The ransomware checklist

The ransomware checklist

Mohammed Al-Moneer, Regional Director, Middle East, Turkey & Africa at Infoblox highlights four ransomware trends that companies should be aware of as part of their cyber security efforts.

1 – Ransomware attacks continue to grow

Ransomware is once again front and centre. This year has turned out to be one of the worst years for ransomware. Why? Because that’s where the big money is. Large potential return on investment makes ransomware extortion activities highly compelling for threat actors. Verizon’s 2021 Data Breach Investigations Report notes, “The novel fact is that 10% of all breaches now involve ransomware.”

Cybereason’s recent ransomware study of nearly 1,300 security professionals reveals that more than half of organisations have fallen victim to ransomware attacks. In addition, 80% of businesses that have paid ransoms have suffered second ransomware attacks, often from the same threat actors. Some 66% of organisations surveyed reported significant loss of revenue after a ransomware attack, 53% of organisations indicated that their brand and reputation were damaged as a result of a successful attack, and 32% reported losing C-level talent as a direct result of ransomware attacks. As many as 26% of organisations reported that ransomware attacks forced their businesses to close temporarily.

2 – Ransomware as a service expands

The ransomware attacks on JBS and Colonial Pipeline are examples of criminal organisations using RaaS platforms. Many potential threat actors lacking the skills to build and launch their own ransomware attacks can buy what they need through the dark web. Nearly two-thirds of ransomware attacks during 2020 came from RaaS-based platforms.

RaaS platforms include support, community forums, documentation, updates, and more. They are closely modelled after the type of support offered with legitimate SaaS products. Some RaaS websites offer supporting marketing literature and user testimonials. The cost is relatively low. In some cases, affiliates can sign up for a one-time fee or for a monthly subscription. Some RaaS platforms are set up without any initial fees and share the fees associated with a successful attack. Other platforms might have charges for special features, such as the view of a status update of active ransom infections, the number of files encrypted, and payment information.

The use of highly targeted RaaS attacks has been lucrative for threat actors. RaaS attacks that target large organisations can, in turn, ask for large ransoms. In these highly targeted cases, threat actors sometimes use carefully researched social-engineering tactics, such as well-crafted emails to entice targets to click dangerous URLs or open malicious attachments. In other cases, threat actors may target a vulnerability that is particular to or commonly used by their target victim group.

3 – Ransomware leak sites are a new threat actor tactic of choice

Threatening to post a victim’s data on a data-leak site increases the leverage of a ransomware threat actor and is another part of their strategy, in addition to encrypting a victim’s files. The damage of this exposure might be greater than the financial damage of agreeing to pay the ransom the actor has demanded.

4 – Ransomware distribution methods remain tried and true

Attackers continue to use tried and true ransomware distribution methods – their tactics, techniques, and procedures work well for them and these attack vectors continue to bring them success. The four distribution methods are malicious websites, malspam email, the remote desktop protocol, and USB memory sticks. Depending on the report cited, time period, and companies surveyed, the percentages of ransomware attacks that use these distribution methods have varied significantly.

  • A malicious website distributes harmful downloads to users socially engineered to click links to that site. In addition to setting up their own spoofed site, threat actors can find and exploit vulnerabilities in a legitimate website and implant malicious code on it. Alternatively, they may use it to redirect the target to another website under their control. Some of the most well-known media and sports websites in the world have at some point been compromised or hijacked.
  • Threat actors consistently use email campaigns employing social engineering tactics as distribution methods for their malware, downloaders or malicious links. Some attacks are highly targeted against one individual or organisation, a technique known as spear-phishing, but others are larger, broader campaigns.
  • RDP has become a highly effective and dangerous attack vector. Several years ago, one study noted that over 10 million online machines were configured with an open port, 3389. It has become a simple matter for threat actors to use search engines, such as Shodan, to locate these devices. Threat actors can gain access to RDP servers by using default passwords on servers that have not been updated. Alternatively, the actors can use brute-force techniques to break in, or they can use open-source password crackers.
  • USB memory sticks have been used to distribute many types of malware, including ransomware and that has not changed over many years. Threat actors leave USB drives in coffee shops, airports, mailboxes, and corporate lounges, for unsuspecting targets to pick up and use. Once a weaponised USB drive is inserted into a computer, the ransomware encrypts files on the device and propagates within the network.