Reports show that globally, in 2021, the number of ransomware attacks increased significantly. Not only did the level of frequency grow, but so did their level of sophistication. Ransomware as an industry is escalating and it’s important to know what to look for to better protect sensitive data.
Here are several trends to be aware of and steps to help mitigate the risk of attack:
Cybercriminal Services for Hire
The ransomware market has become more sophisticated and professional in recent years, making attacks harder to distinguish. It has also become more collaborative, with cybercriminals utilizing ransomware-as-a-service (RaaS), engaging with third-party payment brokers, and sharing victim information with each other.
RaaS is a business model where affiliates pay to use ransomware code developed and maintained by operators. This makes deploying a ransomware attack more accessible to threat actors who might lack the skills or time necessary to create their own. The vast network behind RaaS services also make it more difficult for authorities to identify those behind the attack.
Some ransomware groups have started selling victim information to others, adding another type of threat to targeted organizations. One such organization is Conti, who began selling access to networks in October 2021.
Secure the Cloud
Cybercriminals are targeting known vulnerabilities in cloud applications, virtual machine software, cloud application programming interfaces (APIs), and data storage systems. Threat actors also try and access cloud services by breaching on-site networks and moving laterally through them.
Consider storing encryption keys outside the cloud so they are protected in the event of a cloud attack.
Remote Lifestyle Increases Vulnerabilities
Due to the significant increases in both remote work and remote learning, unprecedented amounts of users are utilizing virtual private networks (VPN) and Remote Desktop Protocol (RDP). With this expanded attack area, security and IT teams struggle to manage software patching.
Users are also at risk of falling victim to phishing attacks or RDP credential theft which could result in a network breach. Reports indicate that these attack vectors, along with brute force vulnerability exploitation, remain the most popular, due in part to the volume of remote work.
Moving Away from Big Game Hunting
Early in 2021, reports indicated that threat actors were attacking “big-game” targets (critical organizations and/or organizations with an assumed high-value). Due to interruptions by U.S. authorities, some ransomware attackers have changed their focus to more mid-sized companies (mid-game hunting). Unfortunately, these companies are more likely to pay the ransom because they do not have the infrastructure or funds to remain nonoperational for an extended period of time.
Managed Service Providers (MSPs) are often a trusted partner managing companies’ IT operations externally, which is why they are appealing to cybercriminals. By attacking an MSP, threat actors have the potential to target multiple victims at one time.
In July 2021, the REvil Kaseya attack disrupted over 1,000 businesses who used Kaseya VSA, a remote network and end-point monitoring tool.
Targeting Critical Operations
Ransomware attacks commonly target business operations and IT systems; however, the FBI has observed that criminals have started launching code aimed at halting critical infrastructure and industrial processes. 2021 reports indicate that 14 out of 16 critical U.S. infrastructure sectors were involved in ransomware attacks, including the Defense Industrial Base, Emergency Services, Food and Agriculture, and Information Technology.
Attackers have also targeted the software supply chain to increase their impact by targeting multiple victims.
Threat actors are now engaging in double—or even triple—extortion efforts to entice victims to pay their demands. This goes beyond the typical ransom wherein attackers hold networks or data hostage until payment is made. Now, actors threaten to sell or leak stolen information to the public, inform shareholders and other partners about the attack, and/or disrupt the victim’s internet access.
Cybercriminals Don’t Stop for Holidays & Weekends
Over 2021, it became apparent that more and more cyberattacks were executed on holidays and weekends due to the enticing combination of offices being closed and reduced numbers of staff working.
How to Mitigate Threats
Keep Systems Updated
Patching vulnerabilities is one of the most important—and cost effective—ways to make sure your networks are secure. Check for software updates and end-of-life (EOL) notifications often. If working with an MSP, ensure they are also patching regularly. If possible, automate software testing and security scanning to increase security.
It’s important to have clearly defined cybersecurity procedures and to train users regularly. This is particularly helpful when it comes to phishing awareness. All users should be trained to recognize signs of phishing emails and know not to click on any suspicious links or attachments. Having in-house security teams send test phishing emails is a great way to reinforce this training.
Utilize Multifactor Authentication
With more users accessing networks remotely, it is crucial to implement multifactor authentication (MFA)2 wherever possible. This includes VPNs, email, accounts accessing critical services or infrastructure, and cloud systems.
In addition to MFA, require users to maintain strong passwords—or even passphrases—and update them regularly. Passwords should not be reused over multiple accounts.
Use Caution with RDP
If RDP is necessary at your organization, take care to limit access to resources and require MFA to protect credentials. When being used remotely, RDP should only be accessible via a VPN or other virtual desktop infrastructure. This remote access should be monitored, and account lockouts enforced to prevent forced entry.
All devices should be property configured with the latest security features and patches installed. Any ports and protocols that aren’t being used for business should be disabled.
Subvert Network Discovery Techniques
Threat actors commonly try to access systems and network via discovery techniques for visibility and mapping. To avoid this, here are some tips:
- Network segmentation to control access
- Deploy end-to-end encryption
- Use a network-monitoring tool to automatically investigate suspicious activity like an Artificial Intelligence (AI) enabled network intrusion detection systems (NIDs)
- Immediately investigate unapproved solutions installed on company machines
- Monitor use of credentials to prevent accidental exposure
- Have data backups physically disconnected from the network to reduce eliminate or reduce potential downtime in the event of an attack
- Encrypt backup data and ensure that it is immutable, covering the organization’s entire data infrastructure
- Retain telemetry from cloud environments
Ransomware Attack Response
If you are a victim of a ransomware attack, here are some recommended steps:
- Report the attack to the proper authorities
- Scan backups for malware using a trusted and isolated system to protect backup data from potential compromise
- Execute incident response best practices
- It is not encouraged to pay the ransom. Since threat actors are often motivated by financial gain, paying the ransom shows these types of attacks are successful and can inspire future attacks. There is also no guarantee that by paying the ransom, victims will receive their data.