Ransomware attacks are on the rise, causing more damage than ever. One would think that we have improved in backups, detecting lateral movements, admin account takeovers and encryption efforts. This should have defeated ransomware, but it has not.
I would argue that the ransomware attack vector that encrypts data on our networks has mostly dissipated in popularity and potency. It currently accounts for less than 25 percent of all ransomware attacks, according to our internal tracking based on visibility into several ransomware gangs. However, ransomware attacks involving data exfiltration and extortion over disclosure are causing more damage than ever. These attacks do not require full access to the victim’s infrastructure. Sometimes, these are just small-scale breaches that yield an unfathomable amount of confidential data. Our new level of defense should concentrate on detecting and stopping data exfiltration attempts.
A big change in ransomware is the propensity of companies not to pay the ransom demand. The change in philosophy is often based on legal requirements, insurance coverage, backup availability, risk management and industry standards. While there are very few guidelines against paying ransom, these stoic stances are admirable and a significant change from several years ago when ransom payments were common. Today, threat actors spend as much time breaching systems as they do in their attempts to get ransom payments. However, when a company or industry proves to be both vulnerable and more willing to pay ransom, many threat actors concentrate on it.
UnitedHealth is a good example of a company that paid a significant ransom to the Blackcat ransomware gang and then, just two months later, supposedly made another payment to the RansomHub threat group. This signals easy prey for other threat actors. The healthcare sector, which was mostly spared from cyberattacks during the COVID pandemic, is now being targeted more viciously and numerously as there is a perception of significant gains and infamy.
However, healthcare is a moving target. After breaches involving Caesars Entertainment and MGM, the entire hospitality industry was a target of attacks. Interestingly enough, it was not because of the MGM outage and response but because of the revelation that Caesars paid the ransom.
Another factor contributing to the increase in ransomware attacks is the mean time between a vulnerability and a breach. It used to be months until the bad guys paid attention to an infected system. Then days, then hours. Today, if something is highly vulnerable, some ransomware gangs measure their ability to get in and start data exfiltration and encryption efforts in minutes. Our defenses may struggle to keep up, and if you are relying solely on a human response, it may be too late by the time you get to look at the alert.
Velocity of exploitation can also be attributed to use of AI threat actors to qualify targets for attacks and consequent exploitation. Yet, our defenses are greatly benefiting from use of AI that can mitigate multiple factors, including lessening rate of infections, correlating attack patterns and seeing through stealthy approaches, and quickly isolating infections, encryptions or exfiltration ahead of human intervention.
Overall, as defenders, we are fighting a good fight, and it is amazing how far our awareness and technology have come to help our defenses. Still, we need to be more robust and keep up with the latest ransomware attack trends to minimize cybercriminals’ gains.