Ransomware attacks have exploded in the last decade, but attackers now focus on industrial and enterprise targets to maximize the money earned for their efforts. Malware authors released several ransomware variants in the last year, specifically designed to target particular industries and large enterprises. Cybersecurity suffered as more users worked from home in 2020, and ransomware authors continue to create new variants well into 2021. Because of ransomware's success, it doesn't look like authors will stop any time soon, so it's important for businesses to be aware of the latest variants so that they can take steps to stop them.
Older versions of ransomware mainly targeted individuals. The victim would open a malicious file attachment or download the malware from a site that hosted malware. The ransomware application would scan the local drive and find images and important documents, encrypt them, and then demand a payment. Variants would lock the Windows operating system so that victims could not get to any documents or installed applications.
After ransomware encrypted files, the targeted victim either paid the ransom or wiped the drive and reinstalled all applications. The latter case meant that users lost all important files, so they usually chose to pay the ransom. Unfortunately, paying the ransom does not always guarantee recovery of files. Ransomware authors promised to deliver the private key after the targeted victim paid the ransom, but attackers did not always respond with the private key. Some victims paid the ransom and still lost access to their files.
Ransomware targeting individuals banked the attacker a few hundred dollars in Bitcoin payments, but corporations have much more money. A large enterprise can afford to pay millions of dollars after a ransomware attack, and many of the latest variants ask for seven-figure payments. An attacker needs only one payment from an enterprise to walk away with a sizable income, rather than collecting a few hundred dollars at a time from individuals.
The new variants discovered in the last year extort money in other ways from an enterprise. Blackmailing individuals with the threat of publicly posting data is not a valuable endeavor, but publicly exposing gigabytes of stolen data could cause additional harm to a large organization. With new variants, ransomware authors threaten to expose sensitive data if the targeted victim does not pay a ransom.
As an example, the Conti ransomware variant will perform standard encryption of sensitive data, but attackers who authored this variant also blackmail organizations for additional money to keep files from being disclosed to the public. In a recent attack, a Scottish government agency had 1.2 gigabytes of sensitive documents disclosed to the public after it refused to pay the ransom.
Sophisticated attackers using the Egregor ransomware variant specifically target the industrial goods and services sectors. The authors behind the malware recently targeted the book giant Barnes & Noble with phishing emails, and it took only one victim to deliver the payload to the corporate network. The Egregor ransomware took over from the old Maze malware after patches and security updates stopped Maze from efficiently compromising corporate networks.
ZDNet reports that 80% of the successful ransomware variants are forms of Maze, Sodinokibi, Conti, and Netwalker. These variants focus on large paydays, opening the door for attackers to potentially make millions on just one organized, sophisticated attack. Older ransomware software such as DoppelPaymer has mainly disappeared and been replaced with newer variants that target enterprise organizations with terabytes of files and data available for exfiltration.
Most ransomware attacks start with a phishing email. The best defense is to have cybersecurity rules and applications surrounding email messaging. If an email server filters out malicious emails from ever reaching the targeted victim, the organization’s risk is greatly reduced. Filtering out suspicious email is far more effective than relying on user training. Training is a good additional layer, but it does not stop sophisticated attacks that incorporate social engineering.
Email filtering applications analyze email content, detect malicious links and attachments, and then quarantine messages that do not pass security validation. Administrators can review quarantined messages to better understand ongoing attacks and to identify false positives. A false positive can be released to the user's inbox, and the filter rules adjusted so that the same legitimate message is not flagged again.
User training is always beneficial, but it should not be the only strategy to stop phishing and ransomware. It should be used in addition to good cybersecurity on your email system.
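The filter-then-quarantine workflow described above, as an added example that is not part of the original post: a minimal scorer that checks a message for an executable attachment, a link whose visible text is a domain that differs from the real link target, and a Reply-To that differs from From, holds messages at or above a threshold, and lets an administrator release a false positive. The rules, weights, threshold and the sample lure are all constructed for illustration; a production gateway would also sandbox attachments and consult reputation feeds.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed rules: file types ransomware loaders commonly arrive as, and the
# score at or above which a message is held for administrator review.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
DOMAIN_RE = re.compile(r"^[\w.-]+\.[a-z]{2,}$", re.I)
THRESHOLD = 5

def score_message(raw: bytes):
    """Return (score, reasons) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []
    for part in msg.walk():
        name = part.get_filename() or ""
        if "." in name and "." + name.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
            score += 5; reasons.append(f"executable attachment {name}")
        if part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(part.get_content()):
                text = text.strip()  # visible text is a domain, but the link goes elsewhere?
                if DOMAIN_RE.match(text) and urlparse(href).hostname != text.lower():
                    score += 3; reasons.append(f"link text {text} -> {href}")
    if msg.get("Reply-To") and msg["Reply-To"] != msg["From"]:
        score += 1; reasons.append("Reply-To differs from From")
    return score, reasons

class Quarantine:
    """Holds suspicious messages; an administrator can release false positives."""
    def __init__(self):
        self.held, self.inbox = {}, []
    def deliver(self, msg_id: str, raw: bytes) -> str:
        score, reasons = score_message(raw)
        if score >= THRESHOLD:
            self.held[msg_id] = (score, reasons)
            return "quarantined"
        self.inbox.append(msg_id)
        return "delivered"
    def release(self, msg_id: str) -> None:
        self.held.pop(msg_id)  # administrator reviewed the hold: false positive
        self.inbox.append(msg_id)

def sample_phish() -> bytes:
    """Constructed lure: mismatched Reply-To, look-alike link, .exe attachment."""
    m = EmailMessage()
    m["From"], m["Reply-To"], m["Subject"] = "ap@example.com", "x@attacker.invalid", "Invoice"
    m.set_content("See attached invoice.")
    m.add_alternative('<p>Or view it at <a href="http://attacker.invalid/i">www.example.com</a></p>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()
```

Calling `Quarantine().deliver("msg-1", sample_phish())` returns `"quarantined"` with a score of 9 and three recorded reasons, which an administrator can inspect before deciding whether to release the message.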
Protect your organization from phishing and ransomware attacks with SpamTitan advanced email protection. To learn how SpamTitan can prevent phishing and ransomware attacks, view a demo today.