Ransomware payouts are trending upward once again. According to Chainalysis, a cryptocurrency tracing firm, 2021 saw ransomware payments reach nearly $1 billion—a record high. While there was a decline in 2022, the trend reversed in 2023, with estimated payouts approaching $900 million. This increase in ransomware activity can be attributed to the intensified operations of ransomware groups and a surge in extortion efforts. To mitigate the risk and defend against these threats, organizations must develop a robust backup plan that accounts for the myriad ways attackers can infiltrate their networks.
Ransomware Attack Strategies
Strategy 1: Malware Spray Attacks
Malware spray attacks involve purchasing malware from the dark web as part of ransomware-as-a-service operations or from brokers of individual components. These tools require minimal skill, enabling attackers to launch attacks without specifically targeting any particular company. This “spray and pray” approach makes organizations with unpatched vulnerabilities, limited monitoring, inconsistent backups, and other security hygiene issues particularly vulnerable. The hope is that one of the many victims will pay the ransom.
Key Characteristics:
- Low Expertise and Capital: Requires little skill or investment.
- Short Dwell Time: Attackers begin encryption quickly after gaining access, with the ransom demand appearing soon after.
- Lower Ransom Demands: Due to the lack of specific targeting, ransoms are typically lower.
Defense: Protection in Layers To defend against this strategy, organizations should implement a layered defense. This includes educating end-users about ransomware risks, applying automated patches, updating servers, routine network monitoring, and implementing robust data protection for backups. The goal is to stop attacks with the initial layers of defense, with the backup serving as the last line of defense.
Strategy 2: Targeted Recon
Targeted recon involves conducting detailed reconnaissance on a specific organization. Attackers gather information about the software and cloud infrastructure in use, social media posts of employees, network vulnerabilities, and financial data. They may also research key personnel for targeted phishing attacks. Once inside the network, attackers move laterally, conducting further research to develop a sophisticated ransom demand.
How to start to create your plan
Key Characteristics:
- High Skill and Investment: Requires financial investment and skilled personnel.
- Longer Dwell Time: Attackers may remain undetected for an extended period, gathering information.
- High Ransom Demands: Demands are based on extensive research and tailored to the victim’s financial status.
Defense: Document a Plan To protect against sophisticated attacks, organizations should document a detailed defense plan. This plan should identify potential entry points and outline strategies to defend against evolving threats. Regularly updating and testing the plan is crucial to ensure its effectiveness.
Strategy 3: Exfiltration
Exfiltration involves encrypting data, then exfiltrating it and demanding either a decryption ransom or an extortion payment. Extortion, especially involving personally identifiable information, is becoming more common. Even after paying the ransom, there’s no guarantee that attackers will delete the data; they may reuse it in future attacks or sell it.
Defense: Encrypt Your Backups Encrypting data, whether on-premises or in the cloud, in flight or at rest, makes it much harder for cybercriminals to misuse it. Modern best practices recommend encrypting all backups to safeguard against unauthorized access.
Dwell Times
Dwell time refers to the period an attacker spends in a network before initiating an attack. Research indicates that attackers often have surprisingly short dwell times, averaging nine days in 2022 for Sophos and Mandiant. During this time, attackers may elevate their privileges, move laterally through the network, assess the value of data, and look for ways to corrupt backups.
Defending Against Hidden Ransomware
Sophisticated ransomware can remain dormant for months, embedding itself into daily backups. To avoid reinfecting systems with compromised backups, organizations should plan and regularly test their disaster recovery procedures. This ensures that they can restore systems confidently and effectively in the event of a ransomware attack.
Conclusion
The rising trend of ransomware payouts highlights the ongoing threat to organizations. Defending against these threats requires a comprehensive defense strategy, a robust backup solution, and an understanding of potential entry points. As cyber threats continue to evolve, organizations must adopt a proactive and adaptive approach to defend against ransomware effectively.
Source: https://blog.quest.com/crucial-backup-strategies-to-defend-against-ransomware-attacks/
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
