Ransomware has always been there and is always evolving. Nevertheless, massive ransomware attacks have appeared less frequently than in previous years as attackers shift to targeted attacks. Ondrej Kubovic, ESET Security Awareness Specialist, introduces this insight in detail.
Less massive, more targeted
In the past, massive campaigns like WannaCry ended up in people’s mailboxes. Now, such attacks only occur exceptionally. “Our telemetry shows that the number of massively spread email campaigns that distribute ransomware has been decreasing,” explains Kubovic.
There is other positive news as well: more and more ransomware creators and operators are being tracked down and punished. In 2021, Darkside encrypted Colonial Pipeline’s data, triggering the White House administration and US law enforcement agencies to focus more on this issue and increase international cooperation to counter ransomware.
As Ondrej Kubovic elaborates, “International law enforcement agencies have found ways to track cybercriminals and their activities, to infiltrate and often break their infrastructure, and in some cases, even to arrest affiliates and core members of ransomware gangs, thus limiting the number of attacks. In some cases, authorities managed to obtain the encryption keys that allowed the victims to decrypt their data.”
More and more cybercrime gang members are being charged. Valuable information about the operations of such groups has sometimes been leaked, usually either by infiltrators or internal saboteurs, such as in the cases of Conti and Yanluowang. This supports the growing notion that organised digital crime is no longer inviolable. “The leaked data showed that such groups function similarly to normal businesses, having top and middle management, development, testing, and support departments, and even HR departments,” points out Ondrej Kubovic.
How the police hacked the hackers
At the beginning of 2023, the US Department of Justice disrupted the Hive ransomware group. For several months, the police analysed the group’s systems and functioning, and collected decryption keys that were later distributed to around 1300 victims. According to the US Department of Justice’s estimates, damage worth approximately 130 billion dollars was avoided – that’s how much the Hive group demanded from the victims. “Even though all victims can’t be helped, the number of punished perpetrators and the cases of recovering data have been rising,” says Ondrej Kubovic.
Ransomware should not be underestimated. Attackers have switched more to targeted attacks. They choose a victim, for example, a small business, according to the projected economic results – higher profit means the business could be more likely to pay the ransom. “Often, cybercriminals choose an interesting or critical sector. In such areas, it’s crucial to restore business operations as soon as possible if they are disrupted – and in some cases, the quickest solution is to pay what the attacker demands – even though paying up can’t be recommended as there is no guarantee you’ll get your data back,” adds Kubovic.
How do attackers choose their victims?
Cybercriminals watch for new vulnerabilities that are publicly reported, to analyse them. Subsequently, they scan the internet for vulnerable systems and try to identify the companies running them. From this pool, they select targets based on the most interesting mix of probable economic gains and access to potentially valuable or business-critical data. Breaches of the selected networks, along with data stealing, data encryption, and extortion typically follow.
If ransomware gangs compromise small businesses that are part of an interesting supply chain, this can be leveraged to gain access to further businesses and systems. For example, by infesting a web service provider, cybercriminals might be able to get to clients and their websites. “Managed Security Providers (MSPs) are also common targets – they have wide access and permissions in their customers’ systems. If the attacker compromises an MSP, they can go on to compromise dozens, if not hundreds, of its customers at the same time. The bad news is that supply-chain attacks are rising,” says Kubovic.
One attack, 1500 affected companies
In 2021, the enterprise tech firm Kaseya suffered a breach that targeted its remote device management software. The attackers used it to spread ransomware. About 60 of its customers and 1500 downstream businesses were impacted. “It appears that the attackers carried out a supply-chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSP) – and their customers,” said ZDNet. Eventually, Kaseya got the decryption keys from a trusted source, which later turned out to be the FBI, which had infiltrated the systems of the REvil group.
So, what are the key takeaways for your business? Keep in mind that companies with attractive supply chains, such as MSPs, are popular targets of ransomware attacks. Also, since attacks have become more targeted, make sure your software and operating systems are patched as soon as possible, use a multilayered security solution that can detect and block an attack, and train your employees to identify social engineering. Also, don’t forget to back up your data and have a disaster recovery strategy in place. Find out more about how to prevent ransomware attacks and protect your company effectively. Even small steps matter.