Ransomware Is Here to Stay

Ransomware has been one of the hottest topics in cybersecurity during the last year. Some researchers are labeling it the "perfect storm," a storm made more severe by the pandemic: with so many employees working remotely, the risk of ransomware has been exacerbated. However, there are other contributing factors to the rise in ransomware the world witnessed in 2020.

The Royal United Services Institute for Defence and Security Studies (RUSI), a British defence and security think tank, has released a report titled Ransomware: A Perfect Storm, which dives into the specific reasons ransomware has become an issue so many organizations must face.

The report states there are five major contributing factors to the "perfect storm" of ransomware:

  1. Criminal services and collaboration.
  2. Building on past and financial success.
  3. Payment as the "solution."
  4. A range of initial access vectors.
  5. The coronavirus pandemic itself.

Criminal services and collaboration in ransomware

This is the first factor mentioned in the report and addresses how cybercrime groups might be more organized than you would think.

It also notes that there is evidence of ransomware operators actively recruiting new talent, which is a sign that the scale of the threat is still increasing. 

Here is a quote from the report:

"Many ransomware variants are distributed on a 'ransomware-as-a-service' or affiliate model, where those conducting the attacks take a cut of the proceeds, and the top-level organizers typically provide the ransomware itself and handling of the extortion/payment process. This level of organization and collaboration within the cybercriminal landscape comes with a number of benefits to the criminal side, and appears to be working well for organizations such as REvil. Although there is undoubtedly competition and rivalry between sets, having different organized criminal groups specialize in different services (for example, ransomware development or initial access) is an efficient model that allows them to increase the tempo and volume of their operations."

Building on past and financial success in ransomware

Ransomware groups are constantly learning and adapting to current circumstances. Every news headline involving ransomware and a payout from the victim encourages more cybercriminal groups to use this attack. More groups are beginning to use the double extortion method, which has recently been encouraged by successful attacks against companies such as Travelex, CWT, and Garmin. 

Ransomware operators are coming up with innovative ways to market their operations to both cybercriminals and their victims. There was one case in which a ransomware group used paid Facebook ads to increase pressure on its victims.

Payment as the 'solution' in ransomware

In some cases, paying the ransom is the only option for an organization. The data that has been stolen or encrypted is essential to operations and without it, even for a short time, the organization could fail.

That is an incredibly difficult situation to be put in, and one that is contributing to the problem. "The more organizations that pay a ransom, the more acceptable the notion of paying a ransom to solve the problem becomes. Furthermore, when an organization has a cyber insurance policy, it might be able to claim the ransom back, which may encourage payment. Besides, the cost of payment may be far lower than the potential damages to the business, especially if they cannot recover quickly."

The report also mentions there has been an increase in the use of ransomware recovery companies that act as a middleman between the victim and the attacker. In some cases, they simply drive down the ransom demand and take a cut for themselves.

Range of initial access vectors in ransomware attacks

There is a plethora of ways for ransomware operators to gain initial access to an organization's systems. Here is what the report says are some initial access vectors:

"The use of spear-phishing emails, exploitation of vulnerabilities in external-facing infrastructure and brute force attacks on services, such as Remote Desktop Protocol (RDP), can theoretically allow for a wide net to be cast in the search for potential victims. Compromise of managed service providers (MSPs) has also proved fruitful for a number of ransomware groups. Research has highlighted that both human (social engineering) and technical vulnerabilities are exploited in ransomware attacks, and that this creates difficulties in establishing effective countermeasures. Furthermore, 2019 and 2020 were prolific years for the exploitation of critical vulnerabilities in external-facing infrastructure, which is quickly followed by public proof-of-concept code on open source repositories like GitHub."

It also notes that in many cases, ransomware groups don't even need to go through the hassle of gaining access to victims themselves; they simply purchase pre-compromised corporate networks through the Dark Web.

The coronavirus pandemic

This is the last factor mentioned in the RUSI report, and perhaps the most impactful.  The transition to remote work for many people has increased the potential access surface into target organizations. This is compounded by the potential for misconfigurations and vulnerabilities in new software and network equipment being rolled out across many organizations, as well as weaknesses in home IT.

This is what the report says regarding ransomware and the pandemic:

"Proving a statistical link between the coronavirus pandemic and the increased frequency of successful ransomware attacks would be difficult, but the increased attack surface and the use of coronavirus-themed phishing emails (which has been rampant across all areas of the threat landscape) are two factors which could potentially explain the increase in ransomware attacks during the pandemic. Further factors are likely to have played a part.

Furthermore, with many organizations in sectors typically favoured by ransomware operators (for example, healthcare, local government or education) vastly increasing their use of and reliance on remote IT services, victims may be more inclined to pay to restore services than under 'normal' conditions."

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge.


What can you do to better protect your organization today?


  • All data in transit and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement two-factor authentication company-wide.
  • For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
  • Institute cyber threat and phishing training for all employees, with testing and regular updates.
  • Recommend/require cyber security software, services and devices to be used by all at-home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance, provided by Cysurance.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting: https://www.redskyalliance.org/

Website: https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter: https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949


TR-21-110-002_Ransomware_Here_Stay.pdf


https://www.secureworldexpo.com/industry-news/5-reasons-ransomware-perfect-storm?utm_campaign=Industry%20News&utm_medium=email&_hsmi=119211925&_hsenc=p2ANqtz-8ry2kvYrBr70l
