Ransomware attacks soar and become more malicious

Ozan Ozkara, published in Nerd For Tech, Mar 22, 2021 (3 min read)

Threat actors are targeting victims for more money in 2021. According to several vendors' reports, the ransom paid by victims jumped by more than 200% this year, to over $300K. Ransom demands also increased over the last year, with the largest reaching $50–75 million; the most recent one I have seen in the news is the $50M that threat actors demanded from Acer.

Cybersecurity amidst uncertainty

Since last year, unforeseen vulnerabilities have been on the rise and have affected security stacks more than known vulnerabilities. While security and business transformation continue, SecOps has opened the door to threat actors through ineffective configurations and a lack of measurement of the stack.

Throughout the pandemic, organizations have focused on ensuring core business functions and on knowing that their infrastructures are not disrupted by attacks; at the same time, executives are looking to more automation as an essential part of their operations.

Ransomware remains one of the critical attack vectors. Among the thousands of victims, threat actors do not only demand money: they also exfiltrate company data, which ransomware gangs then post on data-leak and black-market sites. In the end, cleaning up after a ransomware incident is not affordable for many companies, with the average cost of a compromise assessment engagement exceeding $100K per incident.

Same Story, Different Episode

Ransomware-as-a-service (RaaS) has contributed to a proliferation of activity, including sophisticated attacks by nation-state actors.

To increase their profits, state-sponsored groups that have infiltrated a target have started selling initial access to corporate networks to other threat actors, or bundling that access with malware loaders as part of their malicious toolset.

In many attack campaigns the initial threat actor offered access to the networks; the Airbus and Boeing attacks are good examples. Cyber-criminals have essentially relied on two post-exploitation methods to increase their persistence: moving laterally and gaining control over the targeted networks.

Unfortunately, severe incidents caused by ransomware groups are difficult to discover. Even when victims pay the ransom, there is no guarantee of recovery: 1% paid the ransom but did not get their data back. According to the Sophos Ransomware report 2020, Sweden has the second-highest rate of ransom payments. One interesting part of the same finding is that the overall remediation cost for organizations that paid the ransom exceeds the cost for those that did not pay and restored their data from backups. Not paying the ransom may also leave you more comfortable, because you have not handed money to cyber-criminals.

Mounting a successful attack on a network requires tooling for east-west movement, weaponizing lateral movement and privilege escalation in the wild. This has led criminals to use post-exploitation frameworks more often; the same frameworks are used by ransomware affiliates/partners and by state-sponsored actors.

Figure: Group-IB HighTech Crime Trends 2021.

Fighting against Ransomware

  • Practice regularly identifying and classifying signs of initial compromise, and the methods, tools and tactics used to gain persistence and move laterally in networks. Average attack techniques are usually simple and can be discovered with human expertise and tools; more sophisticated attacks can be identified only by threat hunters.
  • Regularly check your infrastructure for known-bad indicators of compromise, using red-teaming activities and continuous pen-testing.
  • Successful bug bounty and crowdsourced pen-testing programs will harden your network and security practices against these threat actors.
  • Use actionable cyber threat intelligence (CTI) context and threat attribution.
  • Ensure that your security investments can detect and prevent attacks that use emerging TTPs and post-exploitation techniques.
  • Ensure that a sufficient number of trained security staff are involved in your SecOps tasks.
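As an added example (not code from the original article), the Python script below shows the kind of check the first two points describe: it sweeps log lines for known-bad indicators of compromise and applies a simple lateral-movement heuristic, flagging an account that performs network logons (Windows logon type 3) to several hosts within a short window. The log lines, hostnames, hash and IP address are all constructed for illustration; the event IDs loosely follow Windows Security (4624 logon, 7045 service install) and Sysmon (1 process create, 3 network connection) conventions, but none of the values are real threat-intelligence indicators.

```python
"""Added example (not from the original article): sweep constructed log lines
for known-bad IOCs and a simple lateral-movement heuristic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC set; the hash and IP are placeholders, not real indicators.
IOC_SHA256 = {"deadbeef" * 8: "hypothetical loader binary"}
IOC_IPS = {"198.51.100.23": "hypothetical C2 server (TEST-NET-2 address)"}
# Service names left behind by common remote-execution tooling (illustrative).
SUSPICIOUS_SERVICES = {"PSEXESVC"}

# Constructed sample log lines in the form "<ISO timestamp> key=value ...".
SAMPLE_LOGS = [
    r"2021-03-01T09:58:00 host=WS01 event=4624 logon_type=2 user=CORP\alice src_ip=10.0.0.11",
    r"2021-03-01T10:00:00 host=WS02 event=4624 logon_type=3 user=CORP\svc_backup src_ip=10.0.0.5",
    r"2021-03-01T10:01:30 host=WS03 event=4624 logon_type=3 user=CORP\svc_backup src_ip=10.0.0.5",
    r'2021-03-01T10:02:10 host=SRV01 event=7045 service_name=PSEXESVC image="C:\Windows\PSEXESVC.exe"',
    r"2021-03-01T10:03:00 host=SRV01 event=4624 logon_type=3 user=CORP\svc_backup src_ip=10.0.0.5",
    r'2021-03-01T10:04:00 host=SRV01 event=1 image="C:\Users\Public\update.exe" sha256=' + "deadbeef" * 8,
    r"2021-03-01T10:05:00 host=SRV01 event=3 dst_ip=198.51.100.23 dst_port=443",
    r"2021-03-01T11:30:00 host=WS04 event=4624 logon_type=3 user=CORP\bob src_ip=10.0.0.12",
]

# key=value pairs; values may be double-quoted (paths with spaces or backslashes).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict with a datetime under "ts"; None if unparseable."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for key, value in KV_RE.findall(parts[1]):
        event[key] = value.strip('"')
    return event


def match_iocs(events):
    """Return (host, reason) pairs for events that hit the hash, IP or service lists."""
    hits = []
    for ev in events:
        digest = ev.get("sha256", "").lower()
        if digest in IOC_SHA256:
            hits.append((ev["host"], "hash: " + IOC_SHA256[digest]))
        if ev.get("dst_ip") in IOC_IPS:
            hits.append((ev["host"], "ip: " + IOC_IPS[ev["dst_ip"]]))
        if ev.get("service_name") in SUSPICIOUS_SERVICES:
            hits.append((ev["host"], "service: " + ev["service_name"]))
    return hits


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Map each account that made type-3 (network) logons to >= min_hosts distinct
    hosts within `window` to the sorted list of those hosts."""
    logons = defaultdict(list)
    for ev in events:
        if ev.get("event") == "4624" and ev.get("logon_type") == "3":
            logons[ev["user"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for user, items in logons.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # Sliding window starting at each logon; stop at the first window that fans out.
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def triage(lines):
    """Run both checks over raw log lines and return the findings."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    return {"ioc_hits": match_iocs(events), "lateral_movement": detect_lateral_movement(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOGS).items():
        print(name, finding)
```

On the constructed input the script reports three IOC hits on SRV01 (the PSEXESVC service install, the flagged binary hash and the outbound connection to the listed address) and flags the svc_backup account for logging on to WS02, WS03 and SRV01 within ten minutes. The window and host-count thresholds are deliberately parameters: backup and monitoring service accounts fan out legitimately, so in practice they are tuned per environment and combined with an allow-list rather than used as a fixed rule.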

References

  • Sophos Ransomware 2020 Report
  • Group-IB HighTech Crime Trends Report 2021
  • Synack 2020 Trust Report

About the author: Ozan Ozkara, Nerd For Tech. Cofounder of ArcaneBT, Cyber Security Pro and Thinker, Wing Tsun/Escrima Sihing.