Ransomware surged during the COVID-19 pandemic to become the biggest cyber security threat facing businesses. Although the shift to home working has helped many companies stay afloat, it’s also made them riper targets for ransomware gangs.
Overall trends seemed reassuring earlier this year. Sophos’ State of Ransomware 2021 report published in April, for example, found 37% of organisations were hit by ransomware over the past 12 months, down from 51% in the previous year. Successful efforts to encrypt data were down, too, from 73% to 54% most recently. These statistics, coupled with a handful of notorious groups falling apart – from REvil going offline to Avaddon handing decryption keys to its victims – painted a promising picture for businesses.
These headlines, however, belied sinister trends; attacks may be fewer in volume but are more severe in impact. Fewer encryptions, too, might simply suggest hackers are stealing files instead, according to Sophos. Indeed, Avaddon, whose victims include Fujifilm and AXA, adopted a ‘double extortion’ approach, whereby files were both encrypted and stolen, with the group threatening to expose them publicly.
Such gangs rarely disappear for good, meanwhile. REvil resurfaced only a few months later, and Avaddon’s operators are projected to return under a new guise, with sharper tactics and more sophisticated technology. With the threat landscape intensifying as we tick into 2022, businesses will need to take more care than ever to avoid being hit by ransomware.
Extortionists for hire
Ransomware gangs are refining their targets to ensure they enjoy as big a payday as possible, Simon Edwards, the founder of SE Labs, tells IT Pro. “Ransomware used to be automated for the masses, but now it’s a manual process targeting healthcare, energy, and rich organisations where failure is disastrous for society,” he says. “A hospital is also more likely to have the technical ability to pay with a cryptocurrency than a member of the public would. We’re actually seeing ransomware gangs compete to provide better customer service because they want to enable you to pay them.”
As we approach 2022, the statistics look bleaker. Ransomware attacks have surged by more than 1,000% year-on-year, reaching “stratospheric levels”, according to research published last month by Positive Technologies. Worse yet for IT teams trying to establish defence strategies, new and maverick gangs such as FIN12 combine old habits with new ones: such groups keep their focus on large organisations but also fall back on huge, multi-target attacks and on outright encryption of data.
Ransomware, meanwhile, is becoming sophisticated enough to defeat security best practices, from regular backups to two-factor authentication (2FA), and even to turn them against the defender. New ransomware strains have been seen stealing privileged account credentials; scanning for endpoints, servers and backups so the backups can be destroyed before encryption begins; switching off antivirus; and installing backdoors that let the operators come and go unnoticed.
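The behaviours listed above leave traces in process-creation telemetry before any file is encrypted, which is the window a SOC has to act in. The following is an added example, not code from the article or from any vendor it quotes: simple detection logic run over constructed, Sysmon-style process-creation records (Sysmon Event ID 1 field names, one JSON object per line). It goes slightly beyond the paragraph by naming the concrete commands ransomware operators use for the three behaviours: shadow-copy and backup-catalogue deletion, Windows Defender tampering, and scheduled-task or service persistence. The hostnames, usernames, timestamps and the rule list are assumptions made for the example, not a complete signature set.

```python
"""Detect pre-encryption ransomware behaviour in Sysmon-style process logs.

Added example; the log lines below are constructed, not real telemetry.
"""
import json
import re

# Each rule: (category, regex matched against the lowercased CommandLine).
# The commands are the well-known ransomware pre-flight checklist; the list
# is an assumption for this example and is deliberately not exhaustive.
RULES = [
    ("backup_destruction", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
        r"|bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("av_tampering", re.compile(
        r"set-mppreference\s+.*-disablerealtimemonitoring\s+\$?true"
        r"|(sc|net)(\.exe)?\s+stop\s+(windefend|sense|mssense)")),
    ("persistence", re.compile(
        r"schtasks(\.exe)?\s+/create"
        r"|sc(\.exe)?\s+create\s+\S+\s+binpath=")),
]


def parse_events(lines):
    """Yield one dict per well-formed JSON line; skip blank or broken lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not take the pipeline down


def classify(event):
    """Return the rule categories whose regex matches the event's CommandLine."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines):
    """Return (hostname, category, command line) alerts in log order."""
    alerts = []
    for ev in parse_events(lines):
        for category in classify(ev):
            alerts.append((ev.get("Computer", "?"), category, ev.get("CommandLine", "")))
    return alerts


def escalate(alerts):
    """Hosts on which two or more categories fired: an admin deleting old
    shadow copies is routine, but backup destruction plus AV tampering on the
    same host is an intrusion in progress."""
    by_host = {}
    for host, category, _ in alerts:
        by_host.setdefault(host, set()).add(category)
    return sorted(h for h, cats in by_host.items() if len(cats) >= 2)


# Constructed sample: three stages on FS01, benign noise on WS17, a lone
# (possibly legitimate) catalogue deletion on BK02, and one truncated line.
SAMPLE_LOG = r"""
{"UtcTime": "2021-12-01 02:14:07", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"UtcTime": "2021-12-01 02:14:09", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"UtcTime": "2021-12-01 02:14:15", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\up.exe /sc onlogon /ru SYSTEM"}
{"UtcTime": "2021-12-01 02:15:02", "Computer": "WS17", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"UtcTime": "2021-12-01 02:16:40", "Computer": "BK02", "User": "CORP\\jsmith", "Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"}
{"UtcTime": "2021-12-01 02:16:41", "Computer": "WS17", "CommandLine":
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for host, category, cmd in found:
        print(f"{host:5} {category:20} {cmd}")
    print("escalate:", escalate(found))  # ['FS01']
```

The point of `escalate` is the one most teams get wrong: each command on its own generates noise from administrators, so the useful signal is the combination of categories on one host inside a short window. In production the same rules would be expressed in the SIEM's query language rather than Python, and the window would be time-bounded.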
Such malware strains are beyond the capabilities of lone bedroom hackers, so instead they rent them. Avaddon is a prominent example of ransomware as a service (RaaS): the developers lease the malware and its infrastructure to affiliates, who carry out the attacks and hand back a share of each ransom. REvil, responsible for the devastating Kaseya attack in July, is another RaaS operation, as is Ryuk, which comprised one-third of all attacks in 2020 and had amassed more than $150 million in earnings as of January this year.
“Today 99% of ransomware attacks are from organised crime, and the motive is always financial,” explains Kevin Curran, senior IEEE member and professor of cyber security at Ulster University. “It’s a few key players at the top who rent out their ransomware bots, then keep tabs on what the people who rent the bots are doing.”
As the ransomware landscape becomes more terrifying, the business landscape grows more vulnerable. “Almost the entire world has started working from home in the last year and a half, and that’s caused a massive disruption to security,” Mark Walker, security solutions lead at Jamf and former Oxford NHS Trust head of IT, tells IT Pro. “All those protections we’ve built up over the years are no longer valid.”
Home alone
The switch to using personal mobile devices for work is a major weak spot. “We’re seeing a huge increase in attackers trying to gain entry into a target organisation using mobile devices,” Walker continues. “All it takes is a phishing attempt or a man-in-the-middle attack, and users won’t even know their credentials have been compromised. With an SMS phishing (smishing) attack, the exploit can capture your second factor in 2FA. The vulnerability, in that case, is the human being.
“Similarly, virtual private networks (VPNs) have been around for decades and are a great resource. But they’re not great on mobiles. And if your credentials are compromised, the attacker has access to the entirety of the infrastructure the VPN connects to.”
Businesses, generally, need to up their game, which they can do by adopting controls such as 2FA and zero-trust network access (ZTNA), so remote workers can access data securely. Privileged access management solutions, too, are essential, so that people can access only the resources they need to do their job.
“We’re seeing a huge increase in demand for smarter remote-access solutions like ZTNA, where you’re not sending nearly half the data that you would with a VPN,” Walker adds. “You only have access to the back-end resources that you need for a particular use.”
Security systems need to cover multiple platforms, too, he adds; his own firm uses security information and event management (SIEM) as a single pane of glass. Any system an organisation adopts should also focus on its dominant operating system, whether that’s Windows 10 or something else, rather than spreading itself thinly.
Backup remains the gold standard defence, but backups must be kept in multiple places and off the network, Kevin Curran explains. “Decide what the major files and databases are, and back them up in a machine or server that you can back it up from if you get hit by ransomware. Patch all your products as well. You’ve got to presume the worst.”
While you’re working to shore up your defences, there are also tricks you can deploy to hoodwink hackers. “A lot of these gangs are based in Russia,” Curran adds. “Some of the main malware strains a few months ago looked for a Russian Cyrillic keyboard. If you had that on your machine, it wouldn’t install the ransomware.” This raises the question: can you trick the ransomware by installing a Russian keyboard? “Yes, that worked – but they’ll probably change it to look for people’s IP addresses instead. They will always look for ways to target attacks that people haven’t worked out how to get around yet.”
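The keyboard check Curran describes is a concrete piece of logic, and it helps to see exactly what the malware is testing so the limits of the trick are clear. Below is an added example, not code from the article or from any ransomware family it names. Windows reports each installed keyboard layout as an HKL handle whose low 16 bits are a LANGID, and the low 10 bits of the LANGID identify the primary language; the sample enumerates the layouts and refuses to run if one belongs to a language it wants to avoid. The set of excluded language IDs below is an assumption for the example (real samples differ in which languages they exclude), and the `country_code` geolocation variant models the change Curran predicts rather than any specific sample.

```python
"""Model of the 'Cyrillic keyboard' exclusion check used by some ransomware.

Added example. Primary language IDs are the documented Windows LANG_* values;
which ones a given family excludes is an assumption here.
"""
import sys

LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN = 0x19, 0x22, 0x23
LANG_KAZAKH, LANG_ARMENIAN, LANG_GEORGIAN = 0x3F, 0x2B, 0x37

# Languages whose presence makes the (modelled) sample exit without encrypting.
EXCLUDED_PRIMARY_LANGS = {
    LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN,
    LANG_KAZAKH, LANG_ARMENIAN, LANG_GEORGIAN,
}

# Hypothetical IP-geolocation fallback: country codes the operators avoid.
EXCLUDED_COUNTRIES = {"RU", "UA", "BY", "KZ", "AM", "GE"}

RUSSIAN_LAYOUT_HKL = 0x04190419  # LANGID 0x0419 = Russian (Russia)


def primary_lang(hkl: int) -> int:
    """PRIMARYLANGID(LOWORD(hkl)): the low 10 bits of the LANGID."""
    return hkl & 0x03FF


def would_refuse_to_run(installed_layouts) -> bool:
    """The keyboard-only check: any excluded language among the layouts?"""
    return any(primary_lang(h) in EXCLUDED_PRIMARY_LANGS for h in installed_layouts)


def would_refuse_to_run_geo(installed_layouts, country_code: str) -> bool:
    """Curran's predicted evolution, modelled as an assumption: the sample also
    looks up the public IP's country, so a keyboard layout alone no longer
    decides anything when the host geolocates outside the excluded set."""
    return country_code.upper() in EXCLUDED_COUNTRIES


def add_layout_vaccine(installed_layouts):
    """What 'installing a Russian keyboard' amounts to: one more HKL in the
    list. The layout only has to be installed, not selected as active."""
    return list(installed_layouts) + [RUSSIAN_LAYOUT_HKL]


def read_installed_layouts():
    """On Windows, the real enumeration a sample performs via
    GetKeyboardLayoutList; elsewhere returns [] so the example still runs."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [h or 0 for h in buf]


if __name__ == "__main__":
    # Constructed inputs: a US-English plus UK-English machine, then vaccinated.
    layouts = [0x04090409, 0x08090809]
    print("refuses before vaccine:", would_refuse_to_run(layouts))              # False
    print("refuses after vaccine:", would_refuse_to_run(add_layout_vaccine(layouts)))  # True
    print("refuses with geo check (GB):", would_refuse_to_run_geo(layouts, "GB"))      # False
    print("this host's layouts:", [hex(h) for h in read_installed_layouts()])
```

Two practitioner caveats follow from the code rather than from opinion. First, the check reads the installed layout list, not the active one, which is why the trick costs nothing to users. Second, `would_refuse_to_run_geo` shows how cheaply the operators can route around it: once the decision depends on the public IP address, the extra layout is a tripwire at best, so treat it as a free bonus on top of backups, patching and least privilege, not as a control.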