cost of operating, and force them to shift tactics.

Our efforts are also starting to pay off. Several events so far in 2021 count as wins for the defenders. Take TrickBot, for example: one of its original developers was arraigned on several charges in June. There was also the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, as well as actions to disrupt ransomware operations such as Egregor and NetWalker. These wins show the momentum of cyber defenders, including collaboration among global governments and law enforcement. The US Department of Justice (DOJ) sent a strong message when it charged a NetWalker affiliate who had walked away with $28M, one of the first times that law enforcement has gone after the business partner and not just the developer. This needs to happen more often; if affiliates face a real risk of prosecution, they may be less inclined to participate. The attention that some of these takedowns have attracted has already forced a few ransomware operators to announce that they were ceasing operations altogether.

Educate Yourself and Take Action

By educating ourselves on best-practice cyber hygiene, collaborating with other defenders, and leveraging tools such as artificial intelligence (AI) to detect threats and apply countermeasures, we can stay one step ahead of the bad guys. Reacting to a security breach is one thing; stopping it before it can do any damage is another. Automated threat detection and AI are critical tools for addressing attacks in real time and mitigating them at speed and at scale, especially across large numbers of individual endpoints. Zero Trust approaches need to be implemented to enable secure access for remote work and learning. In addition, cybersecurity user-awareness training is as important as ever, because home workers and students, not just organizations, are now targets of cyberattacks.

An easy way to gain some powerful cybersecurity knowledge is through the extensive training and education programs of Fortinet’s NSE Training Institute (NSE), part of Fortinet’s Training Advancement Agenda (TAA), which offers free courses for anyone interested in learning about cybersecurity as well as more advanced programs for cybersecurity professionals. Learning the basic ins and outs of cyberwarfare can only help all of us fortify ourselves against attacks.

As cybercriminals become more sophisticated and creative, so do we, in lockstep. Collaboration and the sharing of threat intelligence among enterprises, law enforcement, and government entities help shine a light on the bad actors. And when they are taken down, it is taking them longer to recover. Some affiliates are abandoning their criminal organizations altogether because they too have become targets of law enforcement.