Now that Cybaverse has accessed and exfiltrated the fake Naughty or Nice list, the next action a threat actor may take could be to encrypt the information to paralyse the organisation.
Threat actors often opt for data encryption because it is a relatively simple way to ensure that files and data are inaccessible. Hindering the organisations function and allowing them leverage for ransom. Encryption tools are sophisticated and are difficult to decrypt without a key.
Some companies that suffer cyber breaches and have their data encrypted, are now finding that threat actors have implemented multiple strains of ransomware. This is to ensure that even if an organisation can crack one level of encryption, then there is another second level that provides a fail safe for the threat actor.
Hackers have been known to encrypt an organisation’s data in as little as 15 minutes. However, most Endpoint Detection and Response software (EDR) ensure that test files in place at various points in the network and if anything accesses them, or attempts to encrypt them, a warning is triggered, and the encryption attempt blocked.
To complete the encryption on the dedicated fake Naughty or Nice list, the request would need to come from an authorised person within Lapland Industries. As Cybaverse has access to the network we can see that the last person who saved the Naughty or Nice list is Anthony Elf.
Cybaverse accessed Anthony Elf’s computer and ran a simple encryption tool to encrypt the fake Naughty or Nice list. We never risk encrypting live files – just in case this causes a malfunction in an EDR that corrupts files completely. To emulate the TTP of the Gruber Group, we asked for a file of the same type and size to be placed in the same location and any protection that is applied to the original list, is applied to our file. That way we can emulate encrypting the file without ever having to touch the real data.
Unfortunately for Lapland industries, the encryption was not detected, and the fake Naughty or Nice list was encrypted. Had this been a real attack, Christmas would be in real danger now.
Strangely, encryption is the best way to protect against encryption. Using encryption to protect customer data is a great way to protect your information, should a threat actor gain access to your network. The original data will only be shown to individuals with the appropriate key, meaning unauthorised access would only see meaningless symbols and letters. This method is a last resort, to protect your business if other methods fail.
Following the encryption, Cybaverse fed back to Santa and he confirmed that the EDR in place had not alerted the encryption request and that the Naughty or Nice list was in fact inaccessible. As this was the last TTP to test, Cybaverse will now put together a formal report on the findings of the Red Team with some recommendations to improve Lapland Industries cyber security posture.