Arraya Insights | December 16, 2020
The ransomware playbook used to be fairly straightforward. Attackers would gain access to an organization’s data, lock it down, make their demands, and then wait to see if the bitcoin would roll in. And roll in it did. Ransomware has become a multi-billion dollar industry, one with an alarmingly low barrier to entry thanks to widespread proliferation of highly user-friendly malware. Not content to rest on their laurels, cyber criminals have added a few new wrinkles to their winning playbook, hoping to make their campaigns more effective for them and more expensive for their victims.
One such change is the rise of data exfiltration tied to ransomware infections. One team of researchers analyzed more than 100,000 attacks and linked more than 1-in-10 incidents to groups known to practice data exfiltration as part of their ransomware campaigns. It’s worth acknowledging that the real figure could be higher, since not all groups that steal data do so overtly.
What happens to the data sets these groups nab? That depends. Sometimes criminals will use the threat of leaking data to encourage victims to pay up. Such a threat can be particularly persuasive among organizations that traffic in large volumes of highly sensitive data, including those in legal, healthcare and finance. Publicly losing data could land these organizations in hot water with both regulators and their customers, clients, patients, etc. In other cases, attackers may covertly exfiltrate data and then simply sell it off to bolster their profit margins. Whatever the motivation, cyber security experts believe exfiltration has become part of the “new normal” for ransomware.
Another recent evolution of ransomware involves backups. Maintaining regular backups has long been viewed as key to mitigating the fallout of a ransomware attack. After all, why pay up when all you need to do is restore from backups? Attackers, likely tired of being thwarted by good backup practices, have responded by redesigning ransomware to target backups first. Some strains of malware will alter or encrypt backups, rendering them unusable. Others take a “seek and destroy” approach, deleting whatever backups they can reach. Both will then move on to production files. The goal is to leave organizations without their safety net, making them more willing to listen to and comply with attackers’ demands.
Defending against the next generation of ransomware
You can find a deep dive into ransomware best practices from both the admin and user level in our blog post “Ransomware Attacks Spike Against Healthcare Facilities: How to Keep Yours Safe.” While that post is ultimately geared toward those in healthcare, the defensive strategies suggested can be leveraged by organizations in any industry. However, we can recommend a few additional steps here to short-circuit the advanced attack methods outlined above. Organizations are advised to:
- encrypt data, both at rest and in transit, and keep the keys out of the attacker’s reach. Stolen ciphertext is of no value to an attacker who does not also hold the key, so keys belong in a dedicated key management service or HSM with tightly scoped access, not alongside the data they protect. Be clear about the limit of this control: an attacker who has taken over an account or host that is authorized to read the data sees it decrypted, exactly as the legitimate user would. Encryption at rest blunts theft of raw disks, volumes and backup media, but it does not by itself stop exfiltration through a compromised workload.
- monitor workload behavior for patterns that do not fit a host’s normal profile: large or sustained outbound transfers, connections to destinations the host has never contacted before, or a sudden burst of file modifications. Organizations must be ready to address and, if necessary, remediate such anomalies quickly, which in practice means wiring detections to automated response (isolating the host, revoking the credential) rather than waiting for a human to read the alert.
- keep backups offline or logically isolated from production. That means an offline or immutable copy that production credentials cannot modify or delete, and network segmentation (microsegmentation where available) so that a host with write access to production shares has no path to the backup store. A backup that is reachable with the same credentials and from the same network segment as production will be encrypted or deleted along with it, and provides little protection against a rapidly-spreading infection. Verify that restores actually work before you need them.
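The kind of egress check the second recommendation calls for, as an added example that is not part of the original post or of any Arraya tooling. It assumes a constructed, simplified flow log (timestamp, source host, destination IP, destination port, bytes out), a hypothetical list of internal address ranges, and hypothetical thresholds; the sample records are invented for the demonstration. For each host it builds an hourly outbound-bytes baseline from earlier windows, then flags the latest window when it is both large in absolute terms and a multiple of that baseline, and reports any destinations the host had never contacted before.

```python
"""Flag hosts whose outbound traffic to external destinations jumps far above
their own baseline, a common signature of bulk exfiltration before ransomware
detonation. Example code; log format, ranges and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean

# Assumed internal ranges; a real deployment would list the organization's own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample log (not real traffic). One record per line:
#   <ISO-8601 timestamp> <source host> <destination IP> <destination port> <bytes out>
# ws-042 and fileserver01 show a small, steady external baseline; in the 12:00
# window fileserver01 pushes ~900 MB to an address it has never talked to.
SAMPLE_LOG = """\
2020-12-14T09:12:01 ws-042 93.184.216.34 443 20480
2020-12-14T10:05:13 ws-042 93.184.216.34 443 51200
2020-12-14T11:31:45 ws-042 93.184.216.34 443 30720
2020-12-14T12:02:09 ws-042 93.184.216.34 443 28672
2020-12-14T09:20:00 fileserver01 10.0.0.5 445 734003200
2020-12-14T09:45:10 fileserver01 93.184.216.34 443 40960
2020-12-14T10:20:00 fileserver01 10.0.0.5 445 801112064
2020-12-14T10:47:31 fileserver01 93.184.216.34 443 38912
2020-12-14T11:20:00 fileserver01 10.0.0.5 445 690012160
2020-12-14T11:52:07 fileserver01 93.184.216.34 443 43008
2020-12-14T12:03:44 fileserver01 198.51.100.77 443 314572800
2020-12-14T12:17:29 fileserver01 198.51.100.77 443 314572800
2020-12-14T12:41:58 fileserver01 198.51.100.77 443 314572800
2020-12-14T09:30:00 db-01 10.0.0.9 5432 4194304
2020-12-14T12:30:00 db-01 10.0.0.9 5432 4194304
"""


def is_internal(addr):
    """True if the destination is inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the assumed five-field format into (timestamp, host, dst, port, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, ip_address(dst),
                        int(port), int(nbytes)))
    return records


def detect_egress_anomalies(log_text, ratio=5.0, min_bytes=50 * 1024 * 1024):
    """Return one alert per host whose latest hourly external egress exceeds
    both `min_bytes` and `ratio` times that host's mean over earlier hours.
    Hosts with no external traffic at all are never considered; internal
    (east-west) transfers are ignored because they cannot be exfiltration."""
    per_window = defaultdict(int)   # (host, hour) -> bytes out to external dsts
    dsts = defaultdict(set)         # (host, hour) -> external destinations seen
    for ts, host, dst, _port, nbytes in parse_log(log_text):
        if is_internal(dst):
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        per_window[(host, hour)] += nbytes
        dsts[(host, hour)].add(dst)
    if not per_window:
        return []
    latest = max(hour for _, hour in per_window)

    alerts = []
    for host in sorted({h for h, _ in per_window}):
        if (host, latest) not in per_window:
            continue  # host was quiet in the latest window
        history = [b for (h, hr), b in per_window.items() if h == host and hr < latest]
        baseline = mean(history) if history else 0.0
        current = per_window[(host, latest)]
        seen = set().union(*[d for (h, hr), d in dsts.items() if h == host and hr < latest])
        if current >= min_bytes and current > ratio * baseline:
            alerts.append({
                "host": host,
                "window_start": latest.isoformat(),
                "bytes_out": current,
                "baseline_bytes": int(baseline),
                "new_destinations": sorted(str(d) for d in dsts[(host, latest)] - seen),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(SAMPLE_LOG):
        print(alert)
```

The absolute floor (`min_bytes`) keeps a workstation that goes from 20 KB to 200 KB from paging anyone, while the ratio catches a server whose normal external footprint is tiny. In production the baseline would span days or weeks of NetFlow, proxy or EDR data rather than three hours, and an alert would trigger containment of the host, not just a log line.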
Next Steps: Practice for your organization’s worst case scenario
Need help preparing your organization for the evolving realities of today’s ransomware environment? Arraya Solutions can help. Our cyber security experts can help you design and walk through a fully customizable worst-case scenario. These exercises can stress test the security response mechanisms you have in place for when attackers are knocking on your door – or when they’re already inside your network. They can help you discover and close procedural or technological gaps that allow attackers greater opportunities to succeed. Reach out to the Arraya Cyber Team (ACT) to learn more.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.