Ransomware is steadily shifting from opportunistic attacks to targeted attacks, according to researchers at security firm Flashpoint.
The emergence of ransomware-as-a-service offerings is driving more sophisticated strains of ransomware, and while basic cyber hygiene guidance on patching vulnerabilities, storing backups offline and whitelisting applications is still valid, the researchers believe this is far from adequate.
To reduce the potential impact of ransomware attacks, firms should also focus on ensuring they have tried and tested capabilities to back up and restore critical data, as well as capabilities to gather intelligence on ransomware attacks, according to Christopher Elisan, director of intelligence at Flashpoint.
He believes the willingness of organisations to pay ransom to get back access to their files and restart business operations is giving ransomware threat actors motivation to shift to targeted attacks.
“With this shift come changes in their tools, techniques and procedures,” said Elisan. For example, ransomware used in opportunistic attacks typically relies on Tor sites that contain information on how to pay the ransom and communicate with the threat actors, but these sites can be viewed by anybody who has the link.
As a result, attackers are changing how they communicate with victims as they shift to more targeted attacks. Instead of using Tor sites, he said, the threat actors instruct victims to contact them via email, a more discreet channel that does not impose a penalty for failing to pay within a set time period.
“The victim is able to talk throughout the ransom process with the threat actors about the situation and even negotiate the price of the ransom,” said Elisan.
For private sector organisations, he said, the effect of ransomware is lost business. “Depending on the nature of the business, every day the organisation is offline or non-operational can mean hundreds of thousands, or even millions, in lost business opportunity.”
For public sector organisations, Elisan said the effects can include disruption of vital services such as power, water and other utilities.
“The effects of ransomware can also be fatal. Imagine a healthcare provider whose life support equipment relies on systems that are compromised by ransomware and as a result ceases to function.”
Because ransomware is delivered via a range of infection vectors, Elisan said that an intelligence program covering ransomware should track not only trends in the vectors that deliver it, such as email spam and exploit kits, but also the tools, techniques and procedures the threat actors use once they are inside a system.
“Having up-to-date information based on open sources and those that can be found in the dark web will give organisations the threat intel they need to act appropriately to improve their organisation's security posture,” he said.
For example, Elisan said Flashpoint’s initial discovery of GandCrab ransomware, while it was being advertised, led researchers to collect actionable intelligence regarding the threat and deliver the necessary information to mitigate an attack.
“In case of an imminent attack, having the threat intel of how the ransomware works will give us the tools we need to stop its spread if it's utilising lateral movement, or even create a vaccine if the ransomware employs encryption only if a condition is satisfied in the target system.
“But aside from having all of this intel and acting upon them to protect an organisation, when it comes to ransomware, having a good backup plan and restoration with minimal downtime is important. No matter how careful we are and how much information we have, there will always be victims. It is better to have in place preparations for the worst case scenario,” he said.
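The vaccine idea Elisan describes, as an added example that is not from the article or from Flashpoint: a small Python model of a strain whose encryption routine runs only if a guard condition holds, and the defender-side vaccine that pre-satisfies that condition so the routine exits early. The marker name, the locale exclusion list and the sample files are hypothetical constructions for illustration; the page does not describe GandCrab's actual checks, and this code does not model them.

```python
"""Model of a conditional-encryption guard and the matching 'vaccine'.

Added example, not code from the article. Every guard condition here is
hypothetical: real strains differ, and the intel that tells you which
condition a given strain checks is the whole point of the exercise.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Hypothetical guard inputs (assumptions, not taken from any real sample):
# a per-victim marker the malware drops so it does not encrypt twice, and a
# list of keyboard layouts whose presence makes the malware skip the host.
MARKER_NAME = "example-infection-marker"
SKIPPED_LAYOUTS = {"ru-RU", "uk-UA"}


@dataclass
class TargetSystem:
    """Just enough state for the guard: a filesystem root and installed layouts."""
    root: Path
    keyboard_layouts: set[str] = field(default_factory=set)


def guard_allows_encryption(target: TargetSystem) -> bool:
    """Pre-encryption check of the hypothetical strain.

    Encrypt only if (a) the marker is absent (host not already hit) and
    (b) none of the excluded keyboard layouts is installed.
    """
    if (target.root / MARKER_NAME).exists():
        return False
    if target.keyboard_layouts & SKIPPED_LAYOUTS:
        return False
    return True


def simulate_attack(target: TargetSystem) -> list[str]:
    """Benign stand-in for the encryption routine.

    Returns the relative paths that *would* be encrypted; nothing is
    modified. An empty list means the guard stopped the routine.
    """
    if not guard_allows_encryption(target):
        return []
    return sorted(
        p.relative_to(target.root).as_posix()
        for p in target.root.rglob("*")
        if p.is_file() and p.name != MARKER_NAME
    )


def apply_vaccine(target: TargetSystem) -> Path:
    """The vaccine: satisfy the strain's 'already infected' condition in advance.

    Only the marker is used here; the layout condition is deliberately left
    alone because changing system locale has side effects a defender may not
    want, and a vaccine should be the cheapest condition that still trips the guard.
    """
    marker = target.root / MARKER_NAME
    marker.touch()
    return marker


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: same host before and after vaccination, plus a
    host that the hypothetical strain skips because of its locale."""
    with tempfile.TemporaryDirectory() as tmp_a, tempfile.TemporaryDirectory() as tmp_b:
        root = Path(tmp_a)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx").write_bytes(b"constructed sample data")
        (root / "notes.txt").write_bytes(b"constructed sample data")

        host = TargetSystem(root=root, keyboard_layouts={"en-GB"})
        before = simulate_attack(host)
        apply_vaccine(host)
        after = simulate_attack(host)

        other = Path(tmp_b)
        (other / "report.docx").write_bytes(b"constructed sample data")
        skipped_host = TargetSystem(root=other, keyboard_layouts={"en-US", "ru-RU"})
        locale_skipped = simulate_attack(skipped_host)

    return {"before": before, "after": after, "locale_skipped": locale_skipped}


if __name__ == "__main__":
    for name, files in run_demo().items():
        print(f"{name}: {files}")
```

The caveat a practitioner would add: a vaccine is only as good as the intelligence behind it. It defeats one strain's one check, the operators can change that check in the next build, and a marker that a later variant treats differently buys nothing, so the vaccine sits alongside the backup and restore plan rather than in place of it.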
The importance of having a good backup capability was illustrated by the recent ransomware attack on Norwegian aluminium producer Norsk Hydro, which avoided paying a ransom and restored business operations from its data backups.
Despite using its own backups, initial estimates have put the financial impact of last week's ransomware attack on the Norwegian aluminium producer at up to around $41m.