Inside the mind of a hacker
I recently reviewed some information from our backup and replication partner – Veeam – in their document 5 Ransomware Protection Best Practices, which I thought provided a very useful way to really get inside the mind of a hacker. The below passage should leave no one in doubt as to the skillset and seriousness of the threat actors out there.
As a threat actor, I lurk in the shadows and patiently observe you to identify which systems are in use, if multiple environments are used, who’s using them and where potential access points are. The easiest way for me to enter your organization is if I can get help from the inside, by gaining unmarked, legitimate and active access credentials. To do this, I identify potential human targets that can supply me with a door to those access credentials, without actually needing to know the credentials themselves.
After I identify potential entry points, I start off with a (spear) phishing attack, because I just need one person in the organization to click that link and let my malware in. As soon as the malware feels comfortable and settled, I’m notified on my cloud-based webserver that remote access was successfully established.
Then, it’s time to use my fingerprinting tools to uncover hidden vulnerabilities, unpatched systems and open ports. Before I move forward, I’ll protect my access by setting up a redundant and highly available base of operations.
At this point, it’s too early in the process to make myself known, so I have to remain in stealth mode for now. I use my administrative console to quietly observe your online activity and plan my next course of action. After a few weeks or months of incubation (i.e., dwell time), it’s now safe to continue my journey. Now I’ll go for high-value targets, like highly privileged accounts, organizational data caches and backup repositories.
Before you detect me, I will make sure to use orchestration and automation techniques to deploy the necessary tools, ransomware and management agents to all the machines at my disposal. This way I can respond quickly and at the right moment to fulfil my plan. Then, I will remove or disable your AV measures, routines will be altered, important documents will be deleted or blanked and backups will be purged or encrypted.
Now I’ll wait for an opportunity where I’m least likely to be discovered, often a Friday evening or a long weekend. I’ll need the encryption process to execute this thoroughly and without interruption.
I now hold the encryption key that controls whether or not you can recover from this ransomware attack. If I did my job successfully, I’ve removed any timely recovery possibilities to restore your operations to normal. But don’t be sad! Your data isn’t lost! I’ll make sure the payment process and speedy recovery of your data is as smooth as possible. I’ll even give you samples of your files on request as proof. It’s not personal, it’s just business (including Ransomware as a Service)!
Systematic, sustained and patient – if you are not concerned about the ability of these people, then you should be!
And you should be talking to CTO about how to protect yourself from a ransomware attack through solutions and processes we can recommend.
Source: 5 Ransomware Protection Best Practices – Veeam’s definitive guide to data protection – 2021.
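The quoted sequence has one stage that defenders can usually catch before the encryption runs: the point where the attacker disables AV, purges backups and removes recovery options, typically out of hours. The following is an added example (written for this page, not code from Veeam or from the original post) of detection logic that runs over process-creation log lines and flags those precursor commands. The log lines are constructed for illustration and mimic a minimal Sysmon/EDR export (timestamp, host, user, command line); the rule set is deliberately small, and the 07:00 to 18:00 weekday window used for "business hours" is an assumption you would tune to your own environment.

```python
"""Flag ransomware precursor commands (backup purge, recovery disabled, AV disabled)
in process-creation logs and weight them by off-hours timing.

Added example for this page, not Veeam's or the original post's code. All
telemetry below is constructed for illustration only.
"""
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample events (not real telemetry). One event per line:
#   ISO timestamp | host | user | command line
SAMPLE_LOG = """\
2021-10-22T10:14:03 | WS-17 | alice | C:\\Windows\\System32\\notepad.exe report.docx
2021-10-22T19:42:10 | SRV-BK1 | svc_backup | vssadmin.exe delete shadows /all /quiet
2021-10-22T19:42:31 | SRV-BK1 | svc_backup | wbadmin.exe delete catalog -quiet
2021-10-22T19:43:05 | SRV-BK1 | svc_backup | powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2021-10-22T19:44:12 | SRV-BK1 | svc_backup | bcdedit.exe /set {default} recoveryenabled No
2021-10-23T02:05:00 | SRV-FS2 | svc_backup | cmd.exe /c wmic shadowcopy delete
2021-10-25T09:01:44 | WS-02 | bob | C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

# Each rule: (rule name, command-line pattern, the attacker step it maps to).
# The patterns cover the common built-in Windows tooling used for these steps;
# a production rule set would be broader and would also watch for renamed binaries.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
     "backups purged"),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
     "backups purged"),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
     "timely recovery removed"),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I),
     "AV disabled"),
]


def parse_line(line: str) -> Dict[str, object]:
    """Split one 'ts | host | user | cmd' line into fields (cmd may itself contain spaces)."""
    ts, host, user, cmd = [part.strip() for part in line.split("|", 3)]
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def is_off_hours(ts: datetime) -> bool:
    """Assumed business hours: weekdays 07:00-18:00. Anything else is off-hours."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 18


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per (event, matching rule), annotated with off-hours timing."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for name, pattern, step in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({
                    "host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                    "rule": name, "step": step, "off_hours": is_off_hours(ev["ts"]),
                })
    return findings


def triage(findings: List[Dict[str, object]]) -> Dict[str, str]:
    """Per host: two or more distinct precursor rules firing is rated 'high', one is 'medium'.

    A single shadow-copy deletion can be legitimate admin work; several different
    recovery-removal steps on one host in succession is the pattern the quoted
    passage describes and should page someone.
    """
    per_host: Dict[str, Set[str]] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: ("high" if len(rules) >= 2 else "medium") for host, rules in per_host.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        flag = "OFF-HOURS" if f["off_hours"] else "business hours"
        print(f"{f['ts']} {f['host']} {f['user']}: {f['rule']} ({f['step']}) [{flag}]")
    print("triage:", triage(hits))
```

Run stand-alone it lists the five precursor events (all outside the assumed business hours) and rates SRV-BK1 as high because four different recovery-removal steps fired on it within minutes. Feeding the same functions your real Sysmon event ID 1 or EDR process telemetry is the practical next step; the point of the per-host correlation is that the attacker's "purge backups, disable AV, disable recovery" stage is a cluster of commands, and the cluster is far more specific than any one of them.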