Today’s Ransomware: 4 Things you Should Know
Recently, operations in the largest and busiest port in Japan were heavily disrupted due to a ransomware attack. For more than two days, the Port of Nagoya, which accounts for about 10% of Japan’s total trade value, was unable to move containers. The culprit, later identified as the notorious LockBit, managed to lock up the computer system that handled shipping containers. This attack underscores the growing threat of ransomware against critical infrastructure and business operations in general.
Here are 4 things you should know about today’s ransomware:
1. Ransomware-as-a-Service is turning every cybercrook and criminal into a ransomware operator
A big reason why ransomware attacks have been surging in the past few years is the emergence of Ransomware-as-a-Service (RaaS), a cybercrime business model that borrows the same principles of the Software-as-a-Service (SaaS) model. LockBit, for instance, is offered under the RaaS model.
In this model, ransomware creators develop the ransomware, build and manage all supporting infrastructure, and then offer the system as a service. Anyone who wishes to be a ransomware operator may purchase the service through either a one-time fee or a monthly/annual subscription.
Almost everything that you see in typical SaaS offerings are also included in RaaS offerings, and more. A typical RaaS “service” may include:
- The ransomware software that locks up files through encryption and then displays a message demanding ransom
- Command-and-control (C2) servers that receive data and send commands from/to deployed ransomware
- Payment systems for receiving ransom payments
- Tracking systems that allow you to keep track of current infections
- A tech support portal where you can request assistance
Some RaaS providers even offer additional services like victim assessment, penetration testing, ransom negotiation, etc.
In other words, any cybercrook who’s willing to pay the fee won’t have to worry about any heavy lifting. The RaaS provider will take care of all that.
With the barrier to entry into ransomware attacks substantially lowered, combined with other developments discussed in later sections of this post, it’s not surprising for criminals to be attracted by this type of cyber attack.
I say ‘criminals’ and not ‘cybercriminals’ because, indeed, RaaS can turn organized crime syndicates with no cyber skills into cybercriminals.
2. Organizations with critical systems and infrastructure are in grave danger
Critical systems and infrastructure are now under threat of ransomware, posing grave danger to the organizations that rely on them. These systems, such as those in healthcare, manufacturing, energy, transportation, and emergency services, are essential to key processes in society. If these systems are infected with ransomware, the ensuing downtime can have serious—even life threatening—implications.
The sensitivity of these systems to downtime make them particularly attractive targets for threat actors seeking to extort large sums of money. The impact of a ransomware attack on critical systems can be severe and infectious, often affecting other organizations linked to the main target. A ransomware outbreak can disrupt vital services, cause operational stoppage, endanger public safety, and potentially result in significant financial loss.
Threat actors recognize the high stakes involved and exploit the susceptibility of organizations to extortion. Organizations operating critical systems often face immense pressure to restore services quickly, as any delay can have far-reaching consequences. This urgency leaves them more vulnerable to extortion attempts, as the potential costs of prolonged downtime may outweigh the perceived risks and costs associated with paying the ransom.
3. Decoys and Double Extortions – Threat Actors are Getting Creative
Threat actors are continuously evolving their tactics to launch more sophisticated cyber attacks and to maximize revenue from a single attack. For instance, they’re now increasingly using ransomware as decoys and carrying out double extortions.
Ransomware as decoys
In this new tactic, ransomware is deployed as a distraction to mask the true intentions of the attackers and their broader objectives. By diverting the attention of incident responders on the ransomware incident, threat actors can carry out other malicious activities unnoticed.
For instance, while organizations are grappling with containing and eliminating a ransomware infection, threat actors may exploit the chaos to exfiltrate sensitive data, install additional malware, perform lateral movement, or conduct reconnaissance for future attacks. This multifaceted approach allows attackers to maximize the impact of their operations and extract greater value from compromised networks.
By using ransomware as a decoy, threat actors can take advantage of its disruptive nature and the stigma surrounding ransomware attacks. Threat actors can leverage it as a smokescreen to obscure their true intentions and extend their dwell time within targeted environments. This evolving trend underscores the need for organizations to be more perceptive and alert in the midst of a ransomware attack.
Double extortions in ransomware attacks
Some ransomware operations not only encrypt victims’ data but also exfiltrate sensitive information before deploying the encryption. This dual approach provides attackers with multiple leverage points to extract ransom payments.
By exfiltrating valuable data in a ransomware attack, threat actors hold organizations hostage in two ways:
- through the potential loss or exposure of sensitive information, and
- by encrypting the remaining data.
These combined tactics further intensify the pressure on victims to pay ransom, as they would now face the risk of data breaches and the associated consequences, such as regulatory penalties, reputation damage, or legal complications.
Double extortion attacks have proven highly lucrative for threat actors, as organizations become more inclined to pay the ransom to prevent the release of sensitive data. This approach also adds a layer of complexity for victims. They not only need to recover encrypted data, but also address the financial and reputation repercussions of a potential data breach.
