Although ransomware attacks dropped by half in the first quarter of 2021, the decline simply means that these attacks have changed, not gone away. Research suggests that RaaS campaigns have begun shifting away from mass multi-target ransomware attacks with low returns. Instead, more are using customized ransomware against fewer but larger organizations — yielding more lucrative results.
Ransomware attacks are also becoming more sophisticated, transitioning from phishing to a spear-phishing strategy. Spear-phishing campaigns are highly targeted, harder to detect, and more frequently successful.
So what does this mean for you? Let’s review the latest targeted RaaS campaigns and how to keep your data safe.
Why Customized RaaS Campaigns?
Cybercriminals are moving away from extracting small payments from millions of individuals. Modern RaaS campaigns attack fewer, larger organizations and extort them for more money.
Customized RaaS campaigns also reduce the risk of large organizations’ cybersecurity technologies detecting the attack; that improves the chances that the attacks will work. Campaigns using a single type of ransomware to attack many organizations are often “noisy,” and victims’ systems eventually begin to recognize and block them. Targeted attacks avoid such detection.
Don’t be fooled by the decrease in prominent ransomware types, from 19 in January to nine in March: A proliferation of RaaS is occurring. Although the number of ransomware families is lower, the groups still operating are finding more innovative approaches and demanding higher payments.
For example, Colonial Pipeline, a company responsible for most of the gas distribution in the southeastern United States, had to shut down its distribution system in April 2021 when cybercriminals brought operations to a standstill by gaining access to Colonial’s networks.
The Russia-based group behind the attack, DarkSide, stole about 100 gigabytes of data from Colonial servers before the attack began.
The malware attack led to shortages and long lines at gas stations throughout the region, and gained nationwide attention from the press. It was so high-profile that the attack came up in talks between U.S. President Biden and Russian President Putin.
Colonial eventually paid close to $5 million (or 75 bitcoins) to the attackers in exchange for the decryption key. The decryption key, however, worked so slowly that the company had to rely on its own backups to restore service anyway.
Although the attack on Colonial Pipeline made headlines, ransomware groups like Babuk, Conti, Ryuk, and REvil actually preceded DarkSide’s campaign. REvil, which was behind the recent attack on JBS Foods, was the most detected ransomware group in the first quarter of 2021, according to the McAfee report.
As threat actors continue to execute more sophisticated attacks, your organization must know how to protect itself. Recognizing common ransomware attacks can help you better prepare for an attack when it occurs.
Common Customized Ransomware Attacks
According to McAfee, the first quarter of 2021 saw new malware threats at an average of 688 threats per minute, an increase of 40 threats per minute over the previous quarter.
Typically, ransomware attacks go like this: cybercriminals get hold of their victims’ data, encrypt it, and then demand payment with the promise (not always honored) that once the ransom is paid, they will send a decryption key.
Now, however, malicious actors are beginning to put another spin on their methods. A relatively new tactic, “leak sites,” allows ransomware groups to put more pressure on organizations to pay the ransom.
Cybercriminals steal data from their victims before encrypting it, threaten to publish the stolen data on leak sites, and then alert the media about the attack. Groups that are known for threatening to leak data include MAZE, AKO, REvil, DarkSide, Ranzy Locker, and Ragnarok.
The Internet of Things (IoT) and Linux are also at risk. A variety of new Mirai malware variants, including the Moobot family, are designed to exploit vulnerabilities in IoT devices such as DVRs, webcams, and internet routers.
Once a device is exploited, the malware hides itself on the system, downloads later stages of the attack code, and connects to the command-and-control server. Once compromised IoT devices have joined the botnet, they can be commanded to participate in distributed denial-of-service (DDoS) attacks.
Coin Miner malware is becoming more common as well. The McAfee report shows a 117 percent spike in the spread of cryptocurrency-generating coin mining malware and a surge in 64-bit Coin Miner applications.
Coin Miner malware infects compromised systems and silently produces cryptocurrency, rather than locking up victims’ systems and holding them hostage until cryptocurrency payments are made.
The advantage of Coin Miner malware to cybercriminals is that it requires zero interaction between the perpetrator and the victim. While a victim’s computer may operate more slowly than usual due to the coin miner’s workload, most victims never become aware that their system is creating monetary value for criminals.
“Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk,” according to Raj Samani, McAfee fellow and chief scientist.
To prepare your organization for the possibility of a customized RaaS attack, consider the following best practices and recommendations.
Best Practices and Recommendations for Ransomware Attacks
As suggested by the agenda item concerning DarkSide and Colonial Pipeline during talks between Biden and Putin, the U.S. government is increasingly involved in pushing back against ransomware.
For several years, the Department of Homeland Security (DHS) has urged ransomware victims not to pay ransoms, fearing that the money will be used to help fund even more attacks.
On May 12, 2021, President Biden issued an executive order on improving the nation’s cybersecurity and in June, the administration released a memorandum reminding corporations of their “critical responsibility” to protect against ransomware threats.
The memo highlights immediate actions that private-sector organizations can take to protect themselves, their customers, and the broader economy. Here are a few of the U.S. government’s recommended best practices:
- Back up your data, system images, and configurations, regularly test them, and keep the backups offline. Many ransomware variants will attempt to find and encrypt or delete accessible backups. Regularly testing backups and making sure they are not connected to the business network is critical. If your organization’s network data is encrypted, current backups kept offline can restore your systems.
- Update and patch systems promptly. Maintain the security of your operating systems, applications, and firmware in a timely manner. A risk-based assessment strategy will help drive your centralized patch management program.
- Test your incident response plan. The best way to identify gaps is to test the plan. Explore some core questions and use them to build an incident response plan. For example, are you able to sustain business operations without access to certain systems? For how long?
- Check your security team’s work. Using a third-party penetration tester to test the security of your systems and your defense against sophisticated attacks can better prepare you to take on aggressive ransomware criminals.
- Segment your networks. The recent shift in ransomware attacks from stealing data to disrupting operations means that your organization’s business functions should be separate from your manufacturing or production operations. You should also carefully filter and limit internet access to operational networks, identify links among these networks, and develop workarounds or manual controls to assure that networks can be isolated and continue operating even if your corporate network is compromised.
The memo implores organizations to “take these steps to protect your organization and the American public.” It goes on to say: “the U.S. government is working with countries around the world to hold ransomware actors and the countries that harbor them accountable, but we cannot fight the threat posed by ransomware alone.”
The recent actions by the federal government and corporate initiatives have clearly changed the narrative from response to prevention of ransomware attacks.
Here are some other things you can do to protect your organization from a customized RaaS attack, in addition to the suggestions from the Biden Administration:
- Enable multi-factor authentication on all user accounts, especially anywhere requiring privileged access.
- Implement a proxy for outbound internet traffic, as HTTPS is the top command-and-control technique.
- Detect and alert on systems that continually call out to a particular domain, as this is characteristic behavior of command-and-control traffic.
- Monitor the amount of traffic going outbound to detect exfiltration.
- Detect and alert when new scheduled tasks are created.
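The two detection points above (repeated call-outs to one domain, and unusually large outbound volume) can be checked with a small script over proxy logs. The following is an added example, not code from the original post or from Reciprocity; it runs over constructed sample log lines in a made-up "timestamp host domain bytes_out" format, and the hostnames, domains, thresholds and the allowlist are assumptions you would replace with your own baseline.

```python
"""Toy beaconing / exfiltration detector over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real logs). Format assumed for this example:
# "ISO-timestamp src_host dest_domain bytes_out"
SAMPLE_LOG = """\
2021-06-01T09:00:00 ws-17 updates.example-vendor.test 1200
2021-06-01T09:00:05 ws-17 updates.example-vendor.test 1180
2021-06-01T09:00:10 ws-17 updates.example-vendor.test 1210
2021-06-01T09:00:15 ws-17 updates.example-vendor.test 1195
2021-06-01T09:00:20 ws-17 updates.example-vendor.test 1205
2021-06-01T09:00:25 ws-17 updates.example-vendor.test 1190
2021-06-01T09:00:03 ws-22 intranet.corp.test 5400
2021-06-01T09:07:41 ws-22 cdn.example-news.test 88000
2021-06-01T09:31:12 ws-22 intranet.corp.test 2300
2021-06-01T09:02:00 srv-05 storage.example-cloud.test 60000000
2021-06-01T09:03:00 srv-05 storage.example-cloud.test 65000000
2021-06-01T09:09:30 srv-05 storage.example-cloud.test 70000000
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, host, domain, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, domain, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.2, allowlist=frozenset()):
    """Flag (host, domain) pairs contacted repeatedly at near-constant intervals.

    A pair is flagged when it has at least min_hits connections and the
    standard deviation of the gaps between them is at most max_jitter times
    the mean gap, i.e. the timing is too regular to be a person browsing.
    Domains in the allowlist (known update servers, etc.) are skipped so that
    legitimate periodic check-ins do not drown the alert queue.
    """
    by_pair = defaultdict(list)
    for ts, host, domain, _ in events:
        if domain in allowlist:
            continue
        by_pair[(host, domain)].append(ts)
    flagged = []
    for (host, domain), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((host, domain, round(avg, 1)))
    return flagged


def find_heavy_senders(events, byte_threshold=100_000_000):
    """Flag hosts whose total outbound bytes exceed a threshold (possible exfiltration).

    The threshold is an assumption; in practice it comes from a per-host baseline.
    """
    totals = defaultdict(int)
    for _, host, _, nbytes in events:
        totals[host] += nbytes
    return {host: total for host, total in totals.items() if total > byte_threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for host, domain, period in find_beacons(evts):
        print(f"ALERT beaconing: {host} -> {domain} every ~{period}s")
    for host, total in find_heavy_senders(evts).items():
        print(f"ALERT outbound volume: {host} sent {total} bytes")
```

On the sample data, ws-17 is flagged for contacting one domain every five seconds with no jitter, and srv-05 is flagged for sending roughly 195 MB outbound; ws-22 looks like ordinary browsing and is not reported. Passing the vendor update domain in `allowlist` suppresses the ws-17 alert, which is the point of keeping a baseline of expected periodic traffic alongside the detection rule.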
If you do become the victim of a ransomware attack, you should take a snapshot of your system, shut it down, identify the attack vector, block network access to any identified command and control servers, and notify the authorities.
The best way to protect your organization against the threat of ransomware is to be prepared. Especially as RaaS makes ransomware more effective and more widespread, you might want to consider a governance, risk, and compliance (GRC) tool to help protect your data.
Protect Your Data with ZenGRC
ZenGRC from Reciprocity is risk and workflow management software with an intuitive, easy-to-understand platform that keeps track of your workflow and identifies areas of high risk before they manifest into a real threat.
ZenGRC also helps you stay compliant with cybersecurity frameworks, which in turn protects you from RaaS.
A team of cybersecurity professionals is always looking out for your organization and its assets, and ZenGRC makes sure you get the best protection against security breaches and cyberattacks.
For more information about how ZenGRC can help your organization protect itself against ransomware and RaaS, contact us for a demo today.