Posted in Security

Ransomware: What every CISO must know this holiday season

Ransomware attacks are on the rise and businesses are particularly vulnerable over the holiday season. Here we speak to experts to discover what businesses can do to prepare.

Ransomware attacks are expected to spike this holiday season.

Ransomware attackers are leveraging holidays and weekends for maximum impact. While most organisations are aware of the spike in attacks during the holidays, many are not prepared to respond if it happens.

According to recent reports, 2021 has seen a substantial rise in the number of data breaches compared to 2020 and is on course to be a record year in terms of the number of attacks. The all-time record for breaches over the course of a year was set in 2017, with a total of 1,529 successful attacks reported. With phishing and ransomware attacks on the rise, it is expected that 2021 will exceed this number given current trends. Security firm Darktrace has reported that researchers noted a 30% year-on-year increase in ransomware attacks between 2018 and 2020, with a 70% average increase in November and December when compared to January and February over the same period. This is supported by reports that past experiences and the trends seen in 2021 have led regional companies to be extremely concerned about attacks over the holiday period.

David Brown, Security Operations Director, Axon Technologies.

The key to understanding ransomware attacks is that their deployment is a relatively simple undertaking, according to David Brown, Security Operations Director of Axon Technologies, “Ransomware, for the most part, requires little, if any, skill to be deployed. Most deployments are secondary infections. The primary threat actor already established initial access and persistence and sells this access and delivery method to one of the many Ransomware Affiliate Groups (RAG) renting access to the Ransomware-as-a-Service (RaaS) platform.” In short, RAGs offer would-be criminals the ability to launch attacks against a target of their choice.

Sam Curry, CSO, Cybereason.

While the process is simple, the choice of target is driven by more complex criteria. “The hackers know where the money is,” says Sam Curry, Chief Security Officer, Cybereason. “If you’re a criminal and aren’t investing in some form of ransomware-based extortion you’re probably making bad investment decisions.”

A security chain is only as strong as its weakest links and, as with all criminals, cybercriminals often seek out vulnerable companies or services. Further muddying the waters is the emergence of potentially state-sponsored, or state-harboured, organised criminal gangs targeting infrastructure; examples include the attacks on the Colonial Pipeline and the American meat processing company JBS.

Responses from governments and law enforcement, particularly in the case of headline-grabbing attacks, mean that criminals may well change their strategies going forward, according to Marty Edwards, VP, Operational Technology at Tenable: “Rather than targeting and scaling attacks on low-hanging fruit, 2022 will bring new strategies for ransomware operators. They will get more selective about their targets, aiming to strike a balance between making money and dodging a target on their back from law enforcement. In order to outsmart this equation, organisations must stop trying to prevent adversaries’ missions and instead prevent them from being worthwhile. In other words, organisations must make sure these missions cost too much to conduct. If the reward doesn’t cover the cost of the investment, threat actors won’t pursue it.”

A holiday spike

While ransomware is a year-round problem, the holiday season is of particular concern to businesses around the world. This is a time when companies are typically staffed by a skeleton crew, meaning that resources are more thinly stretched than normal. Attackers are aware of this and are often particularly active during holiday seasons. As a result, attacks can go unnoticed and remediation attempts can take much longer. “The holiday season is the time when email traffic surges with promotional content targeted at end users. Threat actors use this surge and confusion to make users click and execute malicious content. Attackers also take advantage of IT/SOC teams operating at lower capacity during the holidays,” said Vibin Shaju, Director – Presales, EMEA Enterprise, McAfee.

Vibin Shaju, Director – Presales, EMEA Enterprise, McAfee.

There is no simple answer when it comes to which industries are most likely to be targeted by cybercriminals. When it comes to extorting businesses, any industry is at risk; however, Shaju highlighted retail and e-commerce, supply chain and logistics businesses, and travel-related firms as particularly choice targets. The reasoning behind these specific targets would appear to be that they face intense seasonal demand and might therefore be more vulnerable to attack and more likely to pay criminals to avoid exposure or damage.

Taking action

The question then becomes, “What can CISOs and business leaders do if their organisation is successfully attacked?” Brown and Shaju immediately highlighted the importance of sticking to a pre-planned response, or an Incident Response Plan, to ensure that every party understands exactly what to do. The first step is to isolate the problem as far as possible and to update any relevant systems. According to both experts, this course of action will greatly assist in allowing business continuity and data recovery.

Toni El Inati, RVP Sales, META and CEE, Barracuda Networks.

When it comes to the next course of action CISOs can take after a ransomware attack, Toni El Inati, RVP Sales, META and CEE, Barracuda Networks, was clear on one thing: “If ransomware does take control of your data, there’s no need to pay a ransom or go through a difficult and tedious recovery process — if you have a strong, modern, easy-to-use backup solution.” While the process might well be intimidating, if the business has invested in leading, contemporary defences, there is a very high probability that data can and will be retrieved.

Cybereason’s Curry strikes a more sombre tone: “Once your data is encrypted, there are no good options. The only effective way to fight ransomware is to prevent it from occurring in the first place,” he explains. Curry also pointed to research undertaken by Cybereason which found that 80% of businesses that paid a ransom demand after suffering an attack went on to experience further attacks.

While reacting to a successful attack, and recovering from it, are possible, according to the experts ITP.net spoke to, building a strong protective system and corresponding strategy is the best line of defence. The key, according to Brown, is to understand your business’ vulnerabilities: “The strategy points back to situational awareness regarding attack surface management as the critical component. The lack of understanding of an organisation’s attack surface leads to poor cyber hygiene, resulting in established initial access most of the time. Understanding the attack surface enables building layered defences in combination with segmentation,” he says.

“Organisations need cybersecurity with comprehensive visibility across the environment, and the ability to analyse indicators of behaviour in addition to indicators of compromise. Behaviour provides clues about what is happening now, or what may happen soon, as opposed to compromise which focuses on reacting once a malicious action has occurred,” said Curry.
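Curry's distinction between indicators of compromise and indicators of behaviour is easy to state and harder to picture in a detection pipeline, so the following added example (written for this edit; it is not code from the article, Cybereason, or any vendor quoted here) runs both kinds of check over the same telemetry. The endpoint events, the hash values and the thresholds are all constructed for illustration: an IoC check matches a process against a known-bad hash list, while the behaviour check flags any process that renames many files to a new extension across several directories within a short window, regardless of whether its hash has ever been seen before.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry for illustration (not real data and not from the article).
# One event per line: timestamp host pid image sha256 op path [dst]
# The sha256 values are shortened placeholders, not real hashes.
SAMPLE_EVENTS = r"""
2021-12-24T02:00:01 WS-07 pid=4412 image=C:\Windows\explorer.exe sha256=1111 op=file_write path=C:\Users\ann\report.docx
2021-12-24T02:00:05 WS-07 pid=4412 image=C:\Windows\explorer.exe sha256=1111 op=file_rename path=C:\Users\ann\draft.docx dst=C:\Users\ann\draft_v2.docx
2021-12-24T02:01:10 WS-07 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe sha256=2222 op=file_rename path=C:\Users\ann\Documents\a.docx dst=C:\Users\ann\Documents\a.docx.locked
2021-12-24T02:01:12 WS-07 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe sha256=2222 op=file_rename path=C:\Users\ann\Documents\b.xlsx dst=C:\Users\ann\Documents\b.xlsx.locked
2021-12-24T02:01:15 WS-07 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe sha256=2222 op=file_rename path=C:\Users\ann\Pictures\c.jpg dst=C:\Users\ann\Pictures\c.jpg.locked
2021-12-24T02:01:20 WS-07 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe sha256=2222 op=file_rename path=C:\Users\ann\Pictures\d.png dst=C:\Users\ann\Pictures\d.png.locked
2021-12-24T02:01:25 WS-07 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe sha256=2222 op=file_rename path=C:\Users\ann\Desktop\e.pdf dst=C:\Users\ann\Desktop\e.pdf.locked
2021-12-24T02:01:30 WS-07 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe sha256=2222 op=file_rename path=C:\Users\ann\Desktop\f.pptx dst=C:\Users\ann\Desktop\f.pptx.locked
2021-12-24T02:03:00 WS-11 pid=900 image=C:\Temp\dropper.exe sha256=BADBAD op=file_write path=C:\Temp\x.bin
"""

# Placeholder threat-intelligence feed (constructed): the IoC side of the comparison.
KNOWN_BAD_HASHES = {"BADBAD"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"sha256=(?P<sha256>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: dst=(?P<dst>\S+))?$"
)


def _ext(path):
    """Lower-cased extension of a Windows path, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _dirname(path):
    return path.rsplit("\\", 1)[0]


def parse_events(text):
    """Parse one event per line; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def ioc_matches(events, bad_hashes=KNOWN_BAD_HASHES):
    """Indicator of compromise: processes whose image hash is on the known-bad list."""
    return {(e["host"], e["pid"]) for e in events if e["sha256"] in bad_hashes}


def behaviour_alerts(events, window_seconds=60, min_renames=5, min_dirs=2):
    """Indicator of behaviour: a process renaming many files to a new extension
    across several directories inside a short window, whatever its hash."""
    per_proc = defaultdict(list)
    for e in events:
        if e["op"] == "file_rename" and e["dst"] and _ext(e["path"]) != _ext(e["dst"]):
            per_proc[(e["host"], e["pid"])].append(e)

    alerts = {}
    for key, evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > timedelta(seconds=window_seconds):
                start += 1
            window = evs[start:end + 1]
            dirs = {_dirname(e["path"]) for e in window}
            if len(window) >= min_renames and len(dirs) >= min_dirs:
                # Keep the largest qualifying window seen for this process.
                if key not in alerts or len(window) > alerts[key]["renames"]:
                    alerts[key] = {
                        "image": evs[end]["image"],
                        "renames": len(window),
                        "dirs": len(dirs),
                        "new_ext": sorted({_ext(e["dst"]) for e in window}),
                    }
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("IoC hits (known-bad hash):", ioc_matches(evs))
    for key, info in behaviour_alerts(evs).items():
        print("Behaviour alert:", key, info)
```

On the constructed sample the hash list catches only the process whose hash was already known, while the unknown `upd.exe` is caught purely by what it does: six extension-changing renames across three directories in twenty seconds. That is the gap Curry describes: the IoC check can only react to something already catalogued, whereas the behaviour check gives a signal while the encryption is still in progress. The thresholds are deliberately conservative placeholders and would need tuning against a real environment's baseline of legitimate bulk renames (backup agents, build tools) before use.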

The ransomware and cybercrime environment is complex and ever-evolving; however, the approach to dealing with these threats appears to remain constant: it is better to prevent attacks than to deal with the consequences of a successful breach. With attacks on the rise and myriad industries being targeted, businesses cannot afford to ignore their cyber defences. The very nature of the holiday season leaves businesses exposed, and leadership must be cognisant of this fact and create multi-layered defences to frustrate criminals, along with action plans to be followed in the event of a successful attack.