Thursday, August 26th, 2021
The Latest Updates On Critical Ransomware Threats
Updated 22nd July 2021
The number of organisations impacted by ransomware globally has more than doubled in the first half of 2021 compared with 2020 and it is showing no sign of slowing down. With ransomware attacks being extremely lucrative for threat actors, it is no surprise that a lot of the most well-organised gangs are earning millions per attack victim and that a new ransomware attack is detected every 11 seconds.
Although ransomware is nothing new, the tactics, techniques and procedures (TTPs) used by threat actors have reached new levels of sophistication. This increased sophistication and growth has made it extremely difficult for organisations to defend their networks against such attacks.
The latest trends
When it comes to modern ransomware, threat actors are more precise and more hands-on than ever before. They spend a significant amount of time compromising different parts of the victim's network (a process that may take weeks or months) before they execute the ransomware payload, which makes these intrusions look more like nation-state advanced persistent threat (APT) operations than traditional ransomware incidents.
Our researchers constantly see malware code being upgraded and fixed, treated almost like well-developed applications by their creators. We have seen instances where malware that once failed is brought back with its issues fixed and its execution improved. Flaws like these are what previously allowed the infosec community to protect against, or even undo, the damage done by the malware.
The malware being used by attackers is becoming more "usable" and is gaining more features. With just a simple configuration file the operators can choose:
- Which file types to encrypt
- Whether to exfiltrate data before encrypting it
- Which processes to kill (AV/anti-malware evasion)
- Which Command & Control domains the beacons should contact
- Whether the malware should persist on the host
- Whether to wipe some data from the targeted hosts
A particularly disturbing approach our researchers have seen in recent weeks is that each host is encrypted with a different key. Victims may therefore end up negotiating a ransom price per host rather than for their whole environment, and must match each decryption key to the specific host it was used on.
Top recent Ransomware attacks
Over 600 touchscreen ticket machines were disrupted by a ransomware attack just two months after they were installed at stations across the north of England. Customers of Northern, the rail company serving towns and cities across northern England, have been affected, with the website and ticket offices also reported as disrupted.
There is currently no indication of when the self-service ticket machines will be restored or whether a ransom demand has been made.
Ransomware attacks like these where cyber criminals hack into networks, encrypt data and demand payment in exchange for a decryption key, have been a major cybersecurity problem throughout 2021.
Ransomware as a Service (RaaS) is a business model in which ransomware developers lease their variants to affiliates who carry out the attacks. Even as attackers become more sophisticated, ransomware has never been easier to use thanks to RaaS, which has accounted for almost two-thirds of ransomware campaigns so far this year. RaaS is proving very effective for cyber criminals who want a piece of the cyber-extortion action without having, or needing, the skills to develop their own malware.
REvil (also known as Sodinokibi) is currently one of the most prolific RaaS operations. RaaS operators like REvil have added data exfiltration to their repertoire, along with threats to leak the stolen data if victims recover from the encryption without paying, for instance by restoring from backups.
At the beginning of the month, REvil made cyber crime history with the largest ransom demand of all time, demanding $70 million for a universal decryptor covering the 1,000-plus victims of the Kaseya supply-chain attack. REvil was previously responsible for the ransomware attack on JBS, the world's largest meatpacker, which fetched a ransom of $11 million. In April, REvil stole and published blueprints from Apple supplier Quanta Computer; that attack reportedly carried a $50 million ransom demand.
Conti ransomware is believed to be run by a Russia-based cybercrime group known as Wizard Spider. The group uses phishing to install the TrickBot and BazarLoader trojans, which provide remote access to the infected machines. They then use this access to move laterally through the network, stealing credentials and harvesting unencrypted data from workstations and servers. Once they have taken everything of value and obtained Windows domain credentials, they wait, remaining undetected until they strike and deploy the ransomware across the network to encrypt all of its devices. The Conti gang then uses the stolen data as leverage to force the victim to pay.
Some notable ransomware attacks conducted by Conti include the Scottish Environment Protection Agency (SEPA) last year and the attack on the HSE last month.
What is next?
The success of double extortion throughout 2020 was clear, but some of the more prominent attacks at the beginning of this year point to a new attack chain: an expansion of the double extortion technique that adds a further element, threatening the victim's customers, users and other third parties. This is what is being called Triple Extortion.
In February of this year, the REvil ransomware group announced that it was adding more tactics to its double extortion ploy, namely DDoS attacks and phone calls to the victim’s business partners and the media. Freely offered to affiliates as part of the group’s ransomware-as-a-service business, the DDoS attacks and voice-scrambled VoIP calls are designed to apply greater pressure on the company to cough up the ransom.
What do you need to do to protect against Ransomware?
1. Visibility is key
Visibility of what hardware and software assets you have in your network and physical infrastructure will help you gain a greater understanding of your organisation’s security posture.
2. User awareness
Regular cyber security awareness training will ensure that your employees are always up-to-date with the latest phishing scams and malicious attempts to access your data or systems.
3. Updating and Patching
Make sure your devices have the latest security updates installed and an antivirus or anti-malware service running. Prompt patching also avoids the lost productivity that follows an incident.
4. Enable Multi-factor authentication
Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way.
5. Make sure you have an up to date Incident Response Plan in place
It is important to regularly test your incident response plan in order to simulate a real-life attack and document how your organisation is in a position to respond, should one occur.
6. Back- up your systems and data
Data loss is often as damaging to an organisation, both financially and to its brand, as a data breach. Keeping a copy of critical data in a secure offsite location, separated from the production network so that it cannot be encrypted along with everything else, is one small step that should not be overlooked.
7. Active Directory and Privileged Access Management
The last couple of years have seen ransomware families such as LockerGoga and Samas ship without a spreader of their own. Malware usually includes a means of propagating itself from the initial infected device to other devices on the same network. But instead of writing and testing that extra code, which may be prone to failure, attackers are leveraging a mechanism that is already present in most organisations: Active Directory.
Ransomware attacks that use Active Directory to propagate or to perform reconnaissance require privileged access to the directory. Most organisations do not properly restrict or manage the use of privileged AD accounts, leaving IT systems exposed to ransomware and other kinds of attack. Here are seven ways to protect access to privileged AD accounts and make it difficult for attackers to weaponise Active Directory:
- Reduce privileged AD group membership
- Restrict the use of privileged AD accounts to dedicated admin workstations and tasks
- Establish a Break Glass account for emergencies
- Manage end-user devices using a local account rather than domain-privileged credentials
- Protect privileged AD accounts with multi-factor authentication
- Monitor Active Directory for unusual activity
- Implement a tiered administration model for Active Directory
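The first item on the list (reducing privileged group membership) and the sixth (monitoring) are the ones that can be checked mechanically. The following PowerShell audit is an added example written for this post; it is not code from the original article or from any vendor tool. It assumes a domain-joined host with the ActiveDirectory RSAT module, and the group list, the 90-day staleness threshold and the output file name are assumptions you should tune to your own environment.

```powershell
# Added example: audit the built-in privileged AD groups and flag members that
# weaken the controls listed above. Requires the ActiveDirectory module (RSAT).
# Group list, $StaleDays and the CSV path are assumptions to adjust per environment.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Members of "Protected Users" cannot use NTLM or be delegated, so a privileged
# account outside that group is a finding in itself (group exists on 2012 R2+ domains).
$ProtectedUsers = @()
$pu = Get-ADGroup -Filter "Name -eq 'Protected Users'" -ErrorAction SilentlyContinue
if ($pu) {
    $ProtectedUsers = Get-ADGroupMember -Identity $pu -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

$Findings = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { continue }

    # -Recursive expands nested groups, which is where surprise members usually hide.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.DistinguishedName -Properties `
            Enabled, LastLogonDate, PasswordNeverExpires, ServicePrincipalName, AccountNotDelegated

        $Issues = @()
        if (-not $User.Enabled)                               { $Issues += 'disabled-but-still-member' }
        if ($User.LastLogonDate -and $User.LastLogonDate -lt $Cutoff) { $Issues += "stale-${StaleDays}d" }
        if ($User.PasswordNeverExpires)                       { $Issues += 'password-never-expires' }
        if ($User.ServicePrincipalName)                       { $Issues += 'has-spn-kerberoastable' }
        if (-not $User.AccountNotDelegated)                   { $Issues += 'delegation-allowed' }
        if ($ProtectedUsers -notcontains $User.SamAccountName) { $Issues += 'not-in-protected-users' }

        [PSCustomObject]@{
            Group  = $GroupName
            User   = $User.SamAccountName
            Issues = ($Issues -join ',')
        }
    }
}

# Group sizes first (the "reduce membership" check), then per-account issues.
$Findings | Group-Object Group | Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
$Findings | Where-Object Issues | Sort-Object Group, User | Format-Table -AutoSize
$Findings | Export-Csv -Path .\privileged-ad-audit.csv -NoTypeInformation
```

Two caveats when reading the output: LastLogonDate is derived from the lastLogonTimestamp attribute, which replicates with a lag of up to 14 days, so treat the staleness flag as approximate; and Get-ADGroupMember can fail on very large groups or on groups containing foreign security principals, in which case fall back to reading the group's member attribute directly. To cover the monitoring item, run the audit on a schedule and diff the CSV, and alert on the Windows Security events for membership changes to these groups (4728, 4732 and 4756 for global, local and universal groups respectively) so that an attacker adding themselves to Domain Admins is caught at the moment it happens rather than at the next audit.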
8. Security Intelligence and Monitoring
24/7 Monitoring can provide early warnings of cyberthreats and risk sensing that can detect patterns of criminal activity.
Unfortunately security controls are not implemented fast enough in organisations: while researchers are doing tremendous work creating new detection and prevention rules for anti-malware software, IT departments are often too slow to deploy the resulting security solutions.
Our security teams at Smarttech247 are working to protect our customers and provide you with the relevant information you need to stay secure. For additional information and best practices for staying secure, please don't hesitate to contact our experts.