How to Dodge New Ransomware Tactics
Cyber criminals are becoming more strategic and professional when dealing with ransomware. They are increasingly mimicking how legitimate businesses operate, including leveraging a growing cybercrime-as-a-service supply chain.
This article describes four major ransomware trends and offers advice on how to avoid becoming a victim of these new attacks.
1. IABs on the rise
Cybercrime is becoming increasingly profitable, as evidenced by the growth of Initial Access Brokers (IABs), which specialize in breaking into businesses, stealing credentials and selling that access to other attackers. IABs are the first link in the cybercrime-as-a-service kill chain, a shadow economy of off-the-shelf services that any would-be criminal can buy to construct sophisticated toolchains capable of carrying out almost any digital crime imaginable.
IABs’ main customers are ransomware operators who are willing to pay for access to pre-made victims while focusing their own efforts on extortion and improving their malware.
In 2021, there were more than 1,300 IAB entries on major cybercrime forums monitored by the KELA Cyber Intelligence Center, with nearly half coming from 10 IABs. In most cases, the price for access ranged from $1,000 to $10,000, with an average retail price of $4,600. Of all the offerings available, VPN credentials and domain admin access were among the most valuable.
2. Fileless attacks fly under the radar
Cybercriminals are borrowing from the playbooks of Advanced Persistent Threat (APT) and nation-state attackers, using living-off-the-land (LotL) and fileless techniques to improve their chances of evading detection and successfully deploying ransomware.
These attacks use legitimate, publicly available software tools that are often found in a target’s environment. For example, according to a report by Picus Security, 91% of DarkSide ransomware attacks were linked to legitimate tools, with only 9% using malware. Other attacks were discovered that were 100% fileless.
In this way, threat actors evade detection by avoiding “known bad” indicators such as process names or file hashes. Application allowlists that permit only trusted applications do not stop these attackers either, because the tools being abused are themselves on the list; this is especially true for ubiquitous apps.
3. Ransomware groups go after less conspicuous targets
The high-profile Colonial Pipeline ransomware attack in May 2021 impacted critical infrastructure so severely that it prompted an international and high-level government response.
Such high-profile attacks lead to scrutiny and concerted efforts by law enforcement and defense agencies to crack down on ransomware operators, resulting in disrupted operations, arrests and prosecutions. Most criminals would prefer to keep their activities under the radar. Given the number of potential targets, operators can afford to be opportunistic while minimizing risk to their own operations. Ransomware actors have become far more selective in choosing victims, which the detailed and granular firmographics supplied by IABs make possible.
4. Insiders are seduced with a piece of the pie
Ransomware operators have also discovered that they can recruit rogue insiders at target organizations to help them gain access. The conversion rate may be low, but the payout can be worth the effort.
A Hitachi ID survey conducted between December 7, 2021 and January 4, 2022 found that 65% of respondents said their employees had been approached by attackers seeking help with initial access. Insiders who take the bait have various reasons for being willing to sell out their employer, although dissatisfaction with the employer is the most common motivator.
Whatever the reason, offers from ransomware groups can be tempting. In the Hitachi ID survey, 57% of employees contacted were offered less than $500,000, 28% between $500,000 and $1 million, and 11% more than $1 million.
Practical steps to improve protection
The evolving tactics discussed here increase the threat posed by ransomware operators, but there are steps organizations can take to protect themselves:
- Follow Zero Trust best practices, such as multi-factor authentication (MFA) and least-privilege access, to limit the impact of compromised credentials and increase the likelihood of detecting anomalous activity.
- Focus on defending against insider threats, a practice that helps limit malicious acts not only by employees but also by external actors (who effectively become insiders once they gain access).
- Conduct regular threat hunts. This can help detect fileless attacks and threat actors working to evade your defenses early on.
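The following is an added illustration, not code from the article, of the point made in the fileless-attack section and in the threat-hunting step above: a name/hash allowlist passes every living-off-the-land event because the abused binary is trusted, so a hunt has to look at behavioural context (parent process, command-line options) instead. The binary hashes, process names and log events are placeholders I constructed for the example.

```python
"""Hash/name allowlisting vs. behavioural review of living-off-the-land activity.

Constructed example (not from the article): the allowlist verdict is 'allow'
for every trusted binary, so only context from process-creation telemetry
(parent process, command line) can surface misuse of those same binaries.
"""
import re

# Trusted, signed binaries an allowlist would permit (hashes are placeholders).
ALLOWLIST = {
    "powershell.exe": "HASH_PLACEHOLDER_PS",
    "rundll32.exe": "HASH_PLACEHOLDER_RD",
    "winword.exe": "HASH_PLACEHOLDER_WW",
}

# Context used by the behavioural rules below.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def allowlist_verdict(event):
    """What a name/hash allowlist alone says: 'allow' for any trusted binary."""
    return "allow" if ALLOWLIST.get(event["image"]) == event["hash"] else "block"


def behavioural_findings(event):
    """Return hunting leads derived from context rather than from the binary itself."""
    findings = []
    if event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
        findings.append("office-app-spawned-script-host")
    if re.search(r"-(enc|encodedcommand)\b", event["cmdline"], re.I):
        findings.append("encoded-powershell-command")
    if re.search(r"-w(indowstyle)?\s+hidden", event["cmdline"], re.I):
        findings.append("hidden-window")
    return findings


def triage(events):
    """Pair each event's allowlist verdict with its behavioural findings for review."""
    return [(e["image"], allowlist_verdict(e), behavioural_findings(e)) for e in events]


# Constructed Sysmon-style process-creation events; hashes match the placeholders.
EVENTS = [
    {"image": "powershell.exe", "hash": "HASH_PLACEHOLDER_PS", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},          # routine admin use
    {"image": "powershell.exe", "hash": "HASH_PLACEHOLDER_PS", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"},  # document-launched
    {"image": "rundll32.exe", "hash": "HASH_PLACEHOLDER_RD", "parent": "winword.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Run"},             # document-launched
]

if __name__ == "__main__":
    for image, verdict, findings in triage(EVENTS):
        print(f"{image:16} allowlist={verdict:5} findings={findings or 'none'}")
```

All three events are allowed by the allowlist; only the behavioural findings separate the routine backup script from the two document-launched script hosts.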
Attackers are always looking for new ways to infiltrate organizations’ systems, and the new tricks we’re seeing certainly add to the advantages cybercriminals have over organizations that are unprepared for attacks. However, organizations are anything but helpless. By following the practical and proven steps outlined in this article, companies can still make life very difficult for IABs and ransomware groups, despite their new tactics.