Its 2022 and Ransomware Menace Refuses to Go Away

In the previous posts, we have discussed how mobile devices are the new attack surfaces for cybercrime, and cyber-kinetic attacks are here to stay. In this post, we would like to shed some light on the ever-growing menace of ransomware attacks.

On the surface of the matter, a ransomware attack is one of the most viable business models for threat actors – regardless of their geography. An attack that gains unauthorised access to vital infrastructure, encrypts it and holds it captive with a ransom. The ransom is often demanded in the form of bitcoins or other cryptocurrency, which if not paid there will always be a lingering threat of the stolen data being leaked in underground forums. What is, therefore, at stake is not data alone. It is the damage to reputation and the loss of consumer confidence as well.

To put things into perspective, here are some facts and figures on the ransomware threat landscape:

1. Almost 37% of all businesses and organizations, globally, were hit by ransomware in the year 2021.
2. Recovering from a ransomware attack has, on average, costed businesses USD 1.85 million in 2021.
3. While 32% of the ransomware victims paid the ransom, they could get only 65% of the stolen data back.
4. Overall, ransomware cost the world approximately USD 20 billion in 2021.

As per our research, ransomware operators have upgraded to following a four-layered approach of targeting organisations that includes:

1. Infiltrate into the target organization’s network
2. Exfiltrate and encrypt data
3. Demand ransom and “Name & Shame”
4. Leave behind footprints in the targeted organizations to return and attack again

As these attacks promise immense profits, along with a strong reputation amongst their peer group, cybercriminals have now opted for this model named Ransomware-as-a-Service (RaaS). In RaaS, ransomware developers sell/ establish affiliates for their tools.

Given that the cost of hacking tools has come down substantially, and the attack surface is expanding at a rapid pace, researchers believe that the ransomware industry could further evolve into a subscription model – wherein organizations/ businesses would pay the cybercriminals to not attack them.

Another interesting development in the ransomware landscape is the recruitment of insiders to improve their attacks. A survey conducted between 7 December 2021 and 4 January 2022, found that 65% of its respondents were approached by ransomware attackers to gain the initial access into critical infrastructure. Here it is important to note these cybercriminals are making most of the ongoing trend of “the great resignation” in the United States. The money offered to these employees was mostly below USD 500,000 – which can be quite enticing for those who are quitting or are on the verge of resigning.

Therefore, based on attack vectors like phishing emails, exploitation of vulnerabilities, and now leveraging the real-time trend of great resignation – the need of the hour is to build strong security boundaries to keep the ransomware criminals at bay.

As per our cyber threat intelligence (CTI) team, here are some of the best ways through which organizations and businesses can safeguard critical data and infrastructure:

1. Prioritize resources (based on classification, criticality, and business value) and understand the true scope and impact of a potential ransomware event. It is an important factor in contingency planning for future ransomware events, emergency responses, and recovery actions allowing the organization to prioritize the response and recovery activities.
2. Block exploit-like behaviour. Monitor endpoints memory to find behavioral patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
3. Periodically conduct red team exercises to identify externally exposed and insecure internal information.
4. Consider implementation of a people-centric Insider Threat Management (ITM) that is designed for modern work-from-anywhere workflows and provides cross-collaboration between technical and non-technical representatives (from IT, HR, compliance and legal, etc).
5. Deploy solutions to keep track of employee actions and correlate information from multiple data sources and leverages several techniques (sophisticated behavioral analytics, machine learning, adaptive baselining, heuristics, reputation databases, signature-based detection). Use Network Detection and Response (NDR) solution to overcome challenges when dealing with insider threats.
6. Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
7. Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.