Alert: Corporate double-tap ransomware on the rise
Over recent years there has been an alarming evolution in the ransomware scene. eCrime gangs have moved from targeting single endpoints to compromising entire corporate networks before deploying increasingly sophisticated ransomware variants. In the last quarter, the average ransom increased a staggering 33% to $173,000 NZD. Looking at it with a wider lens, there has been a tenfold increase in the average ransomware payment in less than two years. One reason for this increase is a change in strategy, coined the ‘double-tap’: attackers first steal sensitive data, then encrypt the network. They prove they hold this data and use it as leverage to coerce the victim into paying the ransom, so a restore from backup alone no longer removes the pressure to pay.
Every industry is now a target. Threat actors do not care whether your business supports essential services like finance, critical infrastructure, or health care. Nor do they care if you operate in the retail, logistics, or manufacturing sector. In the media we have seen organisations like Maersk, FedEx, Toll Group, Lion brewing and VetEnt hit – from multinational conglomerates through to a New Zealand-based veterinary chain. To bring it firmly into a New Zealand context, in recent times we at InPhySec have responded to numerous ransom attacks, from global exporters and professional service companies to clothing boutiques and panel beating workshops. The narrative that a business is only a target if it transacts millions or keeps sensitive data is not aligned with reality. A business will go to great lengths to continue to operate, and that mentality is the true target of ransomware crews.
Who are these eCrime gangs and how do they get in? The names of the big players and the strains of malware they drop vary each month. Naming them is counterproductive, as it adds credibility to their group; knowing their tactics, however, is the best way to defend an organisation. Over 50% of ransomware attacks occur through compromise of exposed Remote Desktop services. Organisations need to ensure they have secure remote access solutions in place to support staff and business functions, such as a VPN and Two-Factor Authentication, rather than exposing Remote Desktop directly to the internet. The second most common breach vector for ransomware crews is the social element – email phishing. Having a secure email gateway that scans email attachments on their way through will help to mitigate this threat, along with security awareness and training for staff. The third is through software vulnerabilities. Patch, patch, patch.
Even with a strong remote access solution, strong email hygiene and a solid patching process, organisations may still get breached. A staff member might own a compromised machine that has connectivity into the corporate network, Dave may open an attachment, or an attacker might be exploiting a recently disclosed vulnerability that has not been patched yet. In all three cases, which together equate to more than 90% of total ransomware cases globally, there is a single control next in line that can stop the crew in their tracks: Endpoint Detection and Response. The best security investment is the most powerful EDR you can buy. With EDR’s ability to detect both known and unknown attack behaviours, most ransomware is easily identifiable and can be terminated before any damage is done to a system. In all of the cases we have responded to in New Zealand recently, the ransom would have been prevented with EDR. This is reinforced by the many attacks we have defeated.
These threat actors gravitate towards the weakest links. Make sure your Endpoint Detection and Response capabilities are as strong as possible, and supported by specialists who care about the continued success of your organisation.
Written by Thomas Crisp, Technical Director, Offensive Security