Combating Ransomware: 3 Growing Trends That Security Teams Must Watch – TechSpective

For organizations around the world, ransomware continues to be a growing problem, with many well-known companies and institutions falling victim. Within the last year, the Medusa ransomware group breached Minneapolis Public Schools and leaked personally identifiable information (PII), including children's medical records. Earlier, the 2021 DarkSide ransomware attack on Colonial Pipeline showed how exposed critical infrastructure is. Amid the rising risk of ransomware and data theft, U.S. agencies created the Joint Ransomware Task Force in 2022 and recently held a summit at the White House to unveil additional cybersecurity funding for K-12 educational institutions.

Unfortunately, there is no immediate end in sight. WatchGuard's Internet Security Report for Q4 2022 found that endpoint ransomware detections rose 627% in that quarter. Attacks came in various forms, including IcedID infections, phishing campaigns, data exfiltration, pseudo-ransomware, and more.

As ransomware attacks continue to evolve, it's clear that security teams have more work to do. Vigilance is key: teams must track the strategies and tactics of ransomware operations to defend their organizations effectively. Below, we walk through three emerging ransomware trends that every security team should monitor, with tips on how to respond to each.

Ransomware attacks appear to be growing both more frequent and more lucrative. Chainalysis, a blockchain-analysis firm, has observed ransomware extortion payments rising in both count and size. Tracking inflows to cryptocurrency wallets owned by ransomware groups, Chainalysis found payments from victims ranging from thousands of dollars to millions, and at least $449.1 million extorted in the first half of 2023, roughly $175 million more than in the same period of 2022.

These figures undercount the real totals. Some of the wallets ransomware operators use are unknown, and tracing funds on the public ledger becomes significantly harder when operators route them through cryptocurrency mixers. Known victim counts likewise cover only incidents that were reported or posted to leak sites. The total paid in the period is therefore likely higher than $449.1 million, and the number of victims is likely higher as well.

Another recent trend is the rise of attacks on VMware ESXi, the hypervisor many organizations use to run their virtual machines. Many active ransomware groups now ship an ESXi encryptor alongside their Windows payload, which lets them encrypt whole fleets of VMs at the datastore level rather than one endpoint at a time: a single compromised host takes down every workload it runs. Groups using this tactic include Abyss, Akira, Black Basta, LockBit, RansomExx, and Royal. The trend illustrates how modern ransomware groups adapt to the platforms their targets actually run. It is also one reason groups increasingly write their tooling in Rust and Go: both cross-compile easily from one codebase to Linux targets such as ESXi, and their binaries tend to slip past signatures tuned to years of Windows-centric C/C++ samples.

Attacks on ESXi made headlines in February 2023 when the automated ESXiArgs campaign compromised thousands of internet-exposed hosts worldwide within a few days. The affected servers were unpatched; the campaign is believed to have exploited an OpenSLP vulnerability (CVE-2021-21974) that VMware had fixed two years earlier. The lesson is the plain one: keep hypervisors patched, disable services you do not need (SLP on ESXi, for example), and never expose a hypervisor's management interface to the internet. Those steps remove the conditions an automated campaign depends on.
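Patching and exposure reduction prevent the ESXiArgs-style mass compromise, but the hands-on ESXi encryptors used by the groups above typically land on a host through stolen credentials and then behave in a recognisable way: they stop every running VM (so the disk files are no longer locked) and then overwrite or rename the VM files on the datastore. The following detector is an added illustration, not code from TechSpective or from any of the groups or products named above. It runs two rules over constructed lines modelled on ESXi's `/var/log/shell.log`: a burst of `esxcli vm process kill` / `vim-cmd vmsvc/power.off` commands within one shell session, and shell commands that touch VM files (`.vmdk`, `.vmx`, `.vmsd`, `.nvram`, `.vmem`) using tools normal management rarely uses from the shell. The log format is simplified and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed lines in the style of ESXi's /var/log/shell.log (simplified; the real file
# carries more fields). They model a burst of forced VM kills followed by an unknown
# binary and a rename touching VM files, then unrelated admin activity later.
SAMPLE_SHELL_LOG = """\
2023-02-03T10:14:55Z shell[2100001]: [root]: vim-cmd vmsvc/getallvms
2023-02-03T10:14:57Z shell[2100001]: [root]: esxcli vm process list
2023-02-03T10:15:01Z shell[2100001]: [root]: esxcli vm process kill --type=force --world-id=2100123
2023-02-03T10:15:02Z shell[2100001]: [root]: esxcli vm process kill --type=force --world-id=2100456
2023-02-03T10:15:02Z shell[2100001]: [root]: esxcli vm process kill --type=force --world-id=2100789
2023-02-03T10:15:03Z shell[2100001]: [root]: esxcli vm process kill --type=force --world-id=2100999
2023-02-03T10:15:10Z shell[2100001]: [root]: /tmp/encrypt /vmfs/volumes/datastore1/web01/web01-flat.vmdk
2023-02-03T10:15:11Z shell[2100001]: [root]: mv /vmfs/volumes/datastore1/web01/web01.vmx /vmfs/volumes/datastore1/web01/web01.vmx.args
2023-02-03T11:02:40Z shell[2100002]: [admin]: esxcli vm process kill --type=soft --world-id=2100321
2023-02-03T11:05:12Z shell[2100002]: [admin]: esxcli system version get
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# Commands that stop VMs; encryptors run these so the VM files are no longer locked.
KILL_RE = re.compile(r"esxcli vm process kill|vim-cmd vmsvc/power\.off")
# Files that make up a VM on a datastore.
VM_FILE_RE = re.compile(r"\S+\.(?:vmdk|vmx|vmsd|nvram|vmem)\b")
# Ways of touching those files that normal ESXi management rarely uses from the shell
# (renames, ad-hoc crypto, permission changes, binaries run from /tmp or the CWD).
TAMPER_RE = re.compile(r"^(?:mv|openssl|chmod|/tmp/\S+|\./\S+)\b")


def parse_shell_log(text):
    """Yield (timestamp, session pid, user, command) tuples, skipping unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["pid"], m["user"], m["cmd"]


def detect(text, burst_threshold=3, window=timedelta(seconds=120)):
    """Return findings for (a) a burst of VM kills within one shell session and
    (b) shell commands that tamper with VM files. Thresholds are assumed defaults."""
    findings = []
    kills = defaultdict(list)   # session pid -> kill timestamps inside the sliding window
    burst_reported = set()      # report each session's burst once, not on every extra kill
    for ts, pid, user, cmd in parse_shell_log(text):
        if KILL_RE.search(cmd):
            kills[pid] = [t for t in kills[pid] if ts - t <= window] + [ts]
            if len(kills[pid]) >= burst_threshold and pid not in burst_reported:
                burst_reported.add(pid)
                findings.append({"rule": "vm_kill_burst", "session": pid, "user": user,
                                 "time": ts.isoformat(),
                                 "detail": f"{len(kills[pid])} VM kills within {window}"})
        if VM_FILE_RE.search(cmd) and TAMPER_RE.match(cmd):
            findings.append({"rule": "vm_file_tamper", "session": pid, "user": user,
                             "time": ts.isoformat(), "detail": cmd})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_SHELL_LOG):
        print(finding)
```

On the sample, the root session trips the burst rule on its third kill and both file-touching commands trip the tamper rule, while the lone soft kill by `admin` an hour later does not. In practice you would ship `shell.log` (and `hostd.log`, which records VM power operations made through the API rather than the shell) to a SIEM and run equivalent rules there; the point is that a hypervisor encryptor cannot avoid the stop-then-overwrite sequence, so it is a reliable thing to alert on.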

Ransomware operators can employ various blackmail and extortion tactics to coerce victims into paying. Recently, there's been an increase in cases of data theft without file encryption. Instead of deploying an encryptor on a victim's machines, operators exfiltrate data and threaten to publish it, keeping the leak-site pressure of the double-extortion playbook while skipping the encryption half. Presumably some groups don't want the operational cost and noise of an encryptor and know that sensitive PII is bargaining chip enough on its own. This matters for defenders: backups restore availability after encryption but do nothing once data has already left the network. Countering extortion-only attacks means limiting what an intruder can reach (least privilege and segmentation), watching for large or unusual outbound transfers so theft is caught while it is happening, and having an incident response plan that already covers disclosure and notification.
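Because exfiltration has to move data out, outbound volume is the signal that survives even when no encryptor ever runs. The detector below is an added example written for this article, not code from TechSpective or from any product; the flow records, the per-host hourly baselines and the known-destination list are all constructed (private RFC 1918 sources, documentation-range destinations), and the ratio and floor thresholds are assumptions to tune against your own history. It groups outbound bytes by host and hour, flags buckets far above that host's baseline, and attaches context an analyst wants first: whether the destination has never been seen before and whether the transfer happened off-hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed outbound flow records in a simple key=value form (not a real vendor format).
# Sources are private RFC 1918 hosts; destinations use documentation ranges (TEST-NET).
SAMPLE_FLOWS = """\
ts=2023-06-01T14:05:00Z src=10.20.30.41 dst=198.51.100.10 dport=443 bytes_out=1200000
ts=2023-06-01T14:20:00Z src=10.20.30.41 dst=198.51.100.10 dport=443 bytes_out=900000
ts=2023-06-01T14:31:00Z src=10.20.30.77 dst=198.51.100.20 dport=443 bytes_out=4000000
ts=2023-06-02T02:10:00Z src=10.20.30.77 dst=203.0.113.55 dport=443 bytes_out=850000000
ts=2023-06-02T02:25:00Z src=10.20.30.77 dst=203.0.113.55 dport=443 bytes_out=910000000
ts=2023-06-02T02:40:00Z src=10.20.30.77 dst=203.0.113.55 dport=22 bytes_out=640000000
ts=2023-06-02T09:00:00Z src=10.20.30.41 dst=198.51.100.10 dport=443 bytes_out=2500000
"""

# Constructed per-host baseline: typical outbound bytes per hour, as you would derive from
# a few weeks of history, plus the destinations those hosts normally talk to.
HOURLY_BASELINE = {"10.20.30.41": 3_000_000, "10.20.30.77": 5_000_000}
KNOWN_DESTINATIONS = {"198.51.100.10", "198.51.100.20"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flows(text):
    """Turn key=value lines into dicts with a parsed UTC timestamp and integer byte count."""
    records = []
    for line in text.splitlines():
        kv = dict(KV_RE.findall(line))
        if not {"ts", "src", "dst", "bytes_out"} <= kv.keys():
            continue  # skip malformed or truncated records rather than crash
        kv["ts"] = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        kv["bytes_out"] = int(kv["bytes_out"])
        records.append(kv)
    return records


def detect_exfil(text, baseline=HOURLY_BASELINE, known_dsts=KNOWN_DESTINATIONS,
                 ratio=20, floor=100_000_000, default_baseline=1_000_000):
    """Flag (host, hour) buckets whose outbound volume is far above the host's baseline.
    Volume is the trigger; new destinations and off-hours timing are added as context.
    ratio, floor and default_baseline are assumed defaults. Returns findings, oldest first."""
    buckets = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for r in parse_flows(text):
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(r["src"], hour)]["bytes"] += r["bytes_out"]
        buckets[(r["src"], hour)]["dsts"].add(r["dst"])

    findings = []
    for (src, hour), agg in sorted(buckets.items(), key=lambda item: item[0][1]):
        # Hosts with no baseline get a conservative default; the floor stops tiny
        # baselines from producing alerts on ordinary traffic.
        threshold = max(baseline.get(src, default_baseline) * ratio, floor)
        if agg["bytes"] <= threshold:
            continue
        reasons = ["volume"]
        new_dsts = agg["dsts"] - known_dsts
        if new_dsts:
            reasons.append("new_destination")
        if hour.hour < 6 or hour.hour >= 22:
            reasons.append("off_hours")
        findings.append({"src": src, "hour": hour.isoformat(), "bytes_out": agg["bytes"],
                         "threshold": threshold, "new_destinations": sorted(new_dsts),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_exfil(SAMPLE_FLOWS):
        print(finding)
```

On the sample, host 10.20.30.77 pushes 2.4 GB to a never-before-seen address at 02:00, hundreds of times its hourly norm, and is the only bucket flagged; its daytime 4 MB to a known SaaS destination is not. Real deployments feed this from NetFlow, firewall or proxy logs and replace the static baseline with a rolling per-host statistic, but the structure, volume against baseline plus destination novelty plus timing, is what separates a backup job from an intruder staging a leak.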

Some notorious examples of data-theft extortion come from the CL0P ransomware group. In early 2023, CL0P exploited a zero-day vulnerability in Fortra's GoAnywhere MFT file-transfer software (CVE-2023-0669). Researchers found that after exploiting it, the group exfiltrated data from dozens of companies that used the product and then extorted them on its leak site. Whether the group used an encryptor at all is unknown. CL0P later exploited a zero-day in Progress Software's MOVEit Transfer (CVE-2023-34362), another managed file transfer product. Because MOVEit is trusted by major organizations and governments, hundreds of them were exposed, and the count continues to grow. The common thread is that an internet-facing file-transfer service holds exactly the data an extortionist wants, so it deserves the patching priority and monitoring normally reserved for identity infrastructure.

Security teams looking to combat ransomware should focus on strengthening their network perimeters, their endpoints, and their incident response plans. They should also run regular social engineering training, since more than 90% of malware attempts begin with a social engineering attack.

Bolstering the perimeter and adopting zero-trust network access are vital steps. A ransomware attack can also be stopped by a well-trained employee who reports the phish, or by behavior-based endpoint protection that detects abnormal activity such as mass file modification. If those initial layers fail, an effective incident response plan keeps the attack from becoming too damaging. Combining these layers in a defense-in-depth approach delivers more effective security. Other preemptive steps organizations should take to protect against ransomware include:

Also, the Ransomware Task Force convened by the Institute for Security and Technology offers a detailed Blueprint for Ransomware Defense, which provides scores of actionable safeguards that security professionals can apply. They cover knowing your environment, secure configuration, account and access management, vulnerability management planning, malware defense, security awareness and skills training, and data recovery and incident response.

Ultimately, ransomware is malware with an extortion step bolted on: the intrusion that precedes it looks like any other unauthorized access to your network, so the tried-and-true practices apply. It's important to protect the network perimeter, monitor endpoints for anomalous behavior, back up systems regularly (and test restoring them), and keep everything up to date. If your organization focuses on stopping malware and breaches in general, resilience to ransomware follows.

To stay ahead of ransomware, security teams must focus on the tactics, techniques, and procedures (TTPs) that threat actors use on the way to deploying it. A defense-in-depth strategy keeps most malware from touching the network; for the attack that gets through, teams need detection and response in place to neutralize it as early as possible. Although ransomware threats continue to grow in complexity, a multi-layered approach remains the best defense and the surest way to keep out the bad guys.
