Ransomware trends in 2020
The FBI has recorded a sharp increase in ransomware reports in 2020. The main causes can be linked to the pandemic, as more organizations are asking employees to telecommute, cloud applications are multiplying, and online shopping has become the norm in order to avoid crowded retail stores. And the most direct link to COVID-19? Fraudulent emails designed to deliver ransomware and other malware, disguised behind messages that resemble updates on the coronavirus.
Ransomware attacks are getting more targeted
Attacks increasingly take the form of phishing and spear phishing, making them more effective and more personalized. One of the primary attack vectors is the Remote Desktop Protocol (RDP), typically used to manage a computer remotely over an Internet connection. Today, cybercriminals use these channels for identity theft, stealing connection credentials, and launching ransom attacks.
What is ransomware?
Ransomware is a kind of malicious software designed to block access to a computer system or specific files on a PC, followed by a ransom demand. Depending on the target, the amount can be anywhere from $100 to millions of dollars.
Most variants of ransomware encrypt the files on the affected device, rendering them unavailable until a payment is made to the attackers. The threat message typically specifies that if the amount demanded is not paid within a specific amount of time, the files will either be permanently deleted, or if they are of an embarrassing nature, published online to the public domain. Theoretically, once the ransom is paid, access to those files is restored.
Ransomware is often a relatively crude piece of code, mostly because a sophisticated program is not required to achieve the desired results. Unlike other forms of conventional malware, it does not need to stay undetected for very long. Because of the relative ease of implementation, combined with the high-profit potential, it attracts both sophisticated actors of cybercrime, as well as novice actors (AKA hackers).
How most systems are being compromised
The main attack vectors, or paths through which hackers gain access to a system, include RDP compromise, compromise of other open communication ports, and phishing.
The volume of RDP compromise cases increased tenfold over June and July of this year. This is due in part to the fact that a large number of organizations now rely on remote maintenance and servicing of their IT systems. That, in turn, has meant that RDP ports have remained exposed to the Internet, which has left them vulnerable.
Historically, between 2018 and 2019, when we talked about ransomware, it was a very clear path to system infection. Here is how it worked:
- Malware would get into the system, via email or open ports.
- It would find its way across file systems, and encrypt data.
- A ransom demand would appear in the form of a modal window displayed to the end user.
However, what we are experiencing now, as we move towards the end of 2020, is a much more sophisticated and stealthier mode of attack. Even with the relatively basic skills required for ransomware attacks, interconnected apps and the cloud model have opened potential new vectors.
As part of a two-stage attack, we see organizations targeted initially with the intention of getting into the system, after which the hackers escalate privileges and alter access-control settings. This is where they can find the organization’s most confidential and critical data. They then copy that data to a remote repository, extracting it from the target systems, and only then follow up with the encryption.
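The two-stage pattern described above (bulk data extraction, then encryption) is something constant monitoring can look for. The following is an added example, not code from the original post: a small Python detector run over constructed log lines; the log format, the thresholds, and the assumption that 10/8 is the internal network are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). ws07 shows
# ordinary user activity; fs01 shows a large external upload followed
# half an hour later by a burst of files renamed to a new extension.
SAMPLE_LOG = [
    "2020-11-02T01:10:00 fs01 NET_OUT dst=203.0.113.9 bytes=3800000000",
    "2020-11-02T01:12:00 ws07 RENAME path=/home/ann/draft.docx.bak",
    "2020-11-02T01:13:00 ws07 NET_OUT dst=10.0.0.5 bytes=5000000",
] + [
    f"2020-11-02T01:41:{i:02d} fs01 RENAME path=/share/hr/doc{i}.xlsx.locked"
    for i in range(25)
]

def parse(line):
    """Turn one log line into (timestamp, host, event, {key: value})."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), host, event, fields

def is_external(ip):
    """Assumption: anything outside 10/8 is treated as off-network."""
    return not ip.startswith("10.")

def detect_two_stage(lines, exfil_bytes=1_000_000_000,
                     burst=20, window=timedelta(hours=1)):
    """Return one (host, exfil_time, rename_count) alert per host where a
    large transfer to an external address is followed, inside `window`,
    by at least `burst` file renames on the same host."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    alerts = []
    for ts, host, event, f in events:
        if event != "NET_OUT" or not is_external(f["dst"]):
            continue
        if int(f["bytes"]) < exfil_bytes:
            continue
        renames = [e for e in events
                   if e[1] == host and e[2] == "RENAME"
                   and ts <= e[0] <= ts + window]
        if len(renames) >= burst:
            alerts.append((host, ts.isoformat(), len(renames)))
    return alerts

if __name__ == "__main__":
    for host, when, n in detect_two_stage(SAMPLE_LOG):
        print(f"ALERT {host}: {n} renames within 1h of bulk upload at {when}")
```

Tuning the window and burst size to a real environment is the practical work; the point is correlating the outbound transfer with the encryption burst rather than alerting on either alone.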
Cloud computing has its shortcomings
As safe as cloud computing can be, it is only safe when properly secured, and improperly secured cloud deployments remain a focus of attackers. With proper security protocols in place, the majority of attacks would be mitigated. Unfortunately, most organizations do not have the training, skills, or procedures in place to keep their systems open enough to end users for proper remote collaboration while remaining sufficiently and consistently secure against malware and ransomware.
How to protect yourself and your organization
The first and most basic piece of advice we give everyone is to implement a reliable backup solution; make sure that the data being backed up includes not only your important files, but also your system configuration settings. Choose a reliable solution, and ensure it is on a completely separate system.
That recommendation is still very relevant, but no longer sufficient on its own, especially when we talk about protecting organizations and helping them avoid paying hefty ransoms.
Not surprisingly, ransom demands and their corresponding payouts have risen dramatically in the last 18 months. All of this leads to yet another headache for targeted organizations: how to be prepared to potentially pay out large sums of cryptocurrency in such a short period of time.
We now recommend constant system monitoring, with preventative measures ready to launch at the first sign of a malware signature.
Cybercrime experts understand this evolving threat landscape, and how cybercriminals and their ransomware tactics are changing over time.
Organizations are subscribing to cyber-threat intelligence communities to access data related to how cybercriminals operate, and the indicators of compromise.
But that also is not enough on its own. You need to take a much more proactive approach, and some organizations are going so far as to deploy hired threat hunters to look for threat actors already inside their networks.
We will continue exploring this topic in the next two blog articles in our ransomware series. We will cover the legal and forensic impact, among others, of a typical ransomware attack.
A random sample of ransomware attacks
- The first ransomware attack occurred in 1991. Named “PC Cyborg,” it was propagated by a biologist via floppy disks to colleagues on an AIDS research project. Since then, a lot has changed, including the use of floppy disks!
- The University of Utah was stung by cybercriminals for almost $500,000 in ransom following a July attack. The attack gave the state’s flagship institution the choice of sacrificing private student and employee data, or paying up and hoping the information was not compromised.
- On June 10, 2017, criminal hackers infected more than 153 Linux servers hosted by South Korean web provider Nayana, shutting down 3,400 websites. Nayana’s chief executive, Hwang Chilghong, revealed that the hackers initially asked for $4.4 million, but the organization negotiated the ransom down to $1 million.
- In May 2017, we saw the first worldwide ransomware cyberattack by the WannaCry ransomware cryptoworm. It targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
We encourage you to read our next ransomware blog article when it becomes available. And in the meantime, we invite you to think about the following question: “Is it always a good idea to pay a ransom?”
Learn more about DigitalTrace, our ransomware solution: Download the brochure
Also, watch a recording of our ransomware webinar, with special guest panelists: Access the webinar on demand