Cyber Attacks – Pegasus to Akira, Cyber Policy of India, LockBit Ransomware Flashcards

1
Q

NEWS

A

Recently, LockBit ransomware was found to be targeting Mac devices.

Earlier, in January 2023, the LockBit gang was reportedly behind a cyber-attack on U.K. postal services, causing international shipping to grind to a halt.
Ransomware is a type of malware that hijacks computer data and then demands payment (usually in bitcoins) in order to restore it.

Recently, the Indian government’s Computer Emergency Response Team (CERT-In) issued a warning about the Akira ransomware, which has emerged as a significant cybersecurity threat, targeting both Windows and Linux devices.

2
Q

What is LockBit Ransomware?

A

LockBit, formerly known as “ABCD” ransomware, is a type of computer virus that enters someone’s computer and encrypts important files so they can’t be accessed.
The virus first appeared in September 2019 and is called a “crypto virus”, because it asks for payment in cryptocurrency to unlock the files.
LockBit is usually used to attack companies or organizations that can afford to pay a lot of money to get their files back.
The people behind LockBit have a website on the dark web where they recruit members and release information about victims who refuse to pay.
LockBit has been used to target companies in many different countries, including the U.S., China, India, Ukraine, and Europe.
Modus Operandi:
It hides its harmful files by making them look like harmless image files. The people behind LockBit trick people into giving them access to the company’s network by pretending to be someone trustworthy.
Once they’re in, LockBit disables anything that could help the company recover their files and puts a lock on all the files so that they can’t be opened without a special key that only the LockBit gang has.
Victims are then left with no choice but to contact the LockBit gang and pay up for the data, which the gang may sell on the dark web - whether the ransom is paid or not.
LockBit Gang:
The LockBit gang is a group of cybercriminals who use a ransomware-as-a-service model to make money.
They create custom attacks for people who pay them and then split the ransom payment with their team and affiliates.
They are known for being very prolific and for avoiding attacks on Russian systems or on countries in the Commonwealth of Independent States, in order to avoid getting caught.

3
Q

Why is LockBit targeting macOS?

A

LockBit is targeting macOS as a way to expand the scope of their attacks and potentially increase their financial gains.
While historically ransomware has mainly targeted Windows, Linux, and VMware ESXi servers, the gang is now testing encryptors for macOS.
The current encryptors were not found to be fully operational, but it is believed that the group is actively developing tools to target macOS.
The ultimate goal is likely to make more money from their ransomware operation by targeting a wider range of systems.

4
Q

What are the Recent Instances of Cyberattacks in India?

A

India has been facing a significant increase in ransomware attacks, with approximately 82% of companies impacted in 2020.
Several high-profile attacks have occurred in recent years, including the WannaCry attack in 2017, a data breach at Juspay that affected 35 million customers, including those of Amazon in 2021, and more recently a ransomware attack on AIIMS Delhi in Dec 2022.
In 2022, Air India suffered a major cyberattack, compromising 4.5 million customer records, including passport, ticket, and credit card information.

5
Q

How to Protect against LockBit Ransomware?

A

Strong Passwords:
Account breaches often happen because of weak passwords that are easy for hackers to guess or for automated tools to crack. To protect oneself, choose strong passwords that are longer and contain different types of characters.
Multi-Factor Authentication:
To prevent brute force attacks, use additional security measures like biometrics (such as fingerprint or facial recognition) or physical USB key authenticators along with your passwords when accessing your systems.
Brute force attacks are a type of cyber-attack where attackers try to guess a password by repeatedly trying different combinations of characters until they find the right one.
Reassess Account Permissions:
Limiting user permissions to stricter levels is important to reduce security risks. This is especially critical for IT accounts with administrative access and for resources accessed by endpoint users.
Ensure that web domains, collaborative platforms, web meeting services, and enterprise databases are all secured.
System-wide Backups:
To protect against permanent data loss, it’s important to create offline backups of your important data.
Make sure to periodically create backups to ensure that you have an up-to-date copy of your systems. Consider having multiple backup points and rotating them, so you can select a clean backup in case one becomes infected with malware.

6
Q

What is Akira Ransomware?

