Ransomware cyberattacks have been growing year on year, but how successful are they really?
A commercial business is evaluated on profitability. The more profit a business makes, the more successful it is seen as being. In this regard, ransomware can be viewed as a highly successful business. In 2020, ransomware attacks ran amok. Security experts at PurpleSec estimate that the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.
A successful business will continue to be promoted by its founders, and opportunities will be built upon previous successes. As security doors close to ransomware attacks, new ones are opened through innovation in the world of cybercrime. Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has played out over the years, from sextortion to phishing. Feeding the loop of social manipulation that ends in a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often linked to ransomware attacks, because access to a privileged account allows the malware to be installed.
Ransomware attackers think like shrewd business owners. They need to make the most of their ‘product’, using ransomware not only to extort money by encrypting data but also to make further demands over that data under the threat of online exposure. The threat of leaking stolen data can often tip the balance in the decision to pay, or not pay, the ransom demand. Sophos describes this as a “secondary extortion market”. In a 2020 report into ransomware tactics, the security vendor found that a growing number of ransomware toolsets are being used to exfiltrate data from a victim’s network. In a previous post, TitanHQ talked about this ‘double-whammy’ tactic, describing how CLOP ransomware uses a ‘double-extortion’ technique to encrypt and steal data, then threatens to expose the data to add weight to the ransom demand.
Ransomware attacks are increasingly successful, and this success has emboldened the criminals behind them. It is largely created by clever tactics that hide ransomware in plain sight, allowing both the attack vectors and the malware to evade detection. For example, many modern ransomware kits use legitimate utilities to deliver the ransomware, so the attack vectors and malware are unlikely to be detected by endpoint security products. Consistent with this finding, the PurpleSec report pointed out that in 75% of ransomware attacks, organizations were running up-to-date endpoint security.
In 2020, Covid-19 played a large part in increased ransomware activity. It was discovered that during the year, Remote Desktop Protocol (RDP) was a “root cause” of ransomware attacks. Because of the ‘work from home’ policy of many organizations during the pandemic, companies were forced to rely on remote desktop access using RDP. The result was that ransomware attackers focused on this weak point using credential guesses or automated brute-force attacks. Once the network is compromised via RDP, dropping ransomware files onto it is easy, especially if the attack uses the legitimate toolkits identified in the Sophos report. Read this guide on Key Cyber Threats on the Working from Home Movement.
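As an added illustration of the RDP credential-guessing pattern described above (example code, not from the original post or TitanHQ), the following Python flags a burst of failed RDP logons from one source and notes whether a successful logon followed it. The event records are constructed, and the field names are assumed rather than taken from any particular log format.

```python
"""Flag RDP credential guessing from Windows Security logon events (constructed sample data)."""
from collections import defaultdict

# Constructed sample records: event 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session. Times are epoch seconds.
SAMPLE_EVENTS = [
    {"time": 1000 + i, "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": f"user{i % 6}"}
    for i in range(12)
] + [
    {"time": 1013, "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "user3"},
    {"time": 1500, "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "alice"},
    {"time": 1600, "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.9", "user": "alice"},
    {"time": 1700, "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},  # not RDP
]

def detect_rdp_bruteforce(events, window=300, threshold=10, spray_users=5):
    """Return alerts keyed by source IP.

    A source is flagged when it produces `threshold` or more failed RDP logons within
    `window` seconds; the alert also records whether the burst targeted at least
    `spray_users` distinct accounts (password spraying) and whether a successful RDP
    logon from the same source followed the burst, the pattern that precedes staging.
    """
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    failures = defaultdict(list)   # src_ip -> [(time, user)] for 4625 events
    successes = defaultdict(list)  # src_ip -> [time] for 4624 events
    for e in rdp:
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((e["time"], e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(e["time"])

    alerts = {}
    for ip, fails in failures.items():
        start = 0  # sliding window over this source's time-ordered failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) >= threshold:
                last_fail = burst[-1][0]
                alerts[ip] = {
                    "failures": len(burst),
                    "spraying": len({u for _, u in burst}) >= spray_users,
                    "success_after_burst": any(t > last_fail for t in successes[ip]),
                }
    return alerts
```

A single failed logon from a legitimate remote worker (the 203.0.113.9 records) stays below the threshold, while the burst from 198.51.100.7 is flagged as spraying with a successful logon after it.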
Compounding these issues is the accessibility of ransomware kits. Ransomware attacks follow the money, and Ransomware-as-a-Service (RaaS) has become common. One such RaaS kit is REvil (Ransomware Evil, also known as Sodinokibi), which works on an affiliate basis and can earn the REvil developers up to 30% of the proceeds. An IBM report into the problem of ransomware found that one in three ransomware attacks were REvil attacks.
2020 was a successful year for cybercriminals in the business of ransomware. Tactics were adjusted to fit the climate of home working and to exploit the proliferation of stolen data and credentials. Businesses across all sectors should expect ransomware attacks to continue as long as cybercriminals get their payday. RaaS only exacerbates the issue by making the tools behind the crime easy to use.
One thing is certain: cybercriminals will adapt their tactics and processes to fit the environment. The ransomware of old, which relied on encrypting data to extort a ransom, now uses expanded techniques including data exfiltration and the threat of exposing stolen data. For the cybercriminal, ransomware is the gift that keeps on giving.
Organizations too must adapt to counterbalance these cyber-threats, no matter what form they take. Ransomware must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat. ‘Nipping ransomware in the bud’ is a strategic move by an organization to contain this threat. Endpoint protection is clearly not enough.
A smart monitoring system designed for complex threats like ransomware can detect threats in real time, before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms update in real time and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve; businesses can fight back, but to do so they must take real-time action.
WebTitan DNS Filter blocks malware, phishing, ransomware and malicious sites. Discover how WebTitan can protect your business by viewing the WebTitan demo.