How Menacing Are the Latest Trends in Ransomware?

10 minutes reading

by Ondrej Kubovic

Ransomware is one of the most common cyberthreats to small and medium-sized businesses. Despite the fact that you are already aware of the damage that ransomware can cause, the cybercriminals behind such attacks show persistent effort to discover any weakness in your defences. Attacks against databases, web servers and smartphones are on the rise.

What answers will you find in this article?
  • How much ransomware can cost your company
  • How ransomware techniques have evolved over the time
  • The common damages caused by ransomware attacks
  • What an IT admin can do to prevent ransomware

Even if you have already improved your data protection, your company may need to employ other security measures to tackle new ransomware variants that are trying to reach you every day. One in five SMBs fell victim to a ransomware attack in 2019, and new types of attacks also occurred during the COVID-19 crisis. According to the Cybersecurity Ventures report on global ransomware damage costs, ransomware attacks targeted businesses every 11 seconds in 2020

Even if you manage to protect your devices against these attacks, you can still lose the fight to other vectors, such as unpatched vulnerabilities that can be exploited by malware. A poorly secured Remote Desktop Protocol (RDP), too many online services open at the same time, unpatched operating systems, or outdated versions of security solutions – all of these are risk factors that need to be addressed as soon as possible.

Companies often use outdated security solutions, which might be missing some of the crucial protective layers necessary to fend off ransomware gangs.

To be sure that you have done all that you can, you have to choose a solution that is powerful under the hood and protects you with multiple layers. Also, effective IT security solutions call for investments. If you still haven’t managed to convince your board to raise your IT security budget, here are a few reasons to take ransomware more seriously. Feel free to share them with your superiors.

The cost of ransomware is increasing

In the news, we see examples of ransomware attacks almost daily. These attacks often lack ethics and compassion. This was particularly evident in the cases of hospitals that were paralysed by ransomware attacks for weeks during the coronavirus pandemic. 

Over the last couple of years, the cost of the damage resulting from ransomware has increased dramatically. In 2017, the WannaCry ransomware was able to infect more than 200,000 machines across the globe. Another huge outbreak was conducted only weeks later by the TeleBots group, which unleashed their ransomware-like data wiper called NotPetya. That incident started in Ukraine and hit major banks, utilities and telecommunications services, but also spilled over into global corporations’ networks, irretrievably destroying data. In this case, even paying the ransom did not help, due to a flaw in the decryption mechanism. To this day, NotPetya is described as the most devastating cyberattack in history, causing over $10 billion worth of damages.

The most widespread form of ransomware – cryptoransomware – encrypts user files stored on disk and network shares. It's worth noting that no company is too small for this type of cyberattack. A survey of more than 500 C-level executives from SMBs, conducted by Infrascale, found that 46% of respondents had already been hit by ransomware attacks. Among those, 73% admitted they paid the ransom in order to recover their data.

To put it simply, ransomware causes great damage to economies and businesses. Another story – the case of the Baltimore administration, which has been hit by ransomware – ended in the victim paying $10 million for data recovery and an additional $8 million in lost revenue. 

Municipalities, universities, airports and hospitals are often hit by ransomware because they are easy to target and often run vulnerable and misconfigured systems. The requested payments in such cases are often in the hundreds of thousands or even millions of pounds.

Furthermore, there is a gray zone of companies that do not report a ransomware attack, trying to avoid impending penalties by authorities and potential damage to their reputation. On top of that, they are often unwilling to admit that they had faulty security. Unfortunately for such companies, the ransomware gangs often publish the names of their victims and even leak their data via dark web sites. This forces most of the companies to acknowledge the incident and negotiate with the attackers. With ransomware, as with any other malware, prevention is the best defence – and also one of the main requirements of the authorities. 

Attackers are becoming more and more aggressive

How have attackers’ methods changed in the last few years? Well, cybercriminals have implemented quite a few innovations. 

Before ransomware started targeting organisations, hackers were using spam emails as its main distribution channel, hitting inboxes in massive campaigns. If victims were compromised, they were usually asked to a pay few hundred dollars to see their data decrypted – which sometimes didn’t happen. 

