When the U.S. government began pressuring Russia to do more to stop ransomware groups originating from that country from attacking U.S.-based organizations, IT and cybersecurity professionals were hopeful that those actions would pay off.
Shortly after a meeting between the two country’s leaders, infamous ransomware group rEvil went dark, which some thought was a sign that political pressure and law enforcement activities were finally working.
However, the rEvil group has recently resurfaced, and there are no clear signs that ransomware actors are slowing down, says Christo Butcher, global lead for threat intelligence at cybersecurity and risk mitigation firm NCC Group.
Ransomware attacks analyzed by the consulting firm are continuing to increase as cybercrime takes on a model similar to most successful tech companies and ransomware actors ramp up the pressure on their victims.
Ransomware increases threefold in 2021
According to a recent NCC group report, the number of ransomware attacks analyzed by the team has increased by 288% between January-March 2021 and April-June 2021, which was even before the devastating rEvil attack that leveraged the Kaseya VSA product and a network of managed service providers.
Perhaps the biggest reason for the proliferation of ransomware is because the ransomware economy has matured to the point where these organizations are run as well as any other corporation. Organizations sell access to organizations’ networks, and ransomware developers sell their services to third party affiliates in what is known as the ransomware-as-a-service (RaaS) model.
“What we see causing this is that ransomware is just so successful,” Butcher said. “It’s great business.”
New actors are constantly joining the ransomware market, which is forcing the more mature groups to scale up their operations and remain competitive – much like any other vertical market.
“The bigger, more mature, more successful ransomware gangs really invest in that scale,” Butcher says. “You can compare it with traditional IT going into the cloud and letting things scale. Not only ransomware gangs, but also the whole ecosystem around that gearing up to scale well, and that brings in more money and makes it even more lucrative.”
According to NCC Group’s findings, most of these attacks are targeting organizations based in the U.S., followed by European-based entities.
New ransomware groups have emerged as leaders in the space, including Conti and Avaddon, which are linked to 39% of ransomware leaks analyzed between April and June.
Extortion threats are now standard
Ransomware gangs aren’t just holding data hostage in expectations of a big pay day. With organizations now investing in stronger backups and other technologies, ransomware gangs are threatening to release sensitive data unless the six-figure ransom is paid.
That trend continues to escalate, with double extortion becoming the standard practice, Butcher says.
In some cases, the typical encryption of files isn’t even concluded before the bad actor threatens to release the sensitive data, Butcher says.
That method has also given rise to triple extortion schemes in which ransomware operators threaten to tell stakeholders, stockholders, customers and the general public that the organization has been hacked with the goal of negatively influencing the victim’s value and public perception.
According to Butcher, ransomware actors are also threatening to conduct DDoS attacks to make the compromise more publicly visible. These are all indications that ransomware operators are taking the time to innovate and are no longer looking to make a quick dollar.
“From the criminal mindset, it’s very simple: they will just take whatever means they have to put you under pressure,” Butcher says.
Organizations must design IT with security in mind
If IT admins aren’t already implementing multi-factor authentication, air-gapped backups or phishing protections, they should look at their security posture and make some changes quickly. Those IT security practices should now be standard in most organizations, Butcher says.
“Getting all of that right is very important and is where a lot of mistakes are made,” Butcher says.
But now, organizations have to think about designing their IT systems with security in mind, including implementing a Zero Trust architecture to make it harder for an attacker to access the network, but also make it harder for an attacker to move laterally within an organization’s IT environment.
A successful Zero Trust implementation can limit what an attacker is able to do and keep the intruder’s actions isolated on one system, which was exemplified in a recent NCC Group investigation into a client.
However, the same threat actor attacked a different organization that didn’t have good network segmentation, and their entire network was compromised quickly.
Butcher also called on organizations to invest more in threat detection so they can respond immediately once an intruder gains network access. However, cybercriminals are getting better at studying white hat tools and finding ways to get around them, so IT administrators need to implement systems and practices that are better than the attackers’.
Other measures to help protect against ransomware attacks include:
- Developing a response plan. When an alarm bell does go off, IT departments need to follow a plan that can help them limit the threat actor, kick them out and repair any holes in their IT infrastructure.
- Vulnerability scanning and patching. Aside from phishing attacks, vulnerabilities in IT products are one of the most common intrusion vectors for ransomware actors. Keeping systems patched and up to date is one of the most important things to do to keep your organization secure.
- Understanding who is targeting your organization. Developing a profile of threat actors that may target your organization can help you implement the right security tools and protocols specific to how those actors operate. This can help you distinguish normal activity from suspicious activity.