FortiGuard Labs Perspectives
Not all heroes wear capes. Many work quietly and diligently behind the scenes, amassing evidence and uncovering clues until there is enough to act on and take the enemy down. Cyber defenders work much like detectives: they chase cybercriminals by getting inside their heads and tracing their actions, then use that knowledge to beat them at their own game.
We are seeing an increase in effective and destructive cyberattacks that affect thousands of organizations in a single incident, which marks an important inflection point in the war on cybercrime. In the case of ransomware, some operators are shifting their strategy away from email-initiated payloads toward gaining and selling initial access into corporate networks, a further sign of how Ransomware-as-a-Service (RaaS) continues to evolve and fuel cybercrime. Ransomware, in other words, is about much more than the ransom; it is also about access. Recent data from Fortinet's FortiGuard Labs shows that average weekly ransomware activity in June 2021 was more than 10x higher than one year earlier, a consistent and significant increase over the year. According to Fortinet's State of Ransomware survey, ransomware has become the top threat concern for many organizations today.
Attacks have targeted the supply chains of many organizations, including governments, disrupted our daily lives and productivity, and hurt commerce more than ever before. This is no longer a fight just for IT teams, chief information security officers, and others in the cybersecurity field; it is personal. With much of the workforce working remotely and learning still largely virtual, each and every one of us is now a potential conduit for an attack. For organizations of all sizes, down to individual end users like you, cybercrime remains a clear and present danger. But the picture is not as bleak as it might seem: law enforcement and cyber defenders are collaborating and working diligently behind the scenes to detect and respond to all kinds of threats. They need your help, though. Now is the time for everyone to roll up their sleeves and join the fight against cybercrime.
Cybercrime has become big business, replete with call centers that walk victims through paying the ransom, tech support, affiliates who move and launder money, and operators of Dark Web forums where code is developed and sold. Take ransomware-as-a-service (RaaS), a subscription-based model in which partners (affiliates) use ransomware tools developed by someone else to carry out attacks. If an attack succeeds, the affiliate earns a percentage of the proceeds, sometimes as much as 80%, and everyone else in the chain gets their cut. The booming cybercrime ecosystem has therefore grown into a supply chain of its own, generating more than a trillion dollars of revenue every year. And that supply chain keeps growing, because the bad actors are better funded, are adopting new components and service models, and keep changing their tactics and raising the stakes.
This has led to an increase in cyberattacks that affect thousands of organizations in a single incident, and the result is that we are now at an important inflection point in the war on cybercrime. Now more than ever, each one of us has a critical role to play in breaking the attacker's cyber kill chain, thwarting their efforts at each step: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. For every individual player on the wrong side, we need a defender on the right side to spot them.
In most sophisticated ecosystems, multiple people and functions work together, and cybercrime now works the same way. In the cybercrime supply chain, suppliers create and produce things like malware and zero-day exploits, then license, sell, and share that technology with distributors and affiliates, who in turn sell their "solutions" to clients who aim them at victims. In effect, they use their own supply chain to better infiltrate their victims' supply chains.
And the entire ecosystem has been created with one end goal in mind: profit. There are people behind the scenes who manage transactions, secure the funds, launder the money, and distribute the payouts. Just as in any corporation, they may work with account managers who coordinate the sale. And then there are the money mules who move the money so it can’t be traced.
The good news is that we are already onto them. Threat hunters and researchers follow these criminals' moves and study their tactics and playbooks, replicating and detonating their attacks in controlled environments. We use heat maps of recently observed techniques to learn what they are thinking and what they have actually deployed, which is key: their heat maps become our roadmaps, pointing us in the right direction. Because many cybercriminal organizations operate like businesses, we as defenders can turn their own tactics against them, using real-time data and high-resolution intelligence to disrupt their supply chain, making it more expensive for them to operate and forcing them to shift tactics.
Our efforts are also starting to pay off, and several events so far in 2021 count as wins for the defenders. Take TrickBot: its original developer was arraigned on several charges in June. Add the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, and the actions to disrupt ransomware operations such as Egregor and NetWalker. These wins signify the momentum of cyber defenders, including collaboration among governments and law enforcement worldwide. The US Department of Justice (DOJ) sent a strong message when it charged a NetWalker affiliate who had walked away with $28M, one of the first times law enforcement has gone after the business partner and not just the developer. This needs to happen more often; if affiliates face a real risk of prosecution, they may be less willing to participate. The attention some of these takedowns have drawn has already forced a few ransomware operators to announce that they were ceasing operations altogether.
Anybody can be a cyber champion and join the fight against cybercrime. By educating ourselves on best-practice cyber hygiene, collaborating with other defenders, and using tools such as artificial intelligence (AI) to detect threats and apply countermeasures, we can stay one step ahead of the bad guys. Reacting to a security breach is one thing; stopping it before it can do any damage is another. Automated threat detection and AI are critical tools that let organizations address attacks in real time and mitigate them at speed and at scale, especially across large numbers of individual endpoints. Zero Trust approaches need to be implemented to enable secure access for remote work and learning. In addition, cybersecurity user-awareness training is as important as ever, because home workers and students, not just organizations, are targets of cyberattacks. Everyone could use some instruction and education on the best practices that keep individuals and organizations secure.
An easy way to gain some powerful cybersecurity knowledge is through the extensive training and education programs of Fortinet's NSE Training Institute, part of Fortinet's Training Advancement Agenda (TAA), which offers free courses for anyone interested in learning about cybersecurity as well as more advanced programs for cybersecurity professionals. Learning some basic ins and outs of how these attacks work can only help all of us fortify against them. Strong password practices and password managers help guard your personal information; learning what to look for in phishing emails and malvertising (a malicious tactic that distributes malware through online advertisements) makes you less likely to fall for social engineering ploys, which use psychology to manipulate us into divulging confidential information.
Aligning forces through collaboration should also be a priority in disrupting cybercriminal supply chains. The more we share data and threat intelligence, the more effective and coordinated our responses will be. Continued cybersecurity awareness training as well as AI-powered prevention, detection, and response technologies integrated everywhere—across endpoints, networks, and in the cloud—continue to be fundamental tools in the war on cybercrime.
It’s safe to say that cybercrime isn’t going away any time soon, but as cybercriminals become more sophisticated and creative, so do we, in lockstep. The collaboration and sharing of threat intelligence among enterprises, law enforcement, and government entities helps to shine a light on the bad actors. And when they are taken down, it’s taking them longer to recover. Some affiliates are abandoning their criminal organizations altogether because they too have become targets of law enforcement. So we have seen promising dips in threat activity that validate our efforts, but there is still work to do. We are at a critical inflection point when it comes to combatting cybercrime, and you are going to want to be on the right side of history.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.
Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.