However, such a 'business model' didn’t bring much payoff and the attackers had to alter their strategy. Today, these highly organised gangs are mostly targeting misconfigured services and their victims’ remote access. Criminals also started to negotiate individual ransoms, whereby each company is asked to pay a different price. To increase the effectiveness of their distribution, these gangs also began using botnets, which present a better delivery method for their nasty packages. 

Ransom notes have changed too. Formerly, it was a short message with some general information, instructing you to pay £300 to a bitcoin wallet. Now the attackers leave simple text files on your computer, which lead you to their landing page or email address, where you have to negotiate the price for decryption. To keep their operators anonymous, most of these landing pages are only available on the dark web. 

Another big trend appeared in November 2019, when ransomware gang Maze began doxing its victims instead of only encrypting their data. Doxing is a technique in which criminals steal sensitive information and threaten to publish it. This provides the attackers with leverage, as the possible fines under data protection legislation such as GDPR can be enormous, not to mention the reputational harm or possible leak of know-how.

Unsurprisingly, since this technique has proven so effective, many other ransomware gangs followed suit and are using it today.

Ransomware Trends That Shaped the Cybersecurity Landscape in 2020

Unsurprisingly, open ports – in particular, the remote desktop protocol (RDP) – were a key vector for ransomware attacks. Hackers have been actively performing brute-force attacks on RDP, but they have also used other vulnerabilities in different solutions – Pulse Secure or Citrix VPNs – to breach corporate networks.

Ransomware attacks have become more demanding. In addition to encrypting and stealing your data, attackers now might also launch a DDoS attack against your website, increasing the pressure to pay.

Ransomware gangs won’t let organisations hide the breach to save their reputation. On the contrary – to make the shame as public as possible, the names of the victims appear on a dark web leak site and, if they refuse to cooperate, so does the stolen data.

To increase the pressure, some of the ransomware groups print-bomb their victims. This means that the attackers force all available printers in the company’s network to print the ransom request.

Since August 2020, ransomware gangs have been cold-calling victims who try to avoid the payment. These calls are mostly performed via contracted call centres. Some cybersecurity firms believe that ransomware gangs are likely using the same outsourced call centre group.

The losses caused by ransomware might destroy your company

The price of ransomware does not end with paying the ransom. Additional costs emerge as the affected company experiences a loss of business productivity or business-threatening downtime. The resulting disruption and financial losses can be debilitating for your company. 

Once ransomware strikes, it can be very difficult to rebuild your IT systems and recover your brand’s good name. You might spend thousands of pounds and hundreds of long hours of remediation work and still not completely recover from the losses. All your projects are on hold until you are able to secure your systems and reaccess the files you need. 

A new trend making ransomware incidents even more dangerous is the combination of data encryption with data exfiltration. Not only do the attackers encrypt and thereby deny access to, for example, prototypes or your company’s patents or research, but they can also exfiltrate and sell that information on dark web marketplaces. What's more, as well as from having your data compromised, your organisation may be fined for failing to protect its employees’ and customers’ sensitive data. 

As for the scale of this nasty “business”: In an interview for a Russian OSINT tech blog, Sodinokibi ransomware developers claimed that they made over $100 million in one year. The operators of the Ryuk ransomware have earned even more. It is estimated that with companies all over the world following instructions and paying the ransom, the Ryuk gang received around $150 million in bitcoins.

What can you do as an IT admin to prevent ransomware?

Don’t wait for a ransom note to show up on your screen. Instead, protect your RDP with a strong password and multifactor authentication.

Back up your data and operating systems on a regular basis, and keep at least one full backup of your most valuable data offline.

Keep all software and apps – including operating systems – up to dateUse a reliable, multilayered security solution that is patched and properly configured for the best protection against ransomware.

To reduce the attack probability number to as close to zero as possible, add another defensive layer – a cloud-based sandboxing solution. The sandbox technology detonates suspicious files in a controlled environment, outside of your network.

Last but not least, train your employees to know and understand the cyberthreats they might encounter.