What Is Cyber Big Game Hunting?
Cyber big game hunting is a type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities.
Generally speaking, victims are chosen based on their ability to pay a ransom, as well as the likelihood that they will do so in order to resume business operations or avoid public scrutiny. Common targets may include:
- Large corporations
- Banks and other financial institutions
- Hospitals and other healthcare institutions
- Government agencies
- High net worth individuals, such as celebrities and prominent business leaders
- Any organization that holds sensitive data, including intellectual property, trade secrets, personal data or medical records
Exploring the Current Big Game Hunting Landscape
A joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), FBI and other security groups in February 2022, indicates a dip in big game hunting beginning in the second half of 2021. Their analysis suggests that adversaries may have turned to other tactics due to increased scrutiny from law enforcement, as well as diminishing returns following the May 2021 Colonial Pipeline Co. cyberattack, which was widely publicized and resulted in a partial ransom payment recovery by the FBI.
However, recent analysis from CrowdStrike maintains that big game hunting continues to be a major security concern for large organizations, regardless of location or sector. The CrowdStrike eCrime Index (ECX), which is a proprietary tool that provides a composite score for tracking changes within the threat universe, confirms that big game hunters reduced their operational tempo or ceased activity in May 2021. However, beginning in September 2021, big game hunting activity appeared to return to near peak levels, indicating that this trend is once again on the rise.
The latest edition of CrowdStrike’s annual Global Threat Report confirms this analysis, revealing that “the growth and impact of big game hunting in 2021 was a palpable force felt across all sectors and in nearly every region of the world.” Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased. In fact, CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021.
2022 CrowdStrike Global Threat Report
Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.Download Now
Who Are Cyber Big Game Hunters?
Cyber big game hunters are sophisticated players, often working as part of an organized group to take down significant targets. In many cases, these groups operate as highly structured and organized networks, not unlike corporate enterprises. They are often state-sponsored and are suspected to have ties to government agencies or prominent public figures.
CrowdStrike’s Adversary Universe spotlights and tracks the behavior of major adversary groups around the world. The goal of the Adversary Universe is to provide customers with a view of the threats that they face every day, from either a victim vertical or an adversary intelligence profile perspective.
How Do Cyber Big Game Hunters Attack?
Big game hunters utilize a variety of techniques to carry out their attacks. In most instances, the method of choice is ransomware, which is a type of malware that encrypts a victim’s data in demand of a payment to restore access.
Increasingly, eCrime groups are also leveraging ransomware as a service (RaaS), which, as the name implies, is a business model that leases ransomware variants in the same way that legitimate software developers lease SaaS products.
The table below outlines well-known examples of RaaS and their associated big game hunters:
|RaaS||Technique||Big Game Hunter|
|DarkSide||DarkSide operators traditionally focus on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. DarkSide RaaS is also believed to be the attack vehicle leveraged in the high-profile Colonial Pipeline attack.||CARBON SPIDER|
|REvil (also known as Sodinokibi||REvil is a RaaS most commonly used by PINCHY SPIDER. In such attacks, victims usually receive a warning of an impending data leak if a ransom is not paid.|
REvil is credited with being the ransomware behind one of the largest ransom demands on record: $10 million USD.
|Dharma||Dharma ransomware attacks are mainly associated with remote desktop protocol (RDP) attacks. Dharma variants come from many sources and are nearly identical in nature, making it difficult to ascertain who is behind an attack.||Linked to a financially motivated Iranian threat group
Not centrally controlled
|LockBit||In development since 2019, LockBit attacks demand a ransom to avoid the publication of a stolen data set. The RaaS is confirmed to have been involved in at least nine attacks.||Affiliated with Russian-speaking users or English speakers with a Russian-speaking guarantor|
In addition to relying on ransomware and RaaS to carry out attacks, cyber big game hunters also leverage various other vulnerabilities to advance their operations. These include:
- Cloud vulnerability exploitation: The CrowdStrike 2022 Global Threat Report indicates that malicious actors tend to opportunistically exploit known remote code execution (RCE) vulnerabilities in server software, typically scanning for vulnerable servers. After initial access, actors may deploy a variety of tools to advance the attack path. Multiple adversaries, particularly big game hunters, have leveraged such vulnerabilities to gain initial access to the system.
