Today, the No More Ransom (NMR) project turns three years old. Anomali joined the No More Ransom partnership on the 25th of March, and since then, organizations and the information security community at large have continued to observe devastating ransomware incidents around the world. These incidents typically cause challenging remediation efforts, operational headaches, and potentially large revenue loss. The most recent ransomware activity holds no surprises compared with what has been seen previously: victims of all sizes span all industries and verticals across the globe.
Figure 1. Notable publicly observed ransomware incidents from 26th March 2019
Ransomware will remain a popular attack type for financially-motivated cyber threat actors because, in most cases, it can be scaled and automated for maximum impact. In addition, there are multiple online locations where one could utilize Ransomware-as-a-Service (RaaS) and pay others to conduct cyberattacks. The scale of this threat is evident in the active observable data (domains, IPs, hashes, URLs, etc.) from the last 90 days in the Anomali ThreatStream platform, which shows ~460k indicators that have been marked with a “ransomware” tag from Anomali Threat Research and the wider Anomali Preferred Partner network.
Recent confirmed ransom payouts will also appeal to cyber threat actors and groups with the capability and potential intent. However, at the recent U.S. Conference of Mayors, which took place from June 28th to July 1st, a resolution was agreed to stand against “paying ransoms in the event of an IT security breach.” We wait to see whether this move is pursued further by other bodies and communities. The resolution follows the general advice from the information security industry and law enforcement: a ransom payment validates that the infection was successful, there are no assurances that the decryption process will work or that keys will be provided, and ultimately the payment further funds cyber threat actors and potentially other illegal activity.
Figure 2. No More Ransom third anniversary progress infographic
We look forward to continuing the supporting partnership with No More Ransom.
Ransomware prevention guidance:
Ensure you have a back-up plan. For data and files which you consider important or sensitive, create and store back-up copies securely.
Enterprises should maintain an effective defense-in-depth posture that is aligned to satisfactory risk management principles. This will encompass, but is not limited to, the use of asset and software inventories, robust endpoint protection, patch management, network segmentation and perimeter controls, operationalized cyber threat intelligence, and appropriate management of accounts and authentication mechanisms.
Everyone should be wary of links and attachments in emails, particularly those arriving from unknown senders or with unusual requests.
Stay abreast of the latest cyber threat information. Subscribe to the Anomali Weekly Threat Briefing, and actively participate in trusted industry and regional threat intel sharing communities.
Figure 3. No More Ransom third anniversary partner infographic