Ransomware: why it’s still a big threat and where gangs go next



Ransomware has long been a cybersecurity issue, but last year it became mainstream.

Major ransomware attacks, such as those on Colonial Pipeline, Irish Healthcare Executives, and many others, have shown how serious the problem has become as cyberattacks have disrupted people’s lives.

What was once a small cybercrime industry, based on encrypting files on personal computers and demanding hundreds of dollars in ransom for decryption keys, has evolved into a large ecosystem designed around holding critical services and infrastructure to ransom and making extortion demands of millions of dollars.


It’s no wonder Lindy Cameron, head of the National Cyber Security Center (NCSC) in the United Kingdom, describes ransomware as “the world’s biggest cyber threat.”

Ransomware is constantly evolving, with new variants and new ransomware groups emerging, along with new technologies and tactics designed to maximize the returns from attacks.

And, as the recent Conti ransomware leak showed, the most successful ransomware gangs are organized much like any other group of software developers.

“They really behave like businesses. They really do, except for the fact that they are not legally registered. They are functioning like real businesses, and sometimes there are more people within these organizations than in some startups,” says Christine Bejerasco, CTO of WithSecure.

“They have shown a lot of resilience and agility in adapting to new things,” she adds.

This resilience and adaptability has driven a series of ransomware attacks around the world, often with cybercriminals making off with millions of dollars.

And that only accounts for the ransomware incidents we hear about; many are simply not reported.

“The main challenge is that most companies don’t disclose incidents, so they don’t know what the trend really is,” said Brett Callow, threat analyst at Emsisoft. “You can’t control what you don’t measure.”

Ransomware attacks against smaller victims go unreported

Ransomware attacks on large organizations get noticed, but attacks on small and local businesses, where victims feel they have no other choice and pay the ransom immediately, may not be reported at all.

Individual attacks on small targets do not result in as large a payday as a successful attack on a large company, but by chaining together attacks on a series of small victims, ransomware attackers can still make quite a significant profit.

Smaller companies are less likely to invest in cybersecurity, which can make their networks easier to break into. This means that a ransomware group can hit multiple targets in a short period of time, which matters if it wants to make as much money as possible.

“Obviously, they won’t get as much payment as they would get from a big company, which means they need to go much faster from the first penetration to the success of blackmail,” says Callow, who suggests that chasing small businesses also brings another benefit to cybercriminals.

“Attacks on small businesses may not get the same level of attention. Targeting local grocery stores may mean that the risk of being tracked by U.S. Cyber Command is somewhat lower,” he says.

After the Colonial Pipeline attack, the US Department of Justice managed to seize and return most of the multi-million dollar ransom payment made. Individuals involved in ransomware attacks are still rarely tracked or arrested, but this direct action against the DarkSide ransomware gang’s ability to make money may have changed the outlook for cybercriminals.

“Since that event, threat actors have changed their understanding of the world a bit, with results they have never seen before,” said Sherrod DeGrippo, senior director of threat research at Proofpoint.

“Since then, I’ve seen other major ransomware events, but I haven’t hit the mallet everywhere, as I’ve seen in the past,” she adds.

Ransomware is loud – some criminals may turn to quieter alternatives

Gangs may still be laying the groundwork for a new wave of ransomware attacks. Or, as DeGrippo suggests, some hacking groups may be turning their attention to other cyberattacks that are lower-noise but still profitable.

“It could be the final stage payload of ransomware because of the large scale of initial access. It could be something else. It could be a big win for banking Trojans,” she says. “It’s much quieter, under the radar, and still offers a fair payday, but it doesn’t get the attention of law enforcement agencies.”

Trojan malware allows cybercriminals to steal sensitive information such as bank account details from victims, providing an opportunity to steal money directly from victims.

There is another issue that could convince some cybercriminals to go down this path rather than ransomware: cryptocurrencies are volatile. Ransom payments made in Bitcoin can therefore be worth much less by the time the attacker chooses to cash out. Cybercriminals may want to turn their attention back to using malware to steal cash.

“Today, you can get $1 million worth of Bitcoin, or you can get $1 million in hard currency from a banking Trojan that has been transferred to a place where you are doing money laundering. Tell the threat actors that they will receive cash now,” says DeGrippo.

But that doesn’t mean that ransomware will be gone soon. While some may look elsewhere, ransomware attacks are still a lucrative way to make illegal money, and ransomware attacks continue to evolve.

For example, ransomware groups are now regularly targeting cloud applications as entry points for attacks.

It does not seem impossible that some of the most sophisticated and resource-rich ransomware gangs will compromise cloud service providers with attacks that affect not just one company, but thousands of companies.

This approach gives attackers a lot of leverage to demand large ransoms from their targets, which may be paid quickly because of the widespread disruption.

“If a ransomware attacker goes in that direction, effectively encrypts the data in the cloud and demands a ransom, he has accessed the organization and encrypted all the data. Can you imagine that all the customer data in the service was encrypted? It would give in to the organization,” says Bejerasco of WithSecure.

How to protect your network from ransomware attacks

Ransomware is a major cybersecurity threat, but there are steps that organizations of all sizes can take to avoid becoming a victim. In most cases, ransomware gangs aren’t going after specific targets; they just exploit security vulnerabilities wherever they can be found.

Therefore, it is important to apply security updates and software patches as soon as possible. Doing so, especially for particularly serious vulnerabilities, can prevent cybercriminals from exploiting them to gain access to your network or maintain persistence on it. Applying security updates to your entire network can be difficult, but it’s one of the most important things IT departments can do to keep their business safe from cyberattacks.

Multi-factor authentication (MFA) is also an important defense against ransomware and other cyberattacks. Many ransomware campaigns begin with cybercriminals stealing usernames and passwords and misusing them to move around the network. Rolling out MFA to users makes it difficult for cybercriminals to use stolen passwords, and unexpected login notifications may indicate that something is wrong and needs investigation.

Ensuring that employees use unique and complex passwords that cannot be easily guessed or cracked by brute-force attacks can also help make your network as robust as possible against unauthorized intrusions.

Also, because ransomware is based on data encryption, it’s important that your organization backs up its data on a regular basis and stores those backups offline. Then, if the worst happens and your network is hit by ransomware, you have the option to recover your data without paying the ransom to the cybercriminals, although the rise of double extortion attacks means that if the ransom is not paid, the stolen data may still be published.

Law enforcement and government officials strongly discourage businesses from paying ransoms. Not only does paying encourage further ransomware attacks, you also don’t know who you are paying, and your cash could go to sanctioned or rogue nations.

But regardless of whether the victim decides to pay the ransom, according to DeGrippo, it’s important to plan ahead for what to do: it is much better to have a plan in place than to panic after falling victim to a ransomware attack.

“Each organization needs to decide how to handle a ransomware event before it happens. Yes, this includes the amount, whether or not you pay,” she says.

“These are not fun discussions, but they are incredibly devastating and painful during the ransomware event.”
