Ransomware in the first half of 2022
Compared to 2021, the amount of publicly reported ransomware attacks has increased across most months according to BlackFog’s 2022 state of ransomware report. These numbers are significantly higher than in 2020 and could be a result of the specific sectors being attacked. Certain industries, like education and government, don’t have the luxury to pause operations, and are sometimes have no choice but to pay ransoms if they don’t have proper data backups. In addition, industries like technology and healthcare are seeing a rise in ransomware attacks, likely due to the sensitive nature of their data. Ultimately, threat actors are targeting attacks on the sectors that will pay out more heavily.
Notable events in the ransomware sector
So far, the most groundbreaking event in ransomware has less to do with the number of attacks or trends in cases, and everything to do with the change in leading ransomware gangs. Specifically, which groups have emerged, and which have disappeared. The foundational shift in how ransomware groups operate is linked to the Conti group’s actions and their subsequent breakup.
Conti
The downfall of Conti began when the group publicly supported Russia’s invasion of Ukraine. In response, Ukrainian members of the gang stole and leaked internal communications providing an unprecedented view of how Conti was operating as a business. As a result, Conti disbanded.
Due to this breakup, there is now a lot of overlap between ransomware gangs like Black Basta, Hive, and LockBit. These groups are treating ransomware as a business and are not doing the hacking themselves. Instead, they develop ransomware code and pay brokers for initial access, and then facilitate payments. Employees for the “business” are hired utilizing affiliate marketing techniques.
The return of LockBit
LockBit 3.0 treats their group as a business and features an HR department, affiliate marketing and bug bounty programs. This new version of its ransomware software integrates concepts from other RaaS groups to stay ahead of the competition. Learn more about LockBit 3.0 and the tactics the LockBit group uses here.
Impacts of ransomware trends
Initial access brokers
These individuals gain access to a company’s network to sell the access to ransomware gangs who will then use it to deploy ransomware software. This has created new business in the ransomware as a service space.
Cyber double extortion
This popular attack tactic is when threat actors steal data and threaten to leak it online if the company does not pay. Common victims are organizations targeted for their highly guarded code. While backups continue to improve, extortion will always remain a threat.
Accessibility of cyber insurance
Cyber insurance has become harder for businesses to get, which is due in part to the effects of ransomware. Insurance companies don’t want to pay ransoms, so they are putting pressure on companies to better their cyber security before they can get insured. This might entail rewriting your policy when it is time for renewal.
Ransomware groups have started probing networks looking for insurance policies to use as insider information during the ransom negotiation. Bad actors tell the company that they know the policy details and they want to get the max payout. Insurance agencies have realized that by not forcing organizations to improve their security protocols, their margins can be severely impacted.
Issues prolonging the existence of ransomware
Skipping the basics
Ransomware will continue to thrive as long as companies neglect foundational security measures. Without basic cyber hygiene like network patching and employee training, phishing and attacks on vulnerable systems will persist.
Poor network segmentation
Network segmentation allows admins to divide a network into smaller segments (subnets) to have more control over access points and traffic flows. It also allows for increased performance and the ability to localize issues.
Many companies do this incorrectly, which contributes to the success and longevity of ransomware. Internal intrusion prevention systems (IPS) can help prevent attacks and keep networks secure.
Not separating company assets
Companies need to keep their assets fully separated on different networks, because if they don’t, a ransomware attack could cause an entire company shutdown. Not only will this harm company reputation and revenue, but it will also increase recovery costs. If part of your network is breached, you should be able to contain the damage so that it does not affect any other areas of the business.
Moving forward
Ransomware isn’t going anywhere, and it’s critical for organizations to take their security seriously. If not, there is the potential for severe consequences. Contact Blue Team Alpha, we have plenty of services to help keep your network safe and secure.