November 12, 2020//Tony HowlettLast Updated: January 15, 2021
Winter is coming and ransomware is well underway with a brutal second wave. And while some may call this just a natural evolution, there is no doubt that attacks are picking up steam and shifting to a far more aggressive and brutal mode. With the confirmed death of a patient in a hospital in Duesseldorf attributed to a ransomware attack, we can now add “deadly” to the list of dangers to this virulent form of cyberattack.
In this article, we will go over the attributes of this new wave of ransomware and how you can protect your organization from these newer, more vicious attacks.
For one thing, ransomware is becoming the most popular type of cyberattack, with it making up 30% of attacks of the incidents that the IBM X-Force team responded to in September 2020. The hackers are also focusing on schools and universities to take advantage of the switch to most relying on online options because of the COVID-19 pandemic.
We’ve also seen the size of these attacks increase, with threat actors starting to employ “shock and awe” mass attacks in an attempt to overwhelm organizational and government resources. We saw this in the 22 Texas cities mass ransomware attacks in 2019 and most recently in the UHS hospital network attack that affected more than 400 hospitals nationwide. The bottom line is that if networks are connected in almost any way, hackers can take advantage of those links to spread and expand their attack.
Along with attacking at a larger scale, this new wave of ransomware attacks features a higher level of sophistication than previous ones. Firs, they are waiting longer, achieving great “hang” time in a victim’s network, to gather more credentials, find more data caches and to exploit more connected networks. The average time hackers are inside a network before springing their trap has risen to an average of about seven months. They are also starting to skip negotiating with the victim entities and going straight to the cyber insurance provider since they know who will actually be paying the ransom. They now offer discounts and even customer service to process ransom payments and answer questions, like regular businesses.
On the attack method side, they are often perpetrating dual-pronged attacks, both locking up systems and threatening to release data that has been exfiltrated. This puts double the pressure on organizations to cave and pay the ransom, as they would be facing the implications of a massive data breach even if they manage to recover systems.
This is the scariest part of ransomware 2.0. Hackers have been messing with critical systems for a while, but now they seem to be going for the jugular. The above mentioned UHS attack started in the emergency room IT systems. Emergency room operations are the most time-sensitive systems in a hospital, in which minutes matter. Having systems go down could mean doctors and nurses are momentarily unable to read vitals, administer medications or get other important data in treating a patient in critical condition.
Even though no one actually died in that attack (hopefully that is the case), certainly patient care was impacted. And this will only continue as the criminals find more and more devious ways to inflict pain to extract their extortion payments. Expect this terrible trend to diversity with attacks on other critical infrastructure, such as power plants and dams. Imagine power going out citywide during a blizzard. The hackers are getting more and more “kinetic”—in other words, going for real-world effects to generate real-world payments.
As the storm is rising, companies are scrambling to put in place new protections and improve on existing ones. But with budgets and staff strained during this unprecedented time, what areas should be focused on?
Given that almost all ransomware infections start with a phishing attack or similar delivery of the malware payload, focusing on better user education can be highly effective in fending off these attacks. Enhanced security awareness for your staff can be the best bang for the security buck. Adding seminars on the latest ploys in phishing as well as phish test simulations and other tests will make sure your people are your front line of defense.
Another way to get an early indication of possible ransomware in your system is by tracking backups closer. Anomalies or issues with them might indicate that hackers are trying to corrupt your backups. Some backup companies are even starting to offer features that look for this kind of activity. And doing regular live recovery exercises will also uncover any issues with your backups, ransomware or otherwise, before you actually need them.
Finally, increased monitoring and vigilance is one of the best weapons you can use to avoid becoming a victim in this new wave. Most companies don’t review their logs until there is some incident—at which point, it’s probably too late. Having regular review cycles and also setting up alarms and notifications when certain thresholds are reached in the logs are good ways to keep your eye on the ball and catch an incident before it becomes a breach.
There are many more methods to strengthen your ransomware defenses, mostly wrapped up in following best practices for information security. And certainly, as hackers continue to evolve and advance their attacks, new ones will be needed. Hopefully, as 2020 closes and a new year starts, we can start to turn the tide against ransomware, in all of its forms.