The evolving ransomware landscape
Earlier this month, Lindy Cameron, head of the UK's National Cyber Security Center warned that in terms of national security, ransomware attacks are a bigger threat than more traditional espionage.
"Four nation-states – China, Russia, North Korea, and Iran – have been a constant presence in recent years. And as I've said before, we face a determined, aggressive Russia, seeking traditional political advantage by new, high-tech means," Cameron said at the Royal United Services Institute's (RUSI) Annual Security Lecture.
Such concerns are certainly understandable, as ransomware attacks grew by 150% during 2020, with the amount paid out soaring by an incredible 300%. 2021 shows no signs of that trend abating, with numerous high-profile attacks against key infrastructure illustrating the scale of the problem. Traditionally, ransomware attacks would utilize phishing emails that would enable malware to be deposited onto a device or network. This malware would then encrypt key systems, with the criminal demanding payment in exchange for the decryption key.
Often, the criminal wouldn't even gain access to the information on the server, and may not even know the organization that was ultimately the target. The key was more to find vulnerable systems and wait for the payout.
A changing game
A recent report from enterprise security company Proofpoint showed that things are rapidly changing, however. The researchers highlight that while email is still used, ransomware attackers often work in cahoots with other cybercriminals to buy their way into major targets in return for a slice of any bounty they secure.
This creates a complex but highly robust ecosystem of cybercriminals with individual actors specializing in particular activities rather than trying to do it all themselves. It's an approach whereby malware, such as Buer Loader or Dridex, is used to infect a target’s system, with the access then sold to the ransomware operators to deploy their encryption or data theft operation. Indeed, the research suggests that as many as 20% of malware found in banking systems was being used in this way.
Of course, what this means is that because ransomware attackers are capitalizing on a breach made by other cybercriminals, even if the attackers honor their word and provide the encryption or delete any compromising information they have, the breach still exists and may easily be sold afresh to a new cybercriminal to exploit. Indeed, the Proofpoint data did indeed reveal that multiple threat actors are using the same malware payloads to distribute ransomware attacks.
On the hunt
This shift is significant, as Proofpoint reveals that the distribution of ransomware via email has grown considerably since 2015. Such attacks would commonly see criminals sending out a huge volume of emails to individual addresses, with those messages containing either malicious files or links that would infect the victim’s device once clicked on.
They reveal that attackers would often conduct surveillance of potential targets to help them identify potentially high-value organizations to attack. This surveillance would include not only vulnerability to attack but also the likelihood that they would pay out any ransom requests made of them.
After the shift to a more ecosystem-based approach, ransomware attackers would work with initial access brokers to leverage existing backdoors into the systems of target organizations.
The researchers believe that the threat landscape for ransomware attacks during 2021 will continue via email-based downloaders, with attackers using extensive reconnaissance to ensure that the ransomware is deployed in the most lucrative way. They also suggest that attackers are increasing the speed of their operations, with a typical "dwell time" of just two days in the victim’s system before ransomware is deployed. This is a noticeable drop from around 40 days in 2019.
Protecting against ransomware
For many organizations, it's more a case of when, not if an attack occurs, so it's vital that a robust incident response plan is not only prepared but acted upon. This will help to ensure that senior managers, the legal department, and insurers are notified at the earliest opportunity.
Many organizations are defaulting to paying ransom demands as quickly as possible, but in reality, each such attack should be treated on its individual merits, with an open mind kept where possible. It's very easy for executives who are unfamiliar with ransomware attacks to waste valuable time pledging never to settle with criminals before eventually accepting the reality of the situation and using their insurance to pay up.
It's highly likely that the attackers will have done their due diligence and chosen organizations with sufficient insurance to cover their attack, so it's important to keep calm and not panic. Instead, ask questions exploring things such as the sensitivity of any information that has been compromised, the availability of back-ups, the costs associated with non-payment of the ransom, and so on.
With ransomware attacks on the rise, it’s vital that organizations have plans and procedures in place not only to try to prevent them from happening but also to respond effectively when they do.