Even as Microsoft adds defensive tools targeting ransomware, attackers continue evolving new ransomware methods to effectively attack systems and compel payment.
To avoid joining the list of ransomware victims, you need to maintain awareness to implement effective cybersecurity defenses, alerts, and controls.
This week, we explore the evolution of ransomware in use, how gangs apply extra pressure, and how they affect the way you do business.
The Ransomware Attack Spectrum
Thankfully, the number of companies willing to pay ransoms is on the decline.
Yet simultaneously, the number of Ransomware-as-a-Service (RaaS) operations continues to grow, making it easier than ever to launch an attack. Researchers also note that 86% of ransomware attacks now involve a double-extortion method. This particularly devastating approach both encrypts your local files and threatens to release stolen information.
Some executives continue hoping their organization might be too small to be targeted. As it turns out, however, criminals are more than happy to attack victims of all sizes.
Ransomware gangs target organizations of all sizes worldwide. For example, hackers recently targeted several non-profits and smaller government agencies across the USA and Germany.
Here’s just a sampling:
- An Illuminate Education breach exposed data for 820,000 New York City school students.
- A ransomware attack on a non-profit vendor exposed the data of 500,000 Chicago Public School students and 60,000 employees.
- The German Chambers of Industry and Commerce were shut down by a ‘massive’ attack.
School systems, non-profits, and businesses alike are all at risk of attack.
Attacks on Large Companies
Larger companies deploying more security resources aren’t immune either. Both within the US and internationally, such victims abound.
Take, for instance, the following.
- Global victims:
  - The LV ransomware gang stole 2TB from the German semiconductor manufacturer Semikron.
  - RansomHouse stole at least 600GB of data from Africa’s largest supermarket chain, Shoprite.
  - The Conti ransomware gang encrypted several Costa Rican government agencies and expressed its intent to overthrow the government through ransomware.
- US victims:
  - Walmart denied an attack by the Yanluowang ransomware gang. However, the gang claims to have encrypted between 40k and 50k devices and published data to its extortion site; that data shows indications of having come from inside Walmart.
  - A ransomware attack forced a network shutdown at publishing giant Macmillan.
  - Attackers tricked a single employee at the BWI Airport Marriott, allowing them to steal 20 GB of guest PII and credit card information.
  - Entrust, a cybersecurity company providing services to the US government, suffered a data breach after hackers breached its internal networks.
It’s important to note that in none of these cases were ransom amounts disclosed. Even so, it’s easy to see the business disruptions and public embarrassment these attacks cause.
New Ransomware Methods
Ransomware models progress just like any other business.
Some competitors expand their market with new messaging, others develop new business models, and others invest in R&D.
For ransomware groups, new phishing messages perform the same role as new marketing messages: enticing new users to click.
For example, the Luna Moth ransom group found success using fake subscription renewals and invoices to deliver a remote access trojan (RAT). Meanwhile, the established LockBit ransomware group found success through emails warning of copyright violations.
Again, just like your own business, new ransomware methods never stop evolving.
Let’s take a look at some of the more notable examples.
When ransomware groups first began publishing company data to the public, the tactic evolved the business model for ransomware gangs. Many victims felt compelled to pay up, in order to avoid public embarrassment.
But then, the ALPHV/BlackCat ransomware group decided to improve upon that model and add a search engine feature to their attacks.
So, why go through all that trouble?
Because employees and consumers could then check whether their personal information was in an exposed data set. As more people found out their data had been exposed, pressure mounted on the company to resolve the issue. The more pressure, the greater the likelihood of a payout.
And thus, new ransomware methods evolved once again.
LockBit soon added a similar feature to its data leak site, hoping that the individuals affected would pressure the victim organization to pay the ransom.
As of late, LockBit remains one of the most aggressive groups to pursue R&D, developing new features in their ransomware.
Just consider the following new ransomware methods, and you’ll see how they push the boundaries of attack.
LockBit’s recently released version 3.0 can now:
- Use a key to obfuscate its main routines and prevent reverse engineering
- Enumerate available application programming interfaces (APIs)
- Abuse the Windows Defender command line tool to side-load malware onto compromised systems with malicious DLL files
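The side-loading item above is the one a defender can hunt for: a DLL side-load needs either the Defender binary copied out of its install directory or a DLL resolved from a folder the attacker controls. The following added example (not code from the original post) scans constructed Sysmon-style image-load records for either condition; it assumes the Defender command line tool is MpCmdRun.exe and that the listed install directories are the trusted ones.

```python
"""Flag the Windows Defender command line tool running from, or loading a DLL
from, a directory outside its normal install locations (defender-side detection).
Added example; MpCmdRun.exe and the trusted directories below are assumptions."""
from pathlib import PureWindowsPath

DEFENDER_EXE = "mpcmdrun.exe"
# Directories where the genuine binary and its DLLs normally live (assumption);
# the Platform folder holds versioned subdirectories, so prefixes are accepted.
TRUSTED_DIRS = (
    "c:\\program files\\windows defender",
    "c:\\programdata\\microsoft\\windows defender\\platform",
    "c:\\windows\\system32",
)

def parse_event(line):
    """Parse 'Key=Value|Key=Value' records into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (field.split("=", 1) for field in line.split("|"))}

def in_trusted_dir(path):
    """True if the file's parent directory is, or sits under, a trusted directory."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)

def is_suspicious(ev):
    """Defender CLI outside its install dir, or loading a DLL from an untrusted dir."""
    image = ev.get("image", "")
    if PureWindowsPath(image).name.lower() != DEFENDER_EXE:
        return False                      # some other process; out of scope here
    if not in_trusted_dir(image):
        return True                       # binary copied to an attacker-writable folder
    loaded = ev.get("imageloaded", "")
    return bool(loaded) and not in_trusted_dir(loaded)   # DLL resolved from elsewhere

def scan(lines):
    """Return the parsed events that match the side-loading pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed Sysmon Event ID 7 (image load) records; DLL names are placeholders.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Program Files\Windows Defender\component.dll",
    r"EventID=7|Image=C:\Users\Public\MpCmdRun.exe|ImageLoaded=C:\Users\Public\component.dll",
    r"EventID=7|Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Users\Public\Libraries\component.dll",
    r"EventID=7|Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\Public\other.dll",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious:", hit["image"], "->", hit["imageloaded"])
```

Only the second and third records fire: the first is the legitimate binary loading from its own directory, and the fourth is a different process that this rule deliberately ignores.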
Yet, that’s only one version of a single gang’s new ransomware methods.
Other notable ransomware innovations include:
- Abuse of unpatched Linux-based Mitel VoIP systems to deliver malware
- The Hello XD ransomware gang drops a backdoor onto compromised systems to maintain access, wipe traces of activity, and exfiltrate data
- Gangs moving away from the well-known Cobalt Strike toolkit to the newer Brute Ratel toolkit to avoid detection by endpoint defenses
Preparing In Advance
Every user and every data location needs layers of defense – even cloud resources.
Ransomware continues to be big business. As such, you should prepare in advance for possible attacks.
Simply contact us at 412-349-6680, or fill out the form below. With your guidance, our experts will outline various security tools, techniques, and services perfectly suited for your organization.