From selecting the victim to making off with clean cash, Lisa Forte MBCS – partner at Red Goat – talks Martin Cooper MBCS through what happens in a ransomware attack.
There’s a lot more to goats than you might think.
Beyond their recent foray into the hipster end of the milk and cheese market, it transpires that goats can teach us a thing or two about cyber security and how successful cyber attacks are carried out.
‘I was reading an article,’ explains Lisa Forte. ‘It documented some research by a London university into goats. They discovered that goats could identify intruders in their herd by hearing their voices. So, they'd play an audio recording of a goat's voice, and the goats would be able to recognise whether that was one of their herd.’
Goats are, then, good at spotting intruders – a skill that’s an essential part of cyber awareness. And so, Lisa’s consultancy got its name: Red Goat (red because – well, why not?).
Explaining the agency’s work, Lisa says: ‘[We specialise in] going into companies and helping them think about what they would do during cyber attacks of all different types. We then look at building in plans and playbooks, testing them, stress testing… Seeing how they would respond and building resilience.’
Origins of a career
Lisa took a less than traditional route into a cyber security career. A lawyer by trade and training, she did a master’s in the international law of armed conflict and maritime affairs. She then joined a private security firm that specialised in protecting ships from pirates off the coast of Somalia.
‘We looked at how you protect both from the ship’s perimeter and internally,’ Lisa explains. ‘If the pirates got on board, how would you stop them from getting to the bridge quickly?’
After leaving that world, Lisa worked in counterterrorism intelligence for the police and joined one of the police cyber crime units.
Today though, we’re here to talk about ransomware – specifically an attack’s lifecycle. Who are the gangs behind attacks? How do they organise themselves? How do they select their targets, what research do they do, how do they prepare attack tools and, finally, how do they cash out?
How Hollywood and boards got it wrong
Lisa explains that ransomware gangs were long suspected to be highly organised. The Hollywood image of a lone, 16-year-old hacker sitting in a basement wearing the obligatory hoodie was never true. But just how far this image was from the truth became sharply evident in early 2022 with the Conti leaks.
Conti is a ransomware group that was first observed back in 2020 and was linked to a group based in Russia. The FBI’s Internet Crime Report 2021 stated: ‘The three top variants that victimised a member of a critical infrastructure sector were CONTI [87 incidents], LockBit [58 incidents], and REvil/Sodinokibi [51 incidents]’.
‘Conti was one of the largest ransomware groups,’ Lisa explains. ‘When Russia invaded Ukraine in 2022, they made an error. The group’s leaders put out a message expressing their support for Russia. They failed to appreciate that the group had quite a few members in Ukraine and other post-Soviet countries – and they didn’t take kindly to this.’
In one of cyber security’s richer ironies, the disgruntled Conti affiliates who disagreed with the group’s stance on Ukraine took several years’ worth of internal online chat conversations and published them publicly.
This prime example of an insider threat became the ransomware industry’s very own Panama Papers and, along the way, an invaluable source of insight for security researchers.
‘It gave our community unprecedented insight into what goes on inside a group,’ Lisa says. ‘What you’ll note from the leaks is that the group had employee of the month schemes, they had office spaces… They had discussions about repetitive strain injuries and carpal tunnel… They had structures and holiday pay and recruitment issues – all the things that, if they were about any other company, would be dull and mundane. It was remarkable.’
The point is, she says, that cyber security professionals aren’t up against the imagined lone teenage hacker. Instead, they are combatting the efforts of highly organised, well-resourced, intelligent and determined organisations. ‘That’s a fundamental misunderstanding many boards have,’ she says.
Along with being well-organised, gangs are also international. It wouldn’t, Lisa says, make sense or foster operational resilience if staff were all concentrated in one single location.
‘There are certain countries who provide safe harbour for groups,’ she explains, naming no names. ‘And that poses some real issues for law enforcement… But, attribution is complicated – we see very few arrests because it is difficult to attribute an attack to an individual [perpetrator].’
And it’s not just a matter of discovering who committed the attack in cyberspace. That person would then need to be physically located and arrested – and that arrest itself would need to be done in accordance with the laws of the country they would be tried in.
‘Most of the countries we deal with have a right to a fair trial and that includes collecting evidence in an appropriate way’, Lisa says. ‘And because that’s so difficult, we see very few arrests being made.’
Becoming a victim
All the costs and risks associated with launching ransomware attacks raise the question: how do gangs choose their targets? What makes one company more attractive to criminals than another?
It transpires that it’s difficult to generalise, and that’s because of ransomware’s scale. The IBM Security X-Force Threat Intelligence Index 2023 found that 27% of cyber attacks in 2022 were extortion-related.
Some gangs specialise in attacking and extorting organisations in particular sectors. Vice Society, for example, is known for its campaigns against healthcare and education organisations across Europe and the US.
‘It’s complicated,’ Lisa explains. ‘Overall, I think they're looking for industries that will typically have assets worth some sort of money. Most attacks are financially driven and need data or obvious critical processes.’
