• Ransomware attacks are going to become more dangerous next year than in 2020.
• Attacks surged 40% globally while the US saw a staggering 139% year-over-year increase in the third quarter.
• Attacks against healthcare organisations, hospitals and pharmaceutical firms increase.
• Ransomware operators to use retained data in other ways as they digest the content and could return with more demands or publicly embarrass an organisation.

Bengaluru: Nation-state actors or advanced persistent threats (APTs) are likely to use ransomware as a weapon of choice and they will become more dangerous next year than in 2020. Industry experts said.

“APTs are going to take ransomware and use it as a tool as well. We have already seen Russian-based intelligence groups behind great destructive ransomware events. One troubling trend is that attackers are increasingly moving to ransomware-as-a-service, which includes offering malware and the skills to deploy it on a one-time or ongoing basis,” Sandra Joyce, Executive Vice-President and Head of Global Intelligence at FireEye, said.

Ransomware has gone from a nuisance to a national security issue globally; she said and added that it has become a popular method among advanced threat groups and cybercriminals. 

Ransomware attacks, in general, are considered one of the more serious types of threats facing companies.

Not only they can disrupt critical business operations but they can also lead to massive financial losses and, in some cases, even bankruptcy due to fines and lawsuits incurred as a result of violating laws and regulations.

For example, the WannaCry attacks are estimated to have caused more than $4 billion in financial losses, according to Kaspersky.

However, newer ransomware campaigns are modifying their modus operandi: they’re threatening to take stolen company information public.

Ragnar Locker and Egregor are two well-known ransomware families practising this new method of extortion. 

According to a report from cybersecurity firm SonicWall, even though the overall malware volume declined for the third consecutive quarter, ransomware attacks globally surged 40 per cent to reach 199.7 million hits.

While sensors in India, the UK and Germany recorded decreases, the US saw a staggering 145.2 million ransomware hits in the third quarter – a 139 per cent year-over-year increase, said the report.

SonicWall researchers observed a significant increase in Ryuk ransomware detections in 2020, detecting 67.3 million Ryuk attacks – a third of all ransomware attacks this year.

 “If organisations don’t pay the ransom, the threat actors will post the data online. Targeted attacks against medical facilities during a pandemic crossed a new line when the use of ransomware was linked to the death of a woman,” she said.

Hospitals become high-value targets

A hospital in Germany was experiencing a ransomware attack and they had to turn away a patient. The patient was diverted to another hospital and ended up passing away in the ambulance.

The FBI and the US government had issued a warning about ransomware attacks targeting the healthcare sector.

In 2019, 22 Texas cities had mass ransomware attacks and recently, United Health Services, a Fortune 500 hospital and healthcare services provider in the US and UK, had managed to restore systems after a Ryuk ransomware attack in September.

According to a threat intelligence data by Check Point, the healthcare sector was the most targeted by ransomware in the US in October, with attacks increasing by 71 per cent compared with September 2020. Similarly, ransomware attacks against healthcare organisations and hospitals in October increased by 36 per cent in EMEA and 33 per cent in APAC.

Jim McGann, Vice-president of Marketing at enterprise information management and archiving solutions provider Index Engines, said that hospitals have become high-value targets for cybercriminals in 2020.

 “Cybercriminals are looking for quick and easy paydays. Healthcare seems to be 2020’s target, unfortunately. What we are seeing is smarter and more sophisticated approaches to infiltrating the datacentre. 

“Fortunately, we are now deploying innovative solutions to combat these terrorists. It will take some time, but we will win these battles. Patient data is the prize here,” he said. 

However, he said that cybercriminals know that if they steal it and threaten to publish it to the world they will be faced with fines and lawsuits. 

Lucrative business

“Innovation allows these organisations to inspect the data, find signs of attacks, and understand the sensitivity of the content. It will take time for hospitals to deploy this technology, but without it, they will continue to be victims and vulnerable to significant disruption,” he said.

During Covid-19, Joyce said that they saw a post that said that these groups are not targeting hospitals and organisations related to the pandemic but they made pharmaceuticals not part of the promise.

Because pharmaceutical companies make a profit, she said that they [ransomware operators] have decided that they [pharmaceutical companies] are not to be protected.

“The lucrative business and the huge payouts that have been involved in these operations tend to drive an increase not only in operations scope and scale but also in the amounts. We have seen threat actors continue to evolve their techniques and sell the stolen sensitive information to their competitors,” she said.

Charles Carmakal, Senior Vice-President and Chief Technology Officer at FireEye Mandiant, said that they have seen threat actors targeting healthcare organisations in the last few months.

“Most threat actors are reliable as the business model depends on it and they provide the decryption tools after getting the ransom. Most threat actors end up moving to the next victim after getting the ransom from the previous customer but there is no guarantee that the threat actor won’t come back or a different threat actor won’t end up coming back and do the same environment. We have seen different actors attacking the same target multiple times and asking for more,” he said.

While many organisations pay ransoms and do regain access to their data, he said that they often forget that the attackers still have their data.

“Ransomware operators are becoming increasingly aggressive, and in 2021 we expect to see attackers use retained data in other ways as they digest the content. This could include returning with more demands or publicly embarrassing an organisation,” he said.

Hackers started naming and shaming websites by the end of last year.

In 2021, he said that threat actors will increasingly target the most critical assets held by organisations.

Rise of ransomware 2.0

“Through post-intrusion reconnaissance and the deep enumeration of networks, we currently see threat actors locking up the most relied on and sensitive data and architectures, which leads to much higher ransom amounts. Ransoms have already reached the tens of millions of dollars, and we expect these demands to get worse,” Carmakal said.

Dmitry Bestuzhev, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, said that what the industry is seeing now is the rise of ransomware 2.0, which means that attacks are becoming highly targeted and the focus isn’t just on encryption; instead, the extortion process is based around publishing confidential data online.

Doing so puts not just companies’ reputations at risk but also opens them up to lawsuits if the published data violates regulations like HIPAA or GDPR, he said.

“Often, the ransomware is only the final stage of a network breach. By the time the ransomware is deployed, the attacker has already carried out a network reconnaissance, identified the confidential data and exfiltrated it,” Fedor Sinitsyn, security expert at Kaspersky, said.

Carmakal said that organisations need to be prepared for a ransomware attack and they should have an incident response service-level agreement (SLA) in place as they are going to be targeted and they are going to be compromised, so it is crucial to have prevention and recovery strategies in place.

How to protect against attacks: 

• Do not expose remote desktop services (such as RDP) to public networks unless necessary and always use strong passwords for them. 
• Always keep software updated on all the devices you use. To prevent ransomware from exploiting vulnerabilities, use tools that can automatically detect vulnerabilities and download and install patches.
• Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network. 
• Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
• To protect the corporate environment, educate your employees. Dedicated training courses can help. 
• For personal devices, use a reliable security solution that protects against file-encrypting malware and rolls back the changes made by malicious applications.
• If you’re a business, enhance your security protection. 
  

Related posts:

• Group-IB detects financially-motivated attacks by Iranian newbie threat actors
• FBI thwarts $1m ransomware attack on Tesla factory
• Carnival detects ransomware attack on one of its brands
• Will Space 4.0 become next battleground for security experts against hackers?