The Current State Of Ransomware in APAC

With ransomware attacks on the rise, it's no longer IF you experience a ransomware attack, it's WHEN. How can you protect your organization from falling victim to ransomware? Listen as Mark Fuentes (Horangi) and Nathan Reid (Blackpanda) talk about some areas you should first focus on and share best practices you can quickly adopt to safeguard your data.

Host:
Welcome to this week's episode: The Current and Future State of Ransomware in APAC - a conversation.

Ransomware, as the year progresses, feels like it's everywhere. Almost every day a new ransomware hack is revealed in the news, or it's discovered on the dark web. It affects everything from our infrastructure, with our energy grids, oil and gas, need supplies, financial institutions, global telecoms, healthcare services, and small to medium enterprises who thought they were too small to even be targeted.

Today's guests are two prominent ransomware experts in the realm of cyber threats here in Asia Pacific: Mark Fuentes, Director of Cyber Operations, Strategic Services at Horangi, and Nathan Reid, Director of Digital Forensics and Incident Response at Blackpanda. Gentlemen, thank you for joining us this morning. Let's speak about the state of ransomware globally versus APAC. First off, we're here in Asia, but ransomware victims are without borders. Same with the attackers, they seem to be without borders. What are your thoughts on the state of ransomware globally versus here locally?

Nathan Reid:
So what we're finding in the Asia region is that the laws and regulations here are a little bit behind other countries, especially in Europe and America. And what that leads to is a lack of motivation to carry out incident response, or effective cyber defenses to protect against ransomware. We've seen a few cases in the region where they're okay with a few of the devices getting ransomed, and they just restore the device from a backup and continue on with business.

The backup works. However, they're not fixing the root cause of the issue. And so we've seen that kind of motivation with quite a few teams around here where they deal with the threat, but they don't really get to the root cause of the problem.

And the maturity of the different cyber teams is still coming up to par with other countries. And so we see low level of knowledge, potentially low political buy-in from the different sizes of the business. And that leads to a low level of defense, unfortunately, which makes it a very good target to be attacked. And so with having a low budget for being able to defend your company, and potentially not having dedicated resources, it makes you a very easy target for ransomware attackers.

And also on that with the regulations, we don't see a true picture of how many people do get attacked in the region, because they don't have to report it most of the time. And so it could be a lot worse than what the statistics currently state. And we're not seeing a trend in a positive direction as of yet.

Unfortunately, what we're seeing recently, in the last couple of years, is the number of ransomware outbreaks in the area. It's just been increasing, and their impact has been increasing along with it.

Mark, what have you experienced?

Mark Fuentes:
I'm seeing a lot of the same. What I'm really paying a lot of attention to is a noted rise in ransomware attacks.

I think this is due to a lot of things. Ease of use is one of them. It's very easy to launch a ransomware attack, especially nowadays, with the prevalence of Ransomware-as-a-Service, or a lot of kits that are helping people just launch these attacks without having much knowledge of how to create ransomware itself. So the barrier to entry is quite low.

So we're seeing a big rise. Not only is it easy, but the payoff is big. So low risk, high reward. So we're seeing a lot of these things happen now. These are the most prevalent. I mean, obviously, phishing and ransomware are kind of neck and neck, as we see, as the highest-volume attacks in the world today. But it's kind of the same.

They're both based on social engineering. I think I saw a stat a little while back from ABC News. They said that malicious emails have risen 600% in 2021 because of COVID. And that's obviously going to be either phishing or ransomware. So definitely, if I just wanted to give a statement about it, this is becoming the favorite attack vector for hackers. And not just your common cybercriminals; some of these, I'm feeling, are probably state-sponsored as well.

Nathan Reid:
Here we had a couple of instances with North Korea with WannaCry and Russia with NotPetya. Classic examples. And, as you said, the budget for entry into ransomware is lower. Some of the customer support you get on those ransomware service portals is fantastic. Someone with very little or no computer experience could actually carry out an attack.

Mark Fuentes:
Yeah, that's a great point. The customer service is fantastic. It actually rivals a lot of enterprises, as far as customer service and support, for some of these legit software companies. So it's definitely easy to get into. So we're not really surprised that we're seeing this giant surge in ransomware attacks.

Nathan Reid:
Absolutely. And the skill set behind those exploit kits, as you mentioned, because you have developers always improving them. So as soon as a defense is put out there, they start working on a patch.

Mark Fuentes:
So it's definitely the attack of the day, it's the vector of the day. And I don't see that going away for a while, because it's just the success rate.

I mean, the success rate is high, but it doesn't even need to be that high because it's so easy to just attack people en masse. And if one campaign fails, you just move on to the next one. It's not that crazy; it doesn't cost the attackers much to operate.

Nathan Reid:
Yeah, that's exactly right. That's, what, a couple of dollars per technique, with a payoff of potentially thousands. Easy, that's a good ratio.

Mark Fuentes:
Yeah. And you know, it's a battle of numbers. So even if you attacked 1,000 hosts and only three or four of them got infected, you've already got a good payout.

Nathan Reid:
Exactly right. That's why we often try to make customers at least more secure than their neighbor, because the attacker just moves on to the least secure target. Because it's easy.

Mark Fuentes:
Most definitely. All of this stuff we're talking about just gives everyone a good idea of what we're dealing with here. Obviously, we're on the other side of it. So it's really important to educate people, like you said, as to how easy these things are to perpetrate.

So people need to know that, when you talk about ransomware, you talk about data breaches, any kind of hacking attack or anything like that, most people feel like that's happening somewhere else in the world, like it's not going to happen to them. So what I see with my clients is they always feel like it's going to happen to someone else.

And that's the one thing that we have to battle while we're trying to get people ready to fight this stuff.

Nathan Reid:
Absolutely. And also, people need to put their mind in the mind of the attacker. So as the defending team, I need to be thinking, how would I get into a network? There's a server with a service publicly available, and it's vulnerable to remote code execution, and that's an open door right there. So I should be moving my defenses to protect that exit and carry out patching, naturally. And so I think it's prioritizing the different patches that come out, especially on Patch Tuesday, seeing what vulnerabilities come out and fixing them, critical first.

Mark Fuentes:
And you know what, it's funny, because I grew up in the industry working in the West, in America mostly. And we always talk about Patch Tuesday, right? But I've been out here in Southeast Asia for about three or four years, and I've never heard anyone once mention Patch Tuesday, not once. That's the first time I've heard it in the last four years.

So yeah, that's a big thing. Vulnerability management is huge. Patch management is huge. And I have a hard time finding many organizations that are mature enough to take patch management and vulnerability management seriously. And that's quite a low bar as well.

What do you think about it?

Nathan Reid:
Absolutely. Yeah, I totally agree. The other thing I've found concerning more recently, when I do darknet monitoring, is a kind of Remote Access-as-a-Service, where someone will go around doing brute force against RDP, or similar, or a VPN that doesn't have multi-factor. Colonial Pipeline is a classic case of that. And it's just a time game.

Or if they used a password that is in a rainbow dictionary, you can crack it almost straight away. And then they sell that access. And so if you could combine Remote Access-as-a-Service and Ransomware-as-a-Service, kind of like when AutoSploit connected Shodan with their toolkit so they could automatically scan the entire internet without touching it, find the valuable things, and hit them.

Mark Fuentes:
It's kind of funny to me, because I didn't think that rainbow tables would still be pertinent at this time. I thought they would be obsolete by now. But organizations are just, for many reasons, most of them being just not knowing or just not feeling that it's valuable, not ramping up their security programs, like you say. Colonial Pipeline, right? They could have just put multifactor on their VPN, and they could have saved themselves a lot of headaches. MFA should be a no-brainer at this point in our society, but it's not something that's as prevalent as we would hope.

Nathan Reid:
Yeah, that's exactly right. I think if MFA was in place, half my jobs would go away. It's terrifying to see. And it's really sad seeing a customer where just a tick box in Office 365 or something could have saved them such a massive impact, half a million dollars in one case.

Mark Fuentes:
I see a lot of my clients shun MFA simply for the fact that too many other users are saying, we don't want to have that extra step to get into our stuff. It's just not convenient for us. So a lot of people knowingly will shun MFA, simply for ease of use, which is kind of crazy to me. It takes maybe three months of getting used to, like it's a hassle for three months, but after that it just becomes part of your routine, and it's a very valuable thing to add to your team.

Nathan Reid:
Yeah, exactly right. And naturally, we use it here for all of the admin tasks and end users. But I find Microsoft, I mean, the cookies make it very easy. Once you trust one computer, that's fine. But as soon as my Russian buddy figures out my password and tries to log in, he doesn't have the code.

Let's move on down the list of questions. The next one was common pitfalls and mistakes for companies for initial compromise. Pretty much wherever the bar is, I find misconfigured services, or classic unknown devices as well. It seems to be quite interesting recently, where you think you've decommissioned the server, but it's still running there. And so naturally, with teams not looking at it, it stops being secured or patched, but it's still quite vulnerable.

Mark Fuentes:
So I'll talk about it here.

So, shameless plug: I've just released a Ransomware Defense Assessment over at Horangi, creating a ransomware defense framework. And I do this because, at the end of the day, it's nothing new. It's really just hygiene. It's just hygiene, it's not really a thing.

I probably shouldn't say this, if people watch this thing, but really, it's important. It's very important. And because it's not sexy, it's not cool, it doesn't have AI and it doesn't have machine learning attached to it, people always ignore hygiene. Like you were saying, Rogue IT or Ghost IT, that's just off-boarding processes. You just need a robust onboarding process for that, for MFA.

Just having proper asset management in place, having proper backup management in place. These are the best ways to protect yourself against ransomware. And people are just not doing them. And it's so funny to me, because you'll go on these forums, or you'll go on LinkedIn, and people go, hey, what would you do when you get hit by ransomware?

They're like, "Oh, what we do is we put aside all of these funds, and we get ready to pay the ransom whenever it comes." I'm like, well, if you're gonna put all that money aside, why don't you spend it on security? Why don't you spend it on readiness, spend it on backups, spend it on security awareness, spend it on email security, you know?

There are so many things you can do to really lessen the impact of ransomware in your organization. These people had money, and they were saving it to just skip the step and go pay the ransom. And that's absurd, because number one, you have no guarantee you're going to get your data back. And number two, when you pay that ransom, I believe the number is, there was a survey I saw, and of the respondents that got attacked by ransomware and paid, 43% of them got hit by ransomware again right after. Because you've told the world that you pay. You've told all the attackers that if I get hit, there's gonna be money involved here, and I will pay you out.

Nathan Reid:
Yeah, that's exactly right. We had one customer that got hit every month. We're pretty sure it's the exact same attack group, same bitcoin wallet. Every month they'd come in and ask for money. If they had a robust, secure backup, I mean, if you lose the data, you can just restore it.

Mark Fuentes:
You basically subscribe to ransomware now, right? You're like, Okay, well, let's pay them the monthly payment, you know?

Nathan Reid:
Yeah, just like Netflix but they don't get the reward.

Mark Fuentes:
Exactly. So for me, it's a blanket statement, but if you wanted me to point to one common pitfall, it's that people don't spend enough money preparing themselves for this exact eventuality. Well, they think they do, by saving money to pay for it, when you could really be bolstering your own defenses and making sure that the impact is much lower.

Nathan Reid:
Yeah, that's right. And it doesn't have to be spent on technology. It could be on skilled people who can adjust your systems correctly. I've been in Asia for just over a year, just in Hong Kong, and I haven't seen a network diagram. Most teams don't know what they can visualize.

Mark Fuentes:
And that's so insane to me that they don't.

Because people are always like, yeah, let's get a really good risk management policy in place. A really good IR policy in place.

And I'm like, okay, well, you want to measure risk, right? But what's the risk to all your assets? What about this asset? And they're like, oh, we don't know. What about your networks? What about the different networks you have? What's allowed on those networks and what's not allowed? Oh, we don't know, we don't have a network map, we don't have an asset register.

And I was doing a talk a couple of months ago, and it was the same conversation. Nobody does these things because it's not sexy. It's not cool. It's not the bleeding-edge thing. But these foundational things, if you're not doing them right as a foundation, the rest is kind of a moot point.

Because, yes, it's good to understand your risk. But what about your assets? What about your data? What about your network? You need to apply these risk management metrics to those things before you understand what you're protecting. You can have the best shields in the world, but if you don't place them in the right places, it doesn't matter.

So it starts there at the foundational part where you say, Okay, what is this data that we need to be backing up constantly? Because if it gets encrypted by an enemy, we're dead in the water. Can we be okay with it if it gets hit by ransomware? Maybe we just let it go? Maybe it's public information. But maybe our secret sauce, maybe we should have better policies around those things.

And another thing you said: it doesn't have to be technology, it doesn't have to be processes. It can be people too, because ransomware hits your organization through people. I was talking to someone yesterday, and I'd never heard this before, but they said you have to worry about Layer Eight. I said, Layer Eight, what's Layer Eight? There are only seven layers. Layer Eight is the people. I was like, oh man, I'm gonna steal that, I'm gonna use that from now on.

And Layer Eight is probably the best place to put in effort. It's your low-hanging fruit when you talk about defense. If you can teach your people to spot red flags in emails and report them up to your security team, you can probably cut your risk in half. So your users' awareness is huge, and I think that also often gets overlooked.

Nathan Reid:
Yeah, that's true. With user awareness, I found that in some cases they went through the course, but nobody actually told them how to report a phishing email. And it's a key step. So if any people get phished, you only need one person to report it to the security team, and they can pull the email and reduce the risk.

Mark Fuentes:
I found that, yeah, when that happens, a user will get an email and then panic and not know what to do about it. And then they somehow find the IT team or someone and they say, hey, look, no one told me, but is this who I talk to about phishing emails or whatever? So yeah, you're exactly right, they can go through that training and just not know how to actually react. So that's a key component.

Nathan Reid:
We had one recently about this political buy-in and willingness to make the hard choices. So we had, let's say, 30 people phished in this case; they gave up their credentials. What could have occurred from there is a password reset immediately on all 30.

Don't worry about whether to trust them, whether they clicked the link or not, just reset the password. That wasn't carried out, and so half of those users were then used for an internal phishing campaign against all 800 employees. Now you had to reset the password for the entire business. And that spilled out to their sister companies as well. They started getting breached in the same way, because they received an email from a trusted sender. It's got all the DKIM and DMARC checks, but ultimately it's malicious. And so that took quite a while to clean up, and ultimately 3,000 users had had their passwords reset. And of course, MFA would have fixed that right away.

Mark Fuentes:
That's a great one. Decisiveness right in the middle of a crisis.

You have to be decisive, or else containment becomes a lost cause.

Nathan Reid:
Absolutely. And it's cool you mentioned Layer Eight, right? One thing from a pen-testing side is you don't always need a zero-day exploit. You just have to exploit the user. That's it right there.

Mark Fuentes:
Same thing happens for us when we do red teams.

We did a red team, I think it was the middle of last year, where we just couldn't get through their firewall, we couldn't get through their EDR, nothing. So we just started dropping USBs on their premises, and that got us in. That's how we got in. We ended up doing BadUSB attacks on them.

Nathan Reid:
And it works.

Mark Fuentes:
It's straight-up Layer Eight, right? We couldn't get in, and we were banging our heads against the wall for maybe two weeks. And we only had maybe one more week left on the contract. And we're like, oh man, we gotta get in somehow.

We just sent a guy in, dressed like everybody else who works in the office, to start dropping USBs everywhere. And I think three of them got some juicy users. So yeah, very interesting.

Nathan Reid:
It's brilliant.

I miss those kinds of physical tests. One thing we looked at was, according to the policy, their security guard station didn't have internet access. But if you've got a guy there after hours, he's actually going to find a way online, and you're going to find it. Oh, absolutely, every time. And if you want to get access to all the CCTV cameras, drop some USBs right next to where he smokes. It's usually a pretty positive hit on that one.

Mark Fuentes:
Yeah, that's fantastic.

Anyway, I guess what we're trying to say, for those out there listening, is that it's pretty easy. I wouldn't say it's easy to protect yourself, but there are things you can do. It's not impossible, and it's also not difficult. It's just a matter of having the right buy-in, like you said, executive buy-in, making the right decisions at the right time, and having people that know their stuff. No one can ever guarantee zero ransomware attacks, but you can definitely mitigate it. You can definitely mitigate that risk.

Nathan Reid:
Yeah, that's right, and securing the user in a way that doesn't affect the way they operate is quite doable. Do all users need administrator access? Do all users need remote access?

Through those Group Policy changes, you can mitigate quite a few threats here, where ransomware can install or it can move laterally easily through the network. We had one case where every user had remote access and admin; that means every user can go to the DC in one hop.

Mark Fuentes:
Exactly.

Shared accounts that shouldn't even exist anywhere, you know. A proper IAM scheme in place, a proper PAM scheme in place saves you a lot of headaches. It's a lot of headache in the beginning, obviously, a lot of configuration and administration, but it definitely saves money in the long run.

Nathan Reid:
Absolutely.

And yeah, putting in the hard work once, properly, puts you in a really good position moving forward. One problem that startups have is that they're in a rush to get the product out, but at no point do they stop and look back and go, okay, how do we secure this? And I think what's quite handy is when the security team gets involved in the development process as well. That way, instead of the development process completing and the security team saying no, that's very insecure, they can actually help the team through that development process. Oh, we can tighten up these ports, this code here, we could change that a little bit to make it more secure, etc.

Mark Fuentes:
Yeah, at Horangi we are definitely a huge proponent of shift left.

We definitely do believe it's well worth it to go through the timely, resource-intensive and expensive practice of threat modeling during your planning phases.

Of course, nobody wants to listen to us. Like you said, they want to ship fast, right? But it's definitely worth it in the end, because what we see is a lot of dev houses that really want to ship fast. Some of them say, yeah, well, we're security-minded, so we build fast and then, right before release, we do a source code review or we do a pen test.

And then we have this laundry list of findings, and maybe four or five of them are quite expensive to remediate, because we're gonna have to undo a lot of stuff you wrote. If you had planned it out earlier in the process, you wouldn't be going through that. But again, it's still an uphill battle converting the devs to that kind of mindset. But definitely, it's something we also try to yell as loud as we can at the top of our lungs: shift left, make security part of the planning phase, and you'll avoid a lot of headache down the road.

Nathan Reid:
Sounds like there's a lot of war stories we can share!

Mark Fuentes:
I think so, yeah, I think it probably could have gone longer than 30 minutes, maybe.

The takeaway for anyone listening is, if you're really worried about ransomware, if you're really worried about how it will impact your organization, focus on hygiene. Hygiene is the way to go. Work on your backups. Make sure your people are security-aware. Work on your asset management, your risk management, data management as well as data mapping. Understand what you're securing, understand what happens if it gets hit by ransomware. How hard do we have to work to get it back? So work on your foundations, hygiene.

Nathan Reid:
That's a good point.

Yeah, identify what you need to operate as a business, secure that first, and work out from there.

Mark Fuentes:
Yeah, definitely, because our focus, our thought, is you're going to get hit sooner or later. So we want to focus on response.

And the best way to focus on response is, if something hits you, there are three questions you have to ask. What was the data that got hit? What is it exactly? What's the risk when that data is completely lost? And do we have a plan? Those are the first three questions you have to answer. And if you can't answer those three questions, you've got to focus on those right now.
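The RDP password-guessing scenario Nathan describes in the conversation above (brute force against RDP without multi-factor, followed by resale of the access) is something a defender can spot in the Windows Security log: a run of 4625 failed-logon events with LogonType 10 (RemoteInteractive) from one source, followed by a 4624 success from the same source. The detector below is an added example, not code from the podcast, from Horangi or from Blackpanda; the sample events are constructed, and the threshold, window and field names are assumptions chosen for the example.

```python
"""Flag RDP password-guessing runs, and whether one ended in a successful logon.

Added example; not from the podcast or from Horangi/Blackpanda tooling.
Events are constructed Windows Security log records reduced to the fields a
SIEM would normally extract: 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Threshold and window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source before we care (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for those failures (assumed)
RDP_LOGON_TYPE = 10

# Constructed sample events (ISO-8601 timestamps, TEST-NET source addresses).
SAMPLE_EVENTS = [
    # Password spray from one source, six failures, then the sixth account works.
    {"time": "2021-06-01T02:00:01", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2021-06-01T02:00:09", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2021-06-01T02:00:18", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2021-06-01T02:00:25", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "svc_sql"},
    {"time": "2021-06-01T02:00:33", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"time": "2021-06-01T02:00:40", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"time": "2021-06-01T02:00:47", "id": 4624, "type": 10, "src": "203.0.113.7", "user": "jsmith"},
    # A legitimate user who mistyped twice and then got in: below threshold, no alert.
    {"time": "2021-06-01T09:12:00", "id": 4625, "type": 10, "src": "10.0.5.21", "user": "alee"},
    {"time": "2021-06-01T09:12:30", "id": 4625, "type": 10, "src": "10.0.5.21", "user": "alee"},
    {"time": "2021-06-01T09:13:02", "id": 4624, "type": 10, "src": "10.0.5.21", "user": "alee"},
    # Guessing that never succeeds: still worth an alert, but no account compromised.
    {"time": "2021-06-01T02:30:00", "id": 4625, "type": 10, "src": "198.51.100.9", "user": "root"},
    {"time": "2021-06-01T02:30:20", "id": 4625, "type": 10, "src": "198.51.100.9", "user": "guest"},
    {"time": "2021-06-01T02:30:40", "id": 4625, "type": 10, "src": "198.51.100.9", "user": "test"},
    {"time": "2021-06-01T02:31:00", "id": 4625, "type": 10, "src": "198.51.100.9", "user": "admin"},
    {"time": "2021-06-01T02:31:20", "id": 4625, "type": 10, "src": "198.51.100.9", "user": "administrator"},
    # A network (LogonType 3) failure from the same source is not RDP and is ignored.
    {"time": "2021-06-01T02:31:25", "id": 4625, "type": 3, "src": "198.51.100.9", "user": "administrator"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose RDP failures crossed the threshold.

    Each alert lists the distinct accounts tried from that source and, if a
    4624 arrived while the failure window was still above threshold, the
    account the attacker got into (``compromised_user``), else None.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    tried = defaultdict(set)      # src -> account names attempted
    peak = defaultdict(int)       # src -> most failures ever seen inside one window
    alerts = {}

    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["type"] != RDP_LOGON_TYPE:
            continue
        src, now = ev["src"], parse_time(ev["time"])
        q = recent[src]
        while q and now - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["id"] == 4625:
            q.append(now)
            tried[src].add(ev["user"])
            peak[src] = max(peak[src], len(q))
        elif ev["id"] == 4624 and len(q) >= threshold:
            alerts[src] = {
                "src": src,
                "failures": len(q),
                "users_tried": sorted(tried[src]),
                "compromised_user": ev["user"],
            }
            q.clear()   # the run is over; a new run would need to rebuild the count

    # Sources that crossed the threshold but never logged in successfully.
    for src, count in peak.items():
        if count >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "failures": count,
                "users_tried": sorted(tried[src]),
                "compromised_user": None,
            }
    return sorted(alerts.values(), key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run it as a script to see the two alerts, or import `detect_rdp_bruteforce` and feed it events exported from your own log pipeline in the same shape. The success-after-failures alert is the one to act on first: reset the account, kill its sessions, and check what the source did next. The point the conversation makes still stands, though: with MFA on RDP and the VPN, the 4624 in that first run would never have happened.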

Isaiah Chua

Isaiah Chua is a Content Marketing Manager at Horangi who is also the producer of the Ask A CISO podcast. He's an avid reader who can't get by a day without good music and gallons of coffee.
