It was the famous English novelist John Galsworthy who said that “The beginnings and endings of all human undertakings are untidy.” Although these seem to be words reflecting general life scenarios, this is very much true for the world of cyber security.
As the cyber security landscape evolves, sophisticated, high-impact global ransomware incidents against organizations, including those that manage critical infrastructure, keep increasing. Even though there was a seasonal reduction in ransomware attacks across December 2021 and January 2022, the number of ransomware attacks continues to rise. Law enforcement operations and the closure of some notorious ransomware groups have not reduced the number of ransomware attacks.
Ransomware Groups Stop Operations! Too Early to Be Happy
To give an example, the AstraLocker ransomware gang announced that it is ceasing operations and will instead resort to cryptojacking. AstraLocker is based on Babuk Locker (Babyk), a ransomware strain that left the market in September 2021 but was still hazardous despite its flaws.
Going back further, the Conti group recently took down their internet-based infrastructure. Leaders at Conti have said that the “brand” will vanish. The Conti ransomware gang (along with their malware) first surfaced in the summer of 2020. As they absorbed additional members and took advantage of new opportunities, Conti gradually changed into a syndicate and became the largest known ransomware operation.
Calling back the “untidy beginnings and endings”, the closure of a number of ransomware groups has not changed the overall situation. Let us dive into the details, because the data shows that the impact of the attacks is as great as it has ever been.
· Ransomware attacks increased by 52.89% compared to January, with the number of incidents rising from 121 in January to 185 in February.
· The most targeted regions were North America (42.16%), Europe (42.16%), and Asia (10.27%).
· The most targeted sectors were industrials (35.68%), consumer cyclicals (21.62%), and technology (8.11%).
This increase represents a marked departure from the seasonal reduction in ransomware activity observed across December and January.
With ongoing advances and enhancements by ransomware operators, ransomware has turned into a nightmare for the whole cybersecurity sector. Keeping pace with attackers is tough: cybersecurity experts find it time-consuming to research each ransomware gang and follow its progress.
Numerous ransomware groups have been monitored for a long time, and a significant amount of study has been done. The activities of Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat are the main subject of that attention. Between March 2021 and March 2022, these groups mostly operated in the United States, Great Britain, and Germany and targeted more than 500 enterprises in the manufacturing, software development, and small business sectors. The analysis reveals several findings.
Similarities Between the Attacks:
Ransomware organizations often target a victim’s business network or computer, deploy malware, wait for it to be discovered, access passwords, delete backups, and then complete their mission. Ransomware organizations essentially provide the data encryption payload; they do not themselves distribute the malware. The senders of the malicious files save time and effort by leveraging automated tools or template-based distribution techniques to acquire access.
· Reusing old and comparable tools makes attackers’ lives simpler and shortens the time it takes to prepare an attack.
· Hacking is made simpler by reusing standard TTPs. Although it is feasible to identify these methods, it is considerably more challenging to do so in a proactive manner across all potential threat vectors.
· Victims are slow to install patches and updates.
Protection Against the Ransomware Attacks:
· Use strong passwords for any remote desktop services (like RDP) and avoid opening them up to the public unless it is essential.
· Install available patches for commercial VPN systems that serve as network entry points and give remote workers access.
· To stop ransomware from exploiting vulnerabilities, keep all software updated on all devices. Also, use email gap analysis tools to test your email security.
· Focus your defense approach on identifying lateral data movement and exfiltration to the Internet and pay close attention to phishing emails and security awareness training.
· Regularly back up your data, and make sure it can be readily restored in an emergency. Also have an incident response procedure for responding to ransomware attacks.
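The recommendation above to focus defense on spotting lateral movement and exfiltration to the Internet is easier to act on with a concrete detector. The following script is an added example written for this post, not code from the original article or from any of the groups or vendors it mentions. It runs two simple sliding-window checks over constructed flow records: an internal host reaching many other internal hosts on remote-administration ports in a short period (lateral movement), and an internal host pushing a large volume of bytes to external addresses (exfiltration). The record format, the internal network ranges, the port list and the thresholds are all assumptions and should be tuned to your environment.

```python
"""Added example: detect two ransomware precursors, lateral movement and
bulk exfiltration, in constructed network flow records.
Not code from the original post; format, ranges and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the organization's internal address space. Tune to your network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: ports used for remote administration and file sharing inside the
# network (SMB, RDP, WinRM, SSH). Tune to your environment.
LATERAL_PORTS = {445, 3389, 5985, 5986, 22}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ISO timestamp> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def detect_lateral_movement(flows, window=timedelta(minutes=10), min_hosts=5):
    """Return {src: distinct_hosts} for internal sources that reach at least
    min_hosts distinct internal hosts on LATERAL_PORTS within any window."""
    by_src = defaultdict(list)
    for f in flows:
        if (is_internal(f.src) and is_internal(f.dst)
                and f.src != f.dst and f.dport in LATERAL_PORTS):
            by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak = 0
        for i, start in enumerate(fl):
            # Distinct destinations reached in the window that opens at this flow.
            hosts = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            alerts[src] = peak
    return alerts


def detect_exfiltration(flows, window=timedelta(hours=1),
                        threshold_bytes=500 * 1024 * 1024):
    """Return {src: peak_bytes} for internal sources whose outbound bytes to
    external addresses exceed threshold_bytes within any sliding window."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        total, peak, j = 0, 0, 0
        for i, f in enumerate(fl):
            total += f.bytes_out
            # Slide the window start forward until it spans at most `window`.
            while fl[i].ts - fl[j].ts > window:
                total -= fl[j].bytes_out
                j += 1
            peak = max(peak, total)
        if peak >= threshold_bytes:
            alerts[src] = peak
    return alerts


def run_detections(lines):
    """Parse records and run both detectors; returns a dict of alert dicts."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return {
        "lateral_movement": detect_lateral_movement(flows),
        "exfiltration": detect_exfiltration(flows),
    }


# Constructed sample records. 203.0.113.0/24 is a documentation range used
# here to stand in for arbitrary Internet addresses.
SAMPLE_FLOWS = """\
2022-02-14T09:00:00 10.0.0.15 10.0.0.21 445 2048
2022-02-14T09:00:30 10.0.0.15 10.0.0.22 445 2048
2022-02-14T09:01:00 10.0.0.15 10.0.0.23 3389 4096
2022-02-14T09:01:20 10.0.0.15 10.0.0.24 445 2048
2022-02-14T09:02:00 10.0.0.15 10.0.0.25 5985 1024
2022-02-14T09:03:00 10.0.0.15 10.0.0.26 445 2048
2022-02-14T09:05:00 10.0.0.40 10.0.0.50 445 2048
2022-02-14T09:06:00 10.0.0.40 10.0.0.51 445 2048
2022-02-14T10:00:00 10.0.0.15 203.0.113.9 443 300000000
2022-02-14T10:20:00 10.0.0.15 203.0.113.9 443 300000000
2022-02-14T10:30:00 10.0.0.77 203.0.113.10 443 5000000
""".splitlines()

if __name__ == "__main__":
    for kind, hits in run_detections(SAMPLE_FLOWS).items():
        for src, value in hits.items():
            print(f"{kind}: {src} ({value})")
```

In the sample data only 10.0.0.15 trips both detectors: it touches six internal hosts on admin ports inside three minutes and then pushes 600 MB to an external address within an hour, while 10.0.0.40 and 10.0.0.77 stay under the thresholds. In production, the same logic would read flow or firewall logs rather than an inline string, and the thresholds would be set from a baseline of normal activity so that backup jobs and software distribution do not page the on-call analyst.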
Learning from the analysis, continued vigilance and adherence to best practices (such as zero trust and managed detection and response capabilities), together with a tested, validated backup and restoration process, solves a big piece of the problem. Backups do not address the fact that a system was compromised, nor do they mitigate the source of that compromise. Operationally, however, they get a resource back up and running more quickly.
In conclusion, the data, together with the practices that most organizations have yet to implement, gives no reason to smile: our cyberspaces remain vulnerable and fragile.
Let’s consider the current state to be a wake-up call to organizations without adequate security postures.