Industries or organisations with a very clear and predictable business pattern are also attractive to ransomware criminals. ‘With the education sector,’ Lisa says, ‘you could work out the critical periods of activity: exams, clearing and getting your university placements…’
Understanding and predicting when organisations see the most demand, and experience the most operational stress, is helpful in planning a crime because this insight allows you to apply maximum leverage. And that extra leverage should make the victim more susceptible to making ransom payments.
Summing up an attacker’s likely approach, Lisa says: ‘You're looking for organisations where the damage will be huge. Ideally, you'd be looking for an organisation with clients whose data you could exfiltrate to apply more leverage. Is the organisation insured? All these things increase the likelihood that the ransom will be paid.’
Knowing your value
So, how should organisations protect themselves and effectively disrupt a criminal gang’s playbook? Understanding and auditing your data is essential – safeguarding and backing up any databases or datasets which are critical to your organisation, such as pieces of intellectual property or client lists, is important but isn’t a guaranteed route to survival.
‘I don’t think it’s only digital assets and data,’ Lisa explains. ‘We do exercises [with organisations], and what comes out are key business processes. A law firm, for example, would have court dates and filing deadlines they have to meet. If you took their entire network offline, they still have to meet that deadline. It’s not discretionary. So, building resilience isn’t just about data; it’s about understanding those business processes that would completely cease. Those are critical to keeping your business going and for survival.’
With the target organisation identified, the next phase in the lifecycle of an attack is often close reconnaissance around the business itself. What can you discover about working life inside the company, who are the significant people, what are their roles, and how much can you learn about them?
This is important because the next phase of an attack is still relatively low-tech: phishing. An email carrying a software payload is still one of the most common ways criminals can gain a foothold on their victim’s network.
‘If you’re an attacker and you’re going to send in an email, there are two things you want to happen,’ Lisa says. ‘You want the staff member to interact with the email – that is, put in their credentials or open an attachment.’
The second thing criminals need is for the employees to interpret phishing emails as ordinary, familiar and unremarkable. Thinking back to goats and their ability to spot intruders, you want this email to look and sound perfectly normal.
‘If a user interacts with that email and immediately reports it, the chances are the security team will be on to you very quickly,’ she says. ‘You’re going to have a much harder time being quiet on the network, and we know that ransomware groups sit in the network for a while – maybe months – before they launch the actual attack.’
This illustrates how it is vital that reporting is the focus of any security awareness training. Along with understanding what phishing is, how it works and how it might appear, training should support a culture where reporting is encouraged and applauded.
Choosing your weapons
The email’s attachment or its viral payload is the next decision the attacking group needs to make. Which piece of malware can, or could, they use?
For criminals, ransomware-as-a-service has been a game changer. Suddenly, effectively renting malware rather than developing it has opened up technologies and attack vectors that might otherwise have been closed to many gangs.
But, the malware itself – the program that encrypts and exfiltrates data – is only one part of the process. Large attacks yield hundreds of gigabytes of data. And this all needs storing, sorting and analysing.
‘There was a law firm, I think they had 750 gigs of data stolen,’ she recalls. ‘If you imagine going through 750 gigs of data – it needs to be looked at and categorised. There's so much useless noise in there that's of no value whatsoever. So, if you want to cause maximum damage by dumping data, you must also have a back-end process.’
‘It’s not as simple as, “here’s the malware, now I’ve got money”. There's a whole load of other things that must happen for you to leverage that attack effectively. And that's where we've seen organisational structures become useful for these groups.’
Then comes the final, most complex and potentially riskiest phase of an attack: cashing out. Washing money to appear to be a legitimate by-product of legal and explainable endeavours is exceptionally hard.
‘Typically, police can trace the money,’ Lisa says. ‘So, you must have things in place and knowledge of the cryptocurrency landscape to wash money effectively.’
And here, cryptocurrency’s importance to criminal gangs’ ability to clean money can’t be overstated. Financial technology has provided criminals with the power to quickly and efficiently clean money at scale and under the umbrella of some anonymity.
‘Historically, the biggest factor that held organised crime back was this inability to move cash through the traditional financial systems,’ Lisa says, pointing to stories of money-swamped drug gangs that left millions in barns where rats ate the hundred dollar bills.
Again, in this endeavour, the as-a-service model provides criminals with options. Historically, Bitcoin was the criminal’s coin of choice but it has proved increasingly traceable. In response, criminal technologies evolved and mixing services were created – effectively black-box tumblers that obfuscate who sent money to whom. These services worked well until the Colonial Pipeline attack, where the FBI retrieved some of the ransom. This shocked ransomware gangs into more innovation and heralded a move to embrace Monero, a privacy-focused cryptocurrency.
‘And now they've got this perfect cover story,’ she says. ‘And that's the big problem because if you can stop the flow of money or make that more difficult, you have an opportunity to disrupt the ransomware landscape. And Monero makes that hard.’
So, in the face of all this, how should organisations think about and prepare for an attack?
‘I would say think about what it is you need to be able to do to keep the business going,’ Lisa says. ‘If that was taken away, what workarounds could you create to keep going? That will stand you in excellent stead for coping with a ransomware attack.’