The LockBit attack on Toronto Children’s Hospital highlighted the ethical dilemmas that even cyber attackers face. Understanding the goals and behavior of cybercriminals is critical to developing effective defense strategies against ever-evolving ransomware attacks.
Considered one of the biggest threats to cybersecurity today, ransomware attacks have intensified over the years, capitalizing on increasingly aggressive methods such as the exploitation of zero-day and unpatched vulnerabilities, as well as multiple-extortion schemes. It is even possible to get infected simply by browsing an apparently harmless website! As a reminder, a ransomware attack combines encryption of the victim’s data with exfiltration of that data: the ransom is demanded both for the decryption key and in exchange for not revealing what was stolen. Attackers also increasingly target backup and disaster recovery systems, to complicate business recovery efforts and drive victims toward payment.
In the mind of a cyber criminal
An important issue that security teams must address now is understanding the goals, behavior and mindset of the attackers behind these ransomware attacks. When attackers’ goals differ, are often unrelated to one another, or are bounded by different moral or ethical constraints, the strategies and tactics they use can vary drastically, making both prediction and defense equally complex.
A notable example is the targeted attack on Toronto Children’s Hospital, carried out by an affiliate of the LockBit cybercriminal group operating under a Ransomware-as-a-Service model. The attackers infiltrated the hospital’s computer systems, deployed ransomware that encrypted the facility’s files and data, and demanded a ransom in exchange for the key. The incident highlighted the ethical dilemmas posed by targeting healthcare facilities, where data and services essential to patients’ lives are put at risk. Interestingly, the LockBit group eventually released the keys needed to decrypt the data, along with an apology for the actions of its affiliate, a surprising gesture that sparked debate about the motivations and moral responsibility of cybercriminals. Yes, it is possible to get kicked out of a criminal organization if you hit the wrong targets, or at least disobey the internal guidelines!
Cybersecurity strategies must therefore adapt in mirror image, incorporating this understanding of attacker psychology and goals on the same level as the technical arsenal deployed: not only to counter the constant sophistication of techniques and attack vectors, but also to put defenders in the shoes of cybercriminals by taking their psychological and strategic reasoning into account. Such an approach must be as agile as the threats it aims to neutralize.
Evolution of tools with AI
New weapons and AI tools such as WormGPT, a malicious clone of ChatGPT, can potentially be used for criminal purposes, especially for sophisticated attacks such as phishing or corporate identity theft. Built on the GPT-J large language model, WormGPT is a private platform that offers unlimited characters, several AI models, code formatting and more. As it stands, the main “selling point” of this $300 service seems to be its “unlimited” nature: without the restrictions that ChatGPT put in place to prevent people from abusing the technology, the tool offers a myriad of criminal options. However, it is not only dark web tools that are in the hacker catalog in 2024. It has been shown that applications “presumed safe”, such as ChatGPT, can be tricked into producing malicious code if requests are phrased in a suitable way. As assistants, these AI tools therefore open the door wide to the world of cybercrime. Combined with the growing prevalence of double-extortion ransomware, which pairs encryption with the threat of publication and forces organizations to both restore access to their files and prevent data leaks in an emergency, this amounts to a significant escalation of ransomware attacks in today’s threat landscape.
Cyber insurance is not enough
As threats have intensified, insurers have raised policy prices and tightened the requirements for payouts, which have become increasingly difficult to meet. Additionally, cyber insurance only covers the direct financial impact of an attack, not reputational damage or production disruption.
Where possible, organizations should adopt ransomware detection strategies built on advanced analysis of incoming data streams, anomaly detection, and techniques that trace the origin, method and exact nature of an attack. This proactive strategy helps mitigate risks before they escalate into a full-blown crisis. However, detection is only one piece of the puzzle. There is always a weak link in the infection chain where the ransomware can be stopped. It is therefore critical that the security stack be as comprehensive as possible, ensuring that no component, especially the backup and recovery systems, becomes obsolete, in order to maintain a robust defense. This approach must also include regular updates to close potentially exploitable vulnerabilities, as well as precise recovery checkpoints that allow data to be quickly restored to its pre-attack state.
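To make the “anomaly detection over incoming data streams” and “trace the origin” ideas above concrete, here is an added illustration (it is not code from the article, nor from Zerto or Hewlett Packard Enterprise). It consumes a stream of file-activity events in a constructed key=value format invented for this example, keeps a short sliding window per process, and raises one alert when a process writes many high-entropy files across several directories in a short time, the signature of bulk encryption. The alert carries the first timestamp and first path touched, which is the starting point for tracing how the attack began. The thresholds and the sample events are all assumptions, not measurements from any real incident.

```python
"""Toy ransomware anomaly detector over a stream of file-activity events.

Added illustration, not from the article. The event format is invented:
  ts=<ISO-8601> proc=<name> pid=<int> op=<read|write> path=<path> entropy=<bits/byte>
Paths in this format contain no spaces.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable thresholds (assumed values for the example).
WINDOW = timedelta(seconds=30)   # sliding window per process
MIN_WRITES = 8                   # at least this many writes inside the window
HIGH_ENTROPY = 7.5               # bits/byte; encrypted data is close to 8.0
HIGH_ENTROPY_RATIO = 0.8         # share of writes that must look encrypted
MIN_DIRS = 3                     # spread across directories, not one folder


@dataclass
class Event:
    ts: datetime
    proc: str
    pid: int
    op: str
    path: str
    entropy: float


def parse_event(line: str) -> Event:
    """Parse one event line of the constructed key=value format."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(
        ts=datetime.fromisoformat(fields["ts"]),
        proc=fields["proc"],
        pid=int(fields["pid"]),
        op=fields["op"],
        path=fields["path"],
        entropy=float(fields.get("entropy", "0")),
    )


def detect(lines):
    """Return one alert per (process, pid) whose write pattern looks like bulk encryption."""
    windows = defaultdict(deque)   # (proc, pid) -> recent write events
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.op != "write":
            continue                # reads alone never trigger the heuristic
        key = (ev.proc, ev.pid)
        win = windows[key]
        win.append(ev)
        while win and ev.ts - win[0].ts > WINDOW:
            win.popleft()           # evict events older than the window
        if key in alerted:
            continue                # report each offending process once
        writes = len(win)
        high = sum(1 for e in win if e.entropy >= HIGH_ENTROPY)
        dirs = {e.path.rsplit("/", 1)[0] for e in win}
        if writes >= MIN_WRITES and high / writes >= HIGH_ENTROPY_RATIO and len(dirs) >= MIN_DIRS:
            alerted.add(key)
            alerts.append({
                "proc": ev.proc,
                "pid": ev.pid,
                "first_seen": win[0].ts.isoformat(),   # origin tracing: when it started
                "first_path": win[0].path,             # and which file was hit first
                "writes_in_window": writes,
                "directories": sorted(dirs),
            })
    return alerts


# Constructed sample stream: a word processor, a backup job that writes
# high-entropy archives into a single folder (must NOT alert), and a process
# that rewrites many files across user folders with encrypted-looking content.
_RANSOM_DIRS = ["Documents", "Pictures", "Desktop", "Music"]
SAMPLE_EVENTS = [
    "ts=2024-03-01T09:00:00 proc=winword.exe pid=1200 op=write path=C:/Users/ann/Documents/q1.docx entropy=4.6",
    "ts=2024-03-01T09:00:05 proc=winword.exe pid=1200 op=write path=C:/Users/ann/Documents/q1.docx entropy=4.7",
    *[f"ts=2024-03-01T09:01:{i:02d} proc=backup.exe pid=2000 op=write path=D:/backups/set{i}.zip entropy=7.9"
      for i in range(9)],
    "ts=2024-03-01T09:02:00 proc=updater.exe pid=4120 op=read path=C:/Users/ann/Documents/q1.docx entropy=4.6",
    *[f"ts=2024-03-01T09:02:{i + 1:02d} proc=updater.exe pid=4120 op=write "
      f"path=C:/Users/ann/{_RANSOM_DIRS[i % 4]}/file{i}.docx.locked entropy=7.9"
      for i in range(10)],
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The backup job is the important negative case: its writes are just as high-entropy as the encrypting process, and a detector keyed on entropy alone would page on every nightly archive run. Requiring spread across directories and a burst within a short window is what separates the two here; in production the thresholds would be tuned against a baseline of the organization’s own file activity, and the alert would feed the recovery side, telling you which checkpoint predates the first write.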
___________________
By Siham Eisele, regional sales director, Zerto, a Hewlett Packard Enterprise company