Email has historically been the undisputed champion of ransomware attacks. Today, it is still the number one delivery method for an attack. But. as businesses shift to the cloud environment, so do emails and, so do attackers.
The days where ransomware attacks were sent to users directly are not that far gone, these direct or “first stage” attacks peaked in 2017 during the Locky ransomware outbreak and are still very much a threat to organizations today. At their height, one million such attacks were detected every day. Yet attack damage – and therefore ransoms – were limited, often ending in one infected machine that could be fixed by restoring from a previous backup.
To address these attacks, IT and information security teams in corporate settings would develop a runbook to deal with ransomware incidents on a single laptop or host, treating it in some ways as stolen hardware and simply reformatting and moving on.
But with the rise of cloud and connected devices threats to an organization became more sophisticated. On one hand, businesses toughen their systems and networks to increase protection; on the other, attackers also improved their tactics, looked for new ways of entry and developed new threat vectors.
The way that cyber attackers are working today, has evolved greatly since the one-off email into a random inbox. Attackers are becoming increasingly savvier and as with any industry, developing new ways to work in achieve their goals.
In 2018, ransomware attackers leveraged cybercriminal organisations – mostly banking trojan distributors – to install “access facilitators”. Access facilitators could be trojans distributed to an organization’s network frequently through email with malicious links or attachments. Although seamless these could get quietly downloaded into systems backdoors providing hackers with access to multiple entry points to an organization. On the face of it, it may look like there is no ransomware attack, or even a threat, as these would be operating unbeknownst to users.
This type of attack allowed hackers both choice and flexibility, deploying the ransomware if attackers have the correct target or use the access to move laterally and escalate privileges.
Today, the majority of large-scale ransomware attacks still starts out with access to a limited machine or identity and involve escalation or privileges or lateral movement, with the intention of remaining dormant until they are able to access information and machines that will allow them to command a high ransomware payment. This makes it imperative that organizations adopt a preventative outlook into their systems, policies and networks, instead of a reactive approach to a threat. This is increasingly more relevant as in many cases, attackers will sell on the access to other actors who do focus on ransomware.
Other avenues for ransomware deployment include software flaws, VPN’s, Remote Access Protocols, and other external-facing applications. However, attackers preferred initial access method remains email, especially where organizations have secured Remote Access and VPN vulnerabilities. The reason – it is easier to trick people than utilise software or configuration vulnerabilities. This highlights the need for organizations to train their employees against phishing and other cyber attacks ensuring that employees can recognize and avoid security risks.
Proofpoint, a BSI technology partner, has also observed Ransomware threat actors currently carry out “big game hunting,” conducting open-source surveillance to identify high-value organizations, susceptible targets, and companies’ likely willingness to pay a ransom.
Understanding the most common threats, setting up strict and up to date processes as well as technology, is the best way to prevent an attack and ensure that people and organizations are protected.
BSI’s latest webinar: “Ransomware: how to understand, mitigate and address impact” joined Stephen Bowes, Global Practice Director, Data Management and Security Technologies at BSI, with Nicola Orlandi, Head of Global Data Privacy at Bausch Health in a discussion about ransomware attacks. Together they analysed the anatomy of a ransomware attack, identified steps that can be taken to mitigate the risk and how can organizations reduce the impact when faced with an attack. The webinar recording is now available in this link.
Stephen Bowes
