The most concerning thing about the rising numbers of ransomware attacks isn’t the actual attacks. Instead, it’s the organized groups methodically and resolutely carrying out these attacks across the globe.
Does this mean that the risks of ransomware have been overhyped? Not at all. Ransomware is now getting just the right amount of exposure. More awareness among C-level executives, board members and other leaders ensures more funding and tools for security teams to detect, prevent and mitigate attacks.
Ransomware attacks using basic malware that lands and immediately starts to encrypt data are still popular with bad actors. It’s how many ransomware groups got started and received their initial rounds of funding. Security teams with the right resources should have the ability to prevent this type of malware or at least quickly detect and contain it. Because these basic attacks still work in many instances, they will continue to be a problem. The ongoing success of these attacks has led some ransomware groups to provide Malware as a Service to other criminals. It gives them another profitable line of business by taking a cut of the ransomware payments their “customers” receive.
How ransomware groups operate
But there is a threat that is much more dangerous and harder to defend against: the patient ransomware group that attacks the same way a penetration tester does, using advanced tactics and stealth to take over entire networks. They start with simple command and control droppers, staying quiet, and identifying potential defenses the target has in place. If they can avoid or disable these defenses, they do so.
If not, they use native Windows tools to identify other systems or accounts they can take over. Their goal is to take over other accounts and systems and start attacks from those systems. From there, they work to take over Active Directory (AD). Once they have AD admin access, they take over backup systems and storage to see if they can delete recovery options before looking at or encrypting any data.
Once data encryption and/or exfiltration has happened, they’re ready to issue their demands to the target. Ransom demands today come with stronger threats to data than in the past. Warning of the public sale and release of data, threatening to contact employees, customers or media, maintaining control of AD, and deleting backups are all used to exert pressure for payment.
The making of a successful ransomware group
Organized, well-funded, and increasingly successful, ransomware groups use keyboards as weapons and operate 24×7 to discover exploitable vulnerabilities. Their successes cross global, industry, and purpose-based boundaries—hitting healthcare, education, commerce, and individuals with equal zest.
And like any strategic business operation, they reinvest a portion of their profits into their business.
- Hiring: This is a lucrative opportunity for hackers, and with groups “hiring for multiple positions,” it’s enticing for those slim on conscience. They have also set up fake companies to hire hackers, programmers and project managers.
- Talent: Top talent swayed by the highest dollar are heavily recruited and well-compensated. Hiring managers for legitimate positions may be competing against ransomware groups for candidates, and these groups likely have deeper skillsets than the average or even-above average security team.
- Reach: The dark web offers ransomware how-to kits, stolen identities, personally identifiable information (PII), and more for sale. Ransomware groups have access to a web of resources to improve their tactics, strengthen their threats, and increase their payout percentage.
Ransomware group squad goals
It’s ill-advised to think that any system, application or device is bulletproof or that these groups will run out of steam anytime soon. They continue to learn new methods and employ better skills.
The SolarWinds breach offered a cautionary tale for most companies and individuals—and a major opportunity for black hats. It’s now a model for their ideal ransomware scenario: breach one organization and impact thousands more. Organized groups are actively searching for vulnerabilities at software companies to find the same “success.” And some have found it using this approach.
Now consider the implications if they take over a common desktop tool, such as Notepad++ or PuTTY. These two open-source tools alone are used on hundreds of thousands of IT, development and security systems.
Shore up your ransomware defenses
It’s more important than ever to understand your current security stance and how to improve it. The security experts at Sirius are here to help and can guide you through assessments, solutions, and professional services that optimize your security posture.
Our security experts work with you to validate your tools and processes and uncover gaps that increase your risk. You receive recommendations for remediation graded by urgency and impact.
Sirius takes a vendor-neutral approach to help you determine the right solutions for your organization. EPP and EDR are critical components of ransomware protection and mitigation because they can detect attacks before they start. We can help you review and evaluate solutions from leading providers, including staging proofs of concept in the Sirius Technology Enablement Center.
Advancing your ransomware protection should include behavioral detection methodologies. We can help you understand what attacker behavior to look for and how to recognize behavior that falls outside of normal system or user behavior in your organization.
Developing and implementing a stronger ransomware strategy
Ransomware groups are scary, but organizations aren’t defenseless. Innovative, next-gen solutions can improve your defenses and strengthen your security stack, and Sirius offers a deep bench of security experts to help you implement and optimize your resources. Reach out to your Sirius representative or contact us today to learn more.