SecurityWeek
Fighting Back Against Multi-Staged Ransomware Attacks Crippling Businesses

Modern ransomware attacks are multi-staged and highly targeted. First, attackers research the target organization and its employees.

Traditional ransomware attacks were fairly straightforward. Attackers lured indiscriminate victims using social engineering and phishing tactics. Once victims were tricked into visiting a malicious website or opening a malicious link or attachment, they would execute malware that would spread rapidly and encrypt valuable files and folders. Hackers would then demand a ransom in return for decryption keys. 

Enter the Modern Ransomware Attacker Workflow

Modern ransomware attacks are quite different today because they are multi-staged and highly targeted. First, attackers research the target organization and its employees. Next, using custom phishing attacks, stolen credentials or unpatched vulnerabilities, attackers install a trojan or a stager on the victim’s machine. This trojan then modifies the victim’s machine, downloads updates and instructions from command and control (C&C or C2) servers and notifies the attackers about the intrusion. While the program awaits instructions, it collects information about the victim’s environment, including passwords stored in the computer’s cache or the user’s browser.

Ransomware hackers then check into the C&C servers to see which companies and computers have been broken into. They identify victims based on their IP address, the computer host name, and the network name. From there, they leverage the built-in programs of operating systems like Windows or Linux to enumerate and learn more about the environment.
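The enumeration step described above is one of the few points in this workflow a defender can see directly: the built-in tools are legitimate, but a burst of several of them from one user on one host inside a few minutes is unusual for ordinary users. The following is an added example, not code from the column or from KnowBe4: it runs a simple sliding-window rule over process-creation telemetry. The pipe-separated field layout (timestamp, host, user, image path, command line) and the sample log lines are constructed assumptions standing in for a Sysmon or EDR export, and the list of discovery binaries is illustrative, not exhaustive.

```python
"""Flag bursts of host/domain enumeration in process-creation telemetry.

Added example (not from the SecurityWeek column). The log lines and the
field layout "timestamp|host|user|image|command_line" are constructed
assumptions; adapt parse_line() to your own EDR or Sysmon export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools commonly seen during post-access enumeration.
# Any one alone is routine admin activity; a burst of several is the signal.
DISCOVERY_BINARIES = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe",
    "ipconfig.exe", "arp.exe", "quser.exe", "tasklist.exe", "nslookup.exe",
}

WINDOW = timedelta(minutes=10)   # look-back for one actor (host, user)
THRESHOLD = 3                    # distinct discovery binaries inside WINDOW

# Constructed sample telemetry; WS-0042 shows a burst, the others do not.
SAMPLE_LOG = r"""
2024-05-02T09:14:03|WS-0042|ACME\jdoe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2024-05-02T09:14:09|WS-0042|ACME\jdoe|C:\Windows\System32\whoami.exe|whoami /groups
2024-05-02T09:14:41|WS-0042|ACME\jdoe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
2024-05-02T09:15:12|WS-0042|ACME\jdoe|C:\Windows\System32\nltest.exe|nltest /dclist:acme
2024-05-02T09:16:00|WS-0042|ACME\jdoe|C:\Windows\System32\notepad.exe|notepad report.txt
2024-05-02T09:00:30|SRV-FILE01|ACME\svc_backup|C:\Windows\System32\systeminfo.exe|systeminfo
2024-05-02T11:30:05|SRV-FILE01|ACME\svc_backup|C:\Windows\System32\whoami.exe|whoami
2024-05-02T10:02:17|WS-0107|ACME\mlee|C:\Windows\System32\net.exe|net use H: \\fs01\share
"""


def parse_line(line):
    """Split one telemetry line into a dict; image is reduced to its basename."""
    ts, host, user, image, cmd = line.split("|", 4)
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": basename, "cmd": cmd}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_enumeration_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) that ran >= threshold distinct
    discovery binaries within `window` of each other."""
    by_actor = defaultdict(list)
    for e in events:
        if e["image"] in DISCOVERY_BINARIES:
            by_actor[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            distinct = sorted({e["image"] for e in in_window})
            if len(distinct) >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": start["ts"].isoformat(),
                    "tools": distinct,
                    "commands": [e["cmd"] for e in in_window],
                })
                break  # one alert per actor is enough to open a triage ticket
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration_bursts(parse_log(SAMPLE_LOG)):
        print(f"{alert['host']} {alert['user']} at {alert['first_seen']}: "
              f"{', '.join(alert['tools'])}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

On the constructed sample this fires once, for `ACME\jdoe` on WS-0042, and stays quiet for the backup service account (two discovery commands hours apart) and for the single `net use`. In production the threshold and window need tuning per environment, and known administrative jump hosts or inventory scripts should be allow-listed by host or parent process rather than by binary, since the binaries themselves are exactly what legitimate administrators use.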

Ransomware actors commonly dwell in the victim’s environment anywhere from 24 hours to 10 days, but it can be far longer. During this time, they eavesdrop on email correspondence, explore the victim’s environment and identify mission-critical data suitable for exfiltration. Once the crown jewels are identified and exfiltration is complete, attackers begin encrypting computers and ask for a ransom.

Beyond the attacker workflow itself, the other key difference between traditional and modern ransomware attacks is recoverability: previously it was much easier to recover encrypted files from backup and recovery systems. Today, 91% of attacks exfiltrate data, which means that attackers can still threaten victims with the stolen data, rendering backups useless from an extortion perspective. If the victim doesn’t pay up, attackers still have the option to sell the stolen data on the dark web.

Ransomware Business Becoming Increasingly Organized

Ransomware has evolved from lone wolf hackers operating from basements to complex organized crime syndicates that operate just like any other professional organization. Modern ransomware gangs employ engineers that develop the malware and platform; employ help desk staff to answer technical queries; employ analysts that identify target organizations; and ironically, employ PR pros for crisis management. 


The ransomware ecosystem also comprises multiple groups with specific roles. For example, one group (operators) builds and maintains the malware and rents out their infrastructure and expertise (a.k.a. ransomware-as-a-service). Initial access brokers specialize in breaking into organizations and selling the acquired access, data, and credentials. Ransomware affiliates execute the attack, compromise the victim, manage negotiations, and share a portion of their profits with the operators. Even state-sponsored attackers have joined the ransomware game due to its potential to cause wide-scale disruption and because it is very lucrative.

Latest Statistics Show Ransomware Growing And Evolving

If you thought ransomware attacks have slowed down in 2024, think again.

  • Approximately one in 10 organizations were hit by ransomware attacks in 2023, a 33% increase over the previous year.
  • Last year, threat actors successfully extorted a staggering $1 billion from victims.
  • 75% of ransomware payments in 2023 were for $1 million or more.
  • The average business downtime of a ransomware attack ranges anywhere from 21 to 24 days.

How Can Organizations Fight Ransomware?

Recommendations and best practices that can help combat ransomware include:

  1. Build Social Engineering Defense In Employees: Social engineering and phishing scams are the most common initial access vectors used by adversaries. End user training is the only solution to combat social engineering. Using classroom training, phishing simulation exercises, and gamification, train users to identify and report phishing and social engineering attacks.
  2. Provide Password Managers To Employees: Over 60% of employees reuse their passwords. To prevent bad actors from exploiting leaked passwords to infiltrate organizations and deploy ransomware, it is recommended that organizations equip employees with access to commercial-grade password managers.
  3. Patch Zero-day Vulnerabilities: Threat actors are increasingly exploiting zero-day vulnerabilities to deliver their ransomware payloads (e.g., PaperCut, MOVEit, SysAid). It’s important that organizations patch their systems quickly and frequently to thwart hackers from exploiting these loopholes.
  4. Use Phishing-resistant Authentication: In case an attacker acquires credentials, multi-factor authentication (MFA) is standard for protecting access to the environment. Yet MFA can be susceptible to phishing. CISA recommends organizations use phishing-resistant MFA — pairing something like biometrics with a physical form factor. 
  5. Create Offline Backups: Organizations must ensure that data backups are securely safeguarded to prevent ransomware gangs from gaining access. Keep at least one of the most recent backups offline, requiring a physical action to bring them back online and to restore data. 
  6. Avoid the Ransom: If you starve the beast, it will go away. Studies show that voluntary ransom payments are slowly declining. If this trend continues it is likely that the ransomware business model may lose some profitability and popularity. 

Ransomware is continuously evolving and so are threat actors. If organizations can abide by security best practices and provide user awareness training, patch frequently, implement offline backups, and empower staff with tools like phishing-resistant MFA and password managers, they will certainly bring the fight to cybercrime and better defend the business.

Written By

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts a security awareness training and simulated phishing platform with over 65,000 organizations and more than 60 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, he was co-founder of Sunbelt Software, the anti-malware software company that was acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
