Cyber Big Game Hunting

Bart Lenaerts-Bergmans - February 22, 2024

What is cyber big game hunting?

Cyber big game hunting is a type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities.

Generally speaking, victims are chosen based on their ability to pay a ransom, as well as the likelihood that they will do so in order to resume business operations or avoid public scrutiny. Common targets may include:

  • Large corporations
  • Banks and other financial institutions
  • Utilities
  • Hospitals and other healthcare institutions
  • Government agencies
  • High net worth individuals, such as celebrities and prominent business leaders
  • Any organization that holds sensitive data, including intellectual property, trade secrets, personal data or medical records

Exploring the current big game hunting landscape

A joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), FBI and other security groups in February 2022 indicates a dip in big game hunting beginning in the second half of 2021. Their analysis suggests that adversaries may have turned to other tactics due to increased scrutiny from law enforcement, as well as diminishing returns following the May 2021 Colonial Pipeline Co. cyberattack, which was widely publicized and resulted in a partial ransom payment recovery by the FBI.

However, recent analysis from CrowdStrike maintains that big game hunting continues to be a major security concern for large organizations, regardless of location or sector. The CrowdStrike eCrime Index (ECX), a proprietary tool that provides a composite score for tracking changes within the threat universe, confirms that big game hunters reduced their operational tempo or ceased activity in May 2021. Beginning in September 2021, however, big game hunting activity appeared to return to near-peak levels, indicating that this trend is once again on the rise.

The latest edition of CrowdStrike’s 2024 Global Threat Report reveals that ransomware remains the tool of choice for big game hunters. There was a 76% increase in victims named on big game hunting (BGH) dedicated leak sites between 2022 and 2023.

Who are cyber big game hunters?

Cyber big game hunters are sophisticated players, often working as part of an organized group to take down significant targets. In many cases, these groups operate as highly structured and organized networks, not unlike corporate enterprises. They are often state-sponsored and are suspected to have ties to government agencies or prominent public figures.

CrowdStrike’s Adversary Universe spotlights and tracks the behavior of major adversary groups around the world. The goal of the Adversary Universe is to provide customers with a view of the threats that they face every day, from either a victim vertical or an adversary intelligence profile perspective.

How do cyber big game hunters attack?

Big game hunters use a variety of techniques to carry out their attacks. In most instances, the method of choice is ransomware, which is a type of malware that encrypts a victim’s data and demands a payment to restore access.

Increasingly, eCrime groups are also leveraging ransomware as a service (RaaS), which, as the name implies, is a business model that leases ransomware variants in the same way that legitimate software developers lease SaaS products.

The table below outlines well-known examples of RaaS and their associated big game hunters:

| RaaS | Technique | Big Game Hunter |
|---|---|---|
| DarkSide | DarkSide operators traditionally focus on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. DarkSide RaaS is also believed to be the attack vehicle leveraged in the high-profile Colonial Pipeline attack. | CARBON SPIDER |
| REvil (also known as Sodinokibi) | REvil is a RaaS most commonly used by PINCHY SPIDER. In such attacks, victims usually receive a warning of an impending data leak if a ransom is not paid. REvil is credited with being the ransomware behind one of the largest ransom demands on record: $10 million USD. | PINCHY SPIDER |
| Dharma | Dharma ransomware attacks are mainly associated with remote desktop protocol (RDP) attacks. Dharma variants come from many sources and are nearly identical in nature, making it difficult to ascertain who is behind an attack. | Linked to a financially motivated Iranian threat group; not centrally controlled |
| LockBit | In development since 2019, LockBit attacks demand a ransom to avoid the publication of a stolen data set. The RaaS is confirmed to have been involved in at least nine attacks. | Affiliated with Russian-speaking users or English speakers with a Russian-speaking guarantor |

In addition to relying on ransomware and RaaS to carry out attacks, cyber big game hunters also leverage various other vulnerabilities to advance their operations. These include:

  • Cloud vulnerability exploitation: The CrowdStrike 2022 Global Threat Report indicates that malicious actors tend to opportunistically exploit known remote code execution (RCE) vulnerabilities in server software, typically scanning for vulnerable servers. After initial access, actors may deploy a variety of tools to advance the attack path. Multiple adversaries, particularly big game hunters, have leveraged such vulnerabilities to gain initial access to the system.
  • Zero-day attack: Threat actors release malware to exploit software vulnerabilities before the software developer has patched the flaw. The term “zero-day” is used because the software vendor was unaware of the vulnerability and has had “0” days to work on a security patch or an update to fix the issue. These types of attacks are extremely difficult to detect, making them a serious security risk.

How do you defend against cyber big game hunting?

To quickly identify threats and reduce the risk of big game hunting, organizations should aim to establish a robust cybersecurity strategy that defends the organization on multiple levels. Here are some helpful recommendations for setting up a comprehensive cybersecurity strategy:

  1. Train all employees on cybersecurity best practices: Your employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and never clicking on links from unsolicited emails.
  2. Keep your operating system and other software patched and up to date: Cybercriminals are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you will minimize your exposure to known vulnerabilities.
  3. Implement and enhance email security: CrowdStrike recommends implementing an email security solution that conducts URL filtering and attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.
  4. Continuously monitor your environment for malicious activity and indicators of attack (IOAs): Endpoint detection and response (EDR) acts like a surveillance camera across all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods and providing visibility for proactive threat hunting.
  5. Integrate threat intelligence into your security strategy: Monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading.
  6. Develop ransomware-proof offline backups: When developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment. For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies.
  7. Implement a robust identity protection program: Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Entra ID). Ascertain gaps, analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement and implement risk-based conditional access to detect and stop ransomware threats.

Protecting the organization from big game hunters and ransomware with CrowdStrike

For cyber protection teams that are struggling to respond to cybersecurity alerts and don’t have the time or expertise to get ahead of emerging threats, CrowdStrike Falcon® Adversary Intelligence delivers the critical intelligence you need, while eliminating the resource-draining complexity of incident investigations. CrowdStrike Falcon® Adversary Intelligence is the only solution to truly integrate threat intelligence into endpoint protection, automatically performing investigations, speeding response and enabling security teams to move from a reactive to a predictive, proactive state.

Key benefits:

  • Automates investigations into all threats that reach your endpoints
  • Delivers custom IOCs to proactively guard against evasive threats
  • Provides complete information on attacks to enable faster, better decisions
  • Empowers your team with analysis from CrowdStrike Intelligence experts
  • Simplifies operations via seamless integration with the CrowdStrike Falcon® platform

Defend, detect, respond and recover with EY and CrowdStrike

EY’s Next Generation Security Operations and Response (NGSOAR) services and solutions, together with the CrowdStrike Falcon® platform, provide industry-leading protection and detection capabilities with cyber threat intelligence and 24/7 threat hunting to gain a significant advantage over ransomware threats. The solution offers joint customers immediate, real-time visibility into their organization’s environment, identifying and eliminating potential compromises and preventing silent failure. This powerful combination helps to contain active threats and ejects them from networks quickly, eliminating the threat of ransomware immediately and efficiently.

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has 20+ years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.