Between 2009 and 2010, Iran’s nuclear program was the target of a devastating cyber attack. A virus took control of centrifuge controls in facilities across the country, causing thousands of machines to break. The hackers weren’t satisfied yet, though. To add insult to injury, they reportedly hijacked the facilities' workstations and used them to play AC/DC … loudly.
Ondrej Krehel, CEO and founder of LIFARS, LLC, referenced this bizarre hack attack in his virtual session at the 31st Annual ACFE Global Fraud Conference. While the case itself has colorful commentary, it’s indicative of a darker, more insidious threat that’s prevalent today: ransomware. And what is the vehicle that enables ransomware and computer hacking into enterprises and corporate devices?
“The answer sometimes lies in DaVinci,” Krehel said. “And no, not the DaVinci code that you know of. But a computer code. And it’s all about breaking the code. Human talent and engineering creates computer programs. But human talent and engineering also breaks into that code in very vicious ways that perhaps the code was not designed to resist.”
Cyber professionals like Krehel see various vulnerabilities in platforms, operating systems, web-based interfaces and APIs. “The threat actor is exploiting and leveraging to gain a foothold into your enterprise,” he said. “Computer code is very critical. The various processes that ensure computer code is safe and secure aren’t as safe and secure as we’d like with the current state of program releases.” Krehel explained that it’s almost impossible to conduct a completely clean quality assurance process across so many different varieties of computer operating systems, programs and software.
And, unfortunately, hacking-for-hire isn’t as expensive as you would think. According to Krehel, a “digital death” only costs a few hundred dollars, and digital botnets can execute a DDoS attack on an enterprise — resulting in millions of dollars of damages — for the low price of only a few thousand bucks.
This might all sound scary, so understanding ransomware is a great first step in inoculating your organization against these low-paid threat actors. Ransomware, according to Krehel, is a malicious program that encrypts your files. The threat actor then demands payment for the key to decrypt your device.
Ransomware is generally spread through deception. Victims receive malicious Word, Excel or PowerPoint documents as attachments or malicious links that download and execute code on systems. More sophisticated actors actively search for and abuse vulnerabilities in common desktop applications or they come through external devices or third parties that don’t have the same level of detection and monitoring as your corporation.
Krehel shared a LIFARS video with virtual attendees that showed a ransomware document and what happens to the code when a user clicks a bad link in the document. Just the one click started a process that created a communication to the threat actor outside of the network. Icons on the desktop were changed and renamed. When the “user” opened a readable piece of content, the content information for the threat actors was prominently displayed so that the victim could contact them to pay for the decryption key.
So, what should you do if you’ve been hacked?
“If you were already an ‘almost-victim’ of ransomware — meaning ransomware was deployed but not successful — at some point in time you will get a cyber sickness,” he said. “You just don’t know if it’s a cyber cold, a cyber flu or if it’s cyber cancer. None of us can tell the extent in which the network and your end systems are going to be probed by threat actors. … Stay calm. There are many reasons a network has been compromised and you won’t be able to solve it in a day or two.”
Krehel recommended strong prevention controls and remediation responses. Implement comprehensive business continuity programs (like offline backups and consistent testing), access control, and endpoint and network behavior detection (like monitoring and blocking).
Minimizing your cyber risk requires the right tools, deployed in a cyclical and repeating process:
Respond: Have an incident response plan, and use ransomware and digital forensics.
Protect: Use security assessment programs, penetration testing and threat assessment tests.
Detect: Deploy managed response and security, threat intelligence and monitoring.
Analyze: Implement security awareness training.
Tribal knowledge is a key to successful remediation, he said. Every organization should have actionable resources documented that all members and staff can access and should know. “Cybersecurity isn’t a magic pill — it’s a repeatable, recurring process,” Krehel said. “Good cyber hygiene and resiliency should be built into organizational processes. Leadership has to show a path of how proper documentation can be augmented with more solid policies, procedures and actionable tasks.”