Recent trends in ransomware attacks look scary. Are you prepared?
Two recent ransomware attacks, one targeting Colonial Pipeline, the largest pipeline system in the United States for refined oil products, and the other targeting JBS, one of the largest meat processing companies in the world, gave us a glimpse of the increasing frequency, as well as the clear and present danger of ransomware attacks.
The impact of ransomware has been growing ever since the first documented ransomware attack in 1989. Per recent reports, the average cost of remediating and recovering from a ransomware attack is a staggering $761,106. This figure covers not just the ransom that is paid but also the downstream cost of restoring the affected systems and recovering from the damage caused by the attack.
In 2020, ransomware attacks increased 150% compared with 2019, and the ransoms paid by victims of these attacks increased by more than 300%.
The alarming numbers
Here are some alarming statistics that will make almost anyone sit up and take notice:
Clearly ransomware attacks aren’t going to stop anytime soon, and malicious actors are bent on exploiting the situation that the global pandemic has put workforces in. Working from home on unsecured networks and without IT oversight, employees tend to be an easy target for ransomware attacks.
Recent trends in ransomware attacks
1. Sophisticated Approaches
Apart from the age-old, proven medium of phishing emails as a distribution channel, there is a sudden increase in ransomware attacks delivered over Remote Desktop Protocol (RDP) and through remote-access trojans (RATs).
RAT programs stealthily infiltrate business systems by masquerading as legitimate remote-access tools and take full control of the target system. The attackers then harvest local files, login credentials, and other critical information, and download and install further malicious programs that can spread to other users and hosts on the network. These are complex software programs written by professional malware authors, and some have been known to contain as many as 70 separate modules, each intended to defeat a particular layer of security controls and bypass enterprise-level defense boundaries.
Another growing class of attack is brute force against exposed RDP: attackers scan for hosts listening on the RDP port, identify them, and then guess weak or reused passwords (or, less often, exploit vulnerabilities in the RDP service itself) to gain an interactive foothold on the victim’s system and network. This is quite common now, as a lot of employees working from home connect to their business endpoints using Microsoft’s Remote Desktop for daily business operations.
During Q3 2020, ransomware attacks increased globally by 40% to 199.7 million cases. In the United States alone, attacks increased by 139% year-over-year, totalling 145.2 million cases in Q3 2020.
2. Shift of focus to SMBs and new business verticals
A recent report reveals that as many as 46% of Small and Medium Businesses (SMBs) were victims of ransomware during 2020. The trend of targeting prosperous businesses with weak cybersecurity infrastructure has now extended to small and medium-sized businesses as well. These businesses provide an easier target than the larger enterprises, whose defenses are comparatively tougher to infiltrate. Most SMBs tend to have limited resources, little or no dedicated IT staff to handle cybersecurity, and insufficient security checks for their remote or mobile workforce.
Ransomware attackers have also started targeting industries such as manufacturing, smaller franchised retailers, education, and supply chain companies. These suffer from the same malaise as SMBs: relatively weaker security defenses. State and regional government entities remain a favored target for the same reason. Federal government entities and tech and financial services companies, although lucrative, are harder targets to penetrate.
But not all businesses are awake to the danger. Most businesses think ransomware attacks could only happen to “someone else”.
Recent research by BullGuard found that 60% of surveyed SMB owners assume that their businesses are not a likely target for cybercriminals.
Another important driver of the rise in ransomware incidents is the advent of Ransomware-as-a-Service (RaaS).
Ransomware as a service (RaaS) is a subscription-based model that gives criminals ready-to-use ransomware tooling with which to execute attacks. RaaS gives anyone the ability to launch ransomware attacks just by signing up for a service. These easy-to-use and affordable RaaS kits require no technical expertise, can be easily procured on the dark web, and come with technical support just like any legitimate SaaS product!
RaaS is proving to be a profitable venture for criminals. It is estimated that total ransomware revenues in 2020 were around $20 billion, up from $11.5 billion the previous year.
This new development in the ransomware delivery model has taken ransomware threats to a whole new level.
- DarkSide: DarkSide is a RaaS operation with both Windows and Linux payloads; its Linux variant targets VMware ESXi hypervisors. DarkSide was the ransomware used in the Colonial Pipeline attack.
- REvil: REvil, or Sodinokibi, is sold by the criminal group tracked as Pinchy Spider under an affiliate model in which the operators typically keep 40% of the profits. Before publishing stolen data on public forums it warns victims of the planned leak, complete with timelines and a countdown timer. This is the variant used in the attack on JBS in the US (Colonial Pipeline, by contrast, was hit by DarkSide).
- Dharma: Dharma ransomware is associated with Remote Desktop Protocol (RDP) attacks: operators find RDP services listening on TCP port 3389 and brute force the password to gain access to business systems and networks. The variant then encrypts system and user files and demands a ransom in exchange for the decryption keys.
- LockBit: LockBit is offered as a RaaS. The malware locks victims out of the targeted computer systems, and the encrypted systems are then used as leverage to extort payment in exchange for decryption.
- Shark: Shark, a recent RaaS variant, uses anonymous networks to host its ready-to-use packages. Ransomware distributors can download a zip file containing everything they need to get started. The zipped file includes ransomware configuration builders as well as executable files that can be customized and configured according to the distributors’ needs.
- Stampado: Stampado is known to be an astonishingly low-priced RaaS variant. The ransomware uses the Advanced Encryption Standard (AES) to lock down business systems and deletes files after a stated deadline to pressure victims into paying.
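The RDP brute-force technique described under Sophisticated Approaches above, and again in the Dharma entry, leaves a recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive) from a single source address, spread across several account names, sometimes followed by a successful logon (Event ID 4624) from the same address. The following is an added example, not code from the original article or from any product it mentions, of detection logic run over a constructed log export. The CSV layout, the threshold of five failures within five minutes, and the sample addresses and account names are assumptions made for the example.

```python
"""
Spot RDP password-guessing in a Windows Security log export.

Windows records a failed logon as Event ID 4625 and a success as 4624;
Logon Type 10 ("RemoteInteractive") marks a Remote Desktop session.
Many 4625/type-10 events from one source address in a short window is
the brute-force signature; a 4624/type-10 from the same address after
that means a guess worked and the host should be treated as compromised.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"

# Constructed sample export (not real telemetry). Assumed columns:
#   timestamp,event_id,logon_type,target_account,source_ip
SAMPLE_EVENTS = """\
2021-06-01T02:00:01Z,4625,10,Administrator,198.51.100.23
2021-06-01T02:00:03Z,4625,10,admin,198.51.100.23
2021-06-01T02:00:05Z,4625,10,Administrator,198.51.100.23
2021-06-01T02:00:08Z,4625,10,backup,198.51.100.23
2021-06-01T02:00:11Z,4625,10,jsmith,198.51.100.23
2021-06-01T02:00:14Z,4625,10,jsmith,198.51.100.23
2021-06-01T02:00:40Z,4624,10,jsmith,198.51.100.23
2021-06-01T09:15:00Z,4625,10,jsmith,203.0.113.7
2021-06-01T09:15:30Z,4624,10,jsmith,203.0.113.7
2021-06-01T09:20:00Z,4625,2,jsmith,127.0.0.1
"""


def parse_events(text):
    """Parse the CSV export into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account.lower(),  # Windows account names are case-insensitive
            "src": src,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed RDP logons inside some span of length `window`.
    A per-source sliding window is used so that a slow trickle of
    failures over a whole day does not raise an alert."""
    recent = defaultdict(deque)        # src -> failure timestamps still inside the window
    total_failures = defaultdict(int)
    accounts = defaultdict(set)
    alerts = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                     # ignore console, network and service logons
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:
                q.popleft()              # the element just appended is never evicted
            total_failures[src] += 1
            accounts[src].add(ev["account"])
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_seen": q[0].isoformat(),
                    "failures": 0,
                    "accounts": accounts[src],
                    "success_after": None,
                })
                alert["failures"] = total_failures[src]
        elif ev["event_id"] == SUCCESS_LOGON and src in alerts:
            if alerts[src]["success_after"] is None:
                alerts[src]["success_after"] = (ev["account"], ev["time"].isoformat())
    return alerts


def format_alerts(alerts):
    """Render each alert as one line suitable for a ticket or SIEM notable."""
    lines = []
    for src, a in sorted(alerts.items()):
        verdict = ("COMPROMISED: %s logged in at %s" % a["success_after"]
                   if a["success_after"] else "no successful logon seen yet")
        lines.append("%s: %d failed RDP logons since %s across %d accounts (%s); %s"
                     % (src, a["failures"], a["first_seen"], len(a["accounts"]),
                        ", ".join(sorted(a["accounts"])), verdict))
    return lines


if __name__ == "__main__":
    for line in format_alerts(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))):
        print(line)
```

Run against the sample, only 198.51.100.23 is flagged: six failures in thirteen seconds against four account names, followed by a successful logon as jsmith, which is the case that should page someone. The single failure from 203.0.113.7 stays below the threshold and the type-2 console event is ignored. One caveat for production use: on hosts with Network Level Authentication enabled, a wrong password is rejected before the desktop session is created and the resulting 4625 is commonly logged with Logon Type 3 rather than 10, so the logon-type filter usually needs to admit type 3 failures as well; the sliding-window logic is unchanged.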
Preventing Ransomware (including RaaS) Attacks
Considering the financial losses and potential harm to an organization, it is imperative for enterprises to take proactive steps to prevent ransomware attacks. Here are a few recommended best practices that businesses should consider:
- Implement robust endpoint protection along with effective antivirus and anti-malware solutions.
- Perform regular and frequent backups to minimize the damage caused by ransomware attacks, and keep at least one copy offline or immutable so the ransomware cannot encrypt or delete it. A reliable and comprehensive backup allows lost data to be restored without having to negotiate with the attacker or pay any ransom.
- Enforce a strict software patch schedule or enable automatic security updates to protect business systems from known vulnerabilities.
- Since phishing emails tend to be the most popular vector for ransomware, implement advanced anti-phishing protection to improve ransomware detection and blocking capabilities.
- Disable unnecessary remote desktop connections to prevent attackers from accessing business users’ devices and files remotely. Where remote desktop is required, put it behind a VPN or gateway and require multi-factor authentication, and monitor for unusual endpoint connection requests.
- Humans are the weakest link in the security chain. Train the workforce on cybersecurity best practices and on recognizing and defending against social engineering attacks.
Data Backups and Ransomware Attacks
Ransomware has proved that it can get around the best-laid security defenses, and most IT pros acknowledge that a reliable backup strategy is the best way to defend against and recover from ransomware attacks.
A robust data protection process, with comprehensive backups taken at frequent intervals and multiple redundant copies kept in geographically separated locations, has proven to aid business continuity even while the organization is under attack. Even if you have other cybersecurity solutions in place, a safe, immutable copy of business data stored encrypted in the cloud is a necessary and basic defense against ransomware.
Backups – A necessary part of your ransomware defense
Modern, cloud-agnostic data backup solutions like BluVault offer a solid defense against ransomware even if all other security barriers are breached.
BluVault equips businesses with:
- Safe, reliable, versioned, data backups to the cloud using a secure storage container enabled by an enterprise-grade privacy gateway
- Easy, granular, point-in-time, data recovery whenever required
- Industrial-strength encryption (with control over encryption keys) to secure your data both at rest and in transit as it travels between your enterprise assets and the cloud