Ransomware is an ever-evolving type of malware that has been around for more than three decades. First appearing in the late 1980s and growing in popularity and complexity in the early 2010s, ransomware has risen to an unprecedented level, with multi-million dollar ransom demands in attacks against companies like Colonial Pipeline, JBS Foods and other critical infrastructure providers.
Ransomware purveyors exploit security weaknesses and hold the data of governments, businesses, and healthcare organizations hostage, sometimes demanding ever-increasing ransom payouts. Ransomware operations, or RansomOps, are also increasing in their sophistication, further blurring the lines between state-sponsored and cybercriminal activities.
These complex, low-and-slow attacks, which seek to infiltrate as much of the targeted network as possible before detonating the ransomware payload, mean that the task of successfully defending against a RansomOps attack has never been more challenging, and the stakes for organizations are high.
Ransomware by the Numbers
Our recent report, Ransomware: The True Cost to Business Study 2022, revealed that 73% of organizations suffered at least one ransomware attack in 2022, compared with just 55% in the 2021 study. Furthermore, the study found that 80% of organizations that paid a ransom demand were hit by ransomware a second time, with 68% saying the second attack came less than a month later and that the threat actors demanded a higher ransom amount.
The study also revealed that nearly one-third (31%) of businesses were forced to temporarily or permanently suspend operations following a ransomware attack, that nearly 40% of organizations laid off staff as a result of the attack, and that 35% of companies suffered C-level resignations following a ransomware attack.
According to the Harvard Business Review, ransoms paid to attackers increased by 300% in 2020, as the sudden spike in remote working, combined with weak home security protections, gave ransomware operators the additional pathways to infection they needed.
In 2021, we saw many significant attacks on firms and corporations across the country and around the world. Just six ransomware groups were responsible for breaching the cybersecurity defenses of nearly 300 organizations, raking in tens of millions of dollars for their efforts.
Healthcare Under Siege from Ransomware
With the start of the COVID-19 crisis in 2020, many hackers took advantage of the unrest and turmoil and attacked the healthcare sector. One study found that ransomware attacks had a substantial financial impact on the healthcare industry, with over $20 billion in lost revenue, lawsuits, and ransom paid in 2020 alone.
Over 600 clinics, hospitals, and other healthcare organizations were affected by 92 ransomware attacks. Marlene Allison, director of information security at Johnson & Johnson said the company experiences 15.5 billion cybersecurity events every day.
Of all the cyberattacks and ransomware incidents in 2021, the Colonial Pipeline breach in late April was the most publicized. The DarkSide gang was behind the attack, which targeted the company's billing system and internal business network; the resulting pipeline shutdown caused widespread gasoline shortages in several states.
Colonial eventually gave in to the attackers and paid the group $4.4 million in bitcoin to avoid further disruption. Fortunately, the FBI was able to track and recover a large part of the ransom payment by monitoring the movement of cryptocurrencies and digital wallets.
In March 2021, computer maker Acer was attacked by the prolific REvil ransomware group, the same group responsible for an attack on London-based foreign exchange firm Travelex. The $50 million ransom demand was noted as the largest known to date. REvil reportedly used a vulnerability in Microsoft Exchange to access Acer files and leaked images of spreadsheets and confidential financial documents.
While the spring of 2021 brought encouraging news about the end of the pandemic, the growing trend of cyberattacks since 2020 has shown no signs of slowing down. Another high-profile ransomware attack took place at the end of May at JBS Foods, one of the world's largest meat processors; the attack is believed to be the work of REvil, the same Russia-linked group that attacked Acer (CNN).
Insurer CNA Financial was attacked on March 21, and the hacker group encrypted 15,000 devices, including many computers of employees working remotely. The attack was reportedly linked to the Evil Corp hacker group and used a new type of malware called Phoenix CryptoLocker.
REvil, the same hacker group that attacked Acer, Quanta, and JBS Foods, returned to the headlines in July with an attack on Kaseya. Although not a household name among consumers, Kaseya makes the remote monitoring and management software that managed service providers use to administer their customers' IT infrastructure. Similar to the Colonial Pipeline and JBS Foods attacks, this hack had the massive potential to disrupt key sectors of the economy.
According to Kaseya, about 50 of its direct customers and nearly 1,000 downstream businesses were affected. The hacker group demanded $70 million in bitcoin. To illustrate the impact of the cyberattack, Coop, a Swedish supermarket chain, was forced to close 800 stores for an entire week because its checkout systems were knocked out.
Defending Against Ransomware Attacks
The only way forward for organizations is to prevent an infection from occurring in the first place. To do that, they need to invest in an anti-ransomware solution that does not rely solely on Indicators of Compromise (IOCs), as not every ransomware attack chain is known to the security community.
They need a multi-layered platform that leverages Indicators of Behavior (IOBs) so that security teams can detect and shut down a ransomware attack chain regardless of whether anyone has seen it before. IOBs detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.
Always keep a backup copy of, and a recovery plan for, all critical information. This ensures that you can wipe affected systems and restore from the backup whenever your data is compromised by ransomware. Remember that ransomware can also encrypt network-attached backups; critical backups should be kept offline or otherwise isolated from the network for optimal protection.
But don't depend on data backups alone to protect your organization. Ransomware operators have also implemented double extortion schemes, in which they first exfiltrate sensitive information from the target before launching the encryption routine. The threat actor then makes the additional demand that victims pay up in order to prevent the attackers from publishing their data online.
NextGen Antivirus and Firewalls
Deploy NGAV anti-malware software and a firewall to ensure maximum security. Keep your antivirus software up to date and check all programs downloaded from the Internet before running them. NGAV can provide effective protection against the most common strains of ransomware in the wild.
Least Privilege Policy
Limit access to sensitive information on a need-to-know basis and limit users' permissions to install and run unwanted software applications. Restricting these privileges can prevent malware from executing or limit its ability to spread across the network.
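As an added example (not from this post or from Cybereason), the following PowerShell function enforces the second half of that advice on a Windows workstation by removing every member of the local Administrators group that is not on an approved list, while never touching the built-in Administrator account. The group names in $Approved are placeholders; the function relies on the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and Server 2016 and later, and must run elevated.

```powershell
# Added example, not Cybereason code. Group names below are placeholders.
# Requires Microsoft.PowerShell.LocalAccounts (built into Windows 10 / Server 2016+); run elevated.
function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Principals allowed to stay in the local Administrators group (placeholder names)
        [string[]]$Approved = @('CORP\Domain Admins', 'CORP\Workstation-Admins')
    )
    # Never remove the built-in Administrator (RID 500); it is the local recovery account.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $keep = $Approved + ("$env:COMPUTERNAME\" + $builtin.Name)

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        if ($keep -contains $member.Name) { continue }
        # ShouldProcess honours -WhatIf, so the first run can be a dry run.
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
            Write-Verbose "Removed $($member.Name) ($($member.ObjectClass))"
        }
    }
}

# Dry run: list what would be removed without changing anything
Remove-UnapprovedLocalAdmins -WhatIf
# Enforce once the list looks right:
# Remove-UnapprovedLocalAdmins -Verbose
```

Stripping admin rights stops users from installing software system-wide, but it does not stop a user-mode payload dropped into a profile directory from running; pair it with application control (AppLocker or WDAC) that blocks execution from user-writable paths.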
Report Suspicious Activity to Your Security Team
Be aware of any suspicious activity and report it immediately to your local security and support team. Early warnings give teams the ability to react quickly, isolate affected hosts, and slow the spread of malware, limiting the damage.
By following these simple steps, you protect your systems and files and avoid becoming another successful-attack statistic for cybercriminals.
Lock Down Critical Accounts for Weekend and Holiday Periods
Teams should create highly secured, emergency-only accounts in Active Directory that are used only when other operational accounts are temporarily disabled as a precaution or are inaccessible during a ransomware attack, and take similar precautions with VPN access. For more information on weekend and holiday ransomware threats, refer to our other 2021 study, Organizations at Risk: Ransomware Attackers Don't Take Holidays.
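The following PowerShell sketch, added here as an example and not taken from the study or from Cybereason tooling, shows one way to implement that advice with the ActiveDirectory module: a break-glass account that stays disabled until needed, a pair of functions to disable and re-enable the day-to-day admin accounts around a weekend, and a query that surfaces any use of the emergency account. The OU, account and domain controller names are placeholders.

```powershell
# Added example, not Cybereason code. Account, OU and DC names are placeholders.
# Requires the RSAT ActiveDirectory module and rights to manage Tier 0 accounts.
Import-Module ActiveDirectory

$BreakGlass        = 'bg-emergency01'                 # emergency-only account
$OperationalAdmins = @('adm-alice', 'adm-bob')        # day-to-day admin accounts
$Tier0OU           = 'OU=Tier0,DC=corp,DC=example'
$DomainController  = 'dc01.corp.example'

# 1. Provision the break-glass account once: disabled by default, password never expires
#    (so it still works after a long weekend), with a description that makes its purpose obvious.
function New-BreakGlassAccount {
    if (Get-ADUser -Filter "SamAccountName -eq '$BreakGlass'") { return }
    $pw = Read-Host -AsSecureString 'Break-glass password (store offline, e.g. in a sealed envelope)'
    New-ADUser -Name $BreakGlass -SamAccountName $BreakGlass -Path $Tier0OU `
        -AccountPassword $pw -Enabled $false -PasswordNeverExpires $true `
        -Description 'EMERGENCY ONLY - enabling or logging on with this account must page the SOC'
    Add-ADGroupMember -Identity 'Domain Admins' -Members $BreakGlass
}

# 2. Friday evening / before a holiday: disable the operational admin accounts so that
#    stolen credentials for them are useless until staff return. Run Unlock-* on Monday.
function Lock-WeekendAdmins   { foreach ($u in $OperationalAdmins) { Disable-ADAccount -Identity $u } }
function Unlock-WeekendAdmins { foreach ($u in $OperationalAdmins) { Enable-ADAccount  -Identity $u } }

# 3. Detection: the emergency account should never appear in the Security log unless a
#    declared incident is under way. Event 4722 = account enabled, 4624 = successful logon.
function Get-BreakGlassActivity {
    param([int]$Hours = 72)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4722, 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "\b$([regex]::Escape($BreakGlass))\b" } |
      Select-Object TimeCreated, Id, MachineName
}

# Typical weekend routine:
# New-BreakGlassAccount          # once
# Lock-WeekendAdmins             # Friday evening
# Get-BreakGlassActivity         # from a scheduled task; alert on any rows returned
# Unlock-WeekendAdmins           # Monday morning
```

The break-glass credential is kept offline rather than in a password vault that the attackers may also have encrypted, and the account deliberately does not depend on MFA or other infrastructure that may be down during the incident; monitoring every use of it is the compensating control. The same pattern applies to a dedicated emergency VPN or jump-host account.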
Ultimately, your multi-layered approach should allow you to analyze ALL data in real time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables, so that you truly have a proactive anti-ransomware strategy in place.
Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.