What Every CEO Should Know About Modern Ransomware Attacks
Written by Yaki Faitelson, Co-Founder and CEO of Varonis.
Like most businesses, cybercriminals have adapted and adjusted over the past two years. Modern attackers have learned to launch more destructive ransomware campaigns while becoming more efficient and adept at evading law enforcement.
We now see ransomware gangs quickly rebrand themselves after a disruption, with new names and new infrastructure. DarkSide, the ransomware group behind several prominent attacks, seems to have rebranded as BlackMatter.
With each reinvention, ransomware gangs can come back stronger, learn from their experiences and take advantage of new techniques and vulnerabilities. They have a wealth of evolving tools in their arsenals, many vectors to get to the data they’re after and myriad ways to avoid detection after infiltrating victim organizations. Different names, same potent punch.
The takedown of the REvil ransomware gang and a hacker allegedly behind the Kaseya supply chain attacks, along with the reported shutdown of BlackMatter, are notable and encouraging.
But there’s no time to relax. Keeping cybercriminals down is like putting out a fire in a dry forest — you can extinguish one, but flare-ups can happen anywhere, at any time.
The Business Of Ransomware
Attackers mean business. There is a lot of money to be made, fueling development and innovation. Regulating cryptocurrencies to make them less anonymous is a logical tactic, but cybercriminals are already switching to digital currencies that are harder to track, like Monero. Until the incentives change, business leaders should expect that successful ransomware gangs will continue to reinvent themselves, refine their techniques and go after critical data.
No matter what name they go by, these cybercriminal groups typically use an efficient ransomware-as-a-service (RaaS) model that allows independent attackers to get up and running quickly. Attackers can leverage a RaaS platform, along with their own tools and tricks, to target victims and hold their data hostage — twice. Attackers now use a double extortion model, where victims must pay to get their data back and pay again for the promise that the attackers won’t leak stolen data.
Today’s cybercriminal gangs are doing more than stealing and encrypting victims’ data. Attackers have been known to delve through a company’s files to uncover how much their cyber insurance will pay in the event of an attack; they then set the ransom to that amount.
Cybercriminals Sharpen Old Tricks, Surprise with New Ones
BlackMatter tampered with access controls — the security settings that determine who can access what data on your network — and broke them so that every employee could access massive amounts of data. In other words, they’re not just breaking into the vault; they are blasting it open and leaving companies even more vulnerable to future attacks.
Nation-states and cybercriminal groups, like one identified as FIN7, are actively recruiting corporate insiders — employees and others who are already on the company’s network. The FIN7 group also reinvented themselves and sharpened old tricks. Other attackers, like the OnePercent Group, leak small amounts of stolen data to pressure organizations to pay. Attackers are also getting personal by threatening to release mental health records if clients don’t pay up.
How to Make Yourself a Tougher Cybersecurity Target
With so much money to be made, attackers are not going to quit. Your mission is to make your cyber defenses just as resilient as the ransomware gangs. Here are four ways to make your organization more resilient to data-related threats:
- Check for weak and reused passwords and enable multi-factor authentication (MFA). This critical step is one of the simplest steps you can take to protect your company. The BlackMatter gang (and other groups) is known to grab usernames and passwords found in data breach dumps on the dark web. They try out every credential in an attempt to brute-force internet-facing systems and gain access.
- Be on alert for unusual activity. If your company is like most, your employees and contractors stick to daily work schedules, access the same files and use the same devices from known locations. Unusual activity — like logging in from a new location and accessing files that are not needed for work — can indicate compromised accounts or devices. Unusual activity, especially if it is associated with administrative and service accounts, should be investigated with high priority.
- Watch your data for signs of ransomware attacks. Ransomware doesn’t behave like your HR specialist or your accounting team. When ransomware is deployed, it will rapidly begin to encrypt files it can touch. The account activity may be associated with an employee, but it could be a compromised user account. An automated ransomware program will usually touch and change files sequentially and quickly, behaving differently than a human user.
- Take a data-first approach. Even with the explosion of endpoints, most data now syncs with and “lives in” large, centralized repositories on-prem and in the cloud. Since there are so many vectors to get to your data, even if you could anticipate and monitor them all, you’d drown in security alerts. Instead of starting from the outside in with all the endpoints and vectors, it’s much more practical to start by protecting your large, centralized repositories — and work from the inside out.
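One way to turn the "rapid, sequential file changes" signal from the third point into a detection rule, as an added example that is not code from the original article or from Varonis: it replays constructed file-activity events and flags any account that modifies five or more distinct files inside a one-minute window. The log format, account names, paths and threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-activity events (not real logs): ISO time, account, action, path.
# "alice" edits a couple of files over a morning; "svc_backup" mimics an automated
# encryptor walking a directory and rewriting files a few per second.
SAMPLE_LOG = """\
2021-11-03T09:01:12 alice modify /shares/finance/Q3-forecast.xlsx
2021-11-03T09:14:40 alice modify /shares/finance/Q3-forecast.xlsx
2021-11-03T09:30:05 alice modify /shares/finance/notes.docx
2021-11-03T13:02:00 svc_backup modify /shares/hr/a.docx
2021-11-03T13:02:00 svc_backup modify /shares/hr/b.docx
2021-11-03T13:02:01 svc_backup modify /shares/hr/c.docx
2021-11-03T13:02:01 svc_backup modify /shares/hr/d.docx
2021-11-03T13:02:02 svc_backup modify /shares/hr/e.docx
2021-11-03T13:02:02 svc_backup modify /shares/hr/f.docx
"""

WINDOW = timedelta(seconds=60)   # sliding observation window per account (assumed)
THRESHOLD = 5                    # distinct files changed inside one window (assumed)

def parse_log(text):
    """Parse one event per line into (timestamp, account, action, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), account, action, path))
    return events

def detect_mass_modification(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: {"at": first_trigger_time, "files": distinct_count}} for every
    account that changes at least `threshold` distinct files within `window`.
    Events are processed in time order with one sliding-window deque per account."""
    recent = defaultdict(deque)   # account -> deque of (time, path) still inside the window
    flagged = {}
    for ts, account, action, path in sorted(events):
        if action not in ("modify", "rename", "delete"):
            continue              # reads alone are not the encryption signal
        q = recent[account]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and account not in flagged:
            flagged[account] = {"at": ts, "files": len(distinct)}
    return flagged
```

In practice the threshold is tuned per repository against a baseline of normal user behaviour, and service accounts deserve the lowest threshold, as the second point above notes.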
Most organizations don’t realize how much data is overly accessible and unwatched. One compromised user has the potential to access and put so much sensitive data at risk — an unacceptably large blast radius.
If you want your business to become as resilient as ransomware groups, you need to start with your biggest advantage. You know what attackers want — your data. By systematically making data harder to get to and watching it more closely, you make the attacker’s job far trickier.
This article first appeared on Forbes.