
Rampant Nation-State Ransomware Attacks Spark Renewed Emphasis on Identity Security

Updated: May 23

Incredibly clever and destructive ransomware attacks are now so common that CBS's 60 Minutes recently ran a report on them, presented by Bill Whitaker. The report explained that long-established Russian gangs, like BlackCat, offer their services, including the latest malware and experience negotiating ransoms and laundering money, to affiliate hacking groups, like Scattered Spider. If a victim pays a ransom, the funds are split. This highlights why enterprises need to be acutely aware of today’s increased risk of attacks. The report also highlights how social engineering among hackers has gotten better, smarter and far more successful, making the need for the proper identity security tools that much more vital.

MGM reportedly lost more than $100 million and was forced to spend millions more to get back to business as usual. And that’s just one example of a ransomware attack that was reported. Many more attacks go unreported, and the ransom is simply paid to restore business activities. We are seeing huge efforts by nation-state actors to impact businesses of all types, and these potential victims need to change the culture within their organization to focus more heavily on what is certainly the #1 cybersecurity risk today. By gaining the needed visibility into the actions of all identities within an enterprise, an organization dramatically reduces its chances of becoming the next ransomware victim.


The Pooling of Resources Among Crooks


Cybercriminal gangs are increasingly pooling their resources and expertise to execute more sophisticated and effective attacks. By collaborating, these criminal groups can share advanced tools, exploit kits, and detailed intelligence about vulnerabilities, making their operations more potent and difficult to defend against. This collective approach allows them to orchestrate large-scale, coordinated ransomware attacks with greater precision and impact. The pooling of resources also enables these gangs to diversify their skill sets, from social engineering to hacking, money laundering and monetization of stolen data.


The report explains that today the most successful Russian gangs are run like financial businesses with easy-to-navigate online platforms. In the case of the MGM ransomware attack, Russian hackers teamed up with the young, native-English-speaking hackers of Scattered Spider. Bryan Vorndran, the FBI's top cyber official, calls it an evolution of cybercrime. “No sector, company, or type of organization is off limits to hackers. There are estimates that global losses from ransom payments exceed $1 billion a year,” he says.


Spotlighting the actions of the young and infamous Scattered Spider group and their collaboration with the Russian BlackCat ransomware gang, the report lays out how recent ransomware attacks have resulted in gigantic disruptions and financial losses. The partnership illustrates the effectiveness of what has become known as ransomware-as-a-service, a now prevalent model that makes an attack that much more streamlined. Under the arrangement, the gangs provide their many years of knowledge and time-tested tools to people such as those in Scattered Spider, who bring the needed local touch. This model not only facilitates the proliferation of attacks but also complicates efforts to apprehend the offenders.


The Art of Convincing


The recent MGM incident is indeed a perfect example of social engineering. It turns out that hackers impersonated an MGM employee and called to have that employee's credentials reset. They then exploited these credentials to gain access to the company’s network. Sadly, that’s far too common. It’s this act of social engineering that’s getting better and better. There is no doubt that effective social engineering can open the door for more attacks that can easily result in disruptions to essential services, harm critical infrastructure, undermine public trust, and inflict significant losses in unforeseen ways.


Of course, minimizing the chances of social engineering attempts is the first layer of defense. Employee training and the deployment of procedures to validate the employee's identity are obviously required. But it’s what the bad guys do after they’ve successfully gotten in that also needs to be addressed. And this is where the huge gap in cybersecurity exists today. Malicious activities executed by compromised identities are clearly the top cybersecurity risk. Even though endless identity and access control investments have been made by the most discerning enterprises and organizations in the world, if they don’t have full visibility into what an identity in their organization is doing after that initial network access, how can they ever shut an attack down before it is too late?


And an “identity” isn’t just a person. It can be a non-human identity as well. Knowing what an identity is doing in your network, at all times, regardless of where that activity is taking place, is crucial to identifying an identity-related threat and immediately remediating it. At the very least, the impact of the unauthorized activity can be minimized if it’s found in time.


The Answer: Consistent, Comprehensive Observability


Identifying identity-related threats can’t rely on data from just Active Directory or even multiple Identity and Access Management (IAM) tools. To gain a comprehensive understanding, organizations need solutions such as the AuthMind platform that aggregate and analyze identity system events, network and cloud flow logs, and remote access logs to provide deep contextual insights into identity access activities. AuthMind can achieve this without burdening data collection efforts, as it can utilize existing logs available in SIEM systems or leverage AuthMind Collectors without requiring additional agents.


Identity Security Is Key

There is increasing recognition of the pivotal role played by identity teams in minimizing the risk exposure. Effective identity security involves proactively identifying blind spots, such as the use of local accounts, absence of multi-factor authentication (MFA), weak password hygiene, circumvention of critical identity systems, and inactive service accounts. While adhering to best practices from identity providers is a solid starting point, it’s not going to suffice given the complexity of most environments. Hence, identity teams are exploring identity security posture management solutions like AuthMind to uncover and address identity vulnerabilities.
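To make the blind spots listed above concrete, here is an added example (not AuthMind's code and not its log schema) that runs a few posture checks over a handful of constructed identity events of the kind an aggregated identity-system, flow-log and remote-access feed would yield. It flags local-account logins, interactive logins without MFA, access to SSO-protected targets that bypassed the identity provider, and service accounts with no activity in the review window. The field names, the list of service accounts and the set of SSO-protected targets are all assumptions made for the example; weak password hygiene is omitted because it cannot be judged from access events alone.

```python
"""Added example: identity posture checks over constructed access events (not AuthMind code)."""
from datetime import datetime, timedelta

# Constructed sample events standing in for aggregated identity-system, network-flow
# and remote-access logs. Field names are assumptions for this example, not a real schema.
#   kind:   "domain" (interactive user), "local" (host-local account), "service" (non-human)
#   path:   "idp" if the access went through the identity provider, "direct" otherwise
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice",      "kind": "domain",  "mfa": True,  "path": "idp",    "target": "vpn"},
    {"ts": "2024-05-02T10:30:00", "user": "admin",      "kind": "local",   "mfa": False, "path": "direct", "target": "db01"},
    {"ts": "2024-05-03T11:00:00", "user": "svc_backup", "kind": "service", "mfa": False, "path": "direct", "target": "fileshare"},
    {"ts": "2024-02-01T01:00:00", "user": "svc_legacy", "kind": "service", "mfa": False, "path": "direct", "target": "app02"},
    {"ts": "2024-05-04T12:00:00", "user": "bob",        "kind": "domain",  "mfa": False, "path": "idp",    "target": "mail"},
    {"ts": "2024-05-05T13:00:00", "user": "carol",      "kind": "domain",  "mfa": True,  "path": "direct", "target": "hr-app"},
]

# Assumed inventory: service accounts that exist in the directory, and targets that
# policy says must be reached through the identity provider.
SERVICE_ACCOUNTS = {"svc_backup", "svc_legacy", "svc_unused"}
SSO_TARGETS = {"vpn", "mail", "hr-app"}
NOW = datetime(2024, 5, 6)  # fixed "current time" so the example is deterministic


def find_blind_spots(events, service_accounts, sso_targets, now, inactive_days=30):
    """Return sorted findings per blind-spot category for the given events."""
    last_seen = {}
    findings = {
        "local_account": set(),     # host-local accounts in use (outside central identity control)
        "no_mfa": set(),            # interactive users logging in without MFA
        "idp_bypass": set(),        # SSO-protected targets reached without the IdP
        "inactive_service": set(),  # service accounts with no activity in the window
    }
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        last_seen[e["user"]] = max(ts, last_seen.get(e["user"], ts))
        if e["kind"] == "local":
            findings["local_account"].add(f'{e["user"]}@{e["target"]}')
        if e["kind"] == "domain" and not e["mfa"]:
            findings["no_mfa"].add(e["user"])
        if e["target"] in sso_targets and e["path"] != "idp":
            findings["idp_bypass"].add(f'{e["user"]}->{e["target"]}')

    # A service account never seen, or not seen within the window, is dormant but still enabled.
    cutoff = now - timedelta(days=inactive_days)
    for acct in service_accounts:
        seen = last_seen.get(acct)
        if seen is None or seen < cutoff:
            findings["inactive_service"].add(acct)

    return {category: sorted(items) for category, items in findings.items()}


if __name__ == "__main__":
    for category, items in find_blind_spots(SAMPLE_EVENTS, SERVICE_ACCOUNTS, SSO_TARGETS, NOW).items():
        print(f"{category}: {items}")
```

Each finding points at something an identity or SecOps team can act on: disable or vault the local account, enforce MFA for the user, close the direct path to the SSO-protected application, and retire the dormant service accounts before an attacker finds them.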


It's also evident that effective identity security necessitates improved teamwork between identity and SecOps personnel to identify vulnerabilities proactively and respond promptly to real-time identity-based attacks. Solutions like AuthMind enable this cooperation with much-needed comprehensive identity observability.


To set up a call to learn more on how AuthMind can detect and alert on any unauthorized third party activity, click here.
