Page 97 - Cyber Defense eMagazine August 2023

The Business of Cybercrime

When you think about cybercrime, you really should think of it like you would any other business. CL0P is best known as a “ransomware-as-a-service” provider, helping other threat actors create and deploy their own ransomware campaigns. The end goal is almost always money, and in MOVEit’s case, CL0P sought an undisclosed amount of money to prevent the distribution of the victim organization’s private data. And like any growing business, CL0P has diversified its offerings to include complementary capabilities such as access to a dedicated botnet as well as direct access to compromised networks as a means to mint future victims (and revenue).

Every action a threat actor like CL0P carries out is intentional, including widely publicizing and threatening the potential disclosure of the sensitive information it now controls through its ransomware capability. The group’s intention is to create additional urgency in the hopes of forcing the affected company to act quickly or suffer further embarrassment or even operational impact as more details are released.

Mitigating Ransomware Attacks

It’s no easy feat to protect a supply chain against determined threat actors who own a growing toolbox of potential weapons, including ransomware. These threat actors may even work harder than vendors to identify and leverage zero-day vulnerabilities, because your data is their payday. In a sense, companies need to take a cue from groups like CL0P and understand how these cybercrime enterprises operate.

Since most attackers rely heavily on their own supply chains, one of the best defenses is to seek, understand, and document potential bottlenecks in these adversarial supply chains; this information represents low-hanging fruit where you (or the managed security provider who protects you) can get the biggest bang for the buck. For example, how does a typical ransomware attack arrive in a victim’s environment? How does an infected laptop communicate back to the threat actor with its status? How does a threat actor ultimately monetize its efforts? These are all questions that may be addressed with skill sets on your extended team, such as threat intelligence and incident response, and technology solutions such as network-based threat detection and response. To disrupt this chain, one needs to home in on the adversary’s business model and use it against them, much as we see in the martial art of jiu-jitsu.

Unfortunately, for many companies the approach after a ransomware attack is to focus on the primary vulnerability, remedy it, and then go back to business as usual. In the case of MOVEit, additional, previously unannounced vulnerabilities were still being announced more than six weeks after the first vulnerability’s public announcement. It’s critical that affected companies remain proactive; where there is one vulnerability, there are frequently others.

While companies should move forward with improved security measures to enhance the documentation, monitoring and protection of their own supply chains, enlisting external help is almost always a suitable option. Not only can these externally based defenders help respond to or even prevent ransomware attacks, they may also be explicitly involved in the takedown of threat actors. In January 2023, the U.S. Department of Justice announced it had disrupted the actions of the ransomware-as-a-service group Hive, which had targeted more than 1,500 victims. The disruption indicates that these groups aren’t

            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.