Monday, December 9, 2024

Tech News, analysis, updates, comments, reviews

Ransomware: Now and The Future

This is based on the 2022 Threat Report by Sophos

Ransomware is one of the most potentially damaging and costly types of malware attacks

Ransomware has staked its claim as a major element of the cybercriminal ecosystem. As one of the most potentially damaging and costly types of malware attacks, ransomware remains the kind of attack that keeps most administrators up at night, a Keyser Söze of the internet. As we move into 2022, ransomware shows no sign of slowing down, though its business model has gone through some changes that seem likely to persist and even grow over the coming year.

Ransomware-as-a-service subsumes attacks by solo groups

Over the past 18 months, the Sophos Rapid Response team was called in to investigate and remediate hundreds of cases involving ransomware attacks. Ransomware isn’t new, of course, but there have been significant changes to the ransomware landscape over this period: the targets have shifted to ever-larger organizations, and the business model that dictates the mechanics of how attacks transpire has shifted.

The biggest change Sophos observed is the shift from “vertically oriented” threat actors, who make and then attack organizations using their own bespoke ransomware, to a model in which one group builds the ransomware and then leases the use of that ransomware out to specialists in the kind of virtual breaking and-entering that requires a distinct skill set from that of ransomware creators. This ransomware-as-a-service (or RaaS) model has changed the landscape in ways we couldn’t predict.

Sophos Rapid Response, reason for incident response engagements 2020-2021

While ransomware attack response accounted for most of the incidents the Sophos Rapid Response team was involved in during the past year, it didn’t account for them all. Removal of Cobalt Strike Beacons, cryptominers, and even web shells also prompted extra attention, especially in the days following the revelations of the ProxyLogon, and later ProxyShell, exploits, which resulted in a lot of people quickly becoming familiar with how dangerous a web shell could be

For instance, when the same group crafted and attacked using their own ransomware, those threat actors tended to engage in unique and distinctive attack methods: one group might specialize in exploiting vulnerable internet-facing services like Remote Desktop Protocol (RDP), while another might “buy” access to an organization previously compromised by a different malware group. But under the RaaS model, all these distinctions in the finer details of how an attack takes place have become muddled and make it more difficult for incident responders to identify exactly who is behind an attack.

Expanding extortion

Ransomware is only as good as your backups, or so an adage might go if any existed. The truth of this statement became the basis for one of the most devastating “innovations” pioneered by some threat actor groups involved in ransomware schemes in the past several years: the rise of extortion in ransomware attacks.
Increasingly, large organizations have been getting the message that ransomware attacks were costly but could be thwarted without the need for a ransom payment – if the organization kept good backups of the data the attackers were encrypting and have been acting on it by engaging with large cloud backup firms to keep their systems cloned. After all, if, for instance, you only lost one day’s worth of work, it would be a manageable loss, completely survivable for the targeted organization, if they chose to restore from backups rather than pay the ransom.

Atom Silo, like many ransomware threat groups, engages in extortion with a threat of leaking sensitive information, as well as maliciously encrypting files

We have to presume that the ransomware groups were also getting the message because they weren’t getting paid. They took advantage of the fact that the average “dwell time” (in which they have access to a targeted organization’s network) can be days to weeks and started using that time to discover an organization’s secrets—and move everything of value to a cloud backup service themselves. Then, when the ransomware attack struck, they’d layer on a second threat: pay up or we release your most sensitive internal documents, customer information, source code, patient records, or, well, anything else, to the world.
It’s a devious ploy and one that put ransomware attackers back on their feet. Large organizations not only face a customer backlash – they could fall victim to privacy laws, such as the European GDPR, if they fail to prevent the release of personally identifiable information belonging to clients or customers, not to mention the loss of trade secrets to competitors. Rather than risk the regulatory (or stock price) fallout from such a disclosure, many of the targeted organizations chose to pay (or have their insurance company pay) the ransom. Of course, the attackers could then do whatever they wanted, including selling that sensitive competitive data to others, but the victims found themselves unable to resist.

As 2021 moved to a close, at least one ransomware group published a press release (of sorts) that stated they would no longer work with professional firms that negotiate on behalf of businesses with ransomware attackers. The overt threat leveled against ransomware targets was this: If you speak with or go to the police or work with a ransomware negotiation firm, we will instantly release your information.
There have been some bright spots on the horizon, however. In September 2021, the U.S. Treasury Department enacted financial sanctions against a Russia-based cryptocurrency broker and market, which the government alleges had been widely used as an intermediary for ransom payments between victims and attackers. Small steps such as this may offer a short-term solution, but for most organizations, we remain consistent on our basic advice: it’s far better to avert a ransomware attack by hardening your attack surfaces than to have to deal with the aftermath.
Sophos expects that threats of extortion over the release of data will continue to be a part of the overall threat posed by ransomware well into the future.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Get notified whenever we post something new!

spot_img

Migrate to the cloud

Make yourself future-proof by migrating your infrastructure and services to the cloud. Become resilient, efficient and distributed.

Continue reading

Salesforce Flaw Allows Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications, which could potentially lead to a full account takeover. The flaw was identified during a penetration test and is tied to misconfigurations within Salesforce Communities, specifically within the Salesforce Lightning...

Concerns about the ICT Bill 2024 in Kenya

THis post has been updated after the attention it is gannering. The original post can be found here: https://web.archive.org/web/20240813033032/https://blog.blancorpsolutions.com/kenya/concerns-about-the-ict-bill-2024-in-kenya/ Kenya's tech industry has been a beacon of innovation and growth, thanks in part to a regulatory environment that has allowed...

What are the real intentions of tracking IMEI numbers?

Imagine if you had a magic map that could show you where all your favorite toys were at any time. Sounds pretty? Well, in Kenya, the government wants to do something similar, but with people’s phones. They plan to...

Enjoy exclusive discounts

Use the promo code SDBR002 to get amazing discounts to our software development services.