Growing Sophistication Amplifies the Risk and Impacts of Ransomware Attacks

Growing Sophistication Amplifies the Risk and Impacts of Ransomware Attacks

Ransomware emerged into the mainstream in 2017 with the WannaCry outbreak.  In a few short years, it has become a sophisticated, professionalized threat that costs victims $1.85 million on average. 

In 2021, the sophistication of ransomware advanced by leaps and bounds.  The evolution of corporate IT environments driven by the COVID-19 pandemic and the growing professionalism of ransomware gangs prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Center to issue a joint advisory about the ransomware threat. 

Exploiting Digital Transformation 

The COVID-19 pandemic had a significant impact on many organizations’ business operations.  Within the space of a few weeks, companies shifted from mostly or wholly on-site work to a remote workforce.  As a result, corporate IT infrastructure rapidly – and insecurely – evolved to support the remote workforce. 

In response, ransomware operators shifted their focus to take advantage of these changes.  Some of these tactical shifts include: 

  • Rise in Phishing Attacks: Phishing has always been a common delivery mechanism for malware, but the COVID-19 pandemic shifted this into overdrive.  The COVID-19 environment of uncertainty and rapid change was ideal for phishing attacks, and ransomware actors took full advantage in their attacks. 
  • Exploiting Compromised Credentials: Remote workers require access to corporate networks and resources, so many companies rolled out virtual private networks (VPNs) and the remote desktop protocol (RDP) to support them.  These tools provided an ideal environment for attackers to test and exploit compromised credentials.  With authenticated access, ransomware operators could explore corporate environments and plant malware where it could do the most damage. 
  • Targeting VPN Vulnerabilities: VPN solutions are notoriously prone to vulnerabilities, and the need for availability means that companies are often slow to patch them.  Ransomware attackers took full advantage of these vulnerabilities to access and infect corporate networks. 

These are the three primary ransomware infection vectors of 2021, and they take advantage of remote work-driven changes in corporate IT environments.  Since many companies plan to support extended telework programs, these attacks are likely to be successful and popular among cybercriminals for some time. 

Optimizing Profitability and Sustainability 

Ransomware is a business and a profitable one at that.  In 2021, the average ransom payment was $170,404.  After WannaCry and follow-on attacks demonstrated that ransomware attacks were a viable and profitable business model, ransomware gangs exploded and went corporate. 

As a business, ransomware operators have consistently worked to evolve their strategies and align them with business needs.  Some of the main changes that have occurred in recent years include: 

  • Role Specialization: A successful ransomware attack requires both access to high-quality malware and the ability to deliver it to a target.  Ransomware gangs have largely shifted to an affiliate-based model where malware developers provide it to other groups for delivery and a share of the profits.  This enables ransomware developers to dramatically scale their efforts and gives intrusion specialists a means of entering the market. 
  • Attack Diversification: The biggest problem with ransomware is that good backups eliminate the need to pay a ransom.  For this reason, ransomware operators have begun stealing sensitive data, threatening targets with Distributed Denial of Service (DDoS) attacks, and targeting victims’ customers.  With additional leverage, these groups increase their probability of a payday. 
  • Industry Collaboration: In 2021, ransomware groups in Europe and Asia began sharing information about victims, including access to corporate networks.  This collaboration can support further growth of ransomware attacks as less-sophisticated groups purchase access to targets and follow through on the attacks. 
  • Target Selection: In recent years, the U.S. and other governments have taken action against the biggest and most disruptive ransomware groups in operation.  For this reason, some groups are deliberately avoiding high-profile attacks such as the Colonial Pipeline, Kaseya Limited, and JBS Foods to avoid the wrath of authorities and remain in operation. 
  • Supply Chain Exploits: Exploiting trust relationships, such as those between MSSPs or software developers (like SolarWinds) and their customers, has become a common tactic of ransomware groups.  This allows them to dramatically scale their attacks by leveraging a single successful intrusion into access to multiple organizations’ networks. 

Ransomware has come a long way in the past five years.  As such a successful and profitable business line, it is likely to only continue to grow and evolve. 

Managing the Ransomware Threat 

Ransomware operations are growing more professional and sophisticated.  In the last few years, ransomware has pivoted to leverage changes in corporate IT infrastructure and has refined its techniques to improve profitability and success rates.  At the same time, many organizations have taken a step back in terms of security, rolling out new solutions and IT infrastructure without developing and implementing a plan to secure them. 

Mitigating the risk and cost of a ransomware attack requires a proactive approach.  Instead of waiting for ransomware operators to uncover your organization’s security weaknesses, find and fix the issues before they’re exploited with a penetration test. 

Netragard provides authentic simulations of real-world ransomware attack vectors using Real-Time Dynamic Testing to identify security holes that ransomware organizations may leverage to compromise your network. Netragard can help close these security holes in your systems to prevent future attacks. To learn more about ransomware prevention and attack simulation, contact us. 

 

Blog Posts

Karen Huggins

Chief Financial, HR and Admin Officer
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
 
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
 
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessors (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC)and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Adriel T. Desautels, has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc. which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zeroday Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under Netragard.
 
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
 
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.