A

It is malicious software that poses a significant threat to data security.
It targets both Windows and Linux devices, encrypting data and demanding a ransom for decryption.
Key Characteristics of Akira Ransomware:
Designed to encrypt data, append a “.akira” extension to encrypted filenames, and drop a ransom note.
Capable of deleting Windows Volume Shadow Copies and shutting down Windows services to prevent interference during encryption.
Exploits VPN services and malicious files to infect devices, making it challenging to detect and prevent.
Mode of Operation:
Akira ransomware spreads through various methods, including spear phishing emails with malicious attachments, drive-by downloads, and specially crafted web links in emails.
Insecure Remote Desktop connections are another avenue for ransomware transmission.
Implications of an Akira Attack:
Once infected, Akira ransomware steals sensitive data and encrypts it, rendering it inaccessible to the victim.
Attackers then demand a ransom for decryption and threaten to leak the stolen data on the dark web if their demands are not met.
Protection Measures Against Akira Ransomware:
Regularly maintain up-to-date offline backups to prevent data loss in case of an attack.
Keep operating systems and networks updated, including virtual patching for legacy systems, to address potential vulnerabilities.
Implement email validation protocols such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF).
Enforce strong password policies and Multi-Factor Authentication (MFA) to enhance user authentication.
Establish a strict policy for external device usage and ensure data-at-rest and data-in-transit encryption.
Block attachment file types with suspicious extensions like .exe, .pif, and .url to avoid downloading malicious code.
Educate users to be cautious about clicking on suspicious links to prevent malware downloads.
Conduct regular security audits, especially for critical systems like database servers, to identify and address vulnerabilities.

7
Q

What is CERT-IN?

A

Computer Emergency Response Team - India is an organisation of the Ministry of Electronics and Information Technology with the objective of securing Indian cyberspace.
It is a nodal agency which deals with cybersecurity threats like hacking and phishing.
It collects, analyses and disseminates information on cyber incidents, and also issues alerts on cybersecurity incidents.
CERT-IN provides Incident Prevention and Response Services as well as Security Quality Management Services.

8
Q

About Pegasus

A

It is a type of malicious software, or malware, classified as spyware.
It is designed to gain access to devices without the users’ knowledge, gather personal information, and relay it back to whoever is using the software to spy.
Pegasus has been developed by the Israeli firm NSO Group, which was set up in 2010.
The earliest version of Pegasus discovered, captured by researchers in 2016, infected phones through what is called spear-phishing: text messages or emails that trick a target into clicking on a malicious link.
Since then, however, NSO’s attack capabilities have become more advanced.
Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.
Targets:
Human rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm.
Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware.
In 2019, WhatsApp filed a lawsuit in a US court against Israel’s NSO Group, alleging that the firm was carrying out cyber-attacks on the application by infecting mobile devices with malicious software.

9
Q

Recent Steps Taken in India

A

Cyber Surakshit Bharat Initiative: It was launched in 2018 with the aim of spreading awareness about cybercrime and building capacity for safety measures among Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
National Cyber Security Coordination Centre (NCCC): In 2017, the NCCC was developed to scan internet traffic and communication metadata (small snippets of information carried inside each communication) coming into the country to detect cyber threats in real time.
Cyber Swachhta Kendra: In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
Indian Cyber Crime Coordination Centre (I4C): I4C was recently inaugurated by the government.
The National Cyber Crime Reporting Portal has also been launched pan-India.
Computer Emergency Response Team - India (CERT-IN): It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
Legislation:
Information Technology Act, 2000.
Personal Data Protection Bill, 2019.

10
Q

Types of Cyber Attacks

A

Malware: Short for malicious software, it refers to any kind of software that is designed to cause damage to a single computer, server, or computer network.
Ransomware, spyware, worms, viruses, and Trojans are all varieties of malware.
Phishing: It is the method of trying to gather personal information using deceptive emails and websites.
Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
DoS attacks accomplish this by flooding the target with traffic, or by sending it information that triggers a crash.
Man-in-the-middle (MitM) attacks: Also known as eavesdropping attacks, these occur when attackers insert themselves into a two-party transaction.
Once the attackers interrupt the traffic, they can filter and steal data.
SQL Injection: SQL stands for Structured Query Language, a programming language used to communicate with databases.
Many of the servers that store critical data for websites and services use SQL to manage the data in their databases.
A SQL injection attack specifically targets such servers, using malicious code to get the server to divulge information it normally wouldn’t.
Cross-Site Scripting (XSS): Similar to an SQL injection attack, this attack also involves injecting malicious code into a website, but in this case the website itself is not being attacked.
Instead, the malicious code the attacker has injected only runs in the user’s browser when they visit the attacked website, and it goes after the visitor directly, not the website.
Social Engineering: It is an attack that relies on human interaction to trick users into breaking security procedures in order to gain sensitive information that is typically