- Zero-day attack: Threat actors release malware to exploit software vulnerabilities before the software developer has patched the flaw. The term “Zero-day” is used because the software vendor was unaware of their software vulnerability, and they have had “0” days to work on a security patch or an update to fix the issue. These types of attacks are extremely difficult to detect, making them a serious security risk.
What Is the Cost of Cyber Big Game Hunting?
Big game hunting operations are rapidly maturing, leading to higher stakes and, thus, higher payouts by victims.
Below are some recent ransomware statistics from CrowdStrike’s annual Global Security Attitude Survey and Global Threat Report:
- The average ransom payment increased by 63% in 2021 to $1.79 million (USD), compared to $1.10 million (USD) in 2020
- The average ransom demand from attackers is $6 million USD
- There was an 82% increase in ransomware-related data leaks in 2021, compared to 2020
- 96% of those who paid the initial ransom also had to pay extortion fees
- 66% of respondents’ organizations suffered at least one ransomware attack this year
- 57% of those hit by ransomware didn’t have a comprehensive strategy in place to coordinate their response
How Do You Defend Against Cyber Big Game Hunting?
As noted in the CrowdStrike 2022 Global Threat Report, big game hunting operations will continue to dominate the eCrime landscape in 2022. The access broker market will also continue as an avenue for ransomware operators to gain victims, removing the initial access step and allowing swifter deployment of malware.
To quickly identify threats and reduce the risk of big game hunting, organizations should aim to establish a robust cybersecurity strategy that defends the organization on multiple levels. Here are some helpful recommendations for setting up a comprehensive cybersecurity strategy:
- Train all employees on cybersecurity best practices: Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and never clicking on links from unsolicited emails.
- Keep your operating system and other software patched and up to date: Cybercriminals are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you will minimize your exposure to known vulnerabilities.
- Implement and enhance email security: CrowdStrike recommends implementing an email security solution that conducts URL filtering and attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.
- Continuously monitor your environment for malicious activity and indicators of attack (IOAs): Endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.
- Integrate threat intelligence into your security strategy: Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading.
- Develop ransomware-proof offline backups: When developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment. For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies.
- Implement a robust identity protection program: Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD). Ascertain gaps, analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement and implement risk-based conditional access to detect and stop ransomware threats.
Protecting the Organization from Big Game Hunters and Ransomware with CrowdStrike
For cyber protection teams that are struggling to respond to cybersecurity alerts and don’t have the time or expertise to get ahead of emerging threats, the CrowdStrike Falcon X™ solution delivers the critical intelligence you need, while eliminating the resource-draining complexity of incident investigations. Falcon X is the only solution to truly integrate threat intelligence into endpoint protection, automatically performing investigations, speeding response and enabling security teams to move from a reactive to a predictive, proactive state.
- Automates investigations into all threats that reach your endpoints
- Delivers custom IOCs to proactively guard against evasive threats
- Provides complete information on attacks to enable faster, better decisions
- Empowers your team with analysis from CrowdStrike Intelligence experts
- Simplifies operations via seamless integration with the CrowdStrike Falcon® platform
Defend, Detect, Respond and Recover with EY and CrowdStrike
EY’s Next Generation Security Operations and Response (NGSOAR) services and solutions, together with the CrowdStrike Falcon platform, provide industry-leading protection and detection capabilities with cyber threat intelligence and 24/7 threat hunting to gain a significant advantage over ransomware threats. The solution offers joint customers immediate, real-time visibility into their organization’s environment, identifying and eliminating potential compromises and preventing silent failure. This powerful combination helps to contain active threats and ejects them from networks quickly, eliminating the threat of ransomware immediately and efficiently.