SINGAPORE: Imagine being in a large, dark house - there are cameras, but you can't see in all the corners.
This is how Mr Eric Nagel, general manager for APAC at cybersecurity firm Cybereason, characterises the way the company hunted down a ransomware attack in a high-end Asian manufacturing company.
In a ransomware attack, hackers - or threat actors - use malicious software to encrypt files on a device, then demand a ransom, typically in cryptocurrency, for the key that reverses the encryption.
The first signs of suspicion in this attack came from some abnormal communication between machines. Aware that something was wrong, but not knowing why, the company reached out for help.
Working like snipers, Cybereason threat hunters searched for the ransomware, while sales engineers and technical consultants mapped the enterprise's environment, pinning down its servers, workstations, laptops and operating systems.
Then they deployed an endpoint detection and response tool, also known as EDR.
The EDR tool works "a little bit like putting on all the lights and shining a spotlight everywhere in your house. So if something's hidden in the corner, you'll find it," said Mr Nagel.
Within a few days, an image of the attack had started to form.
The team discovered that the manufacturing company had been compromised over a number of months; most such intrusions last about six. The hackers had moved laterally within the organisation and escalated their privileges to gain more access within the network.
Although the ransomware stage of the attack had only just begun, some of the company's assets had already been hit: some files and computers were already encrypted.
“In this particular case, it was more targeted and the company was never at systemic risk, but they were able to bring in services and technology quickly to mitigate, before it gets out of hand.”
Taking swift action to isolate the infected assets, the team was able to prevent the company from having to pay the ransom.
WHAT IS RANSOMWARE?
The attack on the manufacturing company is part of an increasing trend of ransomware incidents occurring globally.
This year, there have been some high-profile ransomware hacks. In July, an attack on US IT company Kaseya affected up to 1,500 businesses in 17 countries and paralysed hundreds of Swedish supermarkets. The perpetrators demanded US$70 million in bitcoin.
Two months before, a ransomware attack on Colonial Pipeline, a US energy company, forced it to temporarily halt all its operations on a major pipeline that delivers nearly half of all fuel consumed on the US’s east coast.
Singapore has not been spared from similar high-profile attacks. In February, a ransomware group stole the personal data of about 129,000 Singtel customers after breaching a third-party file-sharing system.
The hackers stole information including names, addresses, phone numbers, identification numbers and dates of birth, as well as the bank account details of 28 former Singtel employees.
Earlier this month, the Cyber Security Agency of Singapore (CSA) released its annual report on Singapore’s cyber landscape. There were 89 ransomware cases reported in 2020, a 154 per cent rise from the 35 cases reported in the previous year.
“Based on the reported ransomware cases, these local incidents were likely related to, and a consequence of, the global ransomware outbreak,” wrote CSA in its report.
“The pervasiveness of ransomware was never more pronounced than in 2020, as ransomware cartels innovated their tactics at an accelerating pace to ride on the pandemic wave.”
According to the report, global ransomware incidents increased 715 per cent year-on-year in the first half of 2020. By the third quarter of the year, there was a 50 per cent increase in the daily average of ransomware attacks compared to the first half of the year.
Average ransom payments also increased, as criminals targeted larger enterprises.
On its website, CSA noted that ransomware commonly spreads through phishing emails with malicious links or attachments. When victims click on those links or attachments, they will download ransomware from an external server.
Other infection routes include malicious online advertisements, exploiting exposed remote-access connections such as remote desktop, unpatched Virtual Private Network (VPN) appliances and spam campaigns.
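As an added illustration (not code from the article, from CSA or from any of the firms quoted), the Python script below turns the two delivery patterns just described into mail-gateway checks. It parses a raw message, flags attachments that execute or carry macros or that hide a real extension behind a document-looking name, and flags links whose visible text shows a different host from the real target or whose target is a bare IP address, the "external server" the payload is fetched from. The sample message, the sender and host names and the extension lists are constructed for this example.

```python
"""Triage a raw e-mail for the phishing patterns described above: attachments
that carry a payload and links that fetch one from an external server.
Added example, not code from the article, CSA or any vendor quoted; the sample
message below is constructed and the extension lists are this example's choice."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Attachment types that execute or carry macros when opened (example policy).
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "iso", "img"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}
ARCHIVE_EXTS = {"zip", "7z", "rar"}  # commonly used to wrap the above
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

# Constructed sample: a lure with a mismatched link and two risky attachments.
SAMPLE_EML = """\
From: "Accounts" <accounts@supplier-invoices.example>
To: finance@victim.example
Subject: Overdue invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the invoice at
<a href="http://198.51.100.23/inv/4471.zip">https://portal.victim.example/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="summary.docm"
Content-Disposition: attachment; filename="summary.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_attachment(filename):
    """Return the reasons this attachment is suspicious (empty list if none)."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled document")
    if ext in ARCHIVE_EXTS:
        reasons.append("archive attachment (inspect contents)")
    # "invoice.pdf.exe": a document-looking name in front of the real extension.
    if len(parts) > 2 and parts[-2] in DOC_LIKE:
        reasons.append("double extension")
    return reasons


def check_link(href, text):
    """Flag links whose visible text claims a different host than the target,
    or whose target is a raw IP address rather than a named server."""
    reasons = []
    target = urlparse(href)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target.hostname or ""):
        reasons.append("link target is a raw IP address")
    shown = urlparse(text.strip())
    if shown.hostname and shown.hostname != target.hostname:
        reasons.append(f"displayed host {shown.hostname} differs from target {target.hostname}")
    return reasons


def triage(raw):
    """Parse a raw message and return {item: [reasons]} for every risky item."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            reasons = check_attachment(filename)
            if reasons:
                findings[filename] = reasons
        elif part.get_content_type() == "text/html":
            for href, text in HREF_RE.findall(part.get_content()):
                reasons = check_link(href, re.sub(r"<[^>]+>", "", text))
                if reasons:
                    findings[href] = reasons
    return findings


if __name__ == "__main__":
    for item, why in triage(SAMPLE_EML).items():
        print(f"{item}: {'; '.join(why)}")
```

The link check deliberately compares the host the user sees with the host the browser will contact; the attachment check looks at the full filename rather than the declared MIME type, because the sender controls both and the filename is what the victim double-clicks.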
“Ransomware attacks are disruptive to business operations as employees are unable to access the infected files,” said CSA. “It is difficult to recover infected files as each type of ransomware requires a unique decryptor, which may not be available for newer ransomware variants.”
Sensitive and proprietary information could be lost if the data was not backed up.
To pressure victims to pay the ransom, threat actors may also threaten to publish the data online.
EVOLUTION OF RANSOMWARE TACTICS
A key trend in ransomware is the increasing sophistication of threat actors and their tactics.
Previously, ransomware groups only encrypted data. They would provide a key to decrypt the locked data after victims paid the ransom, said Mr Yeo Siang Tiong, general manager for Southeast Asia at cybersecurity firm Kaspersky.
Since two years ago, Kaspersky has observed organised crime groups getting involved and carrying out more targeted attacks.
“What they do is they use ransomware as a tool,” said Mr Yeo. “They go in, they lock up, and before they lock it up, they exfiltrate data, they pull the data out.”
Then these groups start to extort.
“Previously it was … you don’t pay, okay you lose the file, you have to reconstruct (the data) from your backup. But now, they will release it to the web,” said Mr Yeo.
Citing the prolific ransomware group Maze, which shut down in 2020, Mr Yeo noted that it ran a website where it would gradually release more of a victim's data until the victim gave in.
“That is the worrisome thing,” said Mr Yeo. “(It) is not just ransomware alone, it’s also the data exfiltration and the extortion.”
There is also the tactic of double extortion. This is when criminals both encrypt and steal data and demand ransoms twice - once for decrypting the data and again to stop the group from publishing it online, explained Steven Ng, chief information officer and executive vice president at cybersecurity firm Ensign InfoSecurity.
Another trend that Ensign InfoSecurity has seen is the rise of ransomware as a sophisticated, complex operation with various players involved. Ransomware operators partner with affiliates: some research the victim's environment and its financial ability to pay, others develop the ransomware, and others work only on breaking into the network.
Said Mr Ng: “We are really looking at the growth of ransomware business as an organised crime business, and that has taken off significantly over the past few years, and particularly accelerated during our COVID-19 lockdown period.”
SINGAPORE AS A POTENTIAL TARGET
According to cybersecurity experts, Singapore is already an attractive target for ransomware groups.
Being a “highly digitalised society” with “very high” internet penetration, Singapore can expect a lot of ransomware attacks, said Mr Ng.
More digitalisation means that the “attack surfaces are always expanding to an attacker”, he added. As such, organisations need to pay attention to cybersecurity measures to protect themselves.
Singapore is also the Asia-Pacific headquarters for many companies, with “a concentration of data, a concentration of people”, said Mr Yeo. This makes the country a “sweet target” for ransomware groups.
In Mr Nagel’s assessment, Singapore is “vulnerable” to ransomware attacks. “Really, the only way to solve this is higher adoption of technology which exists today. If that takes place, then I think you reduce the risk, but we don’t see a high enough adoption rate yet.”
He found that many companies in Singapore, like in other countries, still use traditional antivirus technologies from Symantec and McAfee, “still protecting against the risks of old”.
According to Mr Yeo, favourite targets are banks and telecommunication companies. Although service providers - such as those who provide hosting or outsourcing services - are commonly overlooked, they are prime targets as well.
This is what happened in the SolarWinds hack last year. Hackers gained access to US government and corporate networks by compromising SolarWinds' systems and shipping a backdoor inside updates to its Orion IT management software. The company's clients include US government agencies and large companies such as Microsoft, FireEye and Cisco Systems.
With more adoption of technology and digital services, technology service providers become targets as they are able to “aggregate access” to many other enterprises, said Mr Ng.
Attackers hunt for manufacturing companies as well. These companies are "very strained" by COVID-19-induced supply chain disruptions, and with "a lot of emphasis on maintaining continuity in the way of life", ransomware attackers saw them as a "fantastic opportunity", said Mr Ng.
“Because these entities will be keen to resume operations quickly and they will therefore be more willing to pay,” he added.
According to CSA’s report, small- and medium-enterprises (SMEs) comprised the majority of ransomware cases, even though ransomware operators were also looking for larger victims in the manufacturing, retail and healthcare sectors.
SMEs fall prey to ransomware more often as IT is probably not top of their concern, said Mr Yeo, adding that they might also feel that they are too small to be targeted.
But this is not true, he said. SMEs usually become victims to “spray and pray” tactics, where attackers send out as many spam messages, malicious emails or fake advertisements as possible to get users to download the ransomware.
“We always say that 90 per cent of the attacks are the run-of-the-mill attacks that tools can solve. So simple tools - antivirus tools, EDR tools, malware tools - as long as you install something, you put a perimeter, 90 per cent of the time, you won’t get it,” he said.
SINGAPORE’S CRITICAL INFRASTRUCTURE
Companies are not the only organisations in hackers’ crosshairs. Globally, attackers have disrupted critical infrastructure and their actions have put lives at risk.
Last year, a ransomware attack caused IT systems at a German hospital to fail. A patient requiring urgent care had to be taken to another city, which delayed her treatment and led to her death.
In this month’s Singapore Parliament sitting, Communications and Information Minister Josephine Teo noted that ransomware attacks are no longer contained in the digital domain.
“They now spill over into the physical realm, with real-world consequences. We have seen this globally, with the recent uptick in international ransomware attacks.”
She cited the Colonial Pipeline incident, adding that the company’s week-long shutdown affected the supply of fuel to about 50 million customers. She also pointed to ransomware attacks on healthcare services in Ireland and New Zealand in May that caused a shutdown of the affected IT systems. As patient records became inaccessible, surgeries had to be postponed and outpatient services suspended.
“These events are stark reminders that we must all remain vigilant against ransomware attacks. This includes not just public agencies delivering essential services but private organisations as well, so long as they depend on IT systems for any part of their core business,” the minister said.
In response to CNA’s queries about attacks on critical infrastructure, CSA said that to date there has been no indication to suggest that Singapore has been targeted by any ransomware group.
“However, we are not letting our guard down,” its spokesperson said.
To date, Singapore has also not experienced any ransomware attacks of a massive and systemic nature, or any which have impacted its Critical Information Infrastructure (CII) operators.
In the Cybersecurity Act, CII is defined as a computer or computer system located wholly or partly in Singapore that is necessary for the continuous delivery of an essential service, where the loss or compromise of the computer or computer system would have a "debilitating effect" on the availability of that essential service in Singapore.
The critical sectors are energy, water, banking and finance, healthcare, transport, government, infocomm, media, and security and emergency services.
With the rise in global ransomware incidents, CSA said that it has taken “proactive steps” to safeguard the country’s CII and directed these sectors to “raise their cybersecurity posture” and implement the necessary measures to mitigate against ransomware threats.
The necessary measures include detecting anomalous activity swiftly, backing up data regularly and keeping the backups offline, and practising incident response and business continuity plans in case of a ransomware attack.
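The "abnormal communication between machines" that first exposed the intrusion in the manufacturing case, the lateral movement that followed, and the swift detection of anomalous activity that CSA asks CII operators for can all be approached the same way: learn what machine-to-machine traffic is normal, then alert on deviations. The Python below is an added example, not Cybereason's, CSA's or any vendor's code. The flow records, the subnet roles (servers in 10.1.10.0/24, user workstations in 10.1.20.0/24) and the fan-out threshold are constructed assumptions for illustration.

```python
"""Flag abnormal machine-to-machine traffic of the kind that exposes ransomware
operators moving laterally: workstations opening admin protocols to other
workstations, admin connections never seen in a known-good baseline, and one
host fanning out to many peers. Added example, not Cybereason's or CSA's code;
the log lines, subnet roles and threshold are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Roles assumed for this example.
SERVER_NET = ip_network("10.1.10.0/24")
WORKSTATION_NET = ip_network("10.1.20.0/24")
# Ports used for remote administration, and therefore for lateral movement.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 135: "RPC", 22: "SSH"}
FAN_OUT_THRESHOLD = 5  # distinct admin-port peers per source before we call it scanning

# Constructed flow records: timestamp src dst dport. Known-good period first.
BASELINE_LOG = """\
2021-06-01T09:00:01Z 10.1.20.15 10.1.10.5 445
2021-06-01T09:00:05Z 10.1.20.16 10.1.10.5 445
2021-06-01T09:01:10Z 10.1.20.15 10.1.10.8 443
2021-06-01T10:15:00Z 10.1.10.2 10.1.20.15 3389
"""
# Later period: 10.1.20.15 sweeps its neighbours, then 10.1.20.33 starts touching servers.
SUSPECT_LOG = """\
2021-07-12T02:14:07Z 10.1.20.15 10.1.10.5 445
2021-07-12T02:14:09Z 10.1.20.15 10.1.20.33 445
2021-07-12T02:14:10Z 10.1.20.15 10.1.20.34 445
2021-07-12T02:14:11Z 10.1.20.15 10.1.20.35 445
2021-07-12T02:14:12Z 10.1.20.15 10.1.20.36 3389
2021-07-12T02:14:13Z 10.1.20.15 10.1.20.37 5985
2021-07-12T02:16:40Z 10.1.20.33 10.1.10.5 445
2021-07-12T03:02:00Z 10.1.20.33 10.1.10.9 445
"""


def parse(log):
    """Yield (timestamp, src, dst, dport) from the constructed record format."""
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        yield ts, ip_address(src), ip_address(dst), int(dport)


def build_baseline(log):
    """Set of (src, dst, dport) triples observed during a known-good period."""
    return {(src, dst, dport) for _, src, dst, dport in parse(log)}


def detect(log, baseline):
    """Return a list of (timestamp, rule, detail) alerts for a log window."""
    alerts = []
    peers = defaultdict(set)   # source -> distinct hosts it reached on admin ports
    reported = set()           # new pairs already alerted on, to avoid repeats
    for ts, src, dst, dport in parse(log):
        if dport not in ADMIN_PORTS:
            continue
        svc = ADMIN_PORTS[dport]
        key = (src, dst, dport)
        # Rule 1: workstation-to-workstation admin traffic. Users' machines have
        # no business opening SMB/RDP/WinRM to each other; admin hosts do.
        if src in WORKSTATION_NET and dst in WORKSTATION_NET:
            alerts.append((ts, "ws-to-ws-admin", f"{src} -> {dst} {svc}"))
        # Rule 2: an admin connection never seen in the baseline. A weak signal
        # on its own, but it is how a newly compromised host first shows up.
        elif key not in baseline and key not in reported:
            reported.add(key)
            alerts.append((ts, "new-admin-pair", f"{src} -> {dst} {svc}"))
        # Rule 3: fan-out. One source reaching many distinct hosts on admin ports
        # in the window looks like discovery or mass deployment, not normal use.
        peers[src].add(dst)
        if len(peers[src]) == FAN_OUT_THRESHOLD:
            alerts.append((ts, "fan-out", f"{src} reached {FAN_OUT_THRESHOLD} hosts on admin ports"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SUSPECT_LOG, build_baseline(BASELINE_LOG)):
        print(ts, rule, detail)
```

Run against its own baseline period the detector stays silent; against the later window it raises five workstation-to-workstation alerts, one fan-out alert and two new-pair alerts for the second host. Real deployments would feed this from firewall or flow logs and tune the subnet roles and threshold to the environment, but the structure (baseline, role-based rule, fan-out counter) is the same.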
“These are on top of existing cyber resilience measures mandated for the CII sectors under the Cybersecurity Act,” said the spokesperson.
Cybereason’s Mr Nagel thinks that Singapore is “not very far away” from a high-profile attack on its systems.
According to him, Singapore’s EDR deployment is about 40 per cent, similar to the rest of the world.
“So the fact that most companies have still not deployed the newer breed of cyber solutions creates an opportunity for companies to get hit by ransomware or some other form of attack.”
He used the 2018 SingHealth personal data breach as an example of a cyberattack. About 1.5 million SingHealth patients' records were accessed and copied, and 160,000 of those patients had their outpatient dispensed medicines' records taken.
The data taken included names, NRIC numbers, addresses, gender, race and dates of birth.
He also cited Singtel’s data breach.
While he found that CSA has done a “very good job” at improving awareness, having discussions with the public and private sector as well as driving the cybersecurity agenda, organisations still need to adopt EDR solutions.
“I think there’s still work to be done in the adoption, and that will minimise the risk to critical infrastructure and big enterprise in Singapore,” he said.
High-profile and systemic attacks are unavoidable, said Mr Yeo, adding that it is only a matter of “when and how”.
“It’s not whether you get attacked. It’s how you defend, how you minimise if you get it,” he said.
SINGAPORE’S CYBERSECURITY POSTURE
Singapore is “one mark above” other countries, said Mr Yeo. “But that doesn’t mean that we should let our guards down.”
Regulatory pressure in Singapore is “well ahead”, he said, with CSA defining the country’s critical industry and who is supposed to regulate the industry, with regulations including data protection.
Singapore is also ahead in awareness, the take-up of technology and cyber skills. As a regional hub for many data centres and Asia-Pacific offices, there is a "concentration of IT sophistication here", including cybersecurity sophistication, said Mr Yeo.
What companies need to do better, however, is taking responsibility. According to Mr Yeo’s observations, companies will outsource services such as finance or human resources and then neglect cybersecurity in those areas.
“It is important that they understand that they don’t outsource the security,” he said. Companies should either do an audit of the service provider or buy the add-on security package if the service provider offers one.
In addition, individuals are not taking the necessary steps to secure their own home networks, especially with Singapore’s current work-from-home arrangements.
Singapore must continue to increase its vigilance and awareness about evolving threats, said Mr Ng, as attackers will continue to look for new vulnerabilities and exploit people’s weaknesses.
“When you can do so, you can help yourself to reduce your exposure to cyberattacks and being able to do so, you can discover your footprint, identify potential data compromises … potential vulnerabilities.
“It can help you to reduce your own risks, whether your own organisation, or third-party, or supply chain, before attackers can do so,” he said.
FOR COMPANIES HIT BY RANSOMWARE
In June, Cybereason released research findings that showed that more than 50 per cent of organisations globally have been victims of a ransomware attack.
Of the 100 companies surveyed in Singapore, Cybereason found that 90 per cent of businesses that chose to pay a ransom suffered a second ransomware attack, often at the hands of the same threat group.
So what should companies do, when falling victim to a ransomware attack? Kaspersky’s Mr Yeo has a simple word of advice: “Ask for help.”
“A lot of companies, they think they can solve it - they can’t. When they are hit by ransomware, it goes to show not just a ransomware problem. It goes to show that actually, the defence is a problem. That’s how they can get hit,” he said.
He added that even if companies solve the current problem, they have to do a “proper cleaning” and beef up their defences or they will get hit again.
HOW WORRIED SHOULD WE BE?
On whether Singapore should be worried about ransomware hacks, Mr Nagel said: “I think companies generally (are) not prepared enough.”
He added that companies should have contingency plans in case they get hit by ransomware and have a solution planned.
“The reality is a lot of companies still don’t have that, and then you can’t make those plans once you’re under attack. Because if it’s a systemic ransomware attack, you don’t even have access to your systems anymore, so you can’t even send emails to each other,” he said.
“Ransomware is a symptom. If you have the ransomware, it’s because you’ve already been hacked, and you’ve been hacked for a period of time. And if it’s systemically important to the organisation, as in putting them out of business or stopping the way they operate, then it’s already too late.”
Emphasising that hackers have moved from targeting SMEs to larger enterprises and critical infrastructure, he said: “The more pain you can inflict, the higher the likelihood is that someone will pay just to solve the issue immediately … So I think people should be worried, yeah.”