BitDepth #1382
MARK LYNDERSAY
IN A CONVERSATION with IT professionals on November 2, Marcelo Ardiles, cybersecurity consultant at Hitachi Systems, explained what he described as the cyber kill chain of a ransomware attack.
Between 2021 and 2022, the share of companies hit by ransomware attacks rose from 22 per cent to 35 per cent, and ransomware is now the greatest threat to companies and organisations.
The term comes from Lockheed Martin's adaptation of the military concept of a kill chain, the sequence of steps that make up a successful attack.
Lockheed Martin breaks the cybersecurity equivalent of a kill chain into seven distinct phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and action on objectives.
During reconnaissance, hackers are looking for information that can be used to break into computer systems.
Techniques include harvesting e-mail addresses and personal information from press releases, contracts and conference attendee lists, reviewing breached and leaked data, and discovering the company's servers that are exposed on the internet.
Once an entry point is identified, it is weaponised, usually by preparing a decoy document with software embedded in it that will instal a malware payload on the intended target.
Cleverly written and designed phishing e-mails are favoured, an attack vector that accounts for 70 per cent of the risk associated with compromised systems (unpatched software is second, at 56 per cent).
Malware can be hidden on a USB flash drive, and supply-chain attacks bring infected software components from external services and suppliers during a scheduled software update. Websites can also deliver malicious code during browsing, which downloads files to a computer.
Antivirus software will scan downloads, but modern malware is often packed or encrypted, so the scanner sees nothing recognisable until the payload unpacks itself at run time.
Social-engineering techniques, such as delivering malware in a password-protected archive or official-looking document with the password supplied in the same message, increase the confidence of the unwary while preventing antivirus tools from opening the file at all.
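The password-in-the-message trick above has a practical counter: a mail gateway cannot open an encrypted archive, but the archive's own headers reveal that it is encrypted, and the message body usually carries the password the recipient is expected to type. The script below is an added example, not code from the column or from Hitachi Systems. It builds a constructed sample attachment in memory and sets the ZIP "encrypted" header bit by hand (Python's zipfile cannot write encrypted archives), which is enough for header inspection but is not a real encrypted ZIP; the member names, risky-extension list and message bodies are invented for illustration.

```python
"""Gateway triage for password-protected attachments (added example)."""
from __future__ import annotations

import io
import re
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # ZIP general purpose bit 0: "file is encrypted"
# Member types worth a second look even when unencrypted (assumption: illustrative subset)
RISKY_MEMBERS = (".docm", ".xlsm", ".exe", ".js", ".vbs", ".lnk", ".hta")
# "password is X" / "password: X" somewhere in the message body
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)?\s*(\S+)", re.IGNORECASE)


def build_sample_zip(member: str, encrypted: bool) -> bytes:
    """Constructed sample attachment: one STORED member, optionally flagged encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"constructed sample content, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: flags at offset 6 (after 4-byte signature, 2-byte version).
        struct.pack_into("<H", data, 6, ENCRYPTED_FLAG)
        # Central directory header: flags at offset 8 (signature plus two version fields).
        cd = data.find(b"PK\x01\x02")
        struct.pack_into("<H", data, cd + 8, ENCRYPTED_FLAG)
    return bytes(data)


def assess_attachment(data: bytes) -> list[str]:
    """Inspect ZIP headers only; nothing is extracted or executed."""
    findings: list[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.flag_bits & ENCRYPTED_FLAG:
                findings.append(f"{zi.filename}: encrypted member, content cannot be scanned")
            if zi.filename.lower().endswith(RISKY_MEMBERS):
                findings.append(f"{zi.filename}: macro-enabled or executable member")
    return findings


def password_in_body(body: str) -> str | None:
    """Return the password the message offers the reader, if any."""
    m = PASSWORD_HINT.search(body)
    return m.group(1).rstrip(".,;:!") if m else None


def triage(body: str, attachment: bytes) -> dict:
    """Decide what the gateway does with the message."""
    findings = assess_attachment(attachment)
    encrypted = any("encrypted" in f for f in findings)
    password = password_in_body(body)
    if encrypted and password:
        verdict = "quarantine"  # the classic lure: locked file and its key in the same e-mail
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings, "password": password}


if __name__ == "__main__":
    lure = "Please see the attached invoice. The password is Invoice2024."
    print(triage(lure, build_sample_zip("invoice.docm", encrypted=True)))
    print(triage("Notes from the meeting attached.", build_sample_zip("notes.txt", encrypted=False)))
```

The point of the check is that the gateway does not need to defeat the encryption: an archive it cannot read, arriving with its own password, is itself the indicator. Encrypted archives without a password in the body, or plain archives holding macro-enabled documents, go to a human rather than straight to the inbox.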
Once the code is in the system, it establishes a connection to the infiltrator's computer and transmits information gathered from its initial beachhead.
The initial malware is normally a small package of code that opens a back door for communication (on a compromised web server, typically a web shell), which it uses to download a command-and-control tool that gives the attacker full control of the compromised computer. To establish persistence on the compromised system, the malware instals code that launches it on startup and masquerades as part of a standard operating system installation.
With the command-and-control tool in place, the attacker will attempt to extend access to more of the computer network.
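The persistence pattern just described, code that launches at startup while dressed up as part of Windows, leaves a signature a defender can look for: genuine operating-system binaries live in a small set of directories, so a startup entry that borrows a system binary's name (or a lookalike of one) while pointing somewhere else, or that launches from a folder any user can write to, deserves a closer look. The script below is an added example, not code from the column or from Hitachi Systems. Its entries are constructed sample data in the shape of Windows Run-key values, and the lists of system binary names, trusted directories and user-writable folders are illustrative assumptions rather than complete inventories.

```python
"""Triage startup (persistence) entries for OS masquerading (added example)."""
from __future__ import annotations

import ntpath

# Process names attackers like to borrow (assumption: illustrative subset)
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# Where genuine OS binaries live (assumption: illustrative subset)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
# Folders any user can write to, a favourite home for persistence
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Digit-for-letter substitutions seen in lookalike names (0 for o, 1 for l)
LOOKALIKE = str.maketrans("01", "ol")

# Constructed sample Run-key entries: (value name, command line)
SAMPLE_AUTORUNS = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost", r'"C:\Users\bob\AppData\Roaming\svchost.exe" -k netsvcs'),
    ("WindowsUpdate", r"C:\ProgramData\Update\svch0st.exe /silent"),
    ("Explorer", r"C:\Windows\explorer.exe"),
]


def executable_from_command(command: str) -> str:
    """Pull the executable path out of a Run-key command, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_entry(command: str) -> list[str]:
    """Reasons to look closer at one startup entry; empty list means nothing odd."""
    exe = executable_from_command(command).lower()
    base = ntpath.basename(exe)
    in_trusted = exe.startswith(TRUSTED_DIRS)
    reasons: list[str] = []
    if base in SYSTEM_BINARY_NAMES and not in_trusted:
        reasons.append(f"{base} outside the Windows directories")
    elif base not in SYSTEM_BINARY_NAMES and base.translate(LOOKALIKE) in SYSTEM_BINARY_NAMES:
        reasons.append(f"{base} is a lookalike of a system binary")
    if any(marker in exe for marker in USER_WRITABLE_MARKERS):
        reasons.append("launches from a user-writable location")
    return reasons


def scan(entries) -> dict[str, list[str]]:
    """Return only the entries with at least one reason to investigate."""
    flagged: dict[str, list[str]] = {}
    for name, command in entries:
        reasons = assess_entry(command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_AUTORUNS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Two of the sample entries are the masquerade the column describes (a `svchost.exe` in a user's roaming profile and a `svch0st.exe` in ProgramData); the OneDrive entry is a deliberate false positive, since legitimate software does install per user, which is why a check like this produces triage candidates rather than verdicts and would be paired with an allow-list or a code-signing check in practice.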
As it gains greater access, it moves laterally through the network, collecting and exfiltrating data, destroying systems and corrupting or overwriting data.
The end goal of most ransomware attacks is double extortion: first downloading company data, corrupting or deleting available backups, and then locking access for a fe