Defending against double extortion ransomware attacks requires a multi-faceted cybersecurity strategy, including robust backup solutions, applied threat intelligence (ATI), network segmentation, employee training, and advanced threat detection capabilities.
4. Even SMBs are at risk
Ransomware attacks have significant impacts on small and medium-sized businesses (SMBs) with critical systems. Despite having less valuable assets than large enterprises, SMBs are increasingly targeted by threat actors due to their vulnerabilities.
The financial constraints faced by many SMBs make it challenging to invest in robust cybersecurity solutions, leaving them more exposed to attacks. Furthermore, the lack of technical expertise and cybersecurity personnel within SMBs hinders their ability to improve their security posture.
Threat actors specifically target SMBs because they perceive them as easier targets with weaker defenses compared to larger enterprises. Smaller organizations offer quick wins for attackers, as cyber attacks are more likely to encounter less resistance there.
Moreover, some SMBs have business relationships with larger enterprises, providing threat actors with a pathway to target the larger organization through a supply chain attack. Exploiting the weaker security of an SMB can serve as an entry point into the systems of their larger business associates.
The impacts of ransomware attacks on SMBs can be devastating. Operations can be disrupted, leading to financial losses, reputational damage, and potential closure. Since many SMBs lack the ability to quickly recover from an attack, impacted customers may lose trust and seek business elsewhere.
Recommended read: Level Up Your Cybersecurity: 5 Tips for SMBs
How to beat Ransomware
Despite the seemingly sophisticated nature of ransomware, there are ways to defeat it. Here are some of the things you can do.
Detect and act on ransomware early in the cyber kill chain
It’s almost impossible to defeat ransomware that’s already on the brink of or, worse, in the process of encrypting your files and systems. Some ransomware variants can carry out that part of the attack in just a few minutes. LockBit, for example, can encrypt 100,000 files in less than 6 minutes.
As such, detecting and responding to a ransomware attack early in the cyber kill chain is of utmost importance. It will mitigate the potential damage and minimize the impact on an organization. Early detection can also significantly reduce the dwell time of the attack.
By identifying the initial stages of the attack, such as phishing emails, malicious links, or suspicious network activity, organizations have a better chance of preventing the ransomware from spreading throughout their systems.
Early response allows organizations to isolate affected systems, halt the encryption process, and prevent further compromise of critical data. It also provides an opportunity to initiate incident response procedures, notify stakeholders, and engage the appropriate cybersecurity professionals for containment, investigation, and remediation.
More importantly, timely detection and response can limit financial losses, prevent data exfiltration, maintain business continuity, and protect the organization’s reputation.
Look for solutions that are immune to decoys and distractions
Ransomware attacks employed as diversions become even more effective when organizations have to sift through the noise caused by tools that generate alerts. Alerts generated by ransomware that are actually just used as decoys can divert attention and resources away from more sinister malicious activities happening within your network
While security teams are preoccupied with addressing the ransomware incident, threat actors can take advantage of the chaos to carry out stealthy actions like data exfiltration, lateral movement, or deploying additional malware.
Moreover, as the volume of alerts grows, security staff can become overwhelmed and ultimately succumb to alert fatigue. This can cause stress, discontentment, and the desire to seek opportunities elsewhere.
Recommended read: The Hidden Costs of False Positive Security Alerts
It’s important to look for security solutions that don’t have to alert security staff. Look for solutions that leverage artificial intelligence (AI) and machine learning (ML) to tackle threats on their own. This will allow your security staff to focus more on strategic initiatives.
How Intrusion helps
Intrusion’s innovative approach to cybersecurity offers a robust solution to combat ransomware. Leveraging artificial intelligence and machine learning, Intrusion’s solutions can detect and neutralize threats automatically, reducing the need for alerts that can only worsen staff fatigue. Intrusion operates by learning your network’s patterns, enabling it to detect anomalous behaviors indicative of a potential attack early in the cyber kill chain. This way, Intrusion prevents ransomware from reaching the encryption process, mitigating potential damage.
Not only does Intrusion provide real-time threat detection, but it also autonomously responds to detected threats. With your security team relieved of a big part of threat detection and incident response, it can focus on more strategic initiatives. Intrusion’s advanced approach to incident response makes it less susceptible to malware distractions and decoys. It can maintain relentless vigilance against other malicious activities within your network even when faced by a highly sophisticated attack.
Moreover, Intrusion’s solutions are scalable, making them suitable for organizations of all sizes, whether large enterprises or SMBs.
Intrusion is not just a tool but also a strategic partner in your organization’s battle against ransomware. Our solutions can help you avoid operation-impacting downtime, protect your reputation, and limit financial losses.
Would you like to take the next step in your cybersecurity strategy? Our team is eager to assist you and ensure your organization is well-equipped against ransomware threats. Let’s talk.