I’m going to take a different view of this news, and concentrate on why this makes sense as a method of extracting money and what the attack logic is trying to achieve.
Examining attacker behaviour is key to defensive measures for the present, and then understanding and pre-empting the attacker’s next moves.
This is the one area where the defensive side has an advantage over the attacking side. The attacker needs to think of their next moves, then build and weaponise them. This takes time.
The defensive side only needs to think.
It is the lack of this pre-emptive thinking that is putting the defensive team behind the eight-ball.
It is also a turkey shoot for the attacker. There are many potential victims, so your likelihood of getting hit early is statistically low. This also provides time for the defensive side.
The defensive side needs to be using this time effectively, not sitting on their backsides, hoping they won’t be next.
Because this attack vector is working, it will attract every criminal into the market. The vultures are coming. What is currently being conducted by a handful of individuals is shortly (and I mean months) to be conducted by criminals in their thousands.
What benefits does this give an attacker?
Let’s assume that the attack was a cyberweapon test. A new cyber weapon has been created and we need somewhere to test it.
The attacker may have found a common flaw in an application used by all of the victims.
Or a common interconnect that they use.
The attacker would have spent a considerable amount of time sitting hidden on these various networks. The fact that this was not spotted points to a lot of monitoring gaps on the victims’ networks, but let’s assume they don’t have any.
The attacker then grew their attack surface over time, like a fungus underground, invisible to everyone above ground. Once the attacker was ready to launch, it became a mushroom season, with all the mushrooms popping up on the same trigger, at the same time.
Calling for the Cavalry
When a ransomware attack occurs, there are generally two sets of people triggered in response. Firstly, some form of external cybersecurity expert support. Secondly, the Feds, or some other form of law enforcement.
Generally speaking, these two sets of people descend on the victim in large numbers, trying to sort out the issue and to catch the bad guy.
Now both of these resource pools are finite. There are only so many Feds in a State that understand one end of a ransomware attack from another.
Even though the numbers are far higher, there are only a finite number of cyber specialists available as well.
The group of cyber specialists that have a contract with the Feds for incidents like this, where the Feds can call on help, is even smaller.
Divide and Conquer
So this attack, whether it meant to or not, has just reduced the total team available to each victim by a factor of 20. These specialists are spread out all over the place, and whilst there is a lot of benefit in the co-ordinated response that can be given, it will be an incident management nightmare.
Co-ordinating the incident across 20-odd incident teams requires a team in its own right and it will be 24/7.
I don’t know the physical distribution of attacks across Texas, but it’s a big place. You can’t just get a guy to jump in a car and get to anywhere quickly. If a number of the victims all use the same IT/Security support, you have resource contention issues here also. 20 organisations all waiting for the same backup guy sounds like a nightmare.
The attacker can also start counting the cash. One authority @ $500K, like in Florida? Over 20 authorities in Texas sounds like $10 million. Is there a premium to be added for knocking out an entire State? Is paying the ransom more likely due to projected recovery time across an entire State? Can an entire State wait for the poor backup guy to recover everything?
So what can we learn here?
- The US Government needs to create a central team to deal with these as specialists. They may be swamped also if multiple actors target multiple states at the same time. If you are a fungus quietly growing under California and someone attacks New York, maybe triggering your mushrooms now makes sense in California? Divide and conquer. The more you can split up the defensive side, the more chance of success you have as the attacker.
- Have a plan. This is no longer a surprise if you are a US Government department. You are most probably a fungus already growing. Ensure that the plan can be effective if the entire State is under attack, not just your department.
- You need to be sweeping your network for fungus. The spores may already be there. Find them. This attack takes time to grow. If you are sweeping constantly, you may catch this before it erupts.
- The first 48 hours will be the worst. The attacker has a plan for that 48 hours. If you do not, it will be chaos. People will not know what to do and that will be compounded exponentially if multiple organisations are under simultaneous attack.
- Don’t ignore events on your network: that huge log that nobody looks at because they don’t have time. Tune your event alerting to pick up on known inject points.
- Look for file changes that are indicators of known ransomware attacks. Make these events stand out and investigate them.
- Make sure your backups work. Spend a lot of time and money making sure that you can recover everything if you need to. This needs a dedicated recovery plan. A Crisis Management Plan expects the loss of a data centre or a building, not the loss of every single machine you have. You may need spare equipment, and you may need a cleanse facility to be stood up to clean all of your machines before they are recovered. Think about it and do it.
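The two detection points in the list above (tune alerting so the events that matter stand out, and look for file changes that are indicators of ransomware) can be turned into a small piece of logic that runs over file-system telemetry. The script below is an added example written for this post, not code from the original article or from any incident response team; it works on a constructed list of file events rather than a real EDR or audit feed, and the event fields, the `.locked` extension, the ransom-note name fragments and the thresholds are all assumptions chosen for illustration. It flags three of the classic signs on a single host: a burst of files renamed to one new extension, a run of high-entropy writes (encrypted content), and a dropped note whose name looks like a ransom note.

```python
"""Flag ransomware-like file activity in a stream of file-system events.

Added example for this post; the event source, names, extensions and
thresholds are constructed assumptions, not values from the article.
"""
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float            # seconds since some epoch (constructed)
    host: str
    action: str          # "rename" | "write" | "create"
    path: str
    new_path: str = ""   # only for renames
    sample: bytes = b""  # first bytes written (only for writes / creates)


# Name fragments typical of ransom notes; hypothetical list for the example.
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")

# Bytes 0..255 each exactly once: Shannon entropy of exactly 8 bits/byte,
# standing in for ciphertext in the constructed sample.
HIGH_ENTROPY = bytes((i * 37 + 11) % 256 for i in range(256))
LOW_ENTROPY = b"quarterly report " * 16


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for random/encrypted data, ~4 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def analyse(events, window=60.0, rename_threshold=20, dominance=0.8,
            entropy_threshold=7.0, entropy_min_count=10):
    """Return {host: sorted list of alert strings} for hosts showing indicators."""
    alerts = defaultdict(set)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)

        # 1. Burst of extension-changing renames in a sliding time window,
        #    dominated by one new extension (mass "encrypt and rename").
        renames = [e for e in evs
                   if e.action == "rename" and _ext(e.new_path) != _ext(e.path)]
        start = 0
        for end in range(len(renames)):
            while renames[end].ts - renames[start].ts > window:
                start += 1
            run = renames[start:end + 1]
            if len(run) >= rename_threshold:
                top_ext, top_n = Counter(_ext(e.new_path) for e in run).most_common(1)[0]
                if top_n / len(run) >= dominance:
                    alerts[host].add(f"mass_extension_change:{top_ext}")

        # 2. Many writes of high-entropy content. In real telemetry, baseline
        #    this per file type: compressed formats (docx, zip, jpg) are
        #    already high entropy and will need a higher bar.
        hi = [e for e in evs
              if e.action == "write" and shannon_entropy(e.sample) >= entropy_threshold]
        if len(hi) >= entropy_min_count:
            alerts[host].add("high_entropy_writes")

        # 3. A newly created file whose name looks like a ransom note.
        for e in evs:
            name = os.path.basename(e.path).lower()
            if e.action == "create" and any(h in name for h in RANSOM_NOTE_HINTS):
                alerts[host].add("ransom_note_dropped")

    return {h: sorted(a) for h, a in alerts.items()}


def constructed_events():
    """Constructed sample: ws01 is being encrypted, ws02 is a normal working day."""
    evs = []
    for i in range(30):  # 30 documents rewritten and renamed within ~9 seconds
        p = f"C:/Users/alice/Documents/report_{i}.docx"
        evs.append(FileEvent(1000 + i * 0.3, "ws01", "write", p, sample=HIGH_ENTROPY))
        evs.append(FileEvent(1000 + i * 0.3 + 0.1, "ws01", "rename", p, p + ".locked"))
    evs.append(FileEvent(1010.0, "ws01", "create",
                         "C:/Users/alice/Documents/README_DECRYPT.txt", sample=b"..."))
    for i in range(3):   # a few ordinary saves spread over half an hour
        base = f"C:/Users/bob/Documents/draft_{i}"
        evs.append(FileEvent(2000 + i * 600, "ws02", "rename", base + ".tmp", base + ".docx"))
        evs.append(FileEvent(2005 + i * 600, "ws02", "write", base + ".docx", sample=LOW_ENTROPY))
    return evs


if __name__ == "__main__":
    for host, found in analyse(constructed_events()).items():
        print(host, found)
```

The point of the sliding window is that a single rename or a single encrypted write is noise; twenty of them on one host inside a minute, all to the same new extension, is the pattern the post describes as a mushroom popping up. Each alert here is an independent indicator, so a host tripping two or three at once is the one to pull off the network first.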
This is Not a Drill
This is Real. The US Government departments are heading for a very busy Thanksgiving period. Take action now before it is too late. And good luck.