I’ve seen a number of reports over the past few months saying that ransomware attacks are on the decline. The IBM X-Force Threat Intelligence Index, for example, saw a significant drop in ransomware, as cybercriminals aren’t using this type of attack as the primary vector for financial gain.
On the surface, this appears to be really good news—ransomware attacks are down!—but it is also misleading. The type of ransomware most of us are most familiar with might be decreasing, but cybercriminals have shifted their focus to network file encryption and going after cloud services.
According to new research from Vectra and announced at the recent Black Hat conference, malicious encryption of shared network files is now the biggest threat from ransomware.
“Early in its life ransomware focused on the consumer market,” said Chris Morales, head of security analytics at Vectra. “The network file encryption is the same as what was used in attacks like WannaCry except it is now targeted and dropped as an encryption module instead of a full-featured propagating malware with worm behaviors.”
The Peril of Downtime
No matter the type of ransomware, its most devastating effect on an organization is the downtime. Yes, the hackers may demand thousands to millions of dollars in bitcoin, but when a system is down for any length of time, organizations and governments (as cities are an increasingly frequent target for attack) lose millions in lost and rescheduled business operations.
“Organizations hit by a ransomware outbreak find themselves in an all-hands-on-deck emergency that requires complete attention to restore systems immediately while business functions are held hostage,” the Vectra report stated. “Downtime becomes worse when the target is a cloud service provider and the systems encrypted are those of its customers.”
In 2019, Morales noted, cloud hosting firms DataResolution.net and iNSYNQ were hit by ransomware attacks that caused the business operations of more than 30,000 customers to come to a screeching halt. In 2019, the opportunistic tactics of ransomware evolved into well-thought-out targeted attacks with strains including LockerGoga, Ryuk (which hit DataResolution.net), MegaCortex (which hit iNSYNQ), GandCrab and Dharma.
“Ransomware is introduced to already-compromised networks instead of randomly searching for targets,” he said. “Attackers can cause significantly more damage and make far more money by encrypting multiple file servers and databases.”
Getting the Most From Ransomware Attacks
The goal of a ransomware attack is to hit quickly and cast a wide net. Optimally, the ransomware will encrypt beyond local files. This is why network file encryption is so attractive to cybercriminals.
“In a volume-sharing system, a single infected host could encrypt an entire networked volume, resulting in a global impact on the target organization’s business and systems,” the report stated.
Backup systems, the lifesaver for any organization hit with a ransomware attack, are also at risk in enterprise file encryption. The more data that can be shared across the enterprise, the more vulnerable it is to exposure, and that includes exposure to an infected system. And when cloud services are under attack, backup systems are at risk. A well-executed ransomware attack with these new strains can take down the data on your network and the backup, leaving your organization paralyzed.
The best form of protection is to identify the early signals of a ransomware attack before it starts encrypting network file shares, advised Morales.
“If files do start to encrypt, organizations need a way to detect that network file encryption as it occurs,” he said. “More importantly, they should already have an incident response plan and playbook on how to react including who is involved and what countermeasures are available.”
It is difficult to stop, Morales added, but it can be defeated.
“There are many precursor signs to a ransomware attack that can be detected and responded to, before a ransomware attack succeeds. Continuous monitoring for network behaviors to proactively detect and respond to attacks does give an organization an opportunity to save themselves from the loss of data.”
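Morales's point about detecting network file encryption as it occurs can be illustrated with a small detector over file-server audit events. This is an added example, not code from the article or from Vectra: the log format, the sliding-window thresholds and the sample events are all constructed assumptions, and the logic simply flags a single client host that rewrites or renames a burst of files on a share where most of the resulting names carry an extension not seen in normal use.

```python
"""Added example: flag hosts that rewrite many files on a network share in a short
window, the behaviour of network file encryption. Log format and thresholds are
assumptions for illustration, not Vectra's detection logic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)      # assumed sliding window per client host
MIN_EVENTS = 20                     # assumed burst size before we consider alerting
MIN_NEW_EXT_RATIO = 0.5             # assumed share of events yielding an unknown extension
BASELINE_EXTS = {".docx", ".xlsx", ".pdf", ".txt"}   # assumed extensions normal for the share


def parse(line):
    """Audit line format (assumed): '<ISO time> <client host> <action> <path on share>'."""
    ts, host, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, action, path


def detect_mass_encryption(lines, baseline_exts=BASELINE_EXTS):
    """Return {host: (events_in_window, events_with_unknown_extension)} for every
    host whose WRITE/RENAME burst within WINDOW crosses both thresholds."""
    window = defaultdict(deque)     # host -> deque of (timestamp, unknown_ext_flag)
    alerts = {}
    for line in lines:
        ts, host, action, path = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue                # reads and deletes are not the signal we want here
        unknown_ext = PurePosixPath(path).suffix.lower() not in baseline_exts
        q = window[host]
        q.append((ts, unknown_ext))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()             # drop events that fell out of the sliding window
        n_unknown = sum(flag for _, flag in q)
        if len(q) >= MIN_EVENTS and n_unknown / len(q) >= MIN_NEW_EXT_RATIO:
            alerts[host] = (len(q), n_unknown)
    return alerts


def constructed_log():
    """Constructed sample: ws02 saves a few spreadsheets; ws17 rewrites 25 documents
    and renames each to a '.locked' name within 25 seconds."""
    base = datetime(2019, 8, 5, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=20 * i)).isoformat()} ws02 WRITE finance/report{i}.xlsx"
             for i in range(5)]
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} ws17 WRITE finance/q3/doc{i}.docx")
        lines.append(f"{t} ws17 RENAME finance/q3/doc{i}.docx.locked")
    return lines


if __name__ == "__main__":
    print(detect_mass_encryption(constructed_log()))   # {'ws17': (50, 25)}
```

In production the same window logic would run over SMB or NAS audit logs, and the alert would hand off to the incident response playbook Morales describes.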