Big Game Hunting Rise
Published On: October 9th, 2024 | 6 min read | Categories: Cybersecurity, Ransomware

What Is Big Game Hunting in Cybercrime?

Cyberattacks called big game hunting (BGH) involve threat actors targeting big businesses – the “big game” – and demanding huge amounts of money in the form of a ransom. The term derives from “hunting large, dangerous animals,” an allusion to the high risk/high reward of such attacks.

They don’t want any random victims – they want targets that include critical infrastructure providers, multinational corporations, or other entities whose operations are important enough to warrant multimillion-dollar ransoms.

The attackers usually deploy advanced ransomware strains that encrypt huge amounts of data and freeze most operations within minutes.

How Does Big Game Hunting Actually Work?

BGH is not a quick, opportunistic operation. It is a planned, multi-stage process that begins with reconnaissance and uses more complex attack methods than commodity ransomware campaigns.

Cybercriminals first choose targets that are both vulnerable and likely to pay large ransoms. Such targets can be in health and finance, energy or government sectors.

The attackers then compromise the network. This usually involves phishing campaigns, exploiting known software vulnerabilities, or purchasing access from other cybercriminals (access brokering).

Inside the network, the attackers move laterally and escalate privileges until they reach critical systems. At this stage they often exfiltrate sensitive data, which they can use for double extortion: threatening to release the data if the ransom is not paid.

Once they are ready, attackers spread the ransomware across the network and encrypt files simultaneously to cause maximum damage and to limit the chances of detection before the full-scale attack occurs.

Attackers finally demand a ransom – often millions of dollars. Additionally, they may demonstrate control of the compromised system(s) by showing screenshots of encrypted data or stolen files. Sometimes they give decryption keys for partial payment or threaten to release the data if their demands are not met.

Real-World Examples of Big Game Hunting


Several notable attacks highlight the increasing use of BGH in cybercrime:

In 2021, Colonial Pipeline, which supplies gasoline and other fuels to the US East Coast, was hit with DarkSide ransomware. The attack locked the company down and caused fuel shortages. To regain control of its systems, Colonial Pipeline paid a ransom of about USD 4.4 million.

Another major attack targeted GPS maker Garmin in 2020. WastedLocker ransomware shut down Garmin services worldwide, including aviation and fitness tracking, and reports claim that Garmin paid a multimillion-dollar ransom to recover its systems.

As a final example, the REvil ransomware group attacked managed service providers (MSPs) and their clients through Kaseya’s IT management software in 2021. The attack hit hundreds of businesses worldwide, and the group demanded USD 70 million for a universal decryptor. The impact was great enough that it prompted calls for a coordinated international response to BGH attacks.

A layered defense acknowledges that no single solution is foolproof. If one layer fails, others are there to provide backup and prevent a complete breach.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework outlines six core functions that every cybersecurity stack should encompass:

  1. Identify: Before implementing any security measures, organizations need to understand their assets, potential vulnerabilities, and the threats they face. This involves conducting thorough risk assessments and identifying potential single points of failure (SPOFs).
  2. Protect: This function involves implementing preventative measures such as firewalls, intrusion detection systems, antivirus software, email filtering, and strong password policies to prevent unauthorized access and malicious activities.
  3. Detect: Continuous monitoring of networks and systems is needed to identify breaches or suspicious activities as they occur. This involves using tools like endpoint detection and response (EDR), network detection and response (NDR), and security information and event management (SIEM) systems.
  4. Respond: Having a well-defined incident response plan is important. This plan should outline steps to quickly contain and mitigate threats, minimize damage, and ensure business continuity in the event of a security incident.
  5. Recover: This function focuses on restoring systems and data to their normal operating state after a security incident. This includes having reliable backups, disaster recovery plans, and procedures for testing and validating the recovery process.
  6. Govern: Establishing policies, procedures, and processes to manage and oversee the cybersecurity program is necessary. This includes defining roles and responsibilities, setting performance metrics, and ensuring compliance with legal and regulatory requirements.
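The attack lifecycle described earlier (exfiltrate first, then encrypt everything at once) gives the Detect function something concrete to look for in EDR or SIEM telemetry. The following Python is an added illustration, not code from the original post or from BlackFog: it flags a process that sends an unusual outbound volume, flags a process that rewrites many files across several directories within a short window, and correlates the two into the double-extortion pattern. The telemetry, thresholds, host names, process names and the `.locked` extension are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
T0 = datetime(2024, 10, 1, 2, 0)
# Constructed EDR-style telemetry, not real logs: a quiet workstation, and a file server
# where one process first sends a large outbound transfer, then rewrites many files.
EVENTS = [
    {"ts": T0, "host": "ws07", "proc": "outlook.exe", "type": "net_out", "bytes": 2_000_000},
    {"ts": T0 + timedelta(minutes=10), "host": "fs01", "proc": "update.exe",
     "type": "net_out", "bytes": 12 * 1024**3},
    {"ts": T0 + timedelta(minutes=12), "host": "fs01", "proc": "update.exe",
     "type": "net_out", "bytes": 9 * 1024**3},
] + [
    {"ts": T0 + timedelta(minutes=30, seconds=4 * i), "host": "fs01", "proc": "update.exe",
     "type": "file_write", "path": f"D:/shares/dept{i % 6}/doc{i}.xlsx.locked"}
    for i in range(60)
]

WINDOW = timedelta(minutes=5)
MASS_WRITE_MIN, MIN_DIRS = 50, 3   # file writes and distinct directories per WINDOW
EXFIL_BYTES_MIN = 10 * 1024**3     # outbound bytes from one process per WINDOW

def detect(events, etype, hit):
    """(host, proc, first_ts) for each process whose WINDOW-long run of etype events satisfies hit()."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == etype:
            groups[(e["host"], e["proc"])].append(e)
    alerts = []
    for key, evs in groups.items():
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            if hit(burst):
                alerts.append((*key, start["ts"]))
                break   # one alert per process is enough
    return alerts

def mass_encryption(burst):
    """Many file writes spread over several directories: the encryption burst."""
    dirs = {e["path"].rsplit("/", 1)[0] for e in burst}
    return len(burst) >= MASS_WRITE_MIN and len(dirs) >= MIN_DIRS

def exfil_spike(burst):
    """Outbound volume far above what a single process normally sends."""
    return sum(e["bytes"] for e in burst) >= EXFIL_BYTES_MIN

def double_extortion_hosts(events):
    """Hosts where an exfiltration spike precedes a mass-encryption burst by the same process."""
    exfil = {(h, p): t for h, p, t in detect(events, "net_out", exfil_spike)}
    return sorted({h for h, p, t in detect(events, "file_write", mass_encryption)
                   if (h, p) in exfil and exfil[(h, p)] < t})
```

Running `double_extortion_hosts(EVENTS)` returns `["fs01"]`: the workstation's normal mail traffic stays below the threshold, while the file server trips both rules in the order the lifecycle predicts.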

Why is Big Game Hunting on the Rise?

Profitable payouts, advanced techniques, and systemic vulnerabilities are making BGH more common. Unlike traditional cyberattacks, BGH generates much greater returns when targeting large organizations that can pay multimillion-dollar ransoms.

With advanced ransomware and ransomware-as-a-service (RaaS), it’s now easier than ever for even less-skilled attackers to launch high-risk attacks.

Also, the existence of cyber insurance policies covering ransomware payments has made insured companies easier targets: attackers know they can expect a ransom to be paid.

Geopolitical issues make matters even more precarious: some BGH campaigns have been linked to nation-state actors using cybercrime for asymmetric warfare. The combination of these factors has made BGH one of the most dangerous trends in cybersecurity at the moment.

Prevent Cybercrime with BlackFog ADX

BlackFog offers a comprehensive cybersecurity solution using anti data exfiltration (ADX) technology to prevent unauthorized data exfiltration. This next generation cybersecurity solution aims to protect organizations from ransomware and extortion 24 hours a day, 7 days a week, without human intervention.

Don’t wait for the next ransomware attack wave – act now – protect your most important asset(s). See how our solutions improve your cybersecurity posture and prevent ransomware attacks.
