Increase in Tailored Ransomware During COVID-19

Posted by Trevagh Stankard on Thu, May 20th, 2021

As the pandemic lockdowns forced work, school, and healthcare providers to go virtual, threat actors authored malware specifically for the global situation. No matter which country they target, malware authors are sure to find victims. Authors no longer looked for multiple victims across thousands of email addresses. Instead, they focused on specific industries and individuals to improve their payouts. Because cybersecurity was an afterthought as more companies and schools went virtual, the attacks proved successful, and more ransomware affected businesses and their employees.

Pre-COVID Ransomware Attacks

Before pandemic lockdowns, ransomware authors designed their malware so that as many people as possible could be victims of an attack. They mainly used email to send malicious attachments, and a malware author would send thousands of messages to potential victims. Some email messages would be caught by filters, others would be ignored or deleted by targeted users, but a small percentage of recipients would fall for the attack and install the malware.

With thousands of emails, an attacker could expect money from the small percentage of recipients who fell victim to the message. The victims would open an attachment, execute a malicious macro, and then pay the ransom to get their files back. Most ransomware targeted individuals and asked for a small fee in exchange for the private key. An attacker could make thousands off traditional malware targeting individuals.

Post-COVID Ransomware Attacks

In 2020 and into 2021, threat actors changed their targets to businesses and their employees working from home. Because most businesses were forced to go virtual, employees worked from home and cybersecurity was an afterthought once the environment was initially set up. Businesses migrated data and applications to the cloud to give employees access to necessary infrastructure, but it was done in a way that left vulnerabilities.

Getting access to just one high-privilege user could be a major payout for an attacker. Ransomware can spread from a targeted user’s machine to the global network, giving the malware an opportunity to encrypt critical files for an entire organization. If the organization does not have proper backups and a disaster recovery plan, it will be forced to pay the ransom. Threat actors targeting businesses ask for tens of thousands of dollars rather than a few hundred in cryptocurrency, knowing that businesses have more money to pay.

Extortion and Distributed Denial-of-Service (DDoS)

Another evolution in newer ransomware attacks is extortion and blackmail when an organization chooses not to pay the ransom. Attackers will threaten to release the data publicly or launch a DDoS against the organization. Extortion is the most popular fallback for threat actors to blackmail organizations into paying the ransom even if they have backups.

When stolen data is published, the organization suffers reputational damage. It’s an effective tool should the organization fail to pay the ransom. The other option for threat actors is to DDoS the organization. A DDoS brings down critical services, forcing the organization to pay the ransom to get the attack to stop.

Cybersecurity Should Be a Priority for Remote Staff

It’s inevitable that businesses will have several staff members working from home at least through 2021. As people come back to the office, the world will return to normal. But attackers will still focus on vulnerable employees working from home. Multi-layer cybersecurity controls should be installed to protect any employee opening email messages at home from advanced threats such as ransomware.

Email filters are an important layer of cybersecurity. They detect malicious messages and attachments before they reach the user’s inbox. They are installed on email servers so that administrators can review potentially malicious messages. Messages flagged by email cybersecurity systems are sent to a quarantine location where administrators can review them. Administrators can then forward false positives to the intended recipient or delete malicious messages.

Threat actors blackmail corporations only after the corporation has been the victim of ransomware and a data breach. Deleting messages on an email server stops these attacks at the very beginning. You no longer rely on user training or local antivirus programs. Because user devices could have poorly managed antivirus programs, corporate networks cannot rely on user anti-malware systems to detect ransomware. With email filters, the user never receives the message, and cybersecurity control is returned to the targeted organization.

DDoS attacks are still a concern, but attackers looking to blackmail ransomware targets will look towards organizations that fail to stop malicious email messages. By eliminating the threat of ransomware, an organization greatly reduces the probability of becoming a victim of blackmail, extortion, and DDoS attacks. Using email cybersecurity, an at-home workforce becomes a lower threat to the organization from phishing, malware, and other online threats.

A multi-layered security strategy is vital for all organisations to prevent ransomware attacks and data breaches. SpamTitan Email Security and WebTitan Web Filtering provide 99.99% protection against malware, phishing, viruses, ransomware & malicious sites. Talk to TitanHQ today to protect your organization with a multi-layered security strategy.
