
Hackers, Economics, & Red Teaming

Security Updates for July 2021

Economists know that humans will always pursue the highest value for their efforts. Hackers take this to an extreme.  

Not only do they want the most bang for their buck, they are also willing to go outside the boundaries of the law and common decency to harm others. Despite this lawless slant, their efforts still fall within standard economic models, and from that perspective we can understand why their malicious attacks evolve the way they do.

Red Teaming & Continuous Testing

Two factors increase costs for attackers as businesses focus more on security.

This increase in costs suggests that vigilant companies can push attackers toward other, less difficult targets that consume less of their time.

The first factor is red teaming.

Hiring an external consultant, such as Blue Bastion, to attack your own infrastructure has become more common and provides meaningful results. Over the past two years, the average number of attacks a red team runs to locate vulnerabilities increased by 112%.

Red teaming eliminates the easy vulnerabilities and leaves hackers with only complex, time-consuming options that require expertise to exploit.


The second factor, continuous testing, yields similar results.

Automated security testing can produce a 43% improvement in an organization's security posture – assuming the organization remediates the vulnerabilities it finds.

Sixty-three percent of organizations fix their vulnerabilities within three months, which shrinks the window for an attack. Additionally, even if you cannot fix a vulnerability quickly, you can watch for signs of attack against the known vulnerabilities that continuous testing has found.

Another form of continuous testing is a bug bounty program. Bug bounties offer security researchers payment if they identify a vulnerability in a company’s publicly facing infrastructure (websites, firewalls, etc.). 

Even large corporations such as Google use bug bounties. The tech giant recently announced a $1.5 million bug bounty reward for anyone who could crack the Titan M secure element chip in Pixel, Google's smartphone brand.

While these security-improving methods have not been universally adopted, enough organizations have adopted them to force attackers to evolve their methods.

How? Through specialization, creating a competitive marketplace just as economics predicts.

Several attacks uncovered over the past few weeks involved phishing and ransomware. The niche nature of these specific attacks illustrates the specialization in progress.

The phishing attack actively targets Microsoft Office 365 administrators… not users, but administrators.


Usually, phishing tries to reach the largest number of people with the least amount of effort. Targeting the small percentage of users holding admin status hints at improving phishing defenses, which forces specialization.

However, the potentially devastating results of a successful attack merit special mention. 

The attack mimics a Microsoft 365 “action required” notice that prompts admins to update their payment information. Then, it bypasses many domain reputation filters and secure email gateways by using previously compromised Office 365 domains as the origin of the phishing email.

If the phish succeeds, the hackers gain admin control over the Office 365 environment, which provides them with the ability to create accounts, change passwords, etc.

Additionally, they can then use the organization's Outlook domain to launch further phishing attacks.

Ransomware also continues to develop at a fast pace.

For example, NextCry ransomware specifically targets NextCloud Linux servers. Unfortunately, as of Nov. 15, 2019, public antivirus scanning platforms did not recognize its ransomware files, and no decryption tool existed to help victims.


Sure, Linux servers already count as a niche, but these hackers want a niche within a niche. Thus, they target very specific vendors.

NextCloud grew rapidly over the past few years, so hackers appear to be targeting a fast-growing niche with inexperienced administrators at the helm.

Some ransomware attacks focus on specific languages or countries. 

In Asia, hackers use RIG exploit kits on low-quality web games and blogs to install the Sodinokibi ransomware onto victims' computers. In Germany, enterprising hackers created a German variant of the Stupid Ransomware – yes, that's really its name.

More significantly, over the past few weeks, ransomware attacks targeting companies with large customer bases crippled Spanish-language companies.

Spain's largest radio station, Cadena SER, was temporarily incapacitated by ransomware attacks. Not long after that, hackers struck Mexico's state-owned oil company, Pemex, and held it for a $4.9 million ransom.

The specialization doesn’t end there, though.

Certain ransomware attacks now specialize by size of the organization.

Phobos malware targets companies with 150 employees or fewer. Sodinokibi malware, on the other hand, generally targets slightly larger companies, between 200 and 300 employees. And Ryuk malware targets companies with between 1,000 and 4,000 employees.

This differentiation is reflected in their average ransom demands – $31k for Phobos, $157k for Sodinokibi, and $377k for Ryuk. Ransomware attackers seem to segment the market, just as Procter & Gamble might for laundry detergent.


In addition to diversifying into specific niches of victims, ransomware also seems to be shifting its tactics.

MegaCortex ransomware encrypts data, then adds to the pressure: it changes the Windows credentials of users and threatens to release the encrypted data to the public.

For example, if MegaCortex hits a hospital and the hospital refuses to pay, it endures both the cost of recovery and, potentially, an enormous HIPAA violation.

Bringing it All Together

Recent analysis of ransomware attacks revealed that 98% of those who pay ransoms receive decryption keys, which work 94% of the time.

After all, ransomware companies want you to keep paying. 

Despite plenty of awareness of the typical attack vectors, RDP still accounts for 50.6% of exploits and email phishing for 39%. Attacks on the public sector rose from 3% in Q2 to 13% in Q3, reflecting the attackers' shift to a market that seems quite vulnerable.

As your organization’s cybersecurity program evolves, so too will hacking methods.

Despite increased awareness, you need to stay on alert, and fully protect your environment.

The best cybersecurity strategy needs to be tailored to your specific needs and budget.

Ideal Integrations & Blue Bastion are by your side. We’ll help improve your security profile and test its effectiveness with red teaming to make sure your data and your organization remain safe.

It’s time to maximize your return on IT!

For a risk-free demonstration, contact us today by completing the form below, or by calling us at 412-349-6680.

If you’ve been actively breached, and you need immediate support, call our incident response team at 412-349-6678.

Building networks and partnerships, we are on your side.
