How Ransomware Is Evolving
(December 11, 2020) Emboldened by past successes, cybercriminals are launching more targeted attacks and seeking more lucrative payments.
When it comes to ransomware, we may be our own worst enemies. Victimized organizations increasingly choose to pay the ransom in order to regain access to encrypted data — a strategy that appears to be backfiring. Multiple studies indicate that more payments are simply creating incentives for the ransomware industry.
A CyberEdge Group study finds that 58 percent of victimized organizations have paid ransoms, up from just 39 percent two years ago. The increased likelihood of payment seems to be inspiring more attacks — CyberEdge reports that a record 62 percent of U.S. companies have been hit with ransomware in the past year.
Meanwhile, research from Coveware and CrowdStrike suggests that increased payments have emboldened cybercriminals to increase their ransom demands dramatically. Coveware reports the average ransom demanded in attacks during Q1 2020 was $111,605 — triple what it had been in the previous quarter. CrowdStrike predicts global ransomware damages will reach $20 billion by 2021 — a 5,697 percent increase since 2015!
The U.S. government has taken action by imposing economic sanctions on several cybercriminals and cybercrime groups, freezing all their property and interests in the U.S. Under various laws and regulations, U.S. companies and citizens are prohibited from engaging in any sort of direct or indirect transactions with sanctioned groups or individuals. That includes ransomware payments.
A global study from Sophos finds that paying the ransom dramatically increases recovery costs without substantially improving an organization’s chances of regaining access to its data. Some organizations have discovered that their data was still inaccessible after paying the ransom. Others have found that the data was infected with additional malware.
According to Sophos, 94 percent of organizations eventually get their data back — 56 percent by restoring data from backups, 26 percent by paying the ransom, and 12 percent by other means.
“For unprepared organizations, it can require a significant amount of time and effort to recover your systems and files. Paying the ransom just adds to the expense, and there’s still no guarantee you will get your data back,” said Mark McClelland, co-founder of Mainstream Technologies. “If you’re the victim of a ransomware attack, restoring your data from a recent good backup is the best way to minimize downtime.”
Additionally, the FBI warns that ransomware attacks are becoming more sophisticated and dangerous. Earlier attacks tended to employ tactics in which criminals sent spam messages or fake ads in an attempt to infect large numbers of victims indiscriminately and generate quick payouts. Many of today’s attacks target specific organizations in an attempt to generate larger payoffs.
Targeted ransomware attacks typically combine the usual encryption techniques with data theft. Once a target is infected, these threats quietly move laterally throughout the network, accessing many systems and encrypting data. However, they don’t stop there. They will also exfiltrate some data, creating a threat of exposure that increases pressure on victims to pay larger ransoms.
A well-designed data backup solution remains an essential element of ransomware mitigation. However, it is important to remember that ransomware can impact backup systems. Backups must be immutable and isolated within a protected environment.
The FBI also offers these additional suggestions for minimizing exposure to ransomware attacks:
- Focus on awareness and training. Since end-users are often targeted, employees should be trained on how to spot suspicious emails or files.
- Regularly patch operating systems, software, and firmware on devices. This can be made easier through a centralized patch management system.
- Ensure antivirus and antimalware solutions are set to update automatically and that regular scans are conducted.
- Implement least-privilege file, directory, and network share permissions. If a user only needs to read specific files, consider revoking write access to those files, directories, or shares. This can significantly limit the impact of a ransomware attack.
- Secure your applications. Implement software restriction policies to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular web browsers.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policies.
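The software restriction item in the list above can be checked against process-creation telemetry before a policy is enforced. The following is an added example, not code from the FBI guidance or from Mainstream Technologies; the deny patterns, the file-type list, and the sample events are constructed for illustration.

```python
import fnmatch
import ntpath

# Illustrative deny patterns (assumed, not from the article): user-writable
# temp and browser-cache folders of the kind a path rule would cover.
DENY_PATTERNS = [
    r"c:\users\*\appdata\local\temp\*",
    r"c:\users\*\appdata\local\microsoft\windows\inetcache\*",
    r"c:\windows\temp\*",
]
# File types the rule treats as executable (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

def normalize(path):
    """Strip quotes, unify slashes, collapse '..' and lower-case the path."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def is_blocked(path):
    """True if an executable file type would run from a denied location."""
    p = normalize(path)
    if ntpath.splitext(p)[1] not in EXECUTABLE_EXTS:
        return False
    return any(fnmatch.fnmatchcase(p, pat) for pat in DENY_PATTERNS)

def audit(events):
    """Return (host, normalized image path) for each violating event."""
    return [(e["host"], normalize(e["image"]))
            for e in events if is_blocked(e["image"])]

# Constructed process-creation events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\alice\AppData\Local\Temp\invoice_7731.exe"},
    {"host": "ws-01", "image": r"C:\Program Files\Vendor\app.exe"},
    {"host": "ws-02", "image": "C:/Users/bob/AppData/Local/Microsoft/Windows/INetCache/IE/AB12/update.js"},
    # '..' segments: matching must run on the resolved path, not the raw string.
    {"host": "ws-03", "image": r"C:\Program Files\..\Windows\Temp\svc.scr"},
    {"host": "ws-02", "image": r"C:\Users\bob\AppData\Local\Temp\..\..\..\Documents\tool.exe"},
    # Data file in a temp folder: not an executable type, so not flagged.
    {"host": "ws-01", "image": r"C:\Users\alice\AppData\Local\Temp\report.pdf"},
]

if __name__ == "__main__":
    for host, image in audit(SAMPLE_EVENTS):
        print(f"{host}: execution from restricted location: {image}")
```

Running the audit over existing telemetry first shows which legitimate installers or updaters would be affected before the rule is switched from audit to block.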
“Monitoring and management of your systems coupled with a properly architected data protection and malware prevention strategy will minimize downtime and associated expenses,” said Mark McClelland. “Each dollar spent on prevention provides a significant return on investment.”
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of IT services in Arkansas and the surrounding region including IT management and consulting, custom software development, and cybersecurity. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public- and private-sector customers across the United States.