Using the dark web to predict and protect against Ransomware
Ransomware attacks have recently emerged as the prominent cybersecurity threat. While this year’s high profile WannaCry and Petya ransomware attacks grabbed the headlines, the threat has been evolving for decades, albeit with increased speed in the last couple of years. According to one report, 49% of businesses fell victim to some form of cyber-ransom attack in 2016.
What’s more, ransomware is becoming more aggressive and is constantly evolving to exploit the weaknesses in businesses’ infrastructure. Mitigating this risk requires a proactive approach that hunts for the next likely threat before it wreaks enormous damage. And this can be done most effectively by meeting cybercriminals on their own turf: the dark web.
In this post, we will look at how security specialists can use the so-called ‘dark web’ to fight back against the threat posed by ransomware by using it to monitor criminal activity and predict and protect against future attacks.
Our new report, Ransomware: The Prevalent Business Disruptor, offers guidance on how to limit the risks posed by ransomware attacks. We would encourage you to download your free copy today.
What is the dark web?
If we think of the internet as an ocean, the websites that most of us access daily through public search engines amount only to the surface (approx. 4% of the world wide web)—hence why this has been called the ‘surface web’.
By contrast, the deep web refers to the rest of the world wide web which cannot be reached via public search engines and includes government databases, academic information and medical records.
The dark web, meanwhile, refers to areas within the deep web that have been purposefully hidden and can only be accessed through purpose-built browsers, such as Tor, which grant its users anonymity.
Because of its anonymity, the dark web has become a hotbed for black-market activity, such as the buying and selling of narcotics, weapons and indecent images. It is also used by cybercriminals to brag, exchange ideas and sell the “spoils of war”. These “spoils of war” often include credit card details and user accounts that are sold to the highest bidder. The dark web has also become the place to sell advanced exploits that enable a variety of activities:
- Access to specific and already compromised systems
- Lists of software patches that have been compromised
- Pre-packaged ransomware
Access to these dark web pages is rarely granted to the public: membership is vetted and controlled, and access is withheld until a newcomer has proved themselves. For example, a new visitor might need to demonstrate that they have hacked an organisation or sold an illegal item before being granted access to the content on these websites.
But what if you could find out what is being discussed in the dark web without compromising your identity and organisation? You could then use this information to mitigate the security risks posed by future attacks.
Predicting the next attack
The main benefit of taking an approach like this is that it helps predict attacks before they happen – international law enforcement agencies like the FBI and Europol are already doing something similar. Businesses would be one step ahead of cybercriminals, proactively hunting for threats rather than reactively responding to them once it is already too late:
- They would be able to tell what type of exploits are being traded and install the relevant patches to protect against these attacks.
- If, by monitoring dark web ‘chatter’, organisations realised they were perceived as a specific target, they would have advance warning and could take the relevant security measures.
- If an attack had already been instigated, victims could have a clearer understanding of exactly what the attack was and how to fight it off.
The ultimate goal here would be to predict and prevent ‘headline-grabbing’ attacks like WannaCry and Petya. There are several ways to predict major attacks on the dark web:
- Zero in on the nature of the conversations taking place. An attack is highly likely if a new exploit has been found and there are a lot of “buyers” for the exploit.
- Monitor and measure the number of times the same exploit is mentioned in different message boards. For the Petya ransomware, we found that chatter regarding an exploit had increased greatly before it struck.
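As an added illustration (not code from the original post), the routine below implements the second point: it counts mentions of an exploit label per day across message boards and flags a day when the count jumps against the trailing baseline and the same label appears on several boards at once. The posts, board names and the label EXPLOIT-ALPHA are constructed placeholders, not real indicators.

```python
from collections import defaultdict

# Constructed sample of monitored forum posts: (ISO day, board, text).
# Board names and the "EXPLOIT-ALPHA" label are placeholders.
POSTS = [
    ("2017-06-20", "board-a", "anyone tested EXPLOIT-ALPHA yet?"),
    ("2017-06-21", "board-a", "EXPLOIT-ALPHA works, looking for buyers"),
    ("2017-06-22", "board-b", "selling EXPLOIT-ALPHA bundle"),
    ("2017-06-22", "board-a", "EXPLOIT-BETA is old news"),
    ("2017-06-23", "board-a", "EXPLOIT-ALPHA price?"),
    ("2017-06-23", "board-c", "need EXPLOIT-ALPHA asap"),
    ("2017-06-24", "board-b", "EXPLOIT-ALPHA + loader, dm me"),
    ("2017-06-24", "board-d", "EXPLOIT-ALPHA confirmed on unpatched hosts"),
    ("2017-06-24", "board-a", "EXPLOIT-ALPHA thread pinned"),
    ("2017-06-24", "board-c", "bought EXPLOIT-ALPHA"),
]

def daily_mentions(posts, label):
    """Per day: number of posts mentioning `label`, and the distinct boards they appear on."""
    counts = defaultdict(int)
    boards = defaultdict(set)
    for day, board, text in posts:
        if label in text:
            counts[day] += 1
            boards[day].add(board)
    return counts, boards

def chatter_alerts(posts, label, window=3, ratio=2.0, min_boards=3):
    """Flag days whose mention count is at least `ratio` times the average of the
    previous `window` active days (missing days count as zero mentions) and where
    the label is discussed on at least `min_boards` different boards."""
    counts, boards = daily_mentions(posts, label)
    days = sorted(counts)  # ISO strings sort chronologically
    alerts = []
    for i, day in enumerate(days):
        prev = days[max(0, i - window):i]
        baseline = sum(counts[d] for d in prev) / window
        spread = len(boards[day])
        if counts[day] >= ratio * max(baseline, 1.0) and spread >= min_boards:
            alerts.append((day, counts[day], spread))
    return alerts

if __name__ == "__main__":
    for day, n, spread in chatter_alerts(POSTS, "EXPLOIT-ALPHA"):
        print(f"{day}: {n} mentions across {spread} boards")
```

In practice the label would be the exploit or vulnerability name your team is tracking, and the thresholds tuned against the normal level of chatter on the boards you monitor.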
The need for a new approach
The WannaCry and Petya attacks caused large-scale damage, affecting human lives on an unprecedented scale—a critical infrastructure shutdown of Ukraine’s Chernobyl nuclear plant, cancellations of surgery appointments on the UK’s NHS and disruption to speed cameras in Melbourne. Some reports predict that the global cost of ransomware attacks in 2017 will be as high as $5 billion.
Dr. Paulo Shakarian of Arizona State University, who studies the developing threat posed by ransomware, explains:
“Lately the criminal hacking community seems set on finding exploits for vulnerabilities that are exposed to a large number of systems. If they can launch their attack in a timely manner against enterprises who are slow to patch, they can still cause large-scale damage and potentially gain long-term access in these systems.”
While patching is the most effective way to counter these attacks, it is reactive rather than proactive and predictive. Worse still, in some cases, such as legacy systems, patching may not be possible. The good news is that, even if the patches cannot be rolled out in time, there are many other mitigation methods. For example:
- Configuring a WAF to “virtually” patch all devices;
- Creating an IPS signature to block the traffic;
- Placing the monitoring team on high alert for an attack, while paying extra attention to critical systems; and
- Preparing the operations and PR team for an eventual cyberattack.
The value of dark web monitoring against threats like ransomware should not be underestimated. By understanding what the enemy is doing, organisations can be better prepared to defend against attacks and potentially save considerable sums of money and their reputations.
To find out more about protecting your organisation from ransomware attacks, download our whitepaper here.