The impact of ransomware continues to grow. According to data from global investigations firm Kroll, ransomware was the most most common security issue it has being called in to deal with in 2020, while ransomware attacks accounted for over one-third of all cases up to September.
And here’s how attackers are getting in: in nearly half (47%) of the ransomware cases Kroll has investigated, gangs used the open remote desktop protocol, a tool that has been used by many companies to help staff work from home, but which can also give attackers a way in if it is not correctly secured.
More than a quarter (26%) of cases were traced back to a phishing email, and a smaller number used particular vulnerability exploits (17%), including — but not limited to — Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510. This was followed by account takeovers, at 10%.
Image: Kroll
Kroll said it had seen three sectors struck especially hard this year: professional services, healthcare, and technology and telecoms. That’s in contrast to recent data from IBM, which suggested that manufacturing, the professional services sector and government were the most likely to be hit.
Ryuk, Sodinokibi and Maze were the top three ransomware variants causing problems in 2020, according to Kroll, comprising 35% of all cyber-attacks. Ransomware tends cycle through periods of activity before going quiet again, as the developers work to upgrade it before returning to action. As such, Kroll said it had seen a resurgence in Ryuk attacks recently.
Many ransomware variants are now stealing copies of corporate data and threatening to publish it: specifically, by downloading between 100gb and 1tb of proprietary or sensitive data to maximize the pressure to pay the ransom. Kroll said 42% of its cases with a known ransomware variant were connected to a ransomware group actively exfiltrating and publishing victim data.
In some cases, ransomware gangs have been reneging on promises to delete data after the first ransom is paid and demanding a second payment, it warned. Gangs can also up the pressure in different ways: Maze claims that credentials harvested from non-paying victims will be used for attacks against the victims’ partners and clients, while one of Kroll’s healthcare clients found that the gang had sent emails directly to their patients threatening to expose their personal health data.
Beyond ransomware, Kroll said business email compromise (BEC) remained a top threat for organisations and was involved in 32% of cases, followed by unauthorised access to systems.
Devon Ackerman, head of incident response at Kroll North America, said: “We have seen a predictable surge in cyber-attacks so far in 2020 as the COVID-19 pandemic has given malign actors increased opportunities to cause havoc. The ongoing evolution of ransomware creators is constantly shifting the goalposts for those trying to defend data and systems, so vigilance must remain at the top of CIO’s to do list.”
Making it harder for ransomware gangs to gain that initial access is probably the best way of protecting your organisation from attack, which means ensuring that essential security steps are taken. This includes blocking any unnecessary RDP access, securing all remote access with strong two-factor authentication, ensuring that all software is patched and up to date, as well as ensuring that staff are trained to spot phishing emails.
Having up-to-date backups that are not connected to the corporate network is also recommended.