Ransomware and Cybercrime
eBook - ePub

Ransomware and Cybercrime

Andrew Jenkinson

182 pages, English, ePUB (mobile friendly), available on iOS & Android

About This Book

In May 2021, Jim Gosler, known as the Godfather and commander of US agencies' cyber offensive capability, said, ''Either the Intelligence Community (IC) would grow and adapt, or the Internet would eat us alive.'' Mr Gosler was speaking at his retirement only several months before the terrorist attacks of 9/11. He possibly did not realise the catalyst or the tsunami that he and his tens of thousands of US IC offensive website operatives had created and commenced.

Over the last two decades, what Mr Gosler and his army of Internet keyboard warriors created would become the modus operandi for every faceless, nameless, state-sponsored or individual cybercriminal to replicate against an unwary, ill-protected, and ignorant group of executives and security professionals who knew little to nothing about the clandestine methods of infiltration and weaponisation of the Internet that the US and UK agencies led, all in the name of security.

This book covers many cyber and ransomware attacks and events, including how we have gotten to the point of massive digital utilisation, particularly during the global lockdown and COVID-19 pandemic, to online spending that will see twice the monetary amount lost to cybercrime than what is spent online.

There is little to no attribution, and with the IC themselves suffering cyberattacks, they are all blamed on being sophisticated ones, of course. We are witnessing the undermining of our entire way of life, our economies, and even our liberties. The IC has lots to answer for and unequivocally created the disastrous situation we are currently in. They currently have little to no answer. We need—no, we must demand—change. That change must start by ensuring the Internet and all connections to it are secure and no longer allow easy access and exfiltration for both the ICs and cybercriminals.


Information

Publisher: CRC Press
Year: 2022
ISBN: 9781000585896
Edition: 1
Subtopic: Management

1 Stuxnet to Sunburst and Ransomware Development

DOI: 10.1201/9781003278214-1
My previous book, Stuxnet to Sunburst, 20 Years of Digital Exploitation and Cyberwarfare, took the reader on a journey through numerous specific cyberattacks and the first use of digital code for warfare in the form of Stuxnet, which used digital certificates laced with malicious code. It went in depth into many attacks and concluded with the similarities to the SolarWinds breach, which started in early 2020 and surfaced in December 2020, affecting thousands of clients including the US government. What made this ironic is that SolarWinds is an American company that develops software to help manage clients’ networks, infosec, and infrastructure. As a well-known and highly utilised US government supplier, SolarWinds could not have been better placed to be breached and cause maximum infiltration, disruption, and unfettered access. What made it a double whammy, in many ways, was that once Domain Administration Access had been achieved by hijacking a legacy, insecure subdomain, the adversaries laced SolarWinds’ own digital certificates, which were distributed and used to update customers’ versions, with Sunburst, the name given to the code. Furthermore, a delay of 13 days from update acceptance, often without any intervention, was set before Sunburst was activated, an identical timeframe to that used in Stuxnet. Is that just a coincidence with Stuxnet’s own 13-day delay from infiltration? We think not.
Both Stuxnet and Sunburst were cyberattacks with a specific purpose: the first to destabilise, slow down, or even halt the Iranian nuclear program, the second to cause major disruption and infiltrate the US government, including the Treasury. This can only be a bad thing, as the United States, indeed all organisations and governments, do not have proper controls or know what their enterprise contains; chances are they contain much more now, along with data exfiltration.
Over the last few years, organised crime has watched and learned how simply and anonymously similar attacks can be utilised as part of its overall illegal business plans. In fact, they are so easy that digital cyberattacks have overtaken and surpassed all other forms of crime, and are so successful as organised crime that the criminals are in fact much better organised than the people charged with ensuring security. It is also not unreasonable to confirm that the good guys have to secure 100% while the bad guys need only find a single access point. This situation was further exacerbated by the revelations in 2013 by Edward Snowden and others, who confirmed the access points and tools used to infiltrate organisations and governments to gain digital access and exfiltrate information and data. The harvesting of this data gave control and power; however, once it fell into the wrong hands, the birth and early iterations of Ransomware were spawned, and the global market and economy would change forever…
What is Ransomware? In the simplest of terms, Ransomware is the name given to a type of Malware from cryptovirology that typically threatens to publish the victim’s data or block access to it unless a ransom is paid. As we know, holding a person hostage and not releasing them until a ransom is paid is highly illegal. In the digital world, it is seemingly tolerated, even accepted, which is why organisations like Darkside, who hit Colonial recently, have received an estimated $90 million over the last several months…
Ransomware has evolved over the last few years, even more so over the last year or so, and now it typically means cybercriminals exfiltrate data and then demonstrate to the victim that the data is in their possession, proving they have been able to remove it. They offer to sell it back at a premium, and so the next attack commences. Let us look at this closer, as it is an area that even some of the biggest and best leaders in security don’t fully understand. In or around 2013/2014, Google and others wanted to move from the weak HTTP (Hypertext Transfer Protocol) to HTTPS to ensure better and stronger security for website visitors. The S part of HTTPS effectively stood for security and meant all data would be encrypted as opposed to being sent in plaintext form. Plaintext form is text as you are reading here, hopefully easily understood by everyone. You will be familiar with various email and communication apps such as WhatsApp, Signal, and so on. These have all been designed with the same purpose in mind: to ensure messages are encrypted and can be decrypted only by the recipient, or that was at least their desired business plan at the outset.
What Google possibly never realised is that not everyone would adopt this great new security position, and that what took years to agree on, design, and develop for global increased security would in fact make it even easier to identify organisations that were not using HTTPS and, as such, were maintaining data in plaintext form. It would become a cybercriminal’s staple diet to go to organisations that maintained HTTP, gaining easy access to plaintext data, enabling them to encrypt it and demand a ransom for the decryption capability. Google confirmed they would share details of those that ignored the upgrade to HTTPS by showing a Not Secure text in the address bar. The list of organisations that have fallen foul of such oversight or negligence reads like a who’s who of governments, Fortune 500, and FTSE 100 companies.
It gets worse. The HTTPS element refers only to the validity of the digital certificate; that is, does the site have the correct certificate, is it valid, does it match the domain, and is it of the correct type. What it does not tell you is whether the domain is configured correctly or has other security vulnerabilities that are exploitable. Does it use a hosting provider, shared services, DNS (Domain Name System) or CDN (Content Delivery Network) third-party content, and so on?
The self-inflicted challenge is rarely understood, and that shamelessly includes Captains of Industry and far too many Chief Information Security Officers. This is cause enough for concern, as although maintaining a Not Secure domain confirms a total lack of Internet security controls and management, it also highlights a lack of internal security by default. Furthermore, it also confirms that domains are being published, often using third-party content, hosting providers with shared responsibilities, or servers using older code written for HTTP, which relegates the entire site to being Not Secure. Unauthenticated, lacking data integrity, and data often in plaintext: it is easy to see why 200,000 websites of the 1.2 billion are targeted and attacked each day, and why successful attacks are costing the global economy $billions, even $trillions, annually.
In the last 12–24 months, my associates all around the world have been sending me details of local Ransomware attacks, from Healthcare in Australia, New Zealand, the United States, Ireland, the United Kingdom, and many more. It used to trickle through at the rate of around 4 or 5 per week; now it is that many daily. It would take a full-time analyst just to record all the Ransomware attacks alone, let alone the monies paid.
In 2019, a meeting of the US Senate Committee first agreed that paying Ransomware was unacceptable and would lead to further crimes, and they were not wrong. Further Bills have since been proposed to ban Ransomware payments. This stops short of making it illegal, and even Insurance companies, until very recently, were willing to pay Ransomware as part of the overall policy and often would take an active role in negotiations. Now, call me crazy, but is this not simply a blatant reshuffling of monies from A to B, allowing further crimes to manifest? Furthermore, every company we have researched that has been breached has sub-optimal, insecure domains, making them exposed, vulnerable, and easily exploited. This fact alone should nullify their insurance coverage and policy, and yet in one example, University Hospital of New Jersey paid $675,000 whilst maintaining a Not Secure homepage, agreed to the payment of Ransomware with their Insurance providers and state, and remained Not Secure some nine months later. … Their Not Secure position acted as a beacon for Cybercriminals, and they paid and continued to ignore the root cause.
Being very candid, most companies simply ignore basic security and then get breached. It is like smoking and ignoring the warnings on the side of the packet or driving blindfolded and expecting nothing to happen.
RTFs (Ransomware Task Forces) have recently been set up, which one would hope is a step forward, as is the EO (Executive Order) by the Biden Administration ploughing a further $500 million into cyber security, with the NSA being heavily focused upon. Our reservation, indeed our concern, is that our two messages to the RTF have been ignored, even after sharing intelligence of their own and their panel’s websites running Fs and 0s for Internet security. Their focus, and seemingly others’, is very much on Ransomware management and simply not enough on prevention; however, given their own security posture, I guess that speaks volumes. As for the NSA, it has long been known that since the terrorist attacks of 9/11 their focus has shifted immensely towards data harvesting, with defensive resources outweighed by offensive at a ratio of more than 1–100. As such, Ransomware continues and indeed increases. As Paul Nakasone said to the Senate Committee, ‘Our adversaries do not fear us’. Given our frequent research and findings, candy from a baby springs to mind.
In addition, when organisations supported by the DOD, DHS, RTF, MITRE CWE, and thousands of others happily maintain sub-optimal security, they have not only made themselves a target but an easily exploitable one. We often advise clients when such situations occur, even though it may be uncomfortable: was the attack down to someone being complacent or complicit? Bitcoin and other digital currencies, coupled with Blockchains, enable a degree of anonymity, and one simply cannot be sure who the good guys, and who the bad guys, really are. Security is truly a choice, as is smoking, drinking, or being reckless. Domain security is critical, systemically overlooked, and ignored across sector after sector. Ransomware and cyberattacks are a self-fulfilling prophecy. Ransomware is rarely sophisticated; it is always termed so to mask incompetence and complacency. It is time to call it as it is before it is simply too late.
There are two distinct ways to decrease the chances of being the victim of a cyberattack and Ransomware. The first is simply unthinkable in today’s digital world: disconnect everything from the Internet and go back to pen, paper, and speaking directly with each other. The second is making sure the organisation controls and manages its Internet-facing and connected security. Ask yourself: why do most agencies take this area seriously and, in the main, have security at this critical area covered? They know all too well that this is the first access point for an adversary thousands of miles away; that thin cable with a connection will punish anyone who neglects their domain/server security. We explored cyberattacks on several governments, caused by insecurity, in the previous book, and we will look at several Ransomware attacks in this book; by the end of it, you will be shocked, in disbelief, and possibly a tad paranoid about just what our governments initiated and are doing to prevent this downward spiral and trajectory they started 20 years ago…

2 Not Secure, F and O…

DOI: 10.1201/9781003278214-2
We have over a hundred domains; we run bug scanning daily and fully appreciate the critical security issues and requirements of domains and security. We know some are literally holding pages with little to no data; we also know the top two dozen or so that we control and manage.
(CISO of a US $billion cyber security firm, 20 May 2021, after numerous cyberattacks, including SolarWinds)
So, I asked my vulnerabilities and research team to have a look. Within an hour, they sent me a dozen insecure domains belonging to the company; even worse, Not Secure Login domains, domains with mismatching Transport Layer Security (TLS) certificates, TLS certificates that had expired, and misconfigured domains.
As a matter of professional courtesy, I sent two screenshots to the CISO at 23:00 hrs my time in the United Kingdom to show them the findings. To the first, they responded, ‘Thanks for that, luckily that is only a client demo site’, implying it had no data or security exposure. On the second, a company videoconferencing Not Secure domain used constantly by hundreds of the company’s staff and totally open to a Man-in-the-Middle Attack, no comment was made…
We hear dozens of excuses or reasons why maintaining Not Secure domains is supposedly OK; it is simply not. Any company domain that has been allowed to fall into a situation of relying upon obsolete TLS certificates demonstrates, at the absolute best, to anyone looking that the company lacks Internet security controls and management. What is also overlooked is the fact that cyber criminals are scanning the Internet looking for F and 0 rated websites to add to their target list and launch attacks on. Put simply, a Not Secure website says a lot about a company’s overall security position and capability. If it is insecurely connected to the Internet, chances are it is not much better on the inside. Equally, as the SolarWinds breach clearly showed the world, a single domain hijacking and takeover, plus some lateral movement, and you can lace digital certificates with Sunburst malicious code and breach thousands of companies… It is not clear which part of digital open doors people fail to understand or secure; however, our research has discovered the same situation at leading global Insurance providers, including cyber insurance providers, financial service regulators, central banks, and even our own GCHQ and NCSC, and No. 10 Downing Street.
Let us consider physical premises for a moment. Let us say the same company, the cyber security company above, had premises instead of domains. Would they have the same attitude of only making sure a couple of dozen of their premises were secure, locked up, and alarmed? Of course, they would lock them all up, and yet when it comes to their digital, online, 24 × 7 domains, seemingly it does not matter. This poor view and complacency is exactly why cyberattacks are occurring constantly and are unchallenged.
In the address bar of every website, you will see its domain, such as www.example.com. In front of it, you will see either a padlock, confirming a valid TLS certificate and the fact that it is using the HTTPS protocol, or, if it is not, a Not Secure text instead. To complicate matters even more, even when a padlock is displayed, it does not mean the domain is secure and safe; it simply confirms the validity of the certificate. This confusion extends to numerous security professionals. Let me explain further. We recently informed many organisations of their overall insecure positions, including ...
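The checks the book lists for a domain inventory (Not Secure plaintext HTTP, login pages over HTTP, expired and mismatching TLS certificates) and its point that a padlock only vouches for the certificate, not for the domain's configuration, can be turned into a repeatable audit of one's own domains. The script below is an added example written for this page; it is not the author's or their research team's tooling. The sample inventory, the `.test` hostnames, the reference date and the HSTS check (used here as one concrete "configured correctly" property the padlock says nothing about) are constructed assumptions; `collect_facts()` gathers the same facts over the network for a real host and is not exercised by the offline demo.

```python
"""Domain-inventory hygiene check (added example, not the book's own tooling).

Classifies each domain the way a browser's address bar does (Not Secure vs padlock),
then applies the checks the padlock does not cover: certificate expiry, name
mismatch, a login form on plaintext HTTP, and a missing HSTS header.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import http.client
import socket
import ssl


@dataclass
class DomainFacts:
    host: str
    serves_plain_http: bool = False      # port 80 returns content instead of redirecting
    redirects_to_https: bool = False     # port 80 answers 30x with an https:// Location
    has_login_form: bool = False         # a password field was seen in the served page
    cert_names: List[str] = field(default_factory=list)  # SubjectAltName DNS entries
    cert_not_after: Optional[datetime] = None
    hsts: bool = False                   # Strict-Transport-Security header present
    tls_error: Optional[str] = None      # verification failure from the TLS handshake


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or '*' as the whole leftmost label covering one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # '*.example.test' covers 'www.example.test' but not 'example.test' or 'a.b.example.test'
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def assess(f: DomainFacts, now: datetime) -> List[str]:
    """Return the findings for one domain; an empty list means nothing to report."""
    findings = []
    if f.serves_plain_http and not f.redirects_to_https:
        findings.append("NOT SECURE: content served over plaintext HTTP")
        if f.has_login_form:
            findings.append("CRITICAL: login form served over plaintext HTTP")
    if f.tls_error:
        findings.append(f"TLS: handshake failed verification ({f.tls_error})")
    elif not f.cert_names:
        findings.append("TLS: no certificate presented on port 443")
    else:
        if f.cert_not_after is not None and f.cert_not_after < now:
            findings.append(f"TLS: certificate expired {(now - f.cert_not_after).days} days ago")
        if not any(name_matches(n, f.host) for n in f.cert_names):
            findings.append(f"TLS: certificate names {f.cert_names} do not cover {f.host}")
        if not f.hsts:
            # the padlock can be valid while the first request is still downgradable to HTTP
            findings.append("HARDENING: valid certificate but no HSTS header")
    return findings


def collect_facts(host: str, timeout: float = 5.0) -> DomainFacts:
    """Gather the same facts over the network for a real host (needs connectivity)."""
    f = DomainFacts(host=host)
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
        if resp.status in (301, 302, 307, 308) and location.lower().startswith("https://"):
            f.redirects_to_https = True
        else:
            f.serves_plain_http = True
            f.has_login_form = b'type="password"' in resp.read().lower()
        conn.close()
    except OSError:
        pass  # nothing listening on port 80 is acceptable
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after successful verification
                f.cert_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                f.cert_not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                f.hsts = b"strict-transport-security:" in tls.recv(8192).lower()
    except ssl.SSLCertVerificationError as e:
        f.tls_error = e.reason or str(e)
    except OSError:
        pass
    return f


NOW = datetime(2021, 5, 20, tzinfo=timezone.utc)  # constructed reference date

INVENTORY = [  # constructed examples on the reserved .test TLD, not real hosts
    DomainFacts("login.example.test", serves_plain_http=True, has_login_form=True),
    DomainFacts("old.example.test", redirects_to_https=True, cert_names=["*.example.test"],
                cert_not_after=NOW - timedelta(days=40), hsts=True),
    DomainFacts("video.example.test", serves_plain_http=True,
                cert_names=["cdn-shared.example.test"], cert_not_after=NOW + timedelta(days=300)),
    DomainFacts("www.example.test", redirects_to_https=True,
                cert_names=["www.example.test", "example.test"],
                cert_not_after=NOW + timedelta(days=60), hsts=True),
]


def audit(inventory, now=NOW):
    """Map each host in the inventory to its list of findings."""
    return {f.host: assess(f, now) for f in inventory}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, "->", findings or ["OK"])
```

Run as-is to see the constructed inventory classified; for a live inventory, build the list with `collect_facts(host)` for each name and feed it to `audit()` with `datetime.now(timezone.utc)`. The wildcard matcher deliberately covers a single label only, as browsers do, so a `*.example.test` certificate does not make `example.test` itself valid; a public-suffix check for wildcards like `*.co.uk` is out of scope here.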
