The Crucial Shift In Ransomware Tactics
Expert: Andrea Csuri
Role: SOC Analyst
Specialises in: Cyber Threat Intelligence
What you will learn:
As organisations invest in comprehensive backup systems, hackers are adapting to new strategies which make their exploitations faster and easier. Crowdstrike’s 2023 Global Threat Report found that threat actors are increasingly stealing victim’s data and threatening to leak it, without even encrypting the stolen files. These incidents rose 20% last year, effectively nullifying organisations efforts in backup operations which are designed to combat extortion.
Ransomware Without the Encryption
I believe that this shift in attacks could be contributed by the fact that stealing data, encrypting the files and then subsequently unwinding the encryption takes a lot of time, and can sometimes be unsuccessful if files were encrypted multiple times due to a network share being mapped by multiple computers all running the ransomware. This new extortion strategy cuts corners to ensure attacks are carried out without fuss and rewards are met swiftly.
Data extortion is the low hanging fruit in this case. A leak is not only embarrassing for a company, which certainly can affect potential business revenue in the future, there are regulatory, legal, and compliance consequences as well. Data leaks and breaches can cost hundreds of millions of dollars in fines and lawsuit settlements. A great example of T-mobile, who recently had to pay out 350 million dollars in a class action lawsuit following a data breach and committed to spend another 150 million on data security and related technology.
As we know, ransomware attacks with encryption often target state/local government, manufacturing and healthcare, these industries see the most attacks due to the crucial financial impact ‘downtime’ can have on the organisations. However, law firms, government, PR firms and business processing firms are attacked with data-leak threats, knowing that these entities store large amounts of sensitive data. The well-known adversary known as Lapsus$, or Slippery Spider, stole data from big companies like Samsung and Okta last year, attempting to extort them while their apparent leader was still a teenager. From this we can establish that non-high-tech methods such as bribery and social engineering are still legitimate threats that must be recognised. Social engineering combined with tactics such as open-source intelligence (OSINT) allow malicious actors to paint a digital picture of you from publicly available information and use this data to gain access to avenues they can exploit
Key statistics
- More than 2,500 advertisements for access were identified across the criminal underground, representing a 112% increase compared to 2021 and demonstrating a clear demand for access broker services.
- 33 new adversaries, raising the total number of actors tracked to 200+
- The average breakout time for interactive eCrime intrusion activity declined from 98 minutes in 2021 to 84 minutes in 2022
- Malware-free activity accounted for 71% of all detections in 2022 (up from 62% in 2021)
New solutions for New Threats
‘Gain Visibility into Your Security Gaps’
Effectively securing your assets requires clarity on all your endpoints, identities, cloud and data to ensure that individual risk levels are properly assessed and recognised.
Understand your infrastructure end-to-end, so you can protect it. Don’t overlook third-party services, network security devices, and the copies of your data, including logs and monitoring tools.
‘Prioritize Identity Protection’
Due to the risk in malware-free & social engineering tactics, it is vital for organisations to enforce MFA whilst quickly identifying and assessing unusual network behaviour.
Make sure the passphrases are strong, and implement a password manager. Users tend to reuse passwords out of convenience – password managers combine security with convenience. Take advantage of Threat Intelligence and monitor the web and dark web with potential leaked credentials.
‘Prioritize Cloud Protection’
Cloud exploitation rose 95% year-on-year in 2022 through TTP’s such as misconfigurations and credential theft. The report suggests employing ‘agentless capabilities to protect against misconfiguration, control plane and identity-based attacks, combined with runtime security that protects cloud workloads’.
Implement geolocation and device policies. You can block countries, set group policies or give specific allowances for certain users in Microsoft Azure.
‘Know Your Adversary’
Understanding which threat actors are likely to target your industry/organisation and what tactics they’re likely to use puts you at an advantage for faster detection and defence deployment.
Follow the news and fresh threat reports. Utilize Microsoft Defender Threat Intelligence capabilities, from dynamic TI updates to correlating data and identifying possible attackers and tools.
‘Practice Makes Perfect’
Ultimately, maintaining regular testing of security systems and eliminating weaknesses can proactively prevent breaches. As hackers adapt, security teams must adapt with them and stay one step ahead with exercises like red/blue teaming and pen testing.
The best way to make sure you eliminated possible vulnerabilities is a penetration test. You can test your infrastructure, your security team, and confirm you did a great job. If the pen test team found some vulnerabilities you didn’t expect, don’t get discouraged! You gained valuable insight, the team will recommend how to fix it, and you will still be ahead of potential threat actors. You can lean back for a second, but continue with your good work, so you are always a step ahead.
Want to know more about how our team can help you secure your environment? Get in touch and speak with our experts.
find us on Youtube
