
3 Ransomware Trends That Enterprise Security Teams Must Monitor in 2023

This guest post was contributed by Ryan Estes, Intrusion Analyst, WatchGuard Technologies


Ransomware remains a top cybersecurity threat to organizations of every kind. LockBit's attacks on Canada's Hospital for Sick Children in late 2022 and on the U.K.'s Royal Mail in early 2023 show that any organization can be targeted, regardless of industry or philanthropic mission. Earlier this year, the Medusa ransomware group breached Minneapolis Public Schools and leaked children's personally identifiable information (PII), including medical records. Critical infrastructure has been hit as well: the 2021 Colonial Pipeline attack was carried out by the DarkSide group, an operation with ties to REvil. The heightened risk of ransomware and data theft prompted the U.S. government to stand up the Joint Ransomware Task Force in 2022, and a recent White House summit announced additional cybersecurity funding for K-12 educational institutions.

A recent WatchGuard Internet Security Report (ISR) found that endpoint ransomware detections rose 627% in Q4 2022. The attacks took many forms, including IcedID infections, phishing campaigns, data exfiltration, pseudo-ransomware and more. Note that the ISR figures reflect only the subset of attacks visible to WatchGuard's telemetry and must be read alongside other data for a holistic view of the ransomware threat landscape.

Given these ongoing events, security teams across all verticals must monitor ransomware attackers' strategies and tactics and prepare to combat them. But in fending off these attacks, what threat patterns should enterprise security teams look for? And how can they use this knowledge to protect their organizations? Below are three ongoing ransomware trends that enterprise security teams must closely monitor.

Frequency of Ransomware Attacks Increasing

A recent report by Chainalysis, a blockchain analysis firm, shows ransomware extortion payments increasing in both frequency and size. The firm tracks inflows and outflows of cryptocurrency wallets attributed to ransomware groups and observed growth in both small payments (in the thousands of dollars) and large ones (in the millions) flowing in from victims. For the first half of 2023, Chainalysis tracked at least $449.1 million in ransomware extortion payments, roughly $175 million more than in the first six months of 2022.

The known victims and tracked payments do not capture every victim or extortion case. Some wallets used by ransomware operators are unknown or hard to attribute, especially when operators route funds through cryptocurrency mixers that make tracing on the public ledger nearly impossible. The true payment total is therefore likely higher than $449.1 million, and the true victim count is undercounted in the same way.

An Increase in Data Theft without File Encryption

Ransomware attacks aim to extract large payments from companies in return for access to their data. To secure payment, operators apply a range of blackmail and extortion tactics. A recent pattern is operators skipping encryption of the victim's systems altogether and relying solely on exfiltrated data for extortion (the leak-threat half of double extortion, without the encryption half). The reasoning is that some groups don't want the operational overhead of deploying an encryptor, and they know that the reputational and regulatory damage from exposed PII is the stronger bargaining chip. Most large organizations now have backups and an incident response plan that blunt the leverage of encryption alone, which is part of why the threat of leaking stolen data has moved to the center of the extortion.

No discussion of data theft by ransomware groups in 2023 can omit CL0P. Early in the year, the group exploited a zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT file transfer software. Researchers found that after exploitation the group exfiltrated data from dozens of companies running the product, which were then listed on the group's leak site and extorted. Whether an encryptor was used in these intrusions is not definitively known. The group then exploited another zero-day (CVE-2023-34362), this time in Progress Software's MOVEit Transfer secure file transfer product. Because MOVEit is trusted software for major organizations and governments, hundreds of entities have been exposed through this vulnerability, and the count continues to grow daily.
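The exfiltration-only pattern described above is a detection problem rather than a patching one: the telltale sign is a large volume of outbound data going to a destination the source host has never talked to, often outside business hours. The following is an added example, not WatchGuard's code or anything from the original post, of a minimal detector run over constructed egress flow records. The hostnames, IP addresses, byte counts, the 30-day baseline set, the 1 GiB threshold, the one-hour window and the 06:00-22:00 UTC business-hours assumption are all illustrative choices, not figures from the article.

```python
"""Flag bulk outbound transfers that look like pre-extortion data exfiltration.

Input is a simple whitespace-separated egress flow log:
    <ISO-8601 UTC timestamp> <source host> <destination IP> <dst port> <bytes out>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample flows (not real logs). fileserver01 pushes ~2 GiB to an
# unfamiliar address at 01:00 UTC; backup02 pushes 2 GiB to its usual target.
SAMPLE_FLOWS = """\
2023-06-01T01:02:10Z fileserver01 203.0.113.7 443 734003200
2023-06-01T01:04:33Z fileserver01 203.0.113.7 443 812000000
2023-06-01T01:09:51Z fileserver01 203.0.113.7 443 655360000
2023-06-01T09:15:00Z fileserver01 198.51.100.20 443 120000
2023-06-01T09:20:00Z workstation12 198.51.100.20 443 45000
2023-06-01T10:00:00Z backup02 192.0.2.50 22 2147483648
"""

# Constructed per-host baseline: destinations seen over the previous 30 days.
# 192.0.2.50 is the (assumed) offsite backup target, so its large transfer is routine.
BASELINE = {
    "fileserver01": {"198.51.100.20"},
    "workstation12": {"198.51.100.20"},
    "backup02": {"192.0.2.50"},
}


def parse_flows(text):
    """Parse flow lines into dicts, sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return sorted(flows, key=lambda f: f["ts"])


def detect_exfil(flows, baseline, threshold_bytes=1 << 30,
                 window=timedelta(hours=1), business_hours=(6, 22)):
    """Return findings for (src, dst) pairs whose peak bytes within any sliding
    `window` exceed `threshold_bytes` AND that are suspicious for at least one
    reason: the destination is absent from the host's baseline, or the transfer
    starts outside business hours (hours given in UTC, an assumption)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    findings = []
    for (src, dst), recs in by_pair.items():
        # Two-pointer sliding window over the time-sorted records for this pair.
        start, total, best = 0, 0, None
        for end, rec in enumerate(recs):
            total += rec["bytes"]
            while recs[end]["ts"] - recs[start]["ts"] > window:
                total -= recs[start]["bytes"]
                start += 1
            if best is None or total > best[0]:
                best = (total, recs[start]["ts"])
        total_bytes, window_start = best
        if total_bytes < threshold_bytes:
            continue

        reasons = []
        if dst not in baseline.get(src, set()):
            reasons.append("destination not in 30-day baseline")
        if not (business_hours[0] <= window_start.hour < business_hours[1]):
            reasons.append("transfer starts outside business hours (UTC)")
        if not reasons:
            continue  # large but routine, e.g. the scheduled offsite backup job

        findings.append({
            "src": src, "dst": dst, "bytes": total_bytes,
            "window_start": window_start, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_exfil(parse_flows(SAMPLE_FLOWS), BASELINE):
        gib = finding["bytes"] / (1 << 30)
        print(f"{finding['src']} -> {finding['dst']}: {gib:.2f} GiB from "
              f"{finding['window_start']:%Y-%m-%d %H:%M}Z; {', '.join(finding['reasons'])}")
```

In practice the baseline would come from the same flow source aggregated over a trailing period, and the threshold should be set per host class (a backup server legitimately moves far more data than a workstation). The point of the example is the structure: volume alone is noisy, volume to a never-before-seen destination at an odd hour is a much smaller and more actionable set, and it is exactly what a leak-only extortion crew produces before the ransom note arrives.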

Attacks Targeting VMware ESXi Servers

A large share of currently active ransomware groups now ship a VMware ESXi encryptor; examples include Abyss, Akira, AvosLocker, Black Basta, LockBit, RansomExx and Royal. This shows that modern ransomware groups adapt and evolve to circumvent defenses and target the platforms organizations actually run on. It is the same reason groups increasingly write their payloads in Rust and Go: both cross-compile easily for Linux targets such as ESXi and are less thoroughly covered by existing detection signatures. If you are unfamiliar with VMware ESXi, it is a bare-metal hypervisor that hosts virtual machines; encrypting the datastore files (virtual disks and VM configuration) on a single host takes down every VM running on it at once. In other words, ransomware groups target not only your endpoints and servers but also the hosts your virtual machines run on.

This trend made headlines when ransomware dubbed ESXiArgs compromised thousands of servers worldwide within a few days in February 2023. The targets were unpatched, internet-exposed ESXi hosts (most likely via CVE-2021-21974 in the OpenSLP service), and the attack was automated. The campaign illustrates why organizations must keep systems patched, and why management interfaces such as a hypervisor's should never be exposed to the internet unnecessarily.

How Can Enterprises Safeguard Their Data in the Face of These Trends?

While these trends represent the latest in ransomware, enterprise security teams should focus on a few tried-and-true practices: hardening the network perimeter and endpoints, maintaining incident response capability, and training staff against social engineering. Zero-trust architectures can go a long way toward limiting how far a ransomware intrusion can spread in today's environment. Other preventative actions organizations can take include:

  • Implementing email security controls such as automatic scanning of attachments and links for ransomware and other malware.

  • Inspecting TLS-encrypted traffic at the network perimeter, since an increasing share of malware is delivered over encrypted channels.

  • Backing up systems regularly and keeping copies on separate servers and networks. Backups should be taken as often as practical, and at least one copy should be kept offline or on an isolated network so that an encryption event (or an attacker holding domain admin) cannot destroy them.

  • Keeping your company's software and systems current with the latest patches and updates, prioritizing internet-facing services.

  • Running endpoint protection with behavioral and heuristic detection, not just signature-based matching.

  • Training employees to recognize phishing attempts and other social engineering. Training should be ongoing and interactive (e.g., simulated phishing the user actually has to respond to), not merely a question-and-answer test.

  • Knowing your internet-facing attack surface and its risks (open ports, exposed services, data that could leak) and hardening or removing that exposure wherever possible.

So far, 2023 hasn't seen seismic changes in ransomware trends and practices. Ransomware threat actors are still operating within the same ecosystem, leveraging initial access brokers (IABs), DDoSing victims and coercing payments from not only the victims but their customers and clients.

Enterprise security teams can position themselves to recognize and respond to ransomware threats by keeping abreast of attackers' tactics, techniques and procedures (TTPs) and adopting a defense-in-depth security posture. While ransomware operations have grown in complexity, a multi-layered approach remains the best defense.
