People are masquerading as hackers in order to ransom companies. Here's how to spot a phoney from the genuine article (and what to do next).
What do Armada Collective, DD4BC and Lizard Squad have in common? I’ll give you a clue: extortion. They are all hacking groups that have earned worldwide notoriety by backing ransom demands with DDoS attacks, and by making millions doing it.
Their method is simple. They send a ransom note explaining that the small attack they have already launched against your network will stop if you hand over a sum of money in bitcoin. Helpfully, they also explain how to set up a bitcoin wallet if you have never come across the currency before.
Because these groups are famous for their attacks, people take the threat seriously and pay the ransom. That is usually when the trouble starts: rather than cease, the attack intensifies, and the impact is usually devastating.
As you can imagine, the efforts of these organised groups have got them into hot water and arrests have been made. Thankfully, that effectively shut down groups like Lizard Squad at the end of last year.
That was a significant moment in hacking history. It marked a watershed in the spread of ransom attacks, and the global landscape for them quietened down considerably.
That was until the first week of May, when our Emergency Response Team detected a spate of ransom letters being sent. They claimed to be from Armada Collective, and the emails had all the hallmarks of the real thing.
But something fishy was going on: when security specialists publicly called the letters out, the senders switched tack and started signing them as Lizard Squad. There were other warning signs too.
First, the deadline set in the letters passed without any attack taking place. When a second wave of letters was sent to different targets, the suspicion that something odd was going on was confirmed.
There were subtle differences in the way the notes were written compared with ones we had seen before, which allowed our team to conclude the letters were fake. To the untrained eye you wouldn’t know. But once the differences are pointed out, and you see how the overall approach differs, it’s obvious.
Before we go through the subtleties, let’s first deal with why anyone would go to the trouble of sending a fake note. Very simply, it’s about naivety and greed. These unscrupulous pretenders have no intention of running a cyber attack on your network.
In fact, they aren’t even running a small demonstration attack in the background. Instead they are playing on fear, hoping that you will Google Lizard Squad, jump to conclusions and buy bitcoins.
Let’s face it, media interest in ransom attacks has been high and there has been plenty of coverage. When you consider that around one in three companies has experienced a ransom attack, it’s easy to see why a quick search online would lead many businesses to think the note was genuine.
I worry, though, that companies receiving these fake notes, most likely for the first time, will pay up. As a result, they will be drawn into a false sense of security: if we pay, we survive.
Of course, the reality is that it’s only a matter of time before a new, genuine organised crime hacking group forms. And when it does, it will mean business. Thinking you will be able to pay your way out of it because it worked before is a recipe for disaster.
What should you do, then? There are some golden rules for managing an attack and, from what we’ve seen of the bogus attacks, some indicators that will help you spot a fake.
Starting with the fake, then. There are five signs to remember:
1. Money. Fake hackers ask for different amounts of money. Armada Collective normally demands 20 bitcoin. Ransom letters demanding a low amount of bitcoin are most likely from fake groups hoping the price is low enough that you will pay rather than seek professional help.
2. Prowess. Real hackers prove their competence by running a small demonstration attack alongside the ransom note. If you can see a corresponding change in your network traffic around the time the note arrives, it’s probably genuine. If your monitoring shows nothing unusual, treat that as a point against the note being real.
3. Disorganisation. The fake hackers don’t link you to a website because they don’t have one. Nor do they have official email accounts, another sign they are not organised.
4. Haphazard approach. Real hackers tend to attack many companies in a single sector; fake hackers target anyone and everyone. When a genuine campaign is under way you will tend to see other companies in your sector reporting on social media that they are being hit too.
5. Spot the difference. There are subtle differences between a real and a fake ransom note, as can be seen in the image here. Grammar and quality of English aside, you can spot a fake once you have dealt with a lot of genuine notes. It takes practice, so if in doubt send it to a specialist to review.
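The five signs above are the kind of checklist an incident response team ends up scripting so that the first person to open a suspicious email gets a consistent triage result. The Python below is an added example written for this article, not code from the original page or from any response team it mentions. It implements four of the five signs as automated indicators: the bitcoin amount is extracted and compared with the typical 20 BTC demand, the presence of a website link is checked, the sender domain is checked against a small assumed list of throwaway webmail providers, and the note is compared against a previously verified reference note with a text-similarity ratio. Sign two is covered by a robust traffic check (median plus scaled median absolute deviation) over request counts from your monitoring. Sign four, whether peers in your sector are being hit, needs external reports and is left to the analyst. The reference note, the sample fake note, the webmail list and the traffic counts are all constructed for illustration; none of them is a real ransom note or real telemetry.

```python
"""Triage heuristics for a DDoS-ransom extortion email.

Added example written for this article, not code from the original page.
The reference note, sample note, webmail list and traffic counts below are
constructed for illustration only.
"""
import re
import statistics
from difflib import SequenceMatcher

# Constructed stand-in for a note your team has previously verified as genuine.
REFERENCE_NOTE = """
We are a well known group. Pay 20 Bitcoins to the address below before the
deadline or your whole network will be attacked. A short test attack is running
on your site right now so you know we are serious. Proof and instructions:
https://example.invalid/proof
"""

# Constructed sample of the kind of note the article describes as fake.
SAMPLE_FAKE_NOTE = """
You know who we are. Send 1 BTC to our wallet within 48 hours or we take your
site offline for good. Do not reply, just pay.
"""

# Constructed per-minute request counts from a quiet period (baseline).
BASELINE_COUNTS = [1000, 1100, 950, 1050, 1000, 980, 1020]

# Assumed list of throwaway webmail domains; extend to taste.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.onion\b", re.IGNORECASE)


def _normalize(text):
    """Lower-case and collapse whitespace so layout differences are ignored."""
    return " ".join(text.lower().split())


def extract_btc_amount(note):
    """Return the first bitcoin amount demanded in the note, or None."""
    m = BTC_RE.search(note)
    return float(m.group(1)) if m else None


def note_similarity(note, reference=REFERENCE_NOTE):
    """Similarity ratio (0..1) between the note and the verified reference."""
    return SequenceMatcher(None, _normalize(reference), _normalize(note),
                           autojunk=False).ratio()


def traffic_anomalous(baseline, current, k=3.0):
    """True if `current` exceeds median + k * scaled MAD of `baseline`,
    i.e. a demonstration attack appears to be under way."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline) or 1.0  # flat baseline guard
    return current > med + k * 1.4826 * mad  # 1.4826 scales MAD to a std-dev estimate


def triage(note, sender, typical_btc=20.0, similarity_floor=0.6, traffic=None):
    """Return the fake-note indicators present. `traffic` is an optional
    (baseline_counts, current_count) pair from your monitoring."""
    indicators = []
    amount = extract_btc_amount(note)
    if amount is None or amount < typical_btc:                   # 1. Money
        indicators.append("low_or_missing_amount")
    if traffic is not None and not traffic_anomalous(*traffic):  # 2. Prowess
        indicators.append("no_demo_attack")
    if not URL_RE.search(note):                                  # 3. Disorganisation
        indicators.append("no_website")
    if sender.rpartition("@")[2].lower() in WEBMAIL_DOMAINS:     # 3. Disorganisation
        indicators.append("webmail_sender")
    # 4. Haphazard approach needs peer reports; left to the analyst.
    if note_similarity(note) < similarity_floor:                 # 5. Spot the difference
        indicators.append("text_diverges_from_reference")
    return indicators


if __name__ == "__main__":
    print("reference note:", triage(REFERENCE_NOTE, "ops@example.org"))
    print("sample fake   :", triage(SAMPLE_FAKE_NOTE, "pay.me@gmail.com",
                                    traffic=(BASELINE_COUNTS, 1050)))
```

Whatever the script returns, the article's advice still applies: the indicator list is there to speed up the hand-off to a specialist, not to replace it, and a note that trips no indicators is still a note to escalate rather than pay.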
Now on to how to deal with an attack. There are three things to remember:
1. Check before you act. Bottom line: whether you think it is real or not, seek expert advice on how to safeguard your network before you do anything. If you engage with the hackers, whether by replying or by paying, you mark yourself as a target that responds, and you can open up an attack you could never have planned for.
2. Get clued up. There’s lots written about getting your people clued up and, dare I say it, it tends to be a once-a-year tick-box exercise. Make sure it isn’t. Right now you should be telling employees to check their spam folders regularly so that genuine ransom notes are not missed.
Many companies have unwittingly ignored genuine threats simply because they never saw the email. As a result the attack steadily ratcheted up until it reached the point of no return.
3. Employ an ex-hacker. This will be controversial for many companies, but some are seriously considering it: employ an ex-hacker who can help you spot the trends. If you are uneasy about the risk, work with a partner who employs the skills of ex-hackers.
They can spot attacks a mile off; they monitor the web in a way you can’t quite believe and, as a result, know which attacks will turn into a global concern.
When you know the rules and the traits, planning for attacks and managing them becomes easier. That’s not to say it’s an easy task; it isn’t. But the way ahead is clearer and the strategy can be more focused and effective. Ultimately you can protect your customer and confidential data, your employees and your brand more successfully.