Financial services firm Liberty Holdings is fighting tooth and nail to prevent the release of clients’ personal information after its IT systems came under attack.
Given the information currently available, it appears to be a ransom-type hack, with hackers demanding payment to prevent the release of sensitive data. Liberty Group CEO David Munro has confirmed that “criminals” accessed an e-mail server and attachments of its core South African Liberty insurance business. Sadly, this is just one more incident amongst a barrage of nasty digital attacks on companies around the world.
Ransomware in particular is much bigger than people realise. In the old days of virus outbreaks it was reasonably easy to determine their spread and efficacy, and people didn’t mind reporting on it. After all, you were generally just an unwitting host to a small piece of code which was trying to send itself to your friends and associates.
My first experience with a virus, laughable now, was the Ping-Pong virus released in 1988. It occasionally created a little ball which bounced across your screen and made it difficult to get on with your work (or in my case play King’s Quest).
Ransomware is much more insidious and in my opinion massively under-reported. The General Data Protection Regulation (GDPR) has become enforceable in the EU and could mean serious penalties for businesses that don’t take data protection seriously. The same goes for the Protection of Personal Information (POPI) Act in South Africa.
In this age of data sensitivity which business would therefore report that their data had been compromised and that an unknown hacker held the key? If this business didn’t have adequate backups would it admit it had to pay the hacker in Bitcoin to get the data back? Would internal IT teams confess they hadn’t done their job properly and allowed the infection in? Would IT support companies confess? The answer is no. Ransomware is like a sexually transmitted disease – you want it sorted out as quickly and quietly as possible.
Unlike STDs, the ransomware business is very profitable, so I have long been saying that it will evolve and become more prevalent, and this certainly seems to be the case.
New type of Ransomware
I believe that from now on, whenever a vulnerability is discovered, a spate of ransomware variants will follow. The WannaCry ransomware famously made use of the EternalBlue exploit, which was allegedly developed by the NSA and was leaked by the Shadow Brokers in 2017.
The proven ransoms collected from WannaCry only added up to US$130,000 but the spread was enormous and the potential ransoms could’ve added up to billions of dollars. A lot of hackers sat up and took notice and are, in my opinion, busy working on their own versions of a ‘killer app’ as we speak.
The Liberty hack does not look like a ransomware incident, but there is a ransom and the hackers have gained access to their network. This is simply an improvement to the hacker business model.
We are currently seeing a new type of ransomware, on a daily basis, and it doesn’t rely on the ‘traditional’ methods of delivery such as an email attachment or dodgy link. This new form is a targeted attack which is, at least initially, carried out by bots scanning for Remote Desktop Protocol (RDP) ports exposed to the internet (TCP 3389 by default). Once they detect such a port they begin a ‘brute-force’ attack: a constant stream of username and password guesses, typically against common account names such as Administrator.
If one of those guesses works, it looks like a human operator takes over and logs in to deliver a ransomware payload (or payloads). What makes this much worse than a traditional ransomware attack is that this intruder, depending on how the network is configured, could delete backups, create a back door, or steal data in addition to deploying the ransomware. Unlike a mass-mailed attachment, the encryption is the last step of a hands-on intrusion, not the first sign of it.
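The pattern described above leaves a clear trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, cycling through usernames, followed by a successful logon (Event ID 4624) from the same address. The script below is an added example, not code from the original article; it runs a sliding-window detector over a constructed, pipe-delimited export of such events (the export format, the sample addresses from the documentation ranges, and the usernames are all assumptions for the illustration). Logon type 10 is RemoteInteractive, i.e. an RDP session; note that when Network Level Authentication is enabled, failed RDP attempts are recorded with logon type 3 instead, which is why the detector accepts both for failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical flat export, one record per line (constructed for this example):
#   ISO timestamp | EventID | LogonType | TargetUserName | IpAddress
# Event ID 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP). With NLA enabled, failed RDP
# attempts are logged as logon type 3 (Network), so both count as failures here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<event_id>\d+)\|(?P<logon_type>\d+)\|(?P<user>[^|]*)\|(?P<ip>[^|]+)$"
)

USERNAMES = ["administrator", "admin", "user", "test", "backup"]  # constructed


def parse_line(line):
    """Parse one export line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["event_id"]),
        "logon_type": int(m["logon_type"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=20, window=timedelta(minutes=10),
                          failure_types=frozenset({3, 10})):
    """Flag source IPs with >= threshold RDP logon failures inside a sliding
    time window, and record whether a successful RDP logon from that IP
    followed (the 'brute force, then hands-on intrusion' pattern).

    Returns {ip: {"failures": peak count in one window,
                  "users": usernames tried, "success_as": account or None,
                  "success_at": datetime or None}}.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash mid-log
        ip = ev["ip"]
        if ev["event_id"] == 4625 and ev["logon_type"] in failure_types:
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_as": None, "success_at": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10 and ip in alerts:
            # A success from an address already flagged: the guess worked.
            alerts[ip]["success_as"] = ev["user"]
            alerts[ip]["success_at"] = ev["ts"]
    return alerts


def build_sample_log():
    """Constructed sample records (not real data): 30 rapid RDP failures from
    one address cycling through usernames, then a success from that address,
    plus benign noise that must not be flagged."""
    base = datetime(2018, 6, 17, 2, 0, 0)
    lines = []
    for i in range(30):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()}|4625|10|{USERNAMES[i % len(USERNAMES)]}|203.0.113.45")
    ts = base + timedelta(minutes=5, seconds=30)
    lines.append(f"{ts.isoformat()}|4624|10|administrator|203.0.113.45")
    lines += [
        # A user who mistyped a password twice, then got in: not an attack.
        "2018-06-17T09:12:01|4625|10|jsmith|198.51.100.7",
        "2018-06-17T09:12:40|4625|10|jsmith|198.51.100.7",
        "2018-06-17T09:13:05|4624|10|jsmith|198.51.100.7",
        # A clean logon with no prior failures.
        "2018-06-17T10:00:00|4624|10|it-admin|192.0.2.10",
        "garbled line that the parser should skip",
    ]
    return lines


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(build_sample_log()).items():
        outcome = (f"then a successful RDP logon as {a['success_as']!r} at {a['success_at']}"
                   if a["success_as"] else "no success seen")
        print(f"{ip}: {a['failures']} RDP failures, {len(a['users'])} usernames tried, {outcome}")
```

The threshold and window are deliberately conservative; on a real domain controller you would tune them against normal failure rates and, more importantly, treat any 4624 type 10 from an address that has just been flagged as an incident, not a log entry.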
We have observed numerous versions of ransomware being delivered in this way: SamSam, .Arrow and Decrypthelp@qq.com, the latter two identified by the extension and contact e-mail address they append to encrypted files.
The good news is that this type of attack is comparatively easy to thwart. Moving RDP off its default port hides it from the laziest scanners, though not from ones that fingerprint the service, so that alone is not a defence. A long, unique password, an account lockout policy and Network Level Authentication defeat the brute force itself, and best of all, RDP should not be reachable from the internet at all, only through a VPN or remote desktop gateway with multi-factor authentication. Its effect could also be restricted if a network is set up with the ‘zero trust’ methodology, so that one compromised desktop cannot reach the backups.
However, the fact remains that ransomware is a profitable business and, like all profitable businesses in this age of disruption, it’ll adapt to survive.