Ransomware had its humble beginnings as a common threat to the average Joe, but the statistics show that not only are the attacks growing more complex, they also pose an even bigger threat to businesses. The spoils from a successful cybercriminal campaign against a business are proving to be much more rewarding: the FBI notes that ransomware numbers have stayed more or less the same for regular citizens but rose over 300% for businesses.
This number reported by the FBI is even more staggering because private businesses have no obligation to report these attacks, meaning the actual number is likely significantly higher. The other major target for ransomware has been publicly funded institutions. In 2019, cybercriminals hit over 100 government agencies, 89 universities, over 1200 public schools, and at least 700 healthcare providers. Attackers learned that these institutions are continuously funded, but also that those funds are stretched thin, so their budgets cannot afford higher tiers of cyber security.
Ransomware attacks on businesses began very primitively but have since grown into a far more dangerous enemy. For example, in 2015 a hacker group called Chimera targeted countless citizens with its scareware programs. Victims were locked out of their devices and forced to pay up if they did not want their data leaked online. These were in fact empty threats, and Chimera didn’t actually siphon any data from these people, but the threat itself was usually enough to get them to open their wallets. The problem years ago with actually extracting data was the sheer volume involved: at the scale of these attacks, exfiltration would mean handling hundreds of terabytes of data. The cloud infrastructure available these days allows hacker groups to collect and store stolen data in a way that is much more affordable and easy to manage. In 2019, when a group called Maze successfully stole the data of countless citizens of Pensacola, Florida, these were no longer empty threats: the people’s information was published on multiple websites hosted by ISPs in Ireland and then Singapore.
Although vintage “spear-phishing” and insecure RDP connections remain active methods of distribution for ransomware, new attacks are proving to be very fruitful. Many attackers buy access already achieved by other attackers in deep web marketplaces. Having access to hacked PCs and servers makes it a walk in the park to deploy your own ransomware on the victim. A relationship became very clear between the hacker groups Emotet, Trickbot, and Ryuk: the organizations were found to attack the same victims, in that order. Emotet and Trickbot would stick to the simpler stuff, such as fraud and theft. But when Ryuk wormed its way in, the attack became a lot more composed and tactical. Its program would begin tampering with administration tools and disabling endpoint malware detection. After getting comfortable in the environment, Ryuk’s malware would identify the most lucrative targets and stage a massive hit in hopes of a huge payout.
When helping infected victims recover their files without giving in to the ransom, security companies are finding it harder and harder to decrypt the files. This may be due to the open source nature of ransomware. If you’re deep in the dark side of this cyber warfare, you know where to look to find the bare code of malicious programs. This allows the hackers to work together and combine their strengths to make encryption that cannot be broken. The most popular ransomware programs have become the most dangerous because their strong encryption algorithms have no known decryption. Therefore, businesses should back up all of their files, and those backups must be kept off site and off network in case of an attack.
There are several ways to augment your defenses against these new and improved cyber attacks. Internal and external penetration tests can help you identify systems that are vulnerable. Networks should always be kept fully patched, both in their operating systems and in the programs they run. Furthermore, a hierarchy of privileges should be established so that a single employee getting infected cannot let the malware work its way up to a full network takeover. Most ransomware infections start with a single employee’s workstation, so limited privileges and removing unnecessary plugins are a must. Finally, if you do get infected, know who to call for help and who to report the incident to. Don’t take ransomware lightly, and always act fast.