The total number of cases of ransomware has dropped since the peak of the global WannaCry outbreak in 2017, but the attacks are becoming more serious. The 2020 Threat Report released by Sophos mentioned that “ransomware attackers will continue to raise the stakes with automated, active attacks that turn organisations’ trusted management tools against them, evade security controls and disable backups to cause maximum impact in the shortest possible time.”
In Malaysia, ransomware is targeting businesses too, with over 30 cases already reported to CyberSecurity Malaysia’s Cyber999 Help Centre as of September this year, with many more cases remaining unreported, we’re sure. To get a better view of the ransomware threat landscape in Malaysia and how ransomware and other cyber threats are evolving, CSA landed an interview with Sophos Malaysia Country Manager, Wong Joon Hoong.
Right off the bat, Wong talked about the worrying trend of how cybercriminals are increasingly using new variants of ransomware to avoid detection.
“According to SophosLabs, every day we’re receiving over 400,000 unique, new “disposable” malware. So advanced detection has become important unlike in the olden days where they kept recycling some of the older threat technologies which were easily being picked up [by cybersecurity software],” he shared.
One of the factors that make today’s ransomware threats harder to detect is that cybercriminals are engaging into a lot of commercial and non-commercial “runtime packers”. Runtime packers are tools that can be used to compress, encrypt or modify the format of a malicious file, thereby decreasing the chance of detection. Wong explained that “non-commercial” runtime packers are those that are customised by the cybercriminals themselves to make the malware non-intrusive and easily replicated – all of which can be engaged by a remote access tool, awaiting execution.
Wong said this technique is used for two reasons, in order to bypass security software detection and to move laterally and get to as many devices and machines as possible and lie in wait for as long as possible before unleashing the full impact of the infection at the right moment. Staying dormant for a longer period of time would allow a ransomware variant, for instance, to be replicated into multiple generations of backup copies, which will ultimately hinder any restoration efforts by the affected organisation.
“The ransomware behaviour is getting trickier,” said Wong. He mentioned that there is now a rise in something called the “active adversary” type of threats, whereby a threat actor could instigate a number of different techniques and take advantage of different vectors and exploits in a single attack campaign to target multiple elements of an organisation’s infrastructure and applications.
There has also been a significant increase in the use of advanced exploit techniques, which Wong said has been quite under-discussed by many IT vendors. The thing about exploits is that they can be used to just bypass your security protections in order to run malicious code. The good news is that while there are thousands of vulnerabilities being discovered each day, there’s only a small number of ways in which cybercriminals can exploit those vulnerabilities – Wong said the number now stands at 26.
Preventing this smaller number of exploit techniques is not only much quicker than parsing through thousands of malware variants, but it also means that defenders are able to effectively stop attacks right in their tracks before they could cause any damage.
Phishing, carried out via email, is one of the most common ways that people are being infected with ransomware. “Recently we’re seeing more innovative ways of doing phishing, bundled with ransomware,” commented Wong, adding that the use of such human social engineering techniques is on the rise as they are more effective at getting people to download malicious files and giving out sensitive information, such as passwords or credentials.
In addition, he said cybercriminals are also using stolen certificates to bypass anti-malware protection and Ransomware-as-a-Service (which allows almost anyone – even those who are less technically-savvy to carry out ransomware attacks) is also becoming more popular.
According to a recent Sophos APJ-wide research, other than phishing and malware, one of the major threats facing organisations in the region is the upsurge of AI-based malware attacks – which involves a combination of human inventiveness with machine efficiency to devastating effect.
Note: Here at CSA, we have explored the possible ways that AI could be used by threat actors, with opinions from various experts in the cybersecurity arena. If you are interested to find out more, read our series on Nefarious AI and AI Based Cyber Attacks: Should We Be Afraid?
In terms of the preparedness of Malaysian organisations in dealing with the latest cyber threats, Wong shared some eye-opening stats from a recent Sophos survey:
32% of Malaysian organisations have experienced a breach in the past 12 months.
10% of Malaysian firms have no maturity in their cybersecurity approach (meaning everything is untested and done ad-hoc).
Half of the Malaysian respondents don’t think their cybersecurity team has proper investigation plans for data breaches.
72% struggle on recruiting skilled talent in this space.
60% have insufficient budget for cybersecurity.
83% observed that staying up to date with the latest cybersecurity technologies and constantly evolving threats was challenging.
In his view, what organisations need to overcome these challenges and stay ahead of the threat is a simple, coordinated defence system. He gave the example of Sophos’ own technology called Synchronised Security, which includes common elements required by today’s organisations, such as endpoint and mobile protection, email security, firewall, access control, network, encryption, that can coordinate among themselves, share information in real time and respond automatically to cyber incidents.
The overarching idea he put forward was that although keeping out these threats is a complicated process that takes into account many layers of security considerations, methods and technologies, from the point of view of the user, it has to be operationally simple, automated and can be managed from a single pane of glass.
“My advice to Malaysian companies, in view of all the challenges, is to keep it easy, keep the deployments synchronised and make sure that they have a depth of defence, although the technology looks simple,” Wong added.
In terms of skilled cybersecurity talent, though, he said this was a global issue. One way around it is by outsourcing their cybersecurity, SOC, remediation and threat hunting needs to a security provider. Fulfilling this growing demand was among the main reasons that Sophos acquired DarkBytes and Rook Security earlier this year.
Last but not least, Wong said Malaysian companies should always take steps to ensure cybersecurity hygiene. “Keep a full inventory of your whole environment, use genuine software, keep patches up to date and use multi-factor authentication.” He highly recommends that they leverage the right technology to bring down the cost of keeping their data secure and simplify the whole design of the security infrastructure.