A ransomware attack on a food-logistics firm in the Netherlands that caused six days of disruption to supplies at the country’s largest supermarket chain is thought to be the result of a vulnerability that was widely reported in March, when Microsoft revealed it had uncovered zero-day bugs being used to attack on-premises Microsoft Exchange servers.
The attacks are believed to have originated from a Chinese state-sponsored hacking group, which was able to access email accounts, exfiltrate data and plant malware to enable long-term remote access, as well as launch a new strain of ransomware.
The last 12 months have seen an explosion in cyber-attacks as criminal networks have exploited confusion around the pandemic and opportunities created by the sudden mass transition to remote working. As a result, nearly 50% of organisations fell victim to some type of breach last year, and one of the fastest growing threats in cyber security is ransomware. Deep Instinct’s 2020 Cyber Threat Landscape Report found that ransomware attacks had increased by 435% in 2020.
Below, we look at some of the latest trends in ransomware and how it is evolving:
In the past, ransomware attacks might have just resulted in data being encrypted, but we are now seeing a significant increase in data exfiltration – the unauthorised removal of sensitive data from an organisation’s network.
Exfiltration is also linked to the growth of double extortion attacks, where threat actors will look to maximise their chances of profiting from an attack. As well as encrypting confidential information and then demanding a ransom to decrypt it, cyber criminals will then either threaten to sell the data they have harvested, such as customer credentials, or release it into the public domain unless an additional fee is paid.
Ransomware groups are increasingly maintaining their own dedicated leak sites on the surface web or dark web, where they can publish confidential information from targeted organisations that are not willing to meet their ransom demands, or threaten to make the data public as part of a double extortion strategy.
Threat actors are now engaging in big game hunting, whereby high-value organisations that are most likely to lead to big pay-outs are specifically targeted. After an initial compromise, cyber criminals are no longer immediately deploying ransomware to a single device. Instead, they are taking time to understand the company’s operations, exploit additional vulnerabilities, exfiltrate data, and gain access to critical systems that will enable them to cause maximum damage by disabling the entire network.
Ransomware as a service (RaaS) is growing in prevalence as new, smaller variants become available on the dark web. These are usually offered via a monthly subscription service, as a one-off charge, or may involve sharing a percentage of the profit with the provider, but in all cases these business models are particularly appealing to hackers as there are low entry costs and minimal technical skills required to launch attacks.
We are also increasingly seeing new sectors targeted. Over the past year there has been a sharp rise in attacks on local government, hospitals, and other healthcare organisations, as well as educational institutions, with the University of Portsmouth reportedly having to close its campus just recently due to a ‘ransomware attack.’
Unsurprisingly, the cost of ransomware is growing, and it is not just limited to the financial costs of paying ransoms. There are a multitude of other costs that can result from an attack, such as the cost of disruption and lost productivity, damage to a company’s reputation, loss of customer confidence, and the possibility of legal costs and fines from regulatory bodies. All are in addition to any costs associated with incident response and remediation, which can be particularly significant for organisations with large networks and complex infrastructure.
With the frequency and sophistication of ransomware attacks predicted to grow significantly, companies need to take a proactive approach to protecting their business.
Alongside pre-attack activities to prevent ransomware from bedding into your systems, it is essential to ensure a comprehensive and robust incident response procedure is in place. This helps to effectively manage and minimise the damage of an attack, and enables the business to recover quickly – reducing the financial impact on revenues. In the event of a security incident, the immediacy and effectiveness of the initial response have a direct and significant impact on the level of disruption and costs to the business.
With advanced threats increasing rapidly, organisations also need to thoroughly investigate any Indicators of Compromise (IOCs) and breaches to help determine the cause and source of the incident and ensure that it has been dealt with effectively. It is possible a full digital forensics investigation could have helped the Dutch food-logistics company identify any indicators of compromise, identify exploitation activities and ensure no backdoors were left open to enable the hackers to access their network again and deploy ransomware.
Fortis offers comprehensive, certified and experienced Incident Response and Digital Forensic services that can be tailored to suit your organisation’s specific requirements, including investigations mentioned in this article. For more information about how Fortis can help protect your business from ransomware and other threats please contact email@example.com