While 2020 brought about expected advancements in technology and in cyber threats, it combined that with a global pandemic that turned the world on its head. This swift change led to a growing divide between organizations with more advanced security processes like automation and formal incident response teams, and those with less advanced security postures in those areas.
In 2021 this divide has been exacerbated as ransomware attacks and cyber threats continued to accelerate, garnering front-page headlines and costing companies billions. In fact, these attacks show no signs of stopping because they’re so lucrative. Ransomware has proven to be a good revenue stream for all threat actors, including nation-states. Ransomware is an equal opportunity offender; like phishing, anyone, from the CEO to the Receptionist, can be susceptible to ransomware attempts.
Ransomware is a type of malware designed to encrypt a victim's information upon activation, thereby leaving the files, applications and systems on a device unusable. Malicious actors then demand a ransom in exchange for decryption, which is the only way to regain control over the information. In a sense, ransomware "kidnaps" your data, and demands money from you to return it.
This form of cybercrime is particularly insidious because it's designed to spread across a network to continue infection, quickly crippling small and large businesses alike.
History of Ransomware
The first documented ransomware attack was the AIDS trojan (PC Cyborg Virus), which was released by floppy disk in 1989 and demanded that victims send $189 to a P.O. box in Panama to restore access to their systems. It was initiated by Joseph Popp, PhD, an AIDS researcher, who carried out the attack by distributing 20,000 floppy disks to AIDS researchers spanning more than 90 countries, claiming that the disks contained a program that analyzed an individual’s risk of acquiring AIDS through the use of a questionnaire. However, the disk also contained a malware program that initially remained dormant in computers, only activating after a computer was powered on 90 times. After the 90-start threshold was reached, the malware displayed a message demanding a payment of $189 and another $378 for a software lease.
While ransomware capabilities existed for decades, it was the advent of cryptocurrency and its ability to provide an easy and untraceable method for receiving payment from victims that created the ransomware explosion we see today.
While cryptocurrencies like Bitcoin remain untraceable, they are far from ubiquitous, and are not easy for non-tech-savvy targets to obtain and send to their hackers. Still, many organized crime gangs have shifted investments and resources towards ransomware to take advantage of this new, lucrative endeavor.
Ransomware will cost its victims around $265 billion (USD) annually by 2031, around the worth of the entire video game industry, Cybersecurity Ventures predicts.
This increase in ransomware crime coincided with a shift from ransomware attacks spread far and wide across the internet's pool of users to what is called "big game hunting" (BGH). Big Game Hunters in ransomware study specific targets they believe will be lucrative before using sophisticated methods to install ransomware on their victim's systems.
Furthering this discord is the fact that most attackers aren't developing their own encryption code, but are using off-the-shelf tools found and sold on the dark web. This has led to the rise in prominence of well-known ransomware like CryptoLocker, CryptoWall, Locky, and TeslaCrypt.
2021 has been an eventful year for ransomware attacks. In July, a ransomware group named “Hello Kitty” was responsible for the attack on the video game company “CD Projekt RED”, where they stole the source code for their games and uploaded them to their leak site. Also this month, Kaseya, an international company that produces remote management software for the IT industry, released an emergency communication via their website about a compromise of their VSA system being used to spread ransomware to client systems. Most infamously, Colonial Pipeline, the largest fuel pipeline in the US, was a ransomware victim and paid 75 Bitcoins ($4.3 Million USD) to regain control of their systems in order to avoid a prolonged shutdown.
Eva Velasquez, president and CEO of the ITRC, said 2021 is just 238 breaches away from tying the all-time record for a single year.
In August, two of the biggest wireless carriers in the US (T-Mobile and AT&T) were breached, resulting in millions of records of customer information being stolen and sold on the dark web.
Signs of a Ransomware Attack
Typically when investigating an instance of ransomware, you’ll want to look out for a variety of “indicators of compromise”, or things that look out of the ordinary in your network. Here are a few things to look out for if you’re not sure if ransomware is in your system, or if you’ve noticed something suspicious.
- Suspicious/unexpected money transfer
- Suspicious/unexpected vendor account change request
- Multiple failed login attempts (brute force)
- Abnormal remote login sessions
- Unauthorized email forwarding rules
- Logins from an unfamiliar domain
- Unopenable files
- Abnormal information system behavior
- Increased quantity and quality of phishing attempts
- Duplicate invoice complaints from multiple customers
How Does Ransomware Spread?
Typically, ransomware attacks begin with an infection spread through phishing emails that contain malicious attachments. However, there are several ways that ransomware can reach your system.
Despite the hours and resources spent training employees, email attachments remain a dangerous ransomware threat because bad actors know that a naive end user can be relied on to open and interact with a convincing enough phishing email. While sometimes these emails are general, many bad actors conduct extensive research on their target (often a specific company or high-ranking individual in an organization) to create credible and very believable emails.
As the name suggests, a malicious URL is a clickable link that directs users to a fraudulent website or webpage. These links are often embedded in email, but can be found anywhere a user can click a link, including on social media. After the user interacts with the URL, the ransomware will often attempt to auto-install itself onto the victim's machine, where it can begin to propagate and spread to multiple systems.
Remote Desktop Protocol
The Remote Desktop Protocol (RDP) is a protocol, or technical standard, for using a desktop computer remotely. Bad actors who find computers with exposed ports can then gain access to the machine by exploiting security vulnerabilities. Once the attacker has access to the machine, they can move laterally to other critical assets, applications, and data.
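Two of the signs listed earlier, multiple failed login attempts and abnormal remote login sessions, can be correlated to spot a guessed password on an exposed RDP host. The following is an added example, not code from the original article: it scans constructed sample records shaped like Windows Security log events (4625 for a failed logon, 4624 for a successful one, logon type 10 for an RDP session), and the function name, threshold, time window and sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like Windows Security
# log records: (timestamp, event ID, logon type, source IP, account).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP session.
SAMPLE_EVENTS = [
    ("2021-08-02T03:10:01", 4625, 3, "203.0.113.7", "administrator"),
    ("2021-08-02T03:10:08", 4625, 3, "203.0.113.7", "admin"),
    ("2021-08-02T03:10:15", 4625, 3, "203.0.113.7", "backup"),
    ("2021-08-02T03:10:22", 4625, 3, "203.0.113.7", "svc_backup"),
    ("2021-08-02T03:10:31", 4625, 3, "203.0.113.7", "svc_backup"),
    ("2021-08-02T03:10:40", 4625, 3, "203.0.113.7", "svc_backup"),
    ("2021-08-02T03:11:05", 4624, 10, "203.0.113.7", "svc_backup"),
    ("2021-08-02T09:00:00", 4625, 3, "198.51.100.20", "jdoe"),  # mistyped password
    ("2021-08-02T09:00:30", 4624, 10, "198.51.100.20", "jdoe"),
]


def find_bruteforce_then_login(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful RDP logon preceded by >= threshold failed logons
    from the same source IP inside the sliding time window."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    alerts = []
    for ts_str, event_id, logon_type, src_ip, account in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        # Forget failures that have aged out of the window.
        failures[src_ip] = [t for t in failures[src_ip] if ts - t <= window]
        if event_id == 4625:
            # Failed RDP logons are often recorded with logon type 3 when
            # Network Level Authentication is on, so count every type.
            failures[src_ip].append(ts)
        elif event_id == 4624 and logon_type == 10:
            if len(failures[src_ip]) >= threshold:
                alerts.append({"src_ip": src_ip, "account": account,
                               "time": ts_str,
                               "failed_before": len(failures[src_ip])})
            failures[src_ip].clear()  # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_then_login(SAMPLE_EVENTS):
        print(alert)
```

The single mistyped password from 198.51.100.20 stays below the threshold, so only the burst of failures followed by a successful remote session is reported.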
Third-party vendors are also targets for phishing attacks. A successful attack can potentially enable bad actors to then deploy ransomware on the vendor’s entire customer base.
Ransomware entities are ever evolving their tactics to circumvent cybersecurity efforts and to maximize pressure on victims to pay the ransom. Building a proper ransomware prevention strategy is key, and requires a proactive defense strategy and a vigorously tested plan.
A high-quality security awareness and training program is a great way to shore up one of your organization's biggest weaknesses. This training should teach your employees to spot phishing attacks, create strong passwords, secure their laptops and mobile devices, and to notify the right IT team member if they spot something suspicious.
Organizations need a way to in the event of a successful ransomware infection. With this in place, an organization can restore their information on a computer that's been wiped to eliminate ransomware or even on a newly purchased replacement device.
Strict Access Management Policies
Strict identity and access management policies, such as the principle of least privilege, , and multifactor authentication give employees only the access necessary to do their jobs. This means that in the event an employee's device is compromised, lateral spread of the malware can be contained.
Responding to an Attack
In the event of a ransomware attack, an effective response plan can mean the difference between panic and a company-wide infection or decisive action and a contained incident. If preventative measures fail, organizations should take the following steps immediately after identifying a ransomware infection.
- Isolate the affected systems
- Identify lateral spread
- Find last known "good state"
- Secure backups
- Restore data from backup to minimize loss