Ransomware Attacks, Trends and How to Protect Against It
What is ransomware?
Ransomware is the name for a type of malware cybercriminals use to block access to a computer system, files or data, demanding payment in order for the user to regain access. Documents, databases, pictures, videos and source code are all targets for ransomware, with Bitcoin often used as the ransom currency as it is untraceable.
Today, the FBI estimates that 4,000 ransomware attacks are launched every day, and it’s estimated that ransomware revenues in 2020 were around $20 billion.
The first ever ransomware virus, known as the AIDS Trojan or PC Cyborg, was created in 1989. It was made by Joseph L. Popp, a Harvard-trained evolutionary biologist, and targeted the healthcare industry.
Some other well-known examples of ransomware attacks include: CryptoWall, which has generated over $320 million in revenue since 2014; Jigsaw, which gives victims just 24 hours to pay the ransom demands before it starts deleting files; and Cerber, a Ransomware as a Service (RaaS) platform making over $1 million every year just from affiliate sales.
How does ransomware work?
Ransomware works by first gaining access to a victim’s computer. There are various tactics used by cybercriminals in order to gain access, including:
- Phishing scams
- Malicious email attachments
- Social media messages
- Exploiting security holes
- “Drive-by” attacks exploiting browser plugin vulnerabilities
Once the malware has been downloaded and opened, the software encrypts some or all of the user’s files to prevent the user from accessing them. A pop-up or notification will inform the user that their files are locked and demand payment in order to regain access.
What is big game hunting?
Big game hunting in cybersecurity terms is when cybercriminals identify specific organisations as ransomware targets and invest considerable effort in studying them closely, before employing sophisticated methods to gain access to their network and install ransomware on it.
As the name suggests, big game hunters target large profitable corporations, looking to win big in a single attack with a high ransom. Big game hunters might spend months lurking within an organisation’s network waiting for the perfect time to strike before deploying ransomware or encrypting data.
Big game hunters most commonly gain access by exploiting Remote Desktop Protocol (RDP) servers. Hospitals and healthcare organisations often fall victim to big game hunting as they leave RDP accessible to third-party service providers, making it more vulnerable to attack.
Recent ransomware attacks made through big game hunting include Garmin, which was affected by the WastedLocker virus, and Cognizant, which fell victim to a Maze ransomware attack. Both brands reportedly paid out multi-million-dollar ransoms after cybercriminals gained access to their data.
Recent ransomware trends
Ransomware is the most common form of cyber attack, and it’s becoming the go-to method of attack for cyber criminals. According to the Sophos State of Ransomware 2020 whitepaper:
- Almost three quarters of ransomware attacks result in the data being encrypted.
- 51% of organisations were hit by a ransomware attack in the last year.
- 94% of organisations whose data was encrypted got it back.
- 26% got their data back by paying the ransom.
Ransomware attacks rose in popularity as an easy way to make money, but gradually declined when large organisations began taking data security more seriously and it became increasingly difficult to gain access to computer systems. But ransomware attacks are on the rise again, with cybercriminals adopting more sophisticated strategies to target specific industries and companies with limited data security.
Increasingly, public-facing institutions and public utilities are being targeted by ransomware attacks. The healthcare industry is increasingly being targeted, as well as small town governments and councils. These types of organisations are seen as easy targets because they often have outdated hardware and software, and store large amounts of valuable confidential information, which they need access to in order to operate. This means they are more likely to pay the ransom in order to regain access.
Recent ransomware attacks
Some recent ransomware attacks include:
Users of Microsoft Exchange Server have recently been heavily targeted with a ransomware dubbed ‘DearCry’. DearCry is a new ransomware variant deployed through ProxyLogon, a chain of four zero-day vulnerabilities in Microsoft Exchange Server. DearCry has seen a surge in activity, due not only to its effectiveness but also, most likely, because it gives criminal groups a window to deploy the ransomware before organisations apply the patches that protect against it.
REvil is a well-known ransomware family that has been successfully operating as Ransomware-as-a-Service (RaaS) since at least April 2019, targeting organisations around the globe. Nine organisations across Africa, Europe, Mexico and the US have been targeted.
REvil likely conducted an extensive and considered drive-by-download campaign during December 2020, with the goal of infecting business professionals’ devices with the ransomware and exposing their information on underground forums, including files, customer quotes and partial customer lists, among other documents.
In March 2021, computer giant Acer was hit by what is widely reported to be a REvil attack. The attackers announced on their data leak site that they had breached Acer and accessed financial spreadsheets, bank balances and bank communications. The threat actors demanded $50 million – the largest known ransom to date and a prime example of big game hunting.
How to protect against ransomware attacks
If you’re wondering how to defend against ransomware, here are some steps organisations can take to protect the network from ransomware attacks:
- Train employees to identify and avoid threats. This is known as security awareness training.
- Use security software such as Telesoft’s Malware solution.
- Periodically back up your data to secure servers or hard drives so you will never need to consider paying any type of extortion payment should an attacker compromise your infrastructure.
- Segregate the network and use active defence so that threat actors are identified as soon as they touch areas known to be off limits.
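The last step above, identifying an intruder the moment they touch an area that is off limits, can be combined with the way ransomware works (it rewrites files with ciphertext) into a simple tripwire. The following is an added example written for this page, not code from the original article or from Telesoft; the decoy file name, the watched suffixes, the entropy threshold and the sample share built in demo() are all assumptions.

```python
# Added example (not from the original article or Telesoft): a defender-side
# tripwire combining a canary file nobody should touch with an entropy check
# that flags documents whose bytes now look like ciphertext. Names, suffixes
# and the threshold are assumptions; the sample share is constructed in demo().
import hashlib
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = "_canary_do_not_open.docx"  # hypothetical decoy file name
ENTROPY_THRESHOLD = 7.5  # bits per byte; English text sits around 4 to 5
WATCHED_SUFFIXES = (".docx", ".xlsx", ".txt", ".sql")


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(share, canary_hash):
    """Report a modified canary and any watched document that looks encrypted."""
    findings = []
    for name in sorted(os.listdir(share)):
        with open(os.path.join(share, name), "rb") as fh:
            data = fh.read()
        if name == CANARY_NAME:
            if hashlib.sha256(data).hexdigest() != canary_hash:
                findings.append(f"canary modified: {name}")
        elif name.endswith(WATCHED_SUFFIXES):
            ent = shannon_entropy(data)
            if ent > ENTROPY_THRESHOLD:
                findings.append(f"high entropy ({ent:.2f} bits/byte): {name}")
    return findings


def demo():
    """Constructed scenario: clean share, then an encryptor hits one report and the canary."""
    share = tempfile.mkdtemp()
    plain = b"Quarterly figures: revenue up 4% on the prior period.\n" * 40
    for name in (CANARY_NAME, "report.docx", "notes.txt"):
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(plain)
    canary_hash = hashlib.sha256(plain).hexdigest()
    assert scan(share, canary_hash) == []  # nothing flagged before the attack
    with open(os.path.join(share, "report.docx"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)  # uniform bytes stand in for ciphertext
    with open(os.path.join(share, CANARY_NAME), "ab") as fh:
        fh.write(b"!")
    return scan(share, canary_hash)
```

In practice the canary hash would be recorded at deployment time and the scan run on a schedule or from a file-change watcher, with any finding raised as an alert rather than returned as a list.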
The future of ransomware in 2021/2022
Ransomware evolution happens incredibly quickly, so it’s important for organisations to stay aware of the latest ransomware trends and methods of ransomware detection, to prevent and protect against attacks.
In 2021 and into 2022, it’s expected that cybercriminals will continue to expand their targets and develop more sophisticated methods of attack. As artificial intelligence is integrated into more and more business models, AI in ransomware is likely to become more widespread.
It’s likely that healthcare will be targeted more heavily, especially in the wake of the Covid vaccination rollout, as outdated systems and high-value data make it an easy and valuable target for cybercriminals.
The rise of RaaS (ransomware as a service), in which ransomware operators lease their malware to malicious actors who lack the skills to develop their own, is also likely to continue. RaaS is big business, with RaaS operators marketing their ransomware in much the same way legitimate companies do.
The future of ransomware prevention and protection means it’s likely that we will start to see more ransomware response plans built into companies’ cybersecurity strategies, including ransomware insurance. We may also see specific ransomware legislation brought in from governments and law enforcement to deter cybercriminals and provide stronger protection to individuals and organisations who fall victim to attacks.