It’s been widely reported that ransomware attacks have significantly increased over the last few months. In fact, recent research has shown that the daily number of ransomware attacks across the globe has increased by half over the past three months and has almost doubled in the US. The reason for the increase is simple: the dramatic surge in the number of people working remotely or from home has opened up a whole host of security issues.
Remote workers, for example, will often use personal devices, public Wi-Fi or shared internet connections, which expose sensitive data to additional risk. A recent IBM report puts the average cost of a data breach in 2020 at a staggering $3.86 million (or £2.99 million), yet there is still a huge disconnect between security teams and senior management. With the negative effects of Covid-19 further squeezing already overstretched budgets, businesses are not able to financially prioritize the issue, and attackers are taking advantage of that.
The ransomware game is changing
To make matters worse, cybercriminals are setting their sights on bigger prizes, and we’re seeing a shift towards what’s known as Big Game Hunting TTPs (Tactics, Techniques and Procedures). Attackers are targeting larger organizations and high-profile individuals in an attempt to steal high-value assets or data so they can hold the information to ransom.
Unlike older ransomware operations, where threat actors would try to compromise as many systems as possible irrespective of who owned those systems and what data sat on them, Big Game Hunting uses an extremely targeted approach. The attackers usually pick organizations that are particularly sensitive to downtime, as that increases the motivation to pay the ransom. As a result, the industries typically targeted by these cybercriminals include local governments, academic institutions, the technology sector, healthcare, manufacturing and financial services.
Big Game Hunters select and study specific targets, and usually employ sophisticated methods to install ransomware in their victims’ networks. As a result, groups can spend several months lurking in a victim’s network before deploying ransomware or stealing any data. One of the most common ways these cybercriminals gain access is through internet-exposed Remote Desktop Protocol (RDP) servers. This is particularly common in attacks against hospitals and other healthcare organizations, because these institutions often leave RDP reachable from the internet so that third-party service providers can perform product support.
Another way these groups enter victims’ networks is through known vulnerabilities in software. Outdated or unpatched software on the network is easy to exploit, and the exploit is often delivered in combination with social engineering or malware.
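Because exposed RDP is the entry point named above, the one thing a defender can do immediately is watch the Windows Security log for the pattern that precedes a Big Game Hunting intrusion: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from a single source address, followed by a success (Event ID 4624, LogonType 10) from that same address. The following is an added example written for this article, not code from the author or from EclecticIQ; the event records are constructed sample data, the field names mirror the Windows Security log, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag RDP password-guessing, and guessing that ends in a successful logon,
from Windows Security events (added example; sample events are constructed).

Event ID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Other logon types are ignored.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: failures from one IP inside WINDOW
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures
RDP_LOGON_TYPE = 10


def ev(time, event_id, logon_type, ip, user):
    """Build one simplified Security-log record (constructed sample data)."""
    return {"time": time, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample telemetry, not real logs. 203.0.113.7 sprays six RDP
# logons and then gets in; 198.51.100.20 is a user mistyping a password;
# 192.0.2.9 is a network (LogonType 3) burst that this detector ignores.
SAMPLE_EVENTS = [
    ev("2020-09-01T02:00:01", 4625, 10, "203.0.113.7", "admin"),
    ev("2020-09-01T02:00:03", 4625, 10, "203.0.113.7", "administrator"),
    ev("2020-09-01T02:00:05", 4625, 10, "203.0.113.7", "root"),
    ev("2020-09-01T02:00:07", 4625, 10, "203.0.113.7", "admin"),
    ev("2020-09-01T02:00:09", 4625, 10, "203.0.113.7", "backup"),
    ev("2020-09-01T02:00:11", 4625, 10, "203.0.113.7", "svc_backup"),
    ev("2020-09-01T02:01:30", 4624, 10, "203.0.113.7", "svc_backup"),
    ev("2020-09-01T02:05:00", 4625, 10, "198.51.100.20", "jsmith"),
    ev("2020-09-01T02:05:10", 4625, 10, "198.51.100.20", "jsmith"),
    ev("2020-09-01T02:05:20", 4624, 10, "198.51.100.20", "jsmith"),
    ev("2020-09-01T02:07:00", 4625, 3, "192.0.2.9", "admin"),
    ev("2020-09-01T02:07:01", 4625, 3, "192.0.2.9", "admin"),
    ev("2020-09-01T02:07:02", 4625, 3, "192.0.2.9", "admin"),
    ev("2020-09-01T02:07:03", 4625, 3, "192.0.2.9", "admin"),
    ev("2020-09-01T02:07:04", 4625, 3, "192.0.2.9", "admin"),
    ev("2020-09-01T02:07:05", 4625, 3, "192.0.2.9", "admin"),
    ev("2020-09-01T04:00:00", 4625, 10, "203.0.113.7", "admin"),  # outside window
]


def parse_time(s):
    return datetime.fromisoformat(s)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    'rdp_bruteforce' fires once per source IP when its RDP failures inside the
    sliding window reach the threshold; 'rdp_bruteforce_success' fires when a
    successful RDP logon arrives from an IP whose window still holds at least
    `threshold` failures (the case that most likely means an attacker is in).
    """
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    recent_fails = defaultdict(deque)  # source IP -> timestamps of recent 4625s
    already_alerted = set()            # IPs that got a 'rdp_bruteforce' alert
    alerts = []

    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons matter for RDP guessing
        t = parse_time(e["time"])
        ip = e["IpAddress"]
        q = recent_fails[ip]
        while q and t - q[0] > window:   # age out failures older than the window
            q.popleft()

        if e["EventID"] == 4625:
            q.append(t)
            if len(q) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(q), "time": e["time"]})
        elif e["EventID"] == 4624:
            if len(q) >= threshold:
                alerts.append({"type": "rdp_bruteforce_success", "ip": ip,
                               "failures": len(q), "user": e["TargetUserName"],
                               "time": e["time"]})
            # a success resets the state for this IP either way
            q.clear()
            already_alerted.discard(ip)
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(a)
```

The interesting alert is the second one: a success after a burst of failures is the moment to isolate the host and review what the account did next, while the first alert alone is often just background scanning of any RDP port left open to the internet. Real deployments should key on the source IP plus the target host and raise the threshold for known-noisy jump hosts.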
Who’s on the hunt?
Some experts believe that organized gangs in Russia and Eastern Europe, or state-sponsored hackers, are responsible for launching the attacks. One particular group, ‘DarkSide’, which has made headlines over the past couple of months, claims to have already made “millions of dollars of profit” from previous ransomware partnerships. The group announced itself in a press release as “a new product on the market, but that does not mean we have no experience and we came from nowhere”, and claims that it exclusively targets large, profitable corporations. Allegedly, at least one victim has already paid a ransom of over $1 million (£765,000). The ransoms apparently range from $200,000 (£150,000) to $2 million (£1.5 million), but those numbers double if the initial payment window isn't met. If the ransom isn’t paid, DarkSide leaks the company’s data online via the dark web.
Defending against big game hunting
There are a number of ways that businesses and organizations can safeguard against this kind of sophisticated ransomware attack. The first is to close the gap mentioned earlier: the disconnect between security teams and leadership leaves organizations more vulnerable to cyber-attacks. But it’s not just leaders who are generally ill-equipped and under-educated to mitigate the risks. All employees need to be trained to a basic understanding of the threats they might face and how to recognize them. As cybersecurity becomes an increasingly serious problem for organizations, it needs to be acknowledged as the responsibility of everyone, not just security teams.
Additionally, if they don’t already have one in place, organizations need to develop and implement a robust cybersecurity policy, to outline their cyber defense strategy. This should include details such as which assets and data need to be protected, the particular threats to those assets and what security tools and processes have been applied to deal with them.
Finally, Cyber Threat Intelligence (CTI) can be extremely helpful in optimizing your cybersecurity strategy. CTI-driven security is effective because it is proactive rather than reactive.
Preventive actions and mitigations can only be put in place if an organization is aware of the specific threat landscape it faces. This strategic awareness comes from CTI and allows stakeholders to make informed decisions to adjust the organization’s security posture when and where necessary. CTI also gives the organization an edge when responding to ongoing threats by providing operational and tactical awareness. By understanding the TTPs used by threat actors, IT departments can implement specific mitigations and fine-tune their security tools to stop these attacks from succeeding.
As this article shows, cybercriminals are becoming ever more creative and sophisticated, and their methods of attack are constantly evolving. Organizations therefore need to understand the full implications of a cyber-attack, both financially and reputationally, if they are to start prioritizing cybersecurity and take the necessary measures to protect themselves against these increasingly sophisticated attacks.
Ippolito Forni, Threat Intelligence Consultant, EclecticIQ