Ransom and extortion motivated attacks

14:00 | 09/10/2017 Information Technology

(VEN) - In a digital climate in which avoiding downtime is a competitive advantage, ransom-motivated attacks can be a nightmare for network security teams. Ransomware is malicious software designed to infect a vulnerable computer system and encrypt its files so that an attacker can demand a sum of money to unlock them.

There are two main types of cyber-attacks companies face today that involve ransom and extortion:

Ransom attack: Attackers encrypt the files on an organization’s network with ransomware, effectively holding the data hostage and refusing to unlock the files unless a ransom fee is paid.

DDoS extortion attack: Attackers threaten an organization with a DDoS attack unless a fee is paid. DDoS extortion has been a problem for security teams for many years, and it remains a primary motivator for DDoS attacks.

Two recent global ransomware attacks, WannaCry and NotPetya, have increased public visibility into the devastating effects that ransomware can have on an organization’s critical assets. The WannaCry ransomware attack affected more than 300,000 computers in more than 150 countries. The NotPetya ransomware attack was more destructive. It spread faster than the WannaCry ransomware and caused “permanent and irreversible damage” to a computer’s hard drive. One report shows that in 2016 almost half of United States-based companies experienced a ransomware incident.

DDoS attacks and ransomware attacks are damaging enough when used separately to cripple an organization’s network. However, cybercriminals are becoming more sophisticated and are combining DDoS attacks and ransomware for greater impact. In one published attack, a ransomware variant held the organization’s machines and data hostage until the ransom was paid. While the attackers waited for the ransom payment, they used the organization’s machines as a botnet to launch DDoS attacks on another unsuspecting victim.

Domain Name System (DNS) controls can play an important role in helping to identify and protect users from malware and ransomware attacks. When DNS resolvers consume security risk information feeds, that information can be used to build filters that proactively identify and block command-and-control (C2) connection attempts. Such filters can help stop the encryption process used by many ransomware strains, since many of them contact a C2 server for keys or instructions before encrypting.
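The following is an added example, not code from the VEN article, showing how a resolver-side filter of the kind described above works: a small threat feed (constructed, not real indicators) is matched against DNS query log lines (also constructed), queries for listed domains or their subdomains are answered with a sinkhole address instead of being forwarded, and the matching clients are reported so the security team can investigate likely infected hosts. The log format, the feed layout, and the sinkhole address 192.0.2.1 are all assumptions made for the example.

```python
"""Toy DNS policy filter: match queries against a threat feed and sinkhole hits.

Added example (assumptions: feed layout, log line format, sinkhole IP).
"""
from collections import Counter

# Constructed sample of a security risk feed: domain -> category.
# These are documentation/reserved names, not real indicators.
THREAT_FEED = {
    "c2-example.invalid": "c2",
    "payload-host.example": "malware",
}

# Assumed sinkhole address (TEST-NET-1, reserved for documentation).
SINKHOLE_IP = "192.0.2.1"

# Constructed resolver query log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = [
    "2017-10-09T14:00:01Z 10.0.0.5 A www.c2-example.invalid",
    "2017-10-09T14:00:02Z 10.0.0.7 A www.example.com",
    "2017-10-09T14:00:03Z 10.0.0.5 TXT payload-host.example.",
    "not a valid log line",
]


def normalize(qname):
    """Lower-case the name and drop a trailing root dot so lookups are exact."""
    return qname.rstrip(".").lower()


def feed_match(qname, feed=THREAT_FEED):
    """Return the feed category if qname or any parent domain is listed, else None.

    Walking up the label chain catches subdomains of a listed C2 domain
    (www.c2-example.invalid still matches c2-example.invalid).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None


def policy_answer(qname, feed=THREAT_FEED):
    """Decide what the resolver returns: ("sinkhole", ip) or ("forward", None)."""
    if feed_match(qname, feed) is not None:
        return ("sinkhole", SINKHOLE_IP)
    return ("forward", None)


def parse_log_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": normalize(qname)}


def filter_log(lines, feed=THREAT_FEED):
    """Return an alert record for every query that hits the feed."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip malformed input instead of crashing the filter
        category = feed_match(rec["qname"], feed)
        if category is None:
            continue
        action, answer = policy_answer(rec["qname"], feed)
        alerts.append({**rec, "category": category, "action": action, "answer": answer})
    return alerts


def clients_to_investigate(alerts):
    """Count feed hits per client so the noisiest hosts are triaged first."""
    return dict(Counter(a["client"] for a in alerts))


if __name__ == "__main__":
    hits = filter_log(SAMPLE_LOG)
    for a in hits:
        print(f"{a['ts']} {a['client']} -> {a['qname']} [{a['category']}] {a['action']} {a['answer']}")
    print("clients:", clients_to_investigate(hits))
```

In a real deployment the feed would be refreshed from the vendor on a schedule and the sinkhole answers would come from the resolver's response-policy mechanism; the value of the sinkhole over a plain refusal is that the client still gets an answer, so its follow-on connection attempt lands on an address the security team controls and can log.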

Minh Duyen