15 September 2023

Cyber Security

Throughout the last few years, cyber security risk appears to have been given a permanent position on many executive and board meeting agendas. We are constantly flooded with statistics that make our skin crawl.

“95% of global cyberattacks occur through social engineering”.
“Nearly one billion emails were exposed in 2022, affecting one in five internet users”.
“Data breaches cost businesses an average of $4.35 million in 2022”.

It never seems to stop.

With October being Cyber Security Awareness Month, we will undoubtedly be informed by our security teams and the internet of even more frightening statistics, leading many people to ask: why? Why have things gotten so dire? Why do I no longer feel safe going online? How long will the age of the cyber-villain last? Unfortunately, I do not have an answer to most of these questions. However, I can provide some insight into the sophistication of social engineering tactics and why we need to discuss cyber security now more than ever.

The business of malware

Often, we hear in the media that an organisation was taken down by a sophisticated cyberattack when in fact, the method used by the threat actor was straightforward. An employee clicked on a link and downloaded malware; someone used the same password across their personal and business accounts, and a threat actor got lucky after finding the password in a data breach; or someone added a new application on the network and did not think to patch it, so threat actors were able to exploit the vulnerability.

None of these attacks seem overly sophisticated, and that is because they are not. However, what is happening behind the scenes in terms of sophistication has changed exponentially. Over the last twenty years, cybercrime has developed and grown. No longer are organisations targeted only by single individuals who have developed malware and have somehow chosen your organisation as the target. Do not get me wrong, this type of threat actor still exists. However, we also see more sophisticated attacks from threat actors that operate the same way a standard software company would. Yes, cybercriminals have adopted business models with 24/7 support and a team ready to negotiate ransom payments on their customers' behalf.

Like all businesses, the business of malware and ransomware-as-a-service has grown, and in 2021 the world was given a glance into the business model of one of the most notorious ransomware gangs, Conti, after the internal chat logs of the organisation were leaked.

Ransomware-as-a-service business model

The Conti internal chat logs provided some insight as to why the business of ransomware has grown so much over the last few years and why ransomware and malware now sit on every organisation's risk register. Conti had been set up like a legitimate business model and even had a Human Resources department in charge of hiring, performance reviews, bonus plans and career progression. Note I say ‘had’ and not ‘have’ as they have shut down their doors since the chat logs were leaked. You could not make this stuff up!

Conti had over one hundred employees that served a customer base of 300+. Conti, like all ransomware and malware-as-a-service organisations, developed their ransomware like any other software company, to be used by their customers. Conti then offered 24/7 support, including staff, to help customers negotiate the best possible outcome from their ransom demands. Conti received 25% of the total profit their customers (also known as affiliates) made from the ransomware. In 2021 it is believed that Conti made approximately $180 million for their affiliates, with 25% going to Conti as their fee.

It is hard to believe anyone would be willing to work for an organisation that developed ransomware, and from what the Conti logs tell us, often employees were hired unaware of the type of organisation they were working for. Once discovered, a pay bump usually makes the job sticky. It is tough to say no to a job that pays above market value and offers you bonuses for doing a good job when the job market is so thin. Although Conti was based in Russia, it is not the only nation-state where this activity continues. The Lazarus Group, one of the most sophisticated cyber-villains of all time, is an arm of the North Korean government that made approximately $1.7 billion through cybercrimes in 2022.

It is not just big business that these organisations are targeting, either; the big names are simply the ones we see in the newspapers. Anyone is a target, from large to small organisations, businesspeople, the elderly and even our children.

Where does this lead us?

Cybercrime is not going anywhere anytime soon. It is big business for entrepreneurs and governments. Because of this, we must ensure we have controls to help protect our organisations, customers, and ourselves.

This month, take the opportunity to talk with your family and friends about cybercrime. Ensure that those less cyber-aware than us understand what a phishing email is and that if they receive a text message or phone call from their bank, the tax office, or parcel delivery, the probability of it being a scam is 99.9%. Now is also the perfect time to circle back to our kids for a refresher on that online stranger danger talk, as we start to see more scams targeting our children on socials like WhatsApp, Discord, and Instagram.

Looking internally into our organisations, we need to make sure they are ready for a cyber incident, just in case. I have said it before, and I will say it again, make sure you have an incident response policy and procedure in place that has been tested with your IT team, crisis team and executives.

Ensure you know where all your confidential and sensitive data is stored and that adequate controls are in place to protect that data. Lastly, ensure you are having conversations internally to ensure that cyber security is front of mind for all employees, reducing the likelihood of a successful social engineering attack.

The future may look grim, but like any business, ransomware and malware-as-a-service business models can only survive if they generate income. By talking about cyber security and ensuring it is front of mind, we can help reduce the profitability of criminal organisations and slow down the threat of cybercrime to a much more manageable level.

Sarah Morrison

Dr Sarah Morrison's background in cyber security is both extensive and diverse. Commencing her career as a developer, Sarah has a background in Criminology, has served as an investigator in fraud and corruption for government agencies, managed IT and security risk as part of her tenure at one of Australia's top 4 banks, provided cyber security services to a multitude of clients and managed teams responsible for GRC consulting. Sarah's mission is to decrease the cost, time, and effort invested in fulfilling cyber security demands, and help businesses mature their security posture, all while supporting business growth.