Last year presented the world with unprecedented challenges. While the internet helped us manage and remain resilient through difficult times, we will continue to face new complications in 2021 — from ransomware, cryptojackers, and digital theft targeting every conceivable platform.
As much of the world pivoted to remote work in 2020, cybercriminals saw an opportunity to up their game, devising ways to exploit the fears and anxieties of organizations and end users. This opened the door to ransomware, which continues to be a daily threat, made worse by IT admins scrambling to meet work-from-home security requirements.
In our latest 2021 Threat Report, Sophos identified that the average ransom payout by global companies in the third quarter of 2020 (July to September 2020) alone rose by 21% compared to Q2 2020 (April to June 2020). The average ransom payout in Q3 2020 was the equivalent of USD 233,817.30, payable in cryptocurrency. A year ago, the average payout was USD 84,116.
Similarly, the Cyber Security Agency of Singapore (CSA) recently reported that ransomware cases in Singapore increased by nearly 75% from January to October 2020 compared with 2019.
Let’s face it: ransomware attacks are getting worse and far more costly, having profoundly damaging effects across businesses and organizations of all sizes and industries.
No one is off-limits. Not the hospitals on the front lines treating critically ill COVID-19 patients where it’s a matter of life or death, not school districts working around the clock to maintain safe in-person learning, not IT organizations tasked with enabling thousands of employees to work from home.
The fact that ransomware gangs, like Ryuk, have attacked hundreds of healthcare providers this year, while the world is in the middle of a historic pandemic, goes to show how ruthless these criminals are. We’ve seen a gold rush of recent devastating attacks that’s unlike anything the cybersecurity industry has ever experienced, and there’s no sign of them slowing down.
Staying one step ahead of ransomware gangs means being vigilant, proactive, and prepared.
Here are four increasingly dangerous threat vectors that will define the near-future of ransomware.
1. Abuse of legitimate tools
Cybercriminals are ramping up their abuse of otherwise legitimate tools to gain entry into information systems and stay under the radar. At the same time, they maneuver into position so that, when ready, they can launch the central part of the attack: the ransomware itself. Standard tools used for nefarious purposes do not automatically raise red flags in automated detection systems and can easily go unnoticed.
2. Commodity malware
Low-level malware such as botnets and loaders, which may lack the sophistication and effectiveness of more advanced persistent threats, might seem like noise, but never underestimate its potential role in a larger attack.
Seemingly ordinary malware can cause severe problems if allowed to persist. Some of these botnets and loaders, along with human-operated Initial Access Brokers (i.e., middlemen for ransomware), are increasingly leveraged to gain a foothold in a target’s network, performing reconnaissance and sending valuable data back to a command-and-control host.
Human operators behind these threats will look for signs of value, brokering lucrative targets to the highest bidder, such as a ransomware operator. This is what we recently saw when Ryuk used Buer Loader to deliver ransomware.
Even run-of-the-mill detections should not be ignored. Blocking or removing malware once and then cleaning the machine afterward isn’t always the end of the story. These seemingly minor infections often affect more machines in one fell swoop than is realized at first. Allowing that to go unnoticed for too long can enable criminals to stage more damaging ransomware attacks later on.
3. Big-game ransomware families
Ransomware can be thought of as a spectrum with two defined poles. On one end of that spectrum, you have the “big game” ransomware families. These are the Ryuks and RagnarLockers of the world, the ones who focus on a relatively narrow band of targets — specifically because their targets are larger organizations with the resources or cyber-insurance to pay multimillion-dollar ransoms.
These big-game gangs will continue building on their already successful tactics, techniques, and procedures (TTPs) and grow even more sophisticated in both their methods to strike and their ability to evade detection.
In Singapore, local ransomware attacks from May to August 2020 targeted bigger enterprises, particularly in the manufacturing, retail, and healthcare sectors.
4. Entry-level attackers
On the other end of that spectrum, there are the Dharmas of the cyber threat space, the “entry-level” attackers who take the opposite approach, spamming large volumes of targets with low-grade ransomware-as-a-service (RaaS) attacks. This fast-food approach to ransomware is easier to defend against, but it’s also easier for attackers to deploy.
By attacking many targets in one go, even a small percentage of wins can still yield large numbers of successfully victimized companies. This emboldens attackers and funds their ongoing operations. The approach will continue to pose a threat this year, as these groups become more collaborative, almost like cartels, sharing best-of-breed tools for greater success.
The ransomware threat landscape may be split between these two groups, but it’s critical that security teams and managed security providers take both into account as part of their threat detection and response strategies. The gap between the two ends of this spectrum may be widening, but every point along it will remain as potent and dangerous as ever, if not more so, in 2021.
2021’s ransomware threats deserve a lightning-fast incident response
The best way to detect and stop such human adversaries is with human-led threat hunting. Trained experts know the subtle indicators and red flags to look for; they know how to spot a legitimate tool being used illegitimately in ways that automated detection tools may miss. Endpoint detection and response (EDR) is essential as a foundational tool, but adding 24/7 expert human eyes on top of it delivers more effective protection and better security outcomes.
As ransomware gangs become more sophisticated in 2021, organizations need to meet the challenge with their best foot forward — and their fastest incident response capabilities.
Sumit Bansal, managing director for ASEAN at Sophos, wrote this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.