Perhaps the most nefarious, these attackers are driven almost exclusively by financial gain. These criminals typically target personal and corporate systems, and range in skill from Nigerian 419 phishers to the authors of advanced ransomware: software that takes over a computer and demands a ransom be paid before the computer is unlocked.
The attacks these criminals use range from blackmail (think the Ashley Madison hacks) to ransomware, phishing and social engineering, and password attacks.
The Well-Funded Cyber Adversary
With very few ethical limitations holding them back, these are some of the scariest types of attackers, since most of the time anything goes. Even more frightening is that many of these criminals are very well funded as a result of their previous hacks, meaning they have the money to scale up their operations. It is not uncommon for these rings to have actual call centers in operation, staffed 24/7 by paid employees. Indeed, many pieces of ransomware and attack tools come with not only technical support, but a money-back guarantee!
Threat Intelligence Made Easier
From a threat intelligence point of view, you can often gather good intel on a lot of these actors by joining some of the more active underground darknet forums and marketplaces on Tor and I2P. In a weird twist, many of these actors are easier to track, since there are fewer cybercrime-specific forums and marketplaces than there are for general attackers.
Twitter is also an excellent source of information, as many of the world’s top malware and hacker hunters routinely post breaking news and analysis of emerging threats. Monitoring your DNS traffic for lookups of known C2 infrastructure can also give you early indications of compromise, allowing you to get in front of an incident before it gets out of control.
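As an added example (not code from the original post), here is the kind of DNS-log check the last sentence describes: a small Python script that parses query-log lines, matches each queried name against a set of known C2 domains on whole DNS labels (so a subdomain of a C2 domain is a hit, but a look-alike name that merely ends in the same characters is not), and lists the internal hosts that need triage. The log layout, the C2 domain names and the client addresses are all constructed placeholders; feed the real set from your own threat-intel source.

```python
import re

# Constructed sample of known C2 domains (placeholders under reserved TLDs, not real indicators).
# In practice this set is fed from your own threat-intel source.
KNOWN_C2_DOMAINS = {"c2-example.invalid", "beacon-host.test"}

# Constructed sample lines in a BIND-style query-log layout (assumed format, not captured traffic).
SAMPLE_DNS_LOG = """\
10-Mar-2024 09:12:01.120 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
10-Mar-2024 09:12:02.331 client 10.0.0.22#51235: query: update.c2-example.invalid IN A + (10.0.0.1)
10-Mar-2024 09:12:03.000 client 10.0.0.15#51236: query: notc2-example.invalid IN A + (10.0.0.1)
10-Mar-2024 09:12:04.500 client 10.0.0.22#51237: query: beacon-host.test IN TXT + (10.0.0.1)
10-Mar-2024 09:12:05.700 client 10.0.0.31#51238: query: C2-Example.invalid. IN A + (10.0.0.1)
malformed line that is not a query record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def matches_c2(qname, c2_domains=KNOWN_C2_DOMAINS):
    """Return the known C2 domain that qname equals or is a subdomain of, else None.
    Whole-label suffix matching: 'notc2-example.invalid' must not match 'c2-example.invalid'."""
    labels = qname.rstrip(".").lower().split(".")  # normalise case and a trailing root dot
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in c2_domains:
            return candidate
    return None

def scan_dns_log(text, c2_domains=KNOWN_C2_DOMAINS):
    """Parse query-log lines; return (timestamp, client, qname, matched_c2) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query record; skip rather than crash on odd lines
        matched = matches_c2(m["qname"], c2_domains)
        if matched:
            hits.append((m["ts"], m["client"], m["qname"], matched))
    return hits

def suspect_clients(hits):
    """Distinct internal hosts that looked up a known C2 domain: the triage list."""
    return sorted({client for _ts, client, _qname, _matched in hits})

if __name__ == "__main__":
    for ts, client, qname, matched in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} -> known C2 {matched}")
    print("hosts to triage:", suspect_clients(scan_dns_log(SAMPLE_DNS_LOG)))
```

Run against your resolver's query log instead of the sample string; a hit is an early indicator worth triaging, not proof of compromise on its own.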
Planning Your Incident Response
If your organization falls victim to ransomware, consult a malware professional before you consider paying out any cash. While most ransomware authors are very good about actually unlocking a system once the ransom has been paid, in many instances the malicious software can be defeated without you paying a penny to the hacker.
Obviously, the best way to avoid having your organization become a victim to these attackers is to educate your users to adopt good security practices:
- Don’t engage in online activity that could put you at risk. If you are going to go to sites which could open you up to blackmail, use a special throwaway email address (or better yet, think twice before visiting the site).
- Never download software from sites that are not trusted.
- Be very wary of handing out personal information.
- Ensure all users have current anti-virus software installed.
- Aggressively and repeatedly test your employees for their vulnerability to phishing. So many attacks are launched needlessly by people clicking on links.
- Enforce strong password security in your enterprise.
- Keep your systems patched.
- Always trust your instincts. If something feels shady or not legitimate, you’re probably right.
The last point is especially important, and needs to be driven home to most users. If they suspect something’s wrong, teach them to assume it is – even at the risk of annoying a customer. Make sure they never hesitate to contact InfoSec if they have the slightest suspicion something is wrong.
I can’t convey enough how many times this has proven to be a critical skill. Unfortunately, it’s a difficult one to instill in many people. As always, common sense should help guide users as to how to act online.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of Odonata Holdings, Inc.