Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion. The monetary value of ransom demands has also increased, with some demands exceeding US $1 million.
Ransomware incidents have become more destructive and impactful in nature and scope. Malicious actors engage in lateral movement to target critical data and propagate ransomware across entire networks. These actors also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.
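As an added illustration of the backup-deletion tactic from the defender's side (example code, not part of the original article): a small detector that scans process-creation log lines and flags the commands commonly used to remove Windows shadow copies, the backup catalog, or recovery settings before encryption starts. The log format, host and user names, and the pattern list are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Commands that remove Windows recovery points or the backup catalog.
# Assumed list for this example (well-known MITRE ATT&CK T1490 behaviour),
# not taken from the article; extend it to match your own telemetry.
BACKUP_TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted via vssadmin"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted via wmic"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "Windows backup catalog deleted"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "Windows recovery disabled"),
]

@dataclass
class Alert:
    host: str
    user: str
    reason: str
    command: str

def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    # Constructed log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
    m = re.match(r"\S+\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)

def detect_backup_tampering(lines: List[str]) -> List[Alert]:
    # One alert per matching line; the first matching pattern wins.
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line, skip it
        host, user, cmd = parsed
        for pattern, reason in BACKUP_TAMPER_PATTERNS:
            if pattern.search(cmd):
                alerts.append(Alert(host, user, reason, cmd))
                break
    return alerts

# Constructed sample log: a legitimate backup job, two tampering commands, and noise.
SAMPLE_LOG = [
    "2021-05-03T10:02:11Z host=FS01 user=svc_backup cmd=wbadmin start backup -backupTarget:E:",
    "2021-05-03T10:02:45Z host=FS01 user=jdoe cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-05-03T10:03:01Z host=FS01 user=jdoe cmd=bcdedit /set {default} recoveryenabled no",
    "2021-05-03T10:03:20Z host=WS22 user=asmith cmd=notepad.exe report.txt",
]

if __name__ == "__main__":
    for a in detect_backup_tampering(SAMPLE_LOG):
        print(f"ALERT {a.host} {a.user}: {a.reason} ({a.command})")
```

A hit on a file server outside a maintenance window is a strong signal that encryption is imminent and the host should be isolated before the backups are gone.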
Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware that have been much more successful than others.
The most prolific family of ransomware during 2021 so far is Sodinokibi, which has plagued organizations around the world since emerging in April 2019.
Also known as REvil, this ransomware has been responsible for encrypting the networks of a large number of high-profile organizations, including Travelex and a New York law firm with celebrity clients.
The gang behind Sodinokibi spend a long time laying the groundwork for an attack, stealthily moving across the compromised network to ensure that everything possible can be encrypted before the ransomware attack is launched.
Those behind Sodinokibi have been known to demand payments of millions of dollars in exchange for decrypting the data. And given the hackers often gain full control of the network, those organizations that refuse to pay the ransom after falling victim to Sodinokibi also find the gang threatening to release stolen information if the ransom isn't paid.
Sodinokibi isn't the only ransomware campaign that threatens to leak data from victims as additional leverage for extorting payment; ransomware gangs like Conti, Doppelpaymer and Egregor are among those who threaten to publish stolen information if the victim doesn't pay up.
New ransomware families are emerging all the time while others suddenly disappear or go out of fashion, with novel variations constantly emerging on underground forums. Any of the top forms of ransomware right now could be yesterday's news in just a few months.
Why should organizations worry about ransomware?
To put it simply: ransomware could ruin your business. Being locked out of your own files by malware for even just a day will impact your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems go offline for so long not just because ransomware locks the system, but because of all the effort required to clean up and restore the networks.
And it isn't just the immediate financial hit of ransomware that will damage a business; consumers become wary of giving their data to organizations they believe to be insecure.
Cyber criminals have learned that it isn't just businesses that make lucrative targets for ransomware attacks, with important infrastructure like hospitals and even industrial facilities being disrupted by ransomware – disrupting these networks can have big consequences for people in the physical world.
Ultimately, the attackers are looking for an easy way to make money and a hospital that finds its network encrypted with ransomware can't afford to compromise patient care by keeping the network offline for weeks to manually restore it. That's why, unfortunately, many ransomware victims in healthcare will pay the ransom – particularly when they were already overwhelmed by the impact of the COVID-19 pandemic.
The education sector has also become a very common target for ransomware campaigns. Schools and universities have become reliant on remote learning due to the coronavirus pandemic and cyber criminals have noticed. The networks are used by potentially thousands of people, many using their personal devices and all it might take for a malicious hacker to gain access to the network is one successful phishing email or cracking the password of one account.
What is an organization to do?
If you are worried about ransomware we have a few recommendations. These recommendations are written broadly for all levels within an organization. It’s never as easy as it should be, so if you need help, we urge you to reach out for assistance.
Actions for Today
Backup your data, system images, and configurations and keep the backups offline
Update and patch systems
Make sure your security solutions are up to date
Review and exercise your incident response plan
Pay attention to ransomware events and apply lessons learned
Actions to Recover If Impacted
Don’t Let a Bad Day Get Worse
Ask for help! Contact Specialists
Work with an experienced advisor to help recover from a cyber-attack
Isolate the infected systems and phase your return to operations
Review the connections of any business relationships (customers, partners, vendors) that touch your network
Apply business impact assessment findings to prioritize recovery
Actions to Secure Your Environment Going Forward
Don’t Let Yourself be an Easy Mark
Practice good cyber hygiene; back up, update, whitelist apps, limit privilege, and use multi-factor authentication
Segment your networks; make it hard for the bad guy to move around and infect multiple systems
Develop containment strategies; if bad guys get in, make it hard for them to get stuff out
Know your system’s baseline for recovery
Review disaster recovery procedures and validate goals with executives
If this or any other cybersecurity subject is concerning, and you would like to talk further, we can be reached here.