Ransomware broke new records in 2021, as cyber-criminals continued to exploit corporate security gaps and the new working patterns of the pandemic era. One estimate puts the volume of global attacks at 470 million by the end of Q3, a 148% increase on the same period in 2020. If IT and security leaders thought the worst was over, they need to think again: in the first few weeks of 2022 alone, threat actors have been out in force. Organizations as diverse as fashion giant Moncler, marketing leader RRD and storage vendor QNAP were among the first to suffer.
The question is: what happens next? Recent high-profile arrests have sent shock waves through the criminal underground, but they are unlikely to be a sign of things to come. In the meantime, the bad guys will keep innovating to make cybercrime pay, and corporate security teams must find more effective ways to defend their most prized assets.
Brand new year, same old threats
The three ransomware breaches that kicked off the year illustrate well the diversity of threats facing organizations today, and the different routes victims take when faced with a worst-case scenario.
- Moncler decided it would not be engaging with its extorters or paying the reported ransom demand of $3m. That led to data on employees, former employees, suppliers, consultants, business partners, and customers being published on the dark web. New ransomware group AlphV/BlackCat is threatening to release more info on the firm’s high-value customers to the highest bidder.
- Multibillion-dollar revenue firm RRD was hit by the prolific Conti gang, which claims to have stolen 2.5GB of data from its servers. It’s unclear whether the incident was timed to coincide with the firm’s pending merger with Chatham Asset Management; however, the FBI has warned that timing attacks around mergers and acquisitions is an increasingly common way to force payment. According to reports, RRD has entered into negotiations with Conti to prevent the release of any sensitive data.
- The final major ransomware breach of January 2022 involved network-attached storage (NAS) vendor QNAP. Another new variant, DeadBolt, infected thousands of the company’s customers worldwide through what appears to be exploitation of a vulnerability in the devices. As in the notorious Kaseya supply chain attack last year, the threat actors are extorting small sums (around $1,000) from individual customers while also demanding a larger multimillion-dollar ransom from the vendor itself.
What happens next?
If nothing else, January has shown us that the ransomware industry is still thriving in 2022. Ransomware persists for several reasons:
- Gaps in corporate security allow the bad guys to get in time and again.
- Victims keep paying their extorters, encouraging them to repeat the trick.
- Ransomware-as-a-service (RaaS) lets even technically unskilled “affiliate” groups get in on the act, sharing the proceeds of attacks with the malware developers.
- Hostile nations like Russia shield such groups from prosecution (and extradition) as long as attacks are directed outside the country.
Of these, the last point is one of the most important. That’s why many commentators were excited by the news in mid-January that the Russian authorities had “dismantled” the infamous REvil ransomware group, in collaboration with the FBI. However, there are reasons to be skeptical that this marks the start of a new trend. It is more likely, as some have argued, that REvil was scapegoated by the Kremlin to ease diplomatic relations with the US at a time when Russia is under intense geopolitical pressure over its aggression toward Ukraine.
The incident has certainly left some cyber-criminals feeling nervous, but it’s unlikely to change things in the long term. It’s not even clear that the Russian security service (FSB) actually arrested the REvil kingpins rather than a few low-level affiliates.
Ransomware actors keep innovating
In the meantime, the men and women behind ransomware will continue to find new ways to turn the screws on their victims. Some recent trends are illustrative:
- The new White Rabbit variant threatens to send stolen data direct to privacy regulators, the better to extract a ransom.
- The BlackCat variant that compromised Moncler makes its negotiation chat accessible only to those holding the access token issued in the ransom note, which makes it harder for investigators and researchers to see what’s going on.
- Ransomware groups are increasingly recruiting disaffected employees to help them infiltrate corporate networks.
- Ransomware groups that have accumulated large war chests are openly discussing “renting” zero-day exploits, which would let them compromise victims even when those victims are fully patched.
How to mitigate the threat of ransomware
In the face of these trends, it’s probably a case of “when” not “if” your organization is targeted by ransomware. But it’s by no means assured that the bad guys will succeed. Consider the following to keep them at bay:
- Deploy risk-based patching, prioritizing flaws that are internet-facing or known to be exploited, to keep endpoints and servers secure.
- Update security policies so they align with remote-working practices (e.g. requiring that all user devices are patched and running anti-malware before they connect to corporate networks).
- Use XDR for rapid threat monitoring, detection and response across networks, endpoints, servers and other assets.
- Tighten access control by enforcing least privilege and mandating multi-factor authentication (MFA) everywhere.
- Consider Zero Trust, an approach currently being rolled out across the US federal government. It mandates many of the practices above, but crucially it also requires network segmentation, which contains the “blast radius” of an attack by making it much harder for intruders to move laterally to your crown jewels.
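To make the “blast radius” point concrete, the following is an added example written for this page (it is not code from the article or from any vendor product). It models a small, constructed network of eight hosts and computes how many of them an attacker who has compromised one user laptop can reach by lateral movement, first under a flat network where every host can talk to every other, then under a segmented allow-list policy. The host names, segments and allowed flows are all assumptions made up for the illustration.

```python
"""Blast-radius comparison: flat network vs. segmented allow-list policy.

Added example for this page; hosts, segments and rules are constructed.
"""
from collections import deque
from typing import Callable, Dict, Set, Tuple

# Constructed inventory: host name -> network segment it lives in.
HOSTS: Dict[str, str] = {
    "laptop-01": "user",
    "laptop-02": "user",
    "print-srv": "user",
    "file-srv": "corp",
    "ad-dc": "corp",
    "backup-01": "backup",
    "db-prod": "prod",
    "erp-app": "prod",
}

# Segmented policy: explicit allow-list of (source segment, destination segment).
# Anything not listed is denied. Note that "corp" has no outbound rules, and
# backups pull from prod rather than prod pushing to backups.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("user", "user"),    # peer traffic inside the user VLAN is still allowed
    ("user", "corp"),    # users need file shares and the domain controller
    ("prod", "corp"),    # the app tier authenticates against AD
    ("backup", "corp"),
    ("backup", "prod"),  # backup server reaches into prod, never the reverse
}


def flat_policy(src: str, dst: str) -> bool:
    """Flat LAN: every host can reach every other host."""
    return src != dst


def segmented_policy(src: str, dst: str) -> bool:
    """Allow only flows whose segment pair is on the allow-list."""
    if src == dst:
        return False
    return (HOSTS[src], HOSTS[dst]) in ALLOWED_FLOWS


def blast_radius(start: str, policy: Callable[[str, str], bool]) -> Set[str]:
    """Hosts an attacker can reach from `start` by hopping across allowed flows.

    Breadth-first search over the reachability graph defined by `policy`.
    This models network paths only; it says nothing about credential abuse,
    which is why the domain controller still needs MFA and least privilege.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host in HOSTS:
            if host not in seen and policy(current, host):
                seen.add(host)
                queue.append(host)
    seen.discard(start)
    return seen


def compare(start: str) -> Dict[str, int]:
    """Return the number of reachable hosts under each policy for `start`."""
    return {
        "flat": len(blast_radius(start, flat_policy)),
        "segmented": len(blast_radius(start, segmented_policy)),
    }


if __name__ == "__main__":
    for host in ("laptop-01", "db-prod"):
        print(host, compare(host))
        print("  reachable (segmented):", sorted(blast_radius(host, segmented_policy)))
```

Starting from laptop-01, the flat network exposes all seven other hosts, while the segmented policy stops the attacker at the user and corp segments: the backup server and the production tier are never reachable, because no allowed flow leads out of corp or from user into prod. The model is deliberately only about network paths; an attacker who steals domain credentials on ad-dc is a different problem, which is why segmentation is listed alongside MFA and least privilege rather than instead of them.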
These aren’t just nice-to-have best practices. Increasingly, they’re a prerequisite for cyber-insurance policies. In fact, by raising the bar for security among its customer base, the insurance industry may end up doing more good for global cyber protection than any government.