Ransomware In 2021

Ransomware is a type of vicious malware that locks users out of their devices or blocks users from the ability to access their files until a specific amount of money is paid. Ransomware attacks are responsible for significant downtime, data loss, and the potential for intellectual property theft.

Stories of businesses and organizations debilitated by ransomware continue to dominate the IT news headlines, and accounts of six-figure demands and seven-figure demands are not uncommon. Do you always hear or read about the full stories in the news?

To understand the truth behind the headlines, the Herjavec Group performed an analysis of the most active ransomware operations in the first two fiscal quarters of 2021. The findings provide new insight into what actually occurs once ransomware hits. The findings reveal the percentage of victims of data-leak ransomware operations in the first half of 2021. The report also reveals an increased risk of double-extortion attacks, which often demand larger payouts — in the eight-figure range.

While the number of businesses and organizations being hit by ransomware has dropped since 2020, the financial impact of an attack has increased. One of the key reasons the financial impact has increased within the last year is because attackers are now using more advanced and complex attacks that are not easy to recover from.

The Prevalence of Ransomware

Companies that produce manufactured goods accounted for the highest number of ransomware attacks in the first half of 2021. In the Herjavec Group report, it was revealed that 39% of the victims of ransomware groups were part of the Manufactured Goods industry. This was more than double the number of Technology and Technology Service providers that were attacked, which accounted for 18% of the victims. Public Sector & Legal Services organizations accounted for 16% percent of the attacks, followed by Finance (11%), Healthcare (6%), Education (4%), Entertainment (3%), and Energy (3%).

The Herjavec Group analysts discovered that ransomware adversaries have continued to use a specific toolset that allows them to exfiltrate data from a victim’s network. There are some toolsets of utilities that anyone can have that will not be detected by endpoint security protocols. The list of ransomware families that participate in the practice of ransomware continues to grow, and now includes the following:

  • Conti
  • REvil
  • Avaddon
  • CL0P
  • Darkside
  • Doppelpaymer
  • Babuk
  • Netwalker

When it comes to data theft, the attackers are not picky, and they do not care what type of data they obtain. Size also does not matter to attackers; the attackers do not seem to care about how much data they are able to exfiltrate.

Ransomware Trends

Chief Information Security Officers (CISOs) should be aware that the majority of attacks that come from Conti and REvil (also known as Sodinokibi) are no longer run by automation, but by someone sitting in front of a keyboard. As a result, this makes it more difficult for victims to defend themselves against ransomware attacks.

According to the report, a significant number of the ransomware variants were observed sharing code similarities and Tactics, Techniques, and Procedures (TTPs) related to some of the same variants that were observed in 2020 and earlier. Once such example is Wizard Spider’s Conti; Conti contains many code similarities to Ryuk. However, ransomware developers continue to innovate on a more advanced level, including encrypting on multiple threads to achieve a faster target takedown time.

Another noted similarity is the use of  Domain Generation Algorithms ( T1568.002 – Dynamic Resolution: Domain Generational Algorithms)  for Command and Control Communications and common cloud platforms such as Rclone for data exfiltration.

Should The Ransom Be Paid?

The number of businesses and organizations paying the requested ransom to get their data back continues to increase. However, ransomware attackers do not always reveal that the likelihood of getting all your data back is not great. Less than 10 percent of businesses and organizations will get all their encrypted files back. Those who pay the ransom will only get some of their data back. Paying the requested ransomware is not recommended by any group of law enforcement officials.

Address Current Ransomware Infections

If you suspect a ransomware attack is taking place, and you do not have the resources or tools in place to put an end to it, you will need to determine which devices have been impacted. Once you have discovered which devices have been impacted, those devices will need to be isolated. One of the best things for you to do is to unplug the network cable or disconnect the Wi-Fi adapter.

If the damage to the attack has already spread to other devices, the entire network segments may need to be taken offline. If you cannot disconnect the network, you may have to resort in shutting down the devices. After determining that an attack did occur, you will need to assess the damage. Do you know what systems or servers were affected? Do you know what data has been lost?

Do you still have backups that are still intact? Were your backups discovered and deleted by the attackers? If you still have your backups, you should make offline copies quickly.

How To Prevent a Breach in the Future

Once the attack has been contained and/or neutralized, you will need to perform an investigation of what happened so you can prevent future attacks. If you do not feel you have the resources or knowledge to take on an investigation, there are ransomware incident response and threat hunting teams available to take on the investigation for you.

Another way to reduce your risk of being a victim of a ransomware attack is to deploy a Microsoft Group Policy to restrict software’s ability to run from %appdata% and temp folders in Windows. These are often used by malware because every user will have the ability to write to these particular locations. Also, permission cannot be restricted without having an impact on the system’s function.

There are few to zero reasons why software should be installed or run from %appdata% and temp folders. If there is no room for malware to do anything, no harmful actions can occur. The report also states another way to prevent future breaches is to restrict the email use and web browsing use of administrators and other privileged users. Administrators and staff members should not use the same accounts for administration tasks and day-to-day computing tasks.

Businesses and organizations can do the following to reduce any future risk of ransomware attacks:

  • Gain an understanding of all critical data assets and protect them
  • Ensure backups exist and cannot be encrypted
  • Have an effective business continuity and disaster recovery plan that can be implemented without delay

Dealing with any cyberattack will be a stressful challenging experience. You must understand how the attackers gained access to your files, learn from any mistakes, and make it a priority to improve your security. If you fail to do so, you will increase the risk of being attacked by the same attacker or a new one. At Mainstreet IT Solutions, we take pride in providing world-class IT solutions to organizations throughout South Central PA.

To learn how we can help your organization solve and innovate your IT needs, contact us today at 717-354-8385 for a free consultation. You can also complete our online form or email us at solutions@mainstreetitsolutions.com. We look forward to hearing from you.

MainStreet IT Technology Tips & Articles

Tune In To MainStreet IT TV

An Important Cybersecurity Lesson From Dr. Abraham Wald

US Discovers Malicious Software In Energy Sector

Subscribe To Mainstreet IT On YouTube