Big ransomware attacks overshadowing other alarming trends

While high-profile ransomware attacks and data leaks have dominated the news this summer, experts say there are more alarming trends in the ransomware landscape.

In the last few months, a number of large, recognizable brands were hit by either confirmed or suspected ransomware attacks. Some of the names include Xerox, Canon, Konica Minolta, Garmin, Carnival Cruises and Brown-Forman Corporation (the maker of Jack Daniel’s), among others. But threat researchers say those headline-grabbing attacks have overshadowed other, more concerning trends.

SearchSecurity spoke with several cybersecurity experts to get a grasp of what’s going on in ransomware right now, whether the threat is getting worse, what to expect going forward and how enterprises can protect themselves as more and more employees are working from home.

Ransomware is increasing, but it’s not just that

The practice of “shaming” ransomware victims, which was pioneered last year by the Maze ransomware gang, has dominated the headlines in recent months. But Jared Phipps, SentinelOne vice president of worldwide sales engineering, told SearchSecurity that this isn’t necessarily a sign that the volume of attacks is increasing — although that certainly is the case.

“It’s not that more are happening — it’s just that for whatever reason, those ones made it to the news. The volume is pretty consistent — it’s really, really high. It’s always really, really high,” he said. “But ransomware as a whole has been rising for the last two years very consistently and it’s at a very high volume.”

But the attacks on major enterprises, which have been publicized by Maze and other gangs on their “news” sites, have overshadowed many other attacks that haven’t been publicized. “For every ransomware attack you’re reading in the news, there’s several hundred you’re not reading about. Some of them are very large. Some of them are business divisions of larger units. But if you’re looking at the cyber insurance industry, they’re looking at upwards of 100 claims per day that are ransomware-oriented.”

Jeremy Kennelly, manager of analysis at Mandiant, said that the newfound publicity comes down to the style of ransomware attack that’s being conducted.

“I think what’s happening is that the public awareness of these ransomware campaigns is just so much higher because the scheme being used to monetize these incidents now necessarily involves a component where the criminals will shame the victims that don’t pay and publish their data publicly, and I think that shaming and publishing process is just significantly increasing the number of incidents we’re aware of,” Kennelly told SearchSecurity.

Chester Wisniewski, principal research scientist at Sophos, said that while many ransomware gangs have embraced data theft and shaming, those types of human-operated attacks take more time, effort and people to pull off successfully.

“Right now there are five or six of these ransomware groups breaking into organizations for large-value ransoms, and that means that they can only do so many [attacks] because it’s all being done by hand,” Wisniewski said in a recent Risk & Repeat podcast. “The good thing about humans being involved on the criminal side is that it doesn’t scale.”

While the most formidable — and embarrassing — types of ransomware attacks may be limited in number, there are other alarming trends, according to experts.

Ransomware trends

Despite improvements in ransomware detection in recent years, ransomware continues to be a lucrative enterprise for cybercriminals. Phipps said that ransomware will continue to be the monetization choice of threat actors going forward. Reasons for that include the idea that “you make a very compelling need when you take down an organization’s ability to operate,” the ability to get paid in cryptocurrency and the presence of cyber insurance policies encouraging an organization to pay the ransom in order to recover more quickly.

McAfee chief scientist and fellow Raj Samani said that one trend he’s noticing is that organizations are paying the ransom in large numbers. “By paying they are funding the development of ransomware variants to be even more impactful, which simply means this will be here and continue to get worse until the millions being paid stops.”

Kennelly also said he sees more cybercriminal groups adding an extortion component to their ransomware attacks, a continued proliferation of services and platforms used to enable ransomware and extortion (such as platforms for actors to publish data and publicize breaches) and more actors starting to specialize in different industries or verticals.

“What we may also see is as actors are more involved or more invested in this extortion component of these campaigns, we may see actors that start to specialize and learn about different industries and organizations in different countries who start to specialize,” Kennelly said. “What we see sometimes when an actor steals data and extorts a victim using that stolen data by threatening to publish it, often that data is not necessarily data that gives them the leverage to get a payment out of the victim. We expect to see actors get better at that, to be better able to identify information that’s legitimately of value to organizations. And that may lead to actors with specialized targeting of organizations from particular verticals.”

In addition to extortion and data shaming tactics, Wisniewski said there’s an “arms race” for new evasion techniques. For example, the Snatch ransomware group last year started rebooting infected Windows systems in Safe Mode to inhibit endpoint security software. “There’s been a lot of cleverness, but to be fair, the smartest criminals have just been phishing admins for their credentials so they can log in and turn off the security.”

Kennelly also saw evidence of cybercriminals and ransomware gangs engaging in partnerships to conduct larger and more effective campaigns.

“That’s likely due to the fact that certain malware families that are broadly proliferated, organizations potentially take that less seriously than they should, so we may expect ransomware distribution operators working with actors that may have historically distributed malware that targets individuals’ banking credentials to get initial footholds in networks to distribute ransomware,” Kennelly said.

The cost of ransomware

As ransomware attacks have gotten more elaborate and intrusive, the cost of recovery has increased. Phipps said that when it comes to the cost and damage of ransomware attacks, many organizations simply do not realize the cost of business downtime and assume their cyber insurance policies will pay for everything.

“The attacks are complex, and people vastly underestimate what it’s going to take to recover from them,” Phipps said. “They’re overconfident in backups, and they’re overconfident that the cyber insurance policy will be a couple days, no big deal, and they’ll be back up and running. And it’s not. It’s weeks or months of pain.”

One piece of this is the backup component of ransomware recovery. Many criticize organizations for not having backups, Phipps said, but that’s not always the case.

“The attackers get into these organizations, they move throughout the enterprise, and the ransom event is the very last thing that they’re doing. They’re disrupting, disabling or destroying backup systems,” Phipps explained. “They are taking down the Active Directory environments — they literally cripple an organization. And what happens is an organization shows up and it’s not just a couple of machines, their ability to operate a complete infrastructure is gone. And that’s a very calculated and a very deliberate attempt by these threat actors.”

Kennelly noted that cleanup costs vary greatly depending on whether the ransomware operator gets paid, and that ransomware payments are increasing greatly.

“Actors have gotten better at identifying the size of a company that they’ve compromised and the likelihood they’re able to pay a large ransom, and we do expect that actors will get better at identifying numbers that victims are likely to pay versus sort of attempting to maximize the possible payout,” Kennelly said. “We’ve seen cases where actors will peg a ransom demand to an organization’s profits or revenue, and in many cases that has led to very high ransom demands that rarely get paid. So we do expect actors to get better at identifying numbers that are more likely to get paid on a regular basis.”

Protection in the work-from-home era

As organizations continue to have employees work remotely during the COVID-19 pandemic, many of them have seen an increase in cyberattacks. According to a study by Enterprise Strategy Group, 43% of survey respondents have seen some increase in attempted cyberattacks against their organization during the pandemic, and 20% saw a “significant” increase.

“A lot of the best practices for protecting yourself from ransomware haven’t really changed. However, now that a lot of organizations have started to have a larger proportion of their workforce work from home temporarily or permanently, that does kind of change where defenders need to be focusing their efforts,” Kennelly said.

Kennelly explained that organizations are going to have many more users on their VPN environment at all hours of the day, and that threat actors are deploying ransomware through the same common, legitimate VPN services that companies use.

“As that legitimate traffic increases, it becomes easier for a threat actor to hide in legitimate traffic. So there’s certain traffic makeups you can begin to look for coming from VPN clients that may enable identification of this kind of activity earlier,” Kennelly said.

Kennelly’s recommended measures include “limiting SMB traffic from VPN traffic only to necessary servers, ensuring that all services enabling remote access have multi-factor authentication enabled, and structuring your network so that the management of critical servers is done via bastion hosts and setting up your access control in your environment.”
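As an added example (not code from the article or from any of the vendors quoted), the check below applies the first of those measures to constructed flow records: SMB connections originating from the VPN address pool are compared against an allow-list of file servers, and a client that reaches many distinct SMB targets is flagged as well. The VPN pool, the allow-list, the threshold and the log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "timestamp,src_ip,dst_ip,dst_port"
SAMPLE_FLOWS = """\
2020-08-20T09:01:12,10.200.4.17,10.10.1.5,445
2020-08-20T09:01:30,10.200.4.17,10.10.1.5,445
2020-08-20T09:02:01,10.200.4.22,10.10.1.6,445
2020-08-20T09:03:44,10.200.4.22,10.10.3.40,445
2020-08-20T09:03:45,10.200.4.22,10.10.3.41,445
2020-08-20T09:03:46,10.200.4.22,10.10.3.42,445
2020-08-20T09:03:47,10.200.4.22,10.10.3.43,445
2020-08-20T09:05:00,10.200.4.9,10.10.2.20,443
2020-08-20T09:05:10,192.168.7.3,10.10.3.44,445
"""

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed VPN client address pool
SMB_ALLOWED = {"10.10.1.5", "10.10.1.6"}          # assumed file servers VPN users may reach over SMB
SPREAD_THRESHOLD = 3                               # distinct SMB targets before a client is flagged

def parse_flows(text):
    """Parse the CSV-style flow records into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst, "port": int(port)})
    return rows

def find_suspicious_smb(flows):
    """Return findings for SMB (TCP/445) traffic from VPN clients that the policy should not allow."""
    findings = []
    targets = defaultdict(set)  # VPN client -> set of hosts it spoke SMB to
    for f in flows:
        if f["port"] != 445 or ipaddress.ip_address(f["src"]) not in VPN_POOL:
            continue  # only SMB from the VPN pool is in scope
        targets[f["src"]].add(f["dst"])
        if f["dst"] not in SMB_ALLOWED:
            findings.append({"type": "smb_to_unapproved_host", "src": f["src"], "dst": f["dst"], "ts": f["ts"]})
    # A single VPN client touching many SMB hosts is the fan-out pattern worth an analyst's attention
    for src, dsts in targets.items():
        if len(dsts) >= SPREAD_THRESHOLD:
            findings.append({"type": "smb_fanout", "src": src, "count": len(dsts)})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_smb(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

In production the same logic would read firewall or VPN concentrator flow logs rather than the embedded sample, and the allow-list would come from the SMB rules already enforced at the VPN boundary.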

Phipps gave three pieces of advice: enable 2FA for anything that’s remote-workforce-facing, leverage proper VPN technologies and use modern endpoint protection capabilities. He noted that “the legacy AV products that have been out for years and years are just not cutting it.”

Samani said that the best thing to do is to be proactive and start with basic cyber hygiene.

“This means securing all internet-facing systems (e.g. RDP), making sure that security patches are routinely updated and of course testing the backup regime. Also, firms should undertake regular exercises to test out their IR practices, and even get input from their security vendors (e.g. are they responsive enough should something happen).”

Security News Director Rob Wright contributed to this report.