Thursday, August 26th, 2021

Ransomware Threats – Latest Updates

Ransomware threats more than doubled at the start of 2021 compared with 2020 and show no sign of slowing down. With ransomware attacks being extremely lucrative for threat actors, many gangs are earning millions per victim. We are detecting a new ransomware attack every 11 seconds.

Although ransomware threats are nothing new, the tactics, techniques and procedures (TTPs) used have reached new levels of sophistication. This increased sophistication and growth has made it extremely difficult for organisations to protect their networks against such attacks.

The latest trends

When it comes to modern ransomware threats, actors are more precise and more hands-on in the attack than ever before. They spend a significant amount of time compromising different parts of the victim’s network (a process that may take weeks or months) before they execute the ransomware payload, making such attacks look more like nation-state advanced persistent threat (APT) attacks than traditional ransomware incidents.

Our researchers constantly see malware code being upgraded and fixed, with its creators treating it almost like a well-developed application. We are seeing instances where malware that previously failed is brought back with its issues fixed and executed more effectively. Those earlier failures were what allowed the infosec community to protect against, or even reverse, the damage done by this malware.

The malware attackers are using is becoming more usable and is gaining more features. With just a simple configuration file, the operators can choose:

  • Which file types to encrypt
  • Whether to exfiltrate data
  • Which processes to kill (AV/anti-malware evasion)
  • Which command and control domains the beacons should contact
  • Whether it should be persistent
  • Whether it should wipe data from the targeted hosts

A disturbing approach our researchers have seen in recent weeks is that each host is encrypted with a different key. Victims may therefore end up negotiating a ransom price per host rather than for their whole environment, and each decryption key then has to be matched to the specific host it was used on.

Top recent Ransomware attacks

With ransomware threats being extremely lucrative for attackers, it is no surprise that many of the best-organised gangs are earning millions per victim.

A ransomware attack disrupted over 600 touchscreen ticket machines just two months after they were installed at stations across the north of England. Customers of the rail operator Northern, which serves towns and cities across northern England, have been affected, with the website and ticket offices also disrupted.

There is currently no indication of when these self-service ticket machines will be restored or whether a ransom demand has been made.

Ransomware attacks like these, where cyber criminals break into networks, encrypt data and demand payment in exchange for a decryption key, have been a major cybersecurity problem throughout 2021.

Ransomware-as-a-Service (RaaS)

Even as attackers become more sophisticated, launching a ransomware attack has never been easier thanks to RaaS. RaaS services accounted for almost two-thirds of ransomware campaigns already this year. Ransomware-as-a-Service (RaaS) is a business model in which ransomware developers lease their ransomware variants to affiliates. RaaS is very effective for criminals who want a piece of the cyber-extortion action without having the skills to develop their own malware.

REvil

REvil (also known as Sodinokibi) is currently one of the most prolific RaaS operations out there. Recently, RaaS attackers like REvil have added data exfiltration to their playbook, along with threats to leak the stolen data if victims manage to recover from the encryption without their help.

At the beginning of the month, REvil made cyber crime history by making the largest ransom demand of all time: $70 million to decrypt the 1,000-plus victims of the Kaseya ransomware attack. REvil was previously responsible for a ransomware attack on JBS, the world’s largest meatpacker, which fetched a ransom of $11 million. In April, REvil stole and published blueprints from Apple supplier Quanta Computer; that attack reportedly came with a $50 million ransom demand.

Conti

A Russia-based cybercrime group known as Wizard Spider runs the Conti ransomware. This group uses phishing attacks to install the TrickBot and BazarLoader trojans, which provide remote access to the infected machine or machines. Using this remote access, they spread laterally through the network while stealing credentials and harvesting unencrypted data stored on workstations and servers. Once they have stolen everything of value and gained access to Windows domain credentials, they wait, remaining undetected until they strike and deploy the ransomware across the network to encrypt all of its devices. The Conti gang then uses the stolen data as leverage to force the victim to pay the ransom.

Some notable attacks by Conti include the Scottish Environment Protection Agency last year and the attack on the HSE.

What is next for ransomware threats?

Triple Extortion

The success of double extortion throughout 2020 was clear to see, but some of the more prominent attacks at the beginning of this year point to a new attack chain: essentially an expansion of the double extortion technique that adds a further element, threatening the victim’s customers, users and other third parties. This has become known as Triple Extortion.

In February of this year, the REvil ransomware group announced that it was adding more tactics to its double extortion ploy, namely DDoS attacks and phone calls to the victim’s business partners and the media. Freely offered to affiliates as part of the group’s ransomware-as-a-service business, the DDoS attacks and voice-scrambled VoIP calls are designed to apply greater pressure on the company to cough up the ransom.

What do you need to do to protect against Ransomware Threats?

1. Visibility is key

Visibility of what hardware and software assets you have in your network and physical infrastructure will help you gain a greater understanding of your organisation’s security posture.

2. User awareness

Regular cyber security awareness training will ensure that your employees are always up-to-date with the latest phishing scams and malicious attempts to access your data or systems.

3. Updating and Patching

Make sure your devices have the latest security updates installed and an antivirus or anti-malware service. System patches also help avoid lost productivity.

4. Enable Multi-factor authentication

Most online services provide a way to protect your accounts in this way using your mobile phone or another second factor.

5. Make sure you have an up to date Incident Response Plan in place

You should regularly test your incident response plan by simulating a real-life attack, and document how well your organisation is positioned to respond should one occur.

6. Back up your systems and data

Data loss is often as damaging to an organisation, both financially and to its brand, as a data breach. Copying critical data to a secure offsite location is one small step that should not be overlooked.

7. Active Directory and Privileged Access Management

The last couple of years have seen ransomware like LockerGoga and Samas omitting a spreader. Malware usually includes a means of propagating itself from an initially infected device to other devices on the same network. But instead of writing and testing the extra code, which may be prone to failure, attackers are leveraging a mechanism that is already present in most organisations: Active Directory.

Ransomware attacks that use Active Directory to propagate or to perform reconnaissance require privileged access to the directory. Most organisations do not properly restrict or manage the use of privileged AD accounts, leaving IT systems exposed to ransomware and other kinds of attack. Here are seven ways that you can protect access to privileged AD accounts and make it difficult for attackers to weaponise Active Directory:

  1. Reduce privileged AD group membership 
  2. Restrict the use of privileged AD accounts  
  3. Establish a Break Glass Account 
  4. Manage end-user devices using a local account  
  5. Protect privileged AD accounts with multi-factor authentication 
  6. Monitor Active Directory for unusual activity  
  7. Implement a tiered administration model for Active Directory 
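Two of the points above, reducing privileged group membership (1) and monitoring Active Directory for unusual activity (6), lend themselves to simple automated checks. The script below is an added example, not Smarttech247's own tooling: it audits a group membership snapshot against a small policy and flags Windows Security events that add members to privileged groups, escalating when the change happens out of hours. The group names are the well-known built-in privileged groups; the event IDs 4728, 4732 and 4756 are the standard "member added to security-enabled global/local/universal group" events. The snapshot, the account names and the event records are constructed for illustration; in practice the snapshot would come from `Get-ADGroupMember -Recursive` output and the events from a Security log export or SIEM, and the `svc_` naming convention and the member limit are assumptions to replace with your own policy.

```python
"""Audit privileged AD group membership and flag unusual changes.

Added example for illustration; all input data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Well-known groups whose membership grants control over the directory.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators",
}

# Security event IDs: a member was added to a security-enabled group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}


@dataclass
class Finding:
    severity: str
    message: str


def audit_membership(snapshot, max_members=5):
    """Check a {group: [accounts]} snapshot against a simple policy.

    Privileged groups should stay small, and service accounts (assumed here
    to be named 'svc_*') should never sit in them, because a compromised
    service account then hands over the whole directory.
    """
    findings = []
    for group, members in snapshot.items():
        if group not in PRIVILEGED_GROUPS:
            continue
        if len(members) > max_members:
            findings.append(Finding(
                "medium", f"{group} has {len(members)} members (limit {max_members})"))
        for member in members:
            if member.lower().startswith("svc_"):
                findings.append(Finding(
                    "high", f"service account {member} is a member of {group}"))
    return findings


def detect_privileged_changes(events, business_hours=(time(8), time(18))):
    """Flag group-add events whose target is a privileged group.

    Any such change deserves review; one made at night or at the weekend is
    escalated because legitimate admin changes rarely happen then.
    """
    findings = []
    for ev in events:
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        if ev["TargetGroup"] not in PRIVILEGED_GROUPS:
            continue
        ts = datetime.fromisoformat(ev["Timestamp"])
        in_hours = business_hours[0] <= ts.time() < business_hours[1]
        out_of_hours = (not in_hours) or ts.weekday() >= 5
        severity = "critical" if out_of_hours else "high"
        findings.append(Finding(severity, (
            f"{ev['Subject']} added {ev['Member']} to {ev['TargetGroup']} "
            f"at {ev['Timestamp']} (event {ev['EventID']})")))
    return findings


# Constructed snapshot: one service account has crept into Domain Admins.
SAMPLE_SNAPSHOT = {
    "Domain Admins": ["alice.admin", "bob.admin", "svc_backup"],
    "Enterprise Admins": ["alice.admin"],
    "Helpdesk": ["carol", "dan", "erin"],
}

# Constructed events: 23 Aug 2021 is a Monday, 22 Aug 2021 a Sunday.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Timestamp": "2021-08-23T10:15:00", "Subject": "alice.admin",
     "Member": "dave.admin", "TargetGroup": "Domain Admins"},
    {"EventID": 4728, "Timestamp": "2021-08-22T02:30:00", "Subject": "helpdesk1",
     "Member": "tmp_user", "TargetGroup": "Domain Admins"},
    {"EventID": 4732, "Timestamp": "2021-08-23T11:00:00", "Subject": "carol",
     "Member": "erin", "TargetGroup": "Helpdesk"},
    {"EventID": 4624, "Timestamp": "2021-08-23T11:05:00", "Subject": "carol",
     "Member": "", "TargetGroup": ""},
]

if __name__ == "__main__":
    for f in audit_membership(SAMPLE_SNAPSHOT) + detect_privileged_changes(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.message}")
```

Run against the constructed data, the audit reports the service account in Domain Admins, and the change detector reports two findings: the Monday-morning addition as high and the Sunday 02:30 addition by a helpdesk account as critical. The Helpdesk change and the logon event are ignored. A tiered administration model (point 7) makes this kind of rule far more useful, because once only a handful of named accounts are allowed to change tier-0 groups, any addition by anyone else is an alert rather than noise.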

8. Security Intelligence and Monitoring

24/7 monitoring can provide early warnings of cyber threats, and risk sensing can detect patterns of criminal activity.

Unfortunately, organisations are not implementing security fast enough: while researchers are doing tremendous work creating new detection and prevention rules for anti-malware software, IT departments are not keeping pace when it comes to implementing security solutions.

Our security teams at Smarttech247 are working to protect our customers and provide you with the relevant information you need to stay secure. For additional information and best practices for staying secure, please don’t hesitate to contact our experts.

    Copyright Smarttech247 - 2021