Ransomware

What is ransomware?

As its name suggests, ransomware is a type of malware that blocks a user’s access to an asset until a ransom is paid. The asset can be as small as a single file, or the ransomware could completely encrypt and block access to a user’s entire system. Ransomware attacks often encrypt a large volume of highly sensitive files, giving organizations strong motivations to pay the ransom and avoid further damage.

According to the ENISA Threat Landscape 2023 report, ransomware was the top reported threat between 2022 and 2023, accounting for more than 30 percent of all incidents globally. The report finds that ransomware attacks targeted businesses across every major sector, with manufacturing, health, public administration, and services among the most affected. While most of the reported attacks were financially motivated, some occurred for geopolitical or ideological reasons, or to facilitate espionage.

While ransomware attacks affect intended victims across the world, ENISA reports that nearly half of all recorded ransomware attacks are concentrated in the US.

The Internet Crime Complaint Center (IC3), which is headquartered in the US and conducts a global analysis of cyberattacks, found that ransomware attacks in 2022 affected businesses of all sizes and industries.

Losses reported to the IC3 in 2022 amounted to $34.3 million (USD). During this period, the IC3 observed an increase in extortion to get victims to pay, such as threatening to leak sensitive data or exfiltrating data before encrypting it (rendering reliable backup systems obsolete). The most targeted industries included healthcare and public health, critical manufacturing, government facilities, and information technology.

ENISA’s and IC3’s findings are consistent with those from other institutions. In the Cost of a Data Breach Report 2023, IBM found that ransomware attacks accounted for 24% of all malicious attacks. It also found that the average cost of a ransomware attack totaled $5.13 million (USD) in 2023, a 13% increase year-over-year (YoY). Ransomware attacks cost $470,000 (USD) more for organizations that didn’t involve law enforcement in resolving the incident. Those organizations also paid roughly 10 percent higher ransoms and took 33 days longer to identify and contain the ransomware breach (306 days on average).

The costs of a ransomware attack go far beyond paying the ransom to hackers. The costliest aspects of being a ransomware victim include downtime, data loss, compliance issues, customer churn, bad publicity, and legal consequences.

The emergence of ransomware-as-a-service (RaaS) has increased the relevance of ransomware attacks. Through a subscription model, hackers receive a kit with everything they need to launch an attack, including ransomware code and a decryption key. RaaS means low-skilled hackers can present significant threats to an organization’s cybersecurity.

Ransomware attacks frequently surface in the news as hackers attempt to exploit vulnerable institutions. While numerous ransomware variants exist, several high-profile variants, listed below, are notorious for the devastation they have inflicted on their victims.

LockBit

In recent years, LockBit has emerged as a dominant ransomware threat. Between 2022 and 2023, it accounted for nearly half of all incidents (46.78%) reported to ENISA. According to the Cybersecurity & Infrastructure Security Agency (CISA), LockBit was the most common ransomware variant used in attacks globally in 2022 and continues to be frequently used in 2023. 

LockBit affects organizations of all sizes and across sectors. The ransomware variant functions according to a RaaS model, where hackers use the ransomware and infrastructure supplied by RaaS operators to carry out individual attacks. Since many of the threat actors using LockBit are disconnected from one another, their tactics, techniques, and procedures (TTPs) vary significantly.

BlackCat (ALPHV)

BlackCat, also known as “ALPHV” and “Noberus,” has become one of the most prolific cybergangs since it first emerged in November 2021. A RaaS threat, it was the second most common recorded ransomware variant between 2022 and 2023, according to ENISA. BlackCat affects businesses of all sizes and across industries. It uses ransomware code written in Rust, a programming language that offers enhanced evasion capabilities, security, and flexibility. The ransomware group also uses the triple extortion tactic: sensitive data is exfiltrated prior to encryption (double extortion), and threat actors threaten to carry out a distributed denial-of-service (DDoS) attack if their ransom demands aren’t met (triple extortion).

BianLian

Another ransomware group, BianLian, has been targeting critical infrastructure sectors since as early as June 2022. According to ENISA, it was the third most active ransomware group between 2022 and 2023, accounting for approximately 14% of reported incidents. CISA reports that BianLian steals or uses Remote Desktop Protocol (RDP) credentials to gain initial access, uses open-source tools for lateral movement and credential harvesting, and exfiltrates sensitive data. BianLian then threatens to leak the data if its demands aren’t met. ENISA’s analysis finds that BianLian primarily targeted healthcare organizations during the 2022-2023 reporting period.

CL0P

CL0P is a Russia-linked ransomware gang also known as TA505. First emerging in early 2019, the RaaS operator is believed to be the largest phishing and malspam operator globally, according to CISA. CL0P is estimated to have compromised more than 3,000 organizations based in the US and 8,000 organizations worldwide. Most recently, the group seized global attention by exploiting the SQL injection vulnerability in MOVEit Transfer, a managed file transfer solution. CL0P exfiltrates data from victims’ systems and demands payment to prevent it from leaking the data. According to ENISA, the ransomware gang was the fourth most active between 2022 and 2023, accounting for nearly 13% of reported incidents.

Royal

The ransomware group Royal has targeted more than 350 identified victims worldwide since September 2022, with ransom demands surpassing $275 million (USD). Royal most commonly gains access via phishing emails, accounting for more than two-thirds of all reported incidents. Once hackers gain access, they move laterally and focus on exfiltrating data and extorting victims. If the group’s ransom demands aren’t met, it publishes the sensitive data on a leak site. Royal was the fifth most active ransomware group between 2022 and 2023, accounting for nearly 10% of all reported incidents.

How does ransomware work? 

Sophisticated malware can adapt its behavior according to the environment it detects, allowing it to lie dormant, change its code, and even morph into new structures.

Common delivery methods for ransomware include:

  • Phishing emails. Emails that impersonate a well-known brand and trick the recipient into clicking a malicious link or downloading a malware-infected attachment.
  • RDP brute force attacks. Hackers use programs to try to guess the password of a remote desktop protocol (RDP) account to gain unauthorized access.
  • Server vulnerabilities. Attackers exploit vulnerabilities or weaknesses in server environments to deploy threats, gain unauthorized access, and more.
  • Exploit kits. A malicious suite of tools, exploit kits find and exploit vulnerabilities in applications or systems.
  • Compromised accounts. Accounts that attackers have direct access to via leaked or stolen credentials, or other means.
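Of the delivery methods above, RDP brute force is the one that shows up most directly in authentication logs. The Python script below is an added example, not code from Vade or from this page: it parses constructed failed-logon records modelled on Windows Security event 4625 with logon type 10 (RemoteInteractive, i.e. RDP) and raises an alert when a single source address accumulates a threshold of failures inside a sliding time window. The record layout, the threshold of five failures in five minutes, and the IP addresses are all assumptions made for the example.

```python
"""Sliding-window detection of RDP brute-force attempts.

Added example (not Vade's code). The records below are constructed to
resemble summaries of Windows Security event 4625 (failed logon) and
4624 (successful logon); logon type 10 is RemoteInteractive, i.e. RDP.
Field layout, threshold and window size are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: <timestamp> <event id> <logon type> <account> <source ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 4625 10 Administrator 203.0.113.45
2024-03-01T09:00:03Z 4625 10 admin 203.0.113.45
2024-03-01T09:00:04Z 4625 10 root 203.0.113.45
2024-03-01T09:00:06Z 4625 10 backup 203.0.113.45
2024-03-01T09:00:09Z 4625 10 jsmith 198.51.100.7
2024-03-01T09:00:08Z 4625 10 administrator 203.0.113.45
2024-03-01T09:05:30Z 4624 10 jsmith 198.51.100.7
2024-03-01T09:00:12Z 4625 10 guest 203.0.113.45
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),   # normalise case so spray counting is exact
            "src": src,
        })
    # Events may arrive out of order; the sliding window needs time order.
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that reaches `threshold` failed RDP
    logons within any `window`-long interval. The alert also reports how
    many distinct accounts were tried, which separates password spraying
    from repeated attempts against a single account."""
    recent = defaultdict(deque)   # src -> deque of (time, account) still inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["event_id"] != FAILED_LOGON or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[e["src"]]
        q.append((e["time"], e["account"]))
        # Drop failures that have fallen out of the window.
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({
                "src": e["src"],
                "failures": len(q),
                "distinct_accounts": len({acct for _, acct in q}),
                "first_seen": q[0][0].isoformat(),
                "last_seen": e["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT rdp-bruteforce src={alert['src']} failures={alert['failures']} "
              f"accounts={alert['distinct_accounts']} "
              f"{alert['first_seen']}..{alert['last_seen']}")
```

On the sample data the script alerts once, for 203.0.113.45, after its fifth failure at 09:00:08 across four distinct account names; the single failure from 198.51.100.7 followed by a successful logon stays below threshold. In a real deployment the same logic would consume events from a SIEM or the Windows event log rather than an embedded string, and the threshold would be tuned to the environment's normal failure rate.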

While ransomware attacks can take a variety of forms, email remains the primary method for distributing the threat. That’s why most email security solutions offer some form of protection against ransomware attacks.

Technologies like secure email gateways (SEGs) use reputation-based scanning and fingerprinting to detect malicious emails. In response, hackers have developed sophisticated filter-bypassing techniques to evade detection, including:

  • Code obfuscation. Manipulating code in files and macros to either render the code incomprehensible or conceal the true purpose of the code.
  • Excess “noise.” Adding non-essential and otherwise useless code to files and macros, altering the “fingerprint” of a known threat and confusing a filter. Excess noise can include millions of bytes of useless data designed to exhaust a sandbox.
  • Environmental awareness. Creating anti-analysis capabilities that initiate an environmental scan before execution. Environmentally aware malware is designed to execute only in certain environments, detecting sandboxes and remaining dormant for the duration of the analysis.
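The "excess noise" technique and the fingerprinting remark above can be shown concretely. The Python script below is an added example, not Vade's code or anything from this page: it constructs a small script-like sample, shows that appending filler bytes (a run of zero bytes, or random bytes) changes its SHA-256 fingerprint so that a reputation lookup no longer matches, and then applies two checks that survive the padding: a padding/entropy measure and a scan for content indicators of the kind behavioural analysis relies on. The sample, the indicator list and the thresholds are assumptions, and the "millions of bytes" of filler the text mentions is scaled down to 200 KB so the example runs quickly.

```python
"""Byte-level fingerprints versus padded copies of the same attachment.

Added example (not Vade's code). The "macro" text below is a constructed
sample containing two indicators commonly flagged by macro analysers
(an auto-run entry point and a shell object); the padding sizes, the
indicator list and the thresholds are assumptions for this example.
"""
import hashlib
import math
import random
import re

# Constructed sample of a script-like attachment that a filter has already
# fingerprinted. No command payload is included; only the indicators matter here.
KNOWN_BAD = (
    b"Sub AutoOpen()\n"
    b"  Set sh = CreateObject(\"WScript.Shell\")\n"
    b"End Sub\n"
)

# Indicators a behavioural (content) analysis looks for, independent of the hash.
INDICATORS = re.compile(r"AutoOpen|Document_Open|CreateObject|WScript\.Shell")


def fingerprint(data: bytes) -> str:
    """Reputation-style exact fingerprint: any appended byte changes it."""
    return hashlib.sha256(data).hexdigest()


def pad_with_zeros(data: bytes, n: int) -> bytes:
    return data + b"\x00" * n


def pad_with_random(data: bytes, n: int, seed: int = 7) -> bytes:
    rng = random.Random(seed)   # seeded so the example is reproducible
    return data + bytes(rng.getrandbits(8) for _ in range(n))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repeated filler, near 8 for random filler."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def trailing_padding_ratio(data: bytes) -> float:
    """Fraction of the file that is a trailing run of one repeated byte."""
    if not data:
        return 0.0
    last, i = data[-1], len(data)
    while i > 0 and data[i - 1] == last:
        i -= 1
    return (len(data) - i) / len(data)


def analyze(data: bytes, known_hashes: set) -> dict:
    """Combine an exact-hash lookup with two noise checks and an indicator scan."""
    text = data.decode("latin-1")        # lossless byte->str view for the regex
    hits = sorted(set(INDICATORS.findall(text)))
    result = {
        "fingerprint_match": fingerprint(data) in known_hashes,
        "padding_ratio": trailing_padding_ratio(data),
        "entropy": shannon_entropy(data),
        "behavioral_hits": hits,
    }
    reasons = []
    if result["fingerprint_match"]:
        reasons.append("known-fingerprint")
    if hits:
        reasons.append("behavioral-indicators")
    # A text-like attachment should be neither mostly one byte nor near-random.
    if result["padding_ratio"] > 0.5 or result["entropy"] > 7.5:
        reasons.append("excess-padding")
    result["verdict"] = "; ".join(reasons) if reasons else "clean"
    return result


if __name__ == "__main__":
    known = {fingerprint(KNOWN_BAD)}
    for name, sample in [
        ("original", KNOWN_BAD),
        ("zero-padded", pad_with_zeros(KNOWN_BAD, 200_000)),
        ("random-padded", pad_with_random(KNOWN_BAD, 200_000)),
    ]:
        r = analyze(sample, known)
        print(f"{name:14} match={r['fingerprint_match']!s:5} pad={r['padding_ratio']:.3f} "
              f"entropy={r['entropy']:.2f} hits={r['behavioral_hits']} -> {r['verdict']}")
```

Only the unpadded original matches the stored fingerprint. Zero padding is caught by the repeated-byte ratio, and random padding defeats that check but pushes the entropy to almost 8 bits per byte, which is itself anomalous for a text-like attachment; in both cases the indicator scan still fires because the meaningful content is unchanged. That is the gap between reputation-based matching and content or behaviour analysis that the rest of this page discusses.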

How to protect your organization against ransomware

Protecting against a ransomware attack requires a comprehensive approach to cybersecurity.

1. Adopt an integrated email security solution

To protect against the top vector for ransomware attacks, a best practice is to adopt an integrated, third-party email security solution. An alternative to SEGs, this solution can augment the native security features of your internal environment and provide security against insider attacks. Most importantly, these solutions perform a behavioral analysis of emails to protect against dynamic and unknown threats that fingerprinting solutions miss.

For optimal protection, prioritize solutions that combine advanced AI algorithms with real-time intelligence from a global network. At the same time, look for solutions that prioritize incident response and threat intelligence activities via a single, unified dashboard. This includes automatic and cross-tenant remediation, integration with other cybersecurity tools, safe file download and inspection, and more.

2. Provide phishing awareness training

Phishing is the most common tactic used to carry out ransomware attacks. This illustrates the importance of phishing awareness training, which teaches users how to effectively spot and report email threats for remediation.

To get the best results, look for training programs that offer simulation-based instruction, are administered automatically whenever users need them, and personalize instruction to the unique role and context of each user. Prioritizing these features provides the most relevant training to your users and ensures it can happen on demand without human intervention.

3. Layer your security with remote browser isolation (RBI)

Remote browser isolation (RBI) solutions provide extended ransomware protection for Internet browsing, especially on mobile devices. When users click or tap an email link, RBI launches a secure container that is entirely separate from the local device and hosted on a remote server. If a user lands on a malicious site, the local device is protected from compromise.

RBI is especially important given how exposed mobile devices are. According to Statista, users check approximately 43% of their emails on a mobile device. Meanwhile, the Verizon Mobile Security Index 2022 survey found that nearly one in every two organizations experienced a mobile device-related compromise in 2021. Of those that did, 73% described their incident as major.

4. Adopt a vulnerability management (VM) system

Vulnerability management (VM) solutions help you evaluate your IT infrastructure for existing or potential flaws that hackers can exploit. VM systems offer continual vulnerability scanning, prioritization, remediation, verification, and reporting capabilities. VM solutions are important for identifying weaknesses in your security posture and addressing them efficiently and effectively.

5. Regularly update software and operating systems

Regularly update your software and systems to fix known or potential vulnerabilities. This enables you to take advantage of the latest patches, which fix security issues in your IT infrastructure.

6. Adopt anti-virus software

Anti-virus software provides endpoint protection against known ransomware threats. This solution scans your local devices, network, and applications for threats that match known malware signatures. While anti-virus offers only limited protection, organizations such as CISA recommend adopting an anti-virus solution and keeping malware definitions up to date.

7. Use a firewall

Firewalls scan and control network traffic based on pre-determined rules and can block ransomware threats from reaching users. While traditional firewalls have significant limitations, next-generation firewalls (NGFWs) provide more effective security against sophisticated ransomware threats through capabilities such as deep packet inspection (DPI) and intrusion prevention systems (IPS).

How Vade protects against ransomware

Vade’s cybersecurity solutions protect against today’s most dynamic and advanced ransomware attacks. Our integrated email security solutions provide advanced threat detection and response capabilities, including catching and neutralizing the most advanced ransomware variants, whether known or unknown.

Additionally, Vade Remote Browser Isolation (RBI) provides robust protection from mailbox-to-browser, on any device. Vade RBI enables users to safely browse webpages via email links with no risk of compromise. Vade Threat Coach™ also provides users with automated phishing awareness training that personalizes instruction and administers whenever a user encounters a phishing threat.