Southeast Asia is seeing an uptick in Leak & Shame ransomware campaigns. This type of attack involves attackers installing ransomware on an organization’s systems. The ransomware is then used to steal data, leak a small portion of the sensitive data online, and then encrypt the victim’s systems, rendering them unusable. Ransomware operators extort the affected organizations by threatening to leave their systems encrypted and also threaten to release the remainder of the stolen data unless the ransom is paid.
Horangi is tracking multiple Leak & Shame ransomware campaigns in Southeast Asia, which we will outline in a separate blog post. The most prominent campaign deploys the MAZE ransomware via a phishing email and has infected several high profile victims in Singapore.
What Is The MAZE Ransomware?
The MAZE Ransomware was first discovered in May of 2019 by Jerome Segura of Malwarebytes. In Q4 of 2019, the MAZE campaign was updated to include leaking data as a means of extortion. Since then, the MAZE campaign has grown to affect every continent that conducts business including several victims here in Southeast Asia. Attackers generally distribute Leak & Shame ransomware via phishing campaigns which occur when attackers send fraudulent emails containing malicious links or malware attachments in the hope that unaware users will open them and become infected. This tactic holds true with the MAZE ransomware campaign. However, the MAZE operators have also demonstrated the capability to modify their distribution tactics when targeting a specific organization.
The MAZE campaign tends to target larger enterprises such as Hammersmith Medicine Research, Cognizant, an IT services provider, and ST Engineering. However, this observation does not alleviate the risk for smaller institutions, as Horangi has observed during threat research that Leak & Shame campaigns also affect smaller organizations with less ability to recover.
Singapore’s Computer Emergency Response Team (SingCERT) has an enlightening article describing the current MAZE Campaign in Singapore.
What Can You Do About Leak & Shame Campaigns?
We recommend two approaches to improve an organization's security posture that specifically address the risks posed by Leak & Shame campaigns:
Approach 1: Phishing Assessments and Training
Since the current Leak & Shame tactics include deploying ransomware via phishing email, it is logical that organizations should understand their susceptibility to a phishing attack and conduct training to reduce their risk.
Phishing Assessments and Awareness Training are exactly these remedies. They are intended to help prevent phishing attacks altogether and are also the easiest technique for getting quick results. A phishing assessment starts by launching a campaign against a customer; this process is very similar to launching an email marketing campaign, and many cyber operations teams use the same tools marketers use to track click-through rates and opened attachments.
The purpose of a Phishing Assessment is to help customers answer three questions:
- How many people opened the phishing email?
- How many people clicked malicious links and/or installed the malware?
- How many people realized they had clicked on a phishing email and notified IT and/or internal security?
Once the first phishing assessment has been concluded, the results are shared with the customer. The results of the campaign are used to inform an Awareness Training curriculum and the training is delivered.
The magic of this approach starts to happen after a second phishing assessment is conducted, typically a few months later. By comparing the results of the first and second phishing assessments, executives can measure the growth in cybersecurity awareness of their staff. It is a great tool to measure the human component of an organization’s overall security posture. As an added benefit, the progress can be shared with third party auditors, partners, and customers who ask for evidence of a robust cybersecurity program or want to see tangible improvements, such as stakeholders wanting to see improvements after a ransomware attack.
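The three questions above and the comparison between a first and second assessment can be worked out from the raw campaign tracking data. The following is an added example, not Horangi's tooling; the event log and recipient counts are constructed sample data, and the campaign names are made up.

```python
from collections import defaultdict

# Constructed sample event log from two simulated phishing assessments
# (not real campaign data). Each row: (campaign, recipient, action).
# The actions mirror the three questions: "opened", "clicked", "reported".
EVENTS = [
    ("2020-Q1", "alice", "opened"), ("2020-Q1", "alice", "clicked"),
    ("2020-Q1", "bob", "opened"), ("2020-Q1", "bob", "clicked"),
    ("2020-Q1", "bob", "reported"),
    ("2020-Q1", "carol", "opened"),
    ("2020-Q1", "dave", "opened"), ("2020-Q1", "dave", "clicked"),
    ("2020-Q2", "alice", "opened"), ("2020-Q2", "alice", "reported"),
    ("2020-Q2", "bob", "opened"), ("2020-Q2", "bob", "reported"),
    ("2020-Q2", "carol", "opened"), ("2020-Q2", "carol", "clicked"),
    ("2020-Q2", "carol", "reported"),
    ("2020-Q2", "dave", "reported"),  # reported from the preview pane, never opened
]
RECIPIENTS = {"2020-Q1": 5, "2020-Q2": 5}  # emails sent per campaign (constructed)


def campaign_metrics(events, recipients):
    """Per campaign: fraction of recipients who opened, clicked and reported.
    A recipient counts once per action even if the tracker logged repeats."""
    seen = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        seen[campaign][action].add(user)
    metrics = {}
    for campaign, total in recipients.items():
        acts = seen[campaign]
        metrics[campaign] = {
            "open_rate": len(acts["opened"]) / total,
            "click_rate": len(acts["clicked"]) / total,
            "report_rate": len(acts["reported"]) / total,
            # clicked and then reported: the behaviour training tries to build
            "clicked_and_reported": len(acts["clicked"] & acts["reported"]),
        }
    return metrics


def progress(metrics, first, second):
    """Change between two assessments: clicks should fall, reports should rise."""
    a, b = metrics[first], metrics[second]
    return {
        "click_rate_change": round(b["click_rate"] - a["click_rate"], 2),
        "report_rate_change": round(b["report_rate"] - a["report_rate"], 2),
        "improved": b["click_rate"] < a["click_rate"]
        and b["report_rate"] > a["report_rate"],
    }
```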
Approach 2: Upgrade Your Cloud Architecture
Once an organization is in the cloud, there are a few strategies that can be implemented to defend against Leak & Shame attacks:
- Configuration Reviews
- Frequent back-ups
- Network and Data Segmentation
Configuration reviews are the most fundamental component of a robust cloud security program, making them a key element in defending against Leak & Shame campaigns. When hackers launch a new campaign, configuration reviews allow technical teams and executives to determine whether their infrastructure is vulnerable and inform them which components should be updated.
When defending against ransomware, the two most important factors in your cloud infrastructure’s configuration are ensuring that you have frequent backups that are easy to revert and making sure your networks and data systems are segmented.
One of the biggest challenges after ransomware encrypts your system is to get a team and its technology back up and running. If you don’t have frequent backups for both data and processing systems that are easy to revert, these processes can take days, weeks, or even months.
At Horangi, we take this very seriously and it’s an area where I love to brag about our engineering team. Our engineering and DevOps teams have gone to great lengths to ensure all of our important data stores are replicated and that we operate a serverless environment where all of our “systems” are defined as code using AWS CloudFormation.
We also test the process of redeploying everything on a regular basis, and we know it only takes a few minutes to stand everything up from scratch. It might not be feasible for everyone to make the jump to a fully serverless environment, but our technical teams have shown that it is an achievable goal and it is something we would like to help others in our community achieve.
While having great backups is one huge step in the right direction, it does not prevent data theft or leakage. To help limit the impact of a data leak event, it is also important to segment data stores and networks. By doing so, it limits the total amount of data that can be stolen by any single vulnerability.
An example of network segmentation is ensuring that development, staging, and production environments can’t talk to each other. It is also important to have a strategy for segmenting your data across all three networks. Questions I often ask as a CTO are: “Do the developers really need production data in the development environment?”, and “Which elements of production data can we live without in staging?”. It is for each organization and team to decide, but these should be active decisions that include the consideration of a cyber attack.
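The backup and segmentation points above are the kind of checks a configuration review automates. Below is an added example of such a review, written for this post; it is not Warden's code or data model. The inventory is a constructed, simplified picture of an AWS account (VPCs tagged by environment, VPC peering links, and data stores with their backup settings), and the thresholds are assumptions.

```python
# Constructed inventory (not real resources). Peering links and data stores
# are simplified to the fields the checks below need.
INVENTORY = {
    "vpcs": {"vpc-dev": "development", "vpc-stg": "staging",
             "vpc-prod": "production", "vpc-prod2": "production"},
    "peering": [("vpc-dev", "vpc-prod"), ("vpc-prod", "vpc-prod2")],
    "data_stores": [
        {"name": "orders-db", "env": "production", "kind": "rds",
         "backup_retention_days": 14, "replicated": True},
        {"name": "orders-db-dev", "env": "development", "kind": "rds",
         "backup_retention_days": 1, "replicated": False,
         "holds_production_data": True},
        {"name": "uploads", "env": "production", "kind": "s3",
         "versioning": False, "replicated": True},
    ],
}


def review(inventory, min_retention_days=7):
    """Return findings for the two factors that matter most against ransomware:
    segmentation between environments, and backups that are easy to revert.
    min_retention_days is an assumed policy threshold, not an AWS default."""
    findings = []
    env = inventory["vpcs"]
    # Segmentation: a peering link between VPCs tagged with different
    # environments means dev/staging/prod can talk to each other.
    for a, b in inventory["peering"]:
        if env.get(a) != env.get(b):
            findings.append({"check": "cross-env-peering", "resource": f"{a}<->{b}"})
    for store in inventory["data_stores"]:
        name = store["name"]
        # Backups: short retention or no versioning leaves little to revert to.
        if store["kind"] == "rds" and store.get("backup_retention_days", 0) < min_retention_days:
            findings.append({"check": "short-backup-retention", "resource": name})
        if store["kind"] == "s3" and not store.get("versioning", False):
            findings.append({"check": "versioning-disabled", "resource": name})
        if not store.get("replicated", False):
            findings.append({"check": "not-replicated", "resource": name})
        # Data segmentation: production data outside production widens what a
        # single compromised environment can leak.
        if store["env"] != "production" and store.get("holds_production_data", False):
            findings.append({"check": "prod-data-outside-prod", "resource": name})
    return findings


if __name__ == "__main__":
    for f in review(INVENTORY):
        print(f"{f['check']:24} {f['resource']}")
```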
In practice, technical teams use Cloud Security Posture Management (CSPM) tools to perform configuration reviews of their cloud infrastructure. At Horangi, we know that figuring out how to get started can be a challenge and organizations may not be able to afford both cloud engineering teams and a dedicated cybersecurity team. Our goal is to help turn our customer’s cloud engineering and DevOps teams into cybersecurity experts by building easy-to-use software and making sure our first-class security experts are available when needed.
That’s why Horangi’s CSPM solution, Warden, goes an extra step to provide in-app education and resources that help bridge the gap between DevOps or cloud engineering and their cybersecurity counterparts. We also use Warden ourselves to keep an eye on our own cloud infrastructure and measure ourselves against compliance requirements. One of the things our engineers like best about Warden is that they don’t have to rifle through lots of wordy compliance documents to understand why a particular check didn’t meet a requirement. All of the information is right inside the finding, with links to further external resources.
The thing I like the most is that I can track our progress every sprint and every quarter. I’ve found this feature quite useful when looking at what has changed over the past month, and it has been a godsend when trying to demonstrate this to auditors since I can do it dynamically or take a few screenshots instead of trying to document it in a lengthy report.
The Strength Of A Collective Defense
As painful as compliance can be, it plays an integral role in our region’s cybersecurity. With cyber attacks ramping up in Southeast Asia, regulators need to become aware of threats such as Leak & Shame ransomware campaigns and introduce effective policies that organizations can use to thwart malicious activity. Running phishing assessments and — for organizations in the cloud — upgrading cloud architecture should be considered as part of a comprehensive strategy to build a robust security posture.