The alarming business models of cyber-criminals

Cyber-crime has become big business


It’s organised, and the purveyors are shameless in their determination to steal from all of us.

Heaven only knows where they get their names from.  One group we recently became aware of is called ‘PINCHY SPIDER’, and they are doing something called ‘Big Game Hunting’.

Back in January 2018, they created a ransomware toolkit called GandCrab.  While most ransomware today spreads through spam email, this one uses an older technique: an exploit kit, delivered mainly through infected websites, which takes advantage of vulnerabilities in common software like Internet Explorer, Chrome, Java and Flash.  What makes it particularly effective is that it then lies in wait.  If it can sense other computers on the local network, it uses Remote Desktop Protocol (the same RDP that most of us use for remote access to work) to attack them and spread further.
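As an added illustration (not part of the original post), here is a small detection script for the RDP spread pattern the paragraph describes: one internal host opening successful RDP logons to several other machines within a short window.  It assumes Windows Security log semantics (event 4624 with logon type 10 is a successful RDP logon) and uses constructed log lines in a simplified CSV form rather than real exported events.

```python
# Added example: flag a source host that reaches many internal machines over RDP
# in a short window. Event 4624 / logon type 10 (RemoteInteractive) is the
# Windows Security log's successful RDP logon; the log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line: timestamp,event_id,logon_type,source_ip,dest_host
SAMPLE_LOG = """\
2019-03-04T02:10:05,4624,10,10.0.5.23,FILESRV01
2019-03-04T02:11:40,4624,10,10.0.5.23,HR-PC07
2019-03-04T02:12:02,4624,10,10.0.5.23,FIN-PC02
2019-03-04T02:13:55,4624,10,10.0.5.23,DC01
2019-03-04T09:00:12,4624,10,10.0.9.8,FILESRV01
2019-03-04T02:12:30,4624,3,10.0.5.23,PRINTSRV
"""


def parse_events(text):
    """Turn the CSV lines into (timestamp, event_id, logon_type, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src, dst))
    return events


def rdp_fanout(events, window=timedelta(minutes=15), threshold=3):
    """Return {source_ip: sorted dest hosts} for each source whose successful RDP
    logons (4624 / type 10) reach at least `threshold` distinct hosts within `window`."""
    by_src = defaultdict(list)
    for ts, eid, ltype, src, dst in events:
        if eid == 4624 and ltype == 10:  # only RDP logons; network/file logons are ignored
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so each start point anchors one sliding window
        for i, (start, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for src, hosts in rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"possible RDP lateral spread from {src}: {hosts}")
```

The threshold and window are tuning knobs: a help-desk jump host will legitimately fan out, so such sources should be allow-listed rather than lowering the threshold.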

Big Game Hunting


Now it seems that they have refined their model.

They work with ‘affiliates’ for a share of the ransom.  It’s reported the PINCHY SPIDER people take 40% of the profits, with the affiliate ‘earning’ the rest for what is described as a surgical strike.  Yes, they are franchising cyber-crime!  These affiliates target an organisation, crafting their attacks and refining their knowledge of the target until they succeed.

It seems that once they penetrate the target, they then quietly work laterally to get their evil software onto the machines that will cause the most harm, whether that’s a server or a set of specific PCs.  They want to minimise the trail they leave behind, making it hard for security software vendors to find ways to identify their footprints, and they may even manually remove their software from less-valuable machines as they move through the organisation.  If they encounter roadblocks, it seems they also manually work through these, removing or disabling all, or part, of your security tools until they can continue spreading their infection.

These are carefully crafted attacks.  They reconnoitre their victims and plan their attacks.  They sneak around your system until they are ready, then they strike.

What can you do?

  • Firstly, these exploits only work on machines that have vulnerabilities.  Regular patch updates are more important than ever, and systems like KARE are vital (this needs to be our ‘Core Fundamentals’ or ‘Premium KARE’ plans), and you need regular reports so you know ALL your devices are protected.  This isn’t infallible though – vulnerabilities are discovered and fixed all the time, so there is always a risk of a ‘zero-day’ exploit, where the vulnerability is discovered and used before the updates are available.
  • Make sure your antivirus and anti-malware are up to date and run deep scans.  This can have impacts on your operations depending on the software you use, so it needs to be done carefully.
  • Apply a ‘zero-trust’ stance to your IT, protecting not just the border of your organisation but also within it, to reduce the surface area open to an attacker – creating those obstacles that slow them down or turn them away.
  • Use a URL-Protection service to reduce the chances of accidentally opening a compromised (exploited) website.
  • Use multi-factor authentication, so that access requires a token (commonly an approval from an app on your phone) as well as a username and password.
  • Take regular back-ups, especially ‘air-gapped’ backups: regular copies of your data that are physically separate and unplugged from your systems.

Unfortunately, none of these steps is foolproof.  They are all layers.  For example, even backups are compromised if they are connected to your system and become encrypted themselves.  Likewise, if the malicious software doesn’t activate straight away, it might hide, dormant, even in your backups.

However, you do need to take all reasonable steps, which is the stance we’ve taken with our KARE for Security service, and you need to look at cyber-insurance.

If you want to read more: