(The following is a guest post written by Natalie Page, threat intelligence analyst at Talion.)
The vast majority of modern businesses rely heavily on optimized computer networks utilizing shared drives and remote connections. The threat that ransomware poses to this network configuration is second to none.
2020 was tough. The world found itself in unfamiliar territory. We faced the challenges of remote working, and while we did so, ransomware found a gateway to thrive. Organizations worldwide found themselves under a new level of pressure, in a year in which ransomware attacks not only grew drastically in number, but broke records for their reckless and damaging methods.
We observed gangs stepping up their intimidation techniques, with companies being threatened over the phone if they refused to pay the ransom. The notorious Maze operators established the first ever large-scale ransomware cartel. Operators of Ryuk reached a staggering $150 million in bitcoin ransom payments from their attacks. Ransomware-as-a-service (RaaS) expanded its offerings, with never-before-seen products dedicated to phishing and espionage operations. And if that does not panic you enough, the world witnessed the first death and homicide case opened after a ransomware attack on a German hospital shut down lifesaving equipment.
The health care sector, already facing a colossal strain from the fight against COVID-19, became a leading target for attackers. Some thieves made the ethical choice and promised not to shut down emergency services, while others made no such pledge, notably the operators of Ryuk. Reports from the health care sector showed that half of the attacks launched against it in 2020 were linked to ransomware, which unfortunately in most instances could easily have been avoided if patching had been prioritized.
Weaknesses identified in the higher education infrastructure – due largely to its move to remote learning – saw the sector face more attacks than ever before, with state actors desperate to retrieve any information they could related to COVID-19 and the production of a vaccine. The National Cyber Security Centre (NCSC) issued a warning for higher education in the U.K. to be put on high alert, specifically against ransomware attacks. While sectors such as technology, which have traditionally been on the receiving end of a large portion of these attacks, continued to be targeted, previously unaffected sectors saw a huge surge in ransomware attacks, reiterating the unselective and boundless nature this tooling now carries when infecting organizations.
Of what we did witness in 2020: Ryuk, Sodinokibi and – prior to its retirement – Maze together accounted for the top 35% of attacks. Regarding infiltration methods, researchers found that nearly half (47%) of attacks seen last year took advantage of employees working from home and utilized remote desktop protocol (RDP). Further, 26% of instances were traced back to phishing emails, while 17% made use of known vulnerabilities, and the remaining 10% were attributed to account takeovers. Half of these attacks adopted an approach we have only recently seen become extremely popular: exfiltrating and publicizing stolen data regardless of whether a ransom was paid. Operators were still able to make large profits via hacker forums and other parties interested in the sensitive information compromised.
One of the major takeaways from 2020 is that the COVID-19 pandemic created an environment in which ransomware operators could dominate the cyber landscape. As we move into 2021, we can begin to see a light at the end of the tunnel for the pandemic, but it is extremely sensible to assume that we still have a long way to go before we move from the ‘new normal’ back to the ‘normal,’ which raises the question: what does this mean for ransomware in 2021? Many will argue that 2020 has only been a trailer for what will unfold in 2021.
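The two infiltration methods that dominate the figures above, RDP abuse against remote workers and account takeover, leave a very recognizable trace on a Windows host: a burst of failed logons of the RDP type from one source address. The following is an added example, not code from the original post or from Talion, of the kind of detection a SOC can run over such logs. It assumes a simplified one-line-per-event export of the Windows Security log (Event ID 4625 is a failed logon; Logon Type 10 is RemoteInteractive, the type RDP sessions use); the log format, the sample lines, the threshold and the window length are all constructed for the example.

```python
"""Flag bursts of failed RDP logons in Windows Security log lines.

Added example: Event ID 4625 is a failed logon and LogonType 10
(RemoteInteractive) is the logon type used by RDP sessions. The code
parses a constructed, simplified one-line-per-event export and raises
an alert when one source address accumulates more than MAX_FAILURES
failed RDP logons inside a sliding window of WINDOW_SECONDS.
"""
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES = 5        # failures tolerated per source inside the window (assumed)
WINDOW_SECONDS = 120    # sliding window length in seconds (assumed)

# Constructed sample lines (not from any real system). One event per line:
# <ISO timestamp> EventID=<id> LogonType=<type> User=<name> Src=<ip>
SAMPLE_LOG = """\
2021-01-12T08:00:01 EventID=4624 LogonType=10 User=alice Src=203.0.113.8
2021-01-12T08:00:05 EventID=4625 LogonType=10 User=admin Src=198.51.100.23
2021-01-12T08:00:09 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23
2021-01-12T08:00:14 EventID=4625 LogonType=10 User=bob Src=198.51.100.23
2021-01-12T08:00:20 EventID=4625 LogonType=3 User=svc_backup Src=192.0.2.77
2021-01-12T08:00:25 EventID=4625 LogonType=10 User=helpdesk Src=198.51.100.23
2021-01-12T08:00:31 EventID=4625 LogonType=10 User=finance Src=198.51.100.23
2021-01-12T08:00:38 EventID=4625 LogonType=10 User=guest Src=198.51.100.23
2021-01-12T08:01:02 EventID=4625 LogonType=10 User=carol Src=203.0.113.8
2021-01-12T08:12:00 EventID=4625 LogonType=10 User=carol Src=203.0.113.8
"""


def parse_line(line):
    """Turn one constructed log line into a dict of its key=value fields."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def failed_rdp_logons(lines):
    """Yield only the events that are failed logons of the RDP (type 10) kind."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_line(line)
        if event.get("EventID") == "4625" and event.get("LogonType") == "10":
            yield event


def detect_bursts(lines, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {source_ip: (time_of_first_alert, sorted distinct usernames tried)}.

    A source is reported once, at the moment its count of failed RDP logons
    inside the sliding window first exceeds max_failures. The username list
    covers every failure seen from that source so far, which makes password
    spraying (many accounts, few guesses each) visible in the alert itself.
    """
    recent = defaultdict(deque)   # source ip -> timestamps still inside the window
    users_tried = defaultdict(set)
    alerts = {}
    for event in failed_rdp_logons(lines):
        src, ts = event["Src"], event["ts"]
        window_q = recent[src]
        window_q.append(ts)
        users_tried[src].add(event["User"])
        # Drop timestamps that have aged out of the window.
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) > max_failures and src not in alerts:
            alerts[src] = (ts, sorted(users_tried[src]))
    return alerts


if __name__ == "__main__":
    for src, (when, users) in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {when.isoformat()} failed RDP logon burst from {src}; "
              f"accounts tried: {', '.join(users)}")
```

Run against the constructed sample, the script reports a single source, 198.51.100.23, whose six failures in 33 seconds against six different accounts cross the threshold at 08:00:38; the two spaced-out failures from 203.0.113.8 and the non-RDP failure from 192.0.2.77 are ignored. In a real estate this logic would sit on the SIEM side fed by forwarded Security logs, and the threshold and window would be tuned to the environment's normal failed-logon rate.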
In 2020, roughly 30% of Talion’s threat bulletins involved ransomware. These bulletins alerted our clients to new strains, but also to developments in the attack techniques, tactics and procedures of existing strains. This reporting enabled the Talion SOC to set up internal defenses for our clients, while also providing the steps our clients needed to take themselves to defend their estate against these catastrophic and often bankrupting attacks.
So, what can you do about it?
Here are my top tips to avoid being the victim of a ransomware attack:
1) Prioritize Remote Working Security
Organizations can begin with some very simple steps, such as using strong passwords and two-factor authentication across your network. Also ensure that your organization is running the latest versions of its operating systems and software by making sure patches are applied promptly.
2) Educate Users
Implement regular training that teaches employees how to recognize social engineering techniques, and expose your users to planned phishing email tests.
3) Prioritize Patching
As mentioned above, patching improves remote working security and reduces the potential for attackers to use known exploits to infiltrate your systems.
4) Update Passwords Regularly
To prevent attackers from taking over an employee account to access your network, require users to update their passwords on your systems regularly, and highlight to your employees the importance of not reusing or duplicating personal passwords on your systems.
5) Keep a Close Eye on the Bad Guys
Finally, keep up to date with the latest techniques, tactics and procedures being used by attackers. At Talion, we monitor threats and alert our clients as they emerge, advocating effective, timely procedures to defend their estate.