For organizations around the world, ransomware continues to be a growing problem, with many well-known companies and institutions falling victim. Within the last year, the Medusa ransomware group breached Minneapolis Public Schools and leaked the personally identifiable information (PII) – including medical records – of children. Additionally, the attack conducted by an individual associated with the REvil ransomware group on the Colonial Pipeline demonstrated the vulnerability of critical infrastructure. Amid increasing risks of ransomware attacks and data theft, global leaders created the Joint Ransomware Task Force in 2022 and recently held a summit at the White House to unveil additional cybersecurity funding for K-12 educational institutions.
Unfortunately, there is no immediate end in sight to the problem. A recent WatchGuard Internet Security Report found that endpoint ransomware detections increased 627% in Q4 last year. Attacks came in various styles, including IcedID infections, phishing campaigns, data exfiltration, pseudo-ransomware, and more.
As ransomware attacks continue to evolve, it’s clear that more work is needed from security teams to protect against these threats. Vigilance is key, and security teams must monitor the strategies and tactics of ransomware operations to better defend their organizations. Below, we walk through three emerging ransomware trends that every security team must monitor and tips on how teams should respond to maintain and protect network security.
Ransomware Attacks Becoming More Frequent
Ransomware attacks appear to be growing more frequent: a recent report by Chainalysis, an analysis firm that monitors the blockchain, observed ransomware extortion payments increasing in both frequency and amount. By tracking inflows to cryptocurrency wallets owned by ransomware groups, Chainalysis found a pattern of increasing payments from victims – ranging from thousands of dollars to millions. It also found that ransomware attackers extorted at least $449.1 million in payments in the first half of 2023, an increase of approximately $175 million over the same period in 2022.
However, the known victims and tracked cryptocurrency payments don’t capture the total number of victims and extortion cases. Some of the wallets ransomware operators use are unknown and difficult to track, especially when operators use cryptocurrency mixers that make following funds on the public ledger significantly harder. As a result, the true total of payments is likely higher than $449.1 million, and the total number of victims is likely higher as well.
A Rise in Attacks on VMware ESXi Servers
Another recent trend is the emergence of attacks that target VMware ESXi, a hypervisor that deploys and manages virtual machines within networks. Many active ransomware groups have a VMware ESXi encryptor, which allows them to target virtual machines as well as endpoints and servers. Some active groups using this tactic include Abyss, Akira, Black Basta, LockBit, RansomExx, and Royal. This trend illustrates how modern ransomware groups adapt and evolve to bypass defenses and target the platforms that organizations rely on. It also shows why ransomware groups have begun using programming languages like Rust and Go more frequently to evade defenses.
Attacks on VMware ESXi servers made headlines when ransomware dubbed ESXiArgs breached thousands of servers worldwide in a few days. The servers were unpatched instances of VMware, and the attack was automated. This trend underscores why organizations must keep their systems updated and patched and avoid unnecessary internet exposure, as taking these steps can help mitigate such attacks and keep them from getting out of hand.
More Instances of Data Theft without File Encryption
Ransomware operators can employ various blackmail and extortion tactics to coerce victims into paying. Recently, there has been an increase in cases of data theft without file encryption. Ransomware operators are forgoing data encryption on a victim’s machine and instead exfiltrating data to perform a double-extortion attack. Presumably, some groups don’t want to bother with deploying an encryptor and know they can use sensitive PII as a bargaining chip. Organizations can combat these double-extortion tactics by having a solid data backup and incident response plan.
Some notorious examples of ransomware data theft include the recent acts of the CL0P ransomware group. In early 2023, the GoAnywhere MFT file transfer software contained a zero-day vulnerability that the CL0P group exploited. Researchers found that after exploiting the software, the group exfiltrated data from dozens of companies that used it, subsequently extorting their victims on the group’s double-extortion page. Whether the group used an encryptor in its efforts is unknown. Additionally, the group exploited a zero-day vulnerability in MOVEit, a secure file transfer service. As MOVEit is trusted software for major organizations and governments, hundreds of these entities were exposed to this zero-day vulnerability, and the number continues to grow.
Security Tips Every Enterprise Should Adopt
Security teams looking to combat ransomware threats should focus on strengthening their network perimeters, endpoints, and incident response plans. They should also implement regular social engineering training, as more than 90% of all malware attempts begin with a social engineering attack.
Bolstering network perimeters and using technologies such as zero-trust networks are vital steps in ensuring protection. Additionally, ransomware attacks can be thwarted by a well-trained employee or heuristic-based anti-virus that detects abnormal behavior on the endpoint. If those initial security layers fail, an effective incident response plan can stop attacks from becoming too damaging. Combining these layers in a defense-in-depth approach delivers more effective security. Other preemptive steps that organizations should take to protect against ransomware include:
- Implementing email security measures such as automatically scanning attachments for ransomware and malware.
- Decrypting traffic at the network perimeter (as an increasing percentage of malware is being delivered via encrypted channels).
- Regularly backing up systems and copying data to different servers and networks. Backups must be performed regularly (as often as possible) and stored on a separate network or offline, so that an encryption event doesn’t also destroy the backups.
- Keeping your company’s software and systems up to date with the latest patches and updates.
- Leveraging anti-virus tools on endpoints with a heuristic engine – not just signature-based matching.
- Training employees to recognize phishing attempts and other security threats. It’s also essential to implement phishing training that is both ongoing and tangibly interfaces with the user (e.g., not a mere question-and-answer test).
- Knowing your areas of exposure to the internet and the related risks (for example, monitoring open network ports and the potential for data exposure) and hardening these areas where possible.
Also, the Joint Ransomware Task Force offers a detailed “Blueprint for Ransomware Defense,” which provides scores of actionable tips that security professionals can leverage to combat ransomware. Its tips cover a range of categories, including knowing your environment, secure configurations, account and access management, vulnerability management planning, malware defense, security awareness and skills training, and data recovery and incident response.
Ultimately, ransomware is similar to other malware, as threat actors in both instances look to gain unauthorized access to your network. Therefore, many tried-and-true security practices apply. It’s important to protect your network perimeter, monitor your endpoints for anomalous behavior, back up your systems regularly, and keep all systems up to date. If your organization adopts a broader focus on stopping malware and security breaches in general, deterrence of ransomware will follow suit.
To stay ahead of ransomware threats, security teams must focus on the tactics, techniques, and procedures (TTPs) employed by threat actors that lead to ransomware. Utilizing a defense-in-depth strategy can deter malware from touching your network. If an attack gets through, security teams must have protections in place to neutralize it as soon as possible. Although ransomware threats continue to increase in complexity, adopting a multi-layered security approach will serve as your best defense and help keep out the bad guys.