By Bob Maley, CSO at Black Kite
After last year’s good fight against ransomware gangs, CISOs thought they won. Overall attacks were down and ransom payments dropped 40%. In fact, this year even brought some false hope: several reports indicated ransomware was in decline. Rumors spread that hackers were actually being laid off due to the reduction in extortion money.
We were wrong, again – and the hackers capitalized on our complacency. While we celebrated the decline, they regrouped and got stronger. With the start of the new year, new players emerged and mass-ransomware attacks plagued major businesses. In fact, the number of ransomware victims announced in March 2023 was nearly double that of April 2022 and 1.6 times higher than the peak month in 2022.
CISOs can’t afford to be blindsided again. It’s time to understand the complexities of the ransomware landscape to close the agility gap once and for all. By recognizing today’s top vulnerabilities, culprits and strategies for resilience, leaders can get ahead of attacks and never underestimate a quiet period again.
The Evolving Landscape: New Trends and Targets
According to the new Ransomware Threat Landscape 2023 Report, ransomware attacks experienced a period of stagnation last year as several major ransomware groups were shut down. Various other external factors also contributed to a decrease in attack frequency. However, the lull came to a sudden end in 2023 as new ransomware gangs such as Royal, BianLian, and Play hit the scene. The time was ripe with opportunity, with advanced AI and ML technology creating new vulnerabilities, as well as geopolitical tension and economic turmoil rising. Coupled with mass-ransomware attacks that were executed by major players like Lockbit and Clop and new trends like encryption-less ransomware, the battlefield has gotten serious.
The rise in ransomware should be on every organization’s radar – but several industries are at particular risk. From April 2022 through March 2023, Manufacturing and Professional, Scientific, and Technical Services accounted for nearly 35% of all ransomware victims. Educational Services, Retail Trade, and Health Care and Social Assistance accounted for 17%. The United States was the top targeted country, accounting for a staggering 43% of all victim organizations.
The report also uncovered ransomware groups often target companies with annual revenues of around $50M to $60M, as they may have the financial resources to pay ransoms but potentially lack the robust security and resilience measures of larger corporations. However, organizations of all sizes must still beware; many are targeted through third-party vendors that fit this profile. In fact, ransomware was the second most common cause of third-party cyber breaches in 2022.
Whether your organization fits the bill or not, chances are a vendor (or a vendor’s vendor) does, and in turn, is vulnerable to ransomware attacks that could cripple your own operations. Ignorance may be bliss in some situations – but here, it’s expensive and devastating. The first step toward preparation is understanding warning signs and thinking like a hacker.
On The Radar: Top Criminals Seek Common Vulnerabilities
According to the report, LockBit Ransomware Group, which was responsible for 29% of attacks over the last 12 months, remains the top player in the cyber-criminal space. What makes them so effective: LockBit has a dedicated team of hackers and operators responsible for ransomware development and deployment. They view themselves as a business rather than a criminal operation.
The other top ransomware gangs in the last year include AlphaVM (BlackCat), responsible for 8.6% of attacks, and Black Basta, a ransomware-as-a-service (RaaS) group responsible for 7.2% of attacks. Lastly, Clop was responsible for 4.8% of attacks. The group resurfaced this March, announcing over 100 victims and launching a mass-ransomware campaign that exploited a high-severity Fortra GoAnywhere vulnerability.
No matter the gang, the vulnerability criteria remain mainly the same. Poor email configuration (such as missing DMARC records) is present for 67% of victims, leading to successful phishing and spear-phishing campaigns, allowing attackers to gain an initial foothold in the organization’s network. Sixty-two percent of victims saw leaked credentials as a component of their attack, which provides attackers with easy access to systems and networks, enabling them to bypass security controls and move laterally within the organization. Lastly, public remote access ports account for 42% of victim attacks.
In today’s rapidly evolving threat landscape, organizations must remain vigilant to these common vulnerabilities. It is crucial to note that many ransomware victims are also third-party vendors for other organizations. Monitoring these common ransomware indicators in third parties is essential to reduce the risk of being targeted by ransomware via a distant entry point in your extended network.
The Three Phases Toward Agility & Resilience
Ransomware groups are evolving into new-age tech companies with sales teams, customer success departments and more. Every action is geared toward expanding their illicit businesses – and they’re moving faster than the good guys can keep up with.
Getting informed with the latest data on ransomware trends is the first line of defense – but your approach shouldn’t end there. Ensuring agility and protection can be broken into three main phases: prevention, response, and recovery.
Prevention is proactive: Taking a proactive approach to internal security measures can greatly reduce the likelihood of a ransomware attack. There are a number of best practices to ensure your organization is not an attractive target for ransomware groups, such as to monitor your ransomware indicators (such as checking for open critical ports or leaked credentials), regularly backup critical data and systems to allow for quick recovery, and develop a comprehensive incident response plan.
However, implementing internal measures alone still leaves the door half open. To mitigate the risk of ransomware attacks due to third-party vendors, organizations should also evaluate the cybersecurity posture of third-party vendors using sophisticated tools, require vendors to adhere to industry best practices, perform regular audits of vendors’ security practices and more.
Response is rapid: In the event of a ransomware attack, taking immediate action is critical to mitigate the damage. Steps to take when hit by a ransomware attack include isolating affected systems to prevent spread, notifying relevant authorities and stakeholders, engaging with cyber experts for remediation options and documenting the incident for future reference and potential legal actions.
Recovery is resilient: After a ransomware attack, it is crucial to learn from the experience and strengthen your organization’s cybersecurity defenses. Post-attack steps include conducting a thorough analysis of the incident to identify root causes and vulnerabilities, implementing recommended security measures to prevent similar attacks in the future, and sharing information about the attack with relevant parties and collaborating with industry peers to improve overall cybersecurity.
Looking Ahead: Remaining Vigilant Amid Resurgence
Don’t let any lull fool you – the current state of ransomware is growing more dangerous by the month. With new players, bigger attacks and economic volatility that’s causing some businesses to cut staff and innovation, we can expect disruption to continue throughout 2023.
It may feel as though there’s no way to beat the adversaries. Ransomware criminals have no ethics, and therefore, can increase agility without the concerns of a responsible business. But when examining the data, you’ll find the answers for agility and resilience right in front of you. By implementing a combination of internal security measures and third-party risk management, organizations can stay off the radar of ransomware groups, protect sensitive data, and minimize the potential damage caused by ransomware attacks. It takes a village — let’s work together to ensure resurgences are a thing of the past.
About the Author
Bob Maley, Inventor, CISO, Author, Futurist and OODA Loop fanatic is the Chief Security Officer at Black Kite, the leader in third-party cyber risk intelligence. Prior to joining Black Kite, Bob was the head of PayPal’s Global Third-Party Security & Inspections team, developing the program into a state-of-the-art risk management program. Bob has been named a CSO of the Year finalist for the SC Magazine Awards and was nominated as the Information Security Executive of the Year, North America. His expertise has been quoted in numerous articles for Forbes, Payments.com, StateTech Magazine, SC Magazine, Wall Street Journal, Washington Post, Dark Reading and more.
Bob can be reached on LinkedIn and at our company website https://blackkite.com/
Source: www.cyberdefensemagazine.com