Ransomware is a growing problem for every industry. Whether your customers specialize in education, technology or retail, if any part of their business runs online, they are a potential target, and company size does not matter. In July 2020, Garmin (one of the largest GPS and fitness technology companies) was hit by an attack that took its services offline and locked users out of their data for days. And with ransomware-as-a-service (RaaS) kits now sold on internet forums, amateurs with little technical skill can start targeting companies on their own.
Is there any hope for avoiding becoming a ransomware victim? Definitely, but before we examine cybersecurity strategies to mitigate these threats, let’s look at some of the most recent ransomware trends.
Strategies for extracting payment
Ransomware operators have grown more sophisticated not only in their malware and intrusion methods, but also in how they extract payment. Some examples include:
- Post-compromise deployment: rather than detonating ransomware on the first foothold, attackers spend time inside the environment mapping its data and systems, then deploy against the assets the business can least afford to lose, which makes the victim far more likely to pay.
- Price switches: raising the ransom aggressively as time passes, or offering to unlock only part of the encrypted estate for a smaller payment.
- Combining data theft with extortion: stealing sensitive or compromising data before encrypting it and threatening to publish it if the ransom is not paid, so that having good backups alone no longer ends the negotiation.
How they get in
Phishing remains one of the main ways ransomware attackers gain initial access to systems and networks. Malware families such as Trickbot, FlawedAmmyy and Emotet have been delivered through phishing emails in numerous recent cases. None of these is ransomware itself: they are loaders and remote-access tools that give the operator a foothold from which ransomware is later deployed.
Another top entry point is the drive-by download, where a user's device is infected simply by visiting a website. This usually works by exploiting a security flaw in out-of-date software, whether the operating system, an application or the browser itself. A recent example saw visitors to compromised websites infected with Dridex, a banking trojan that is typically delivered through malicious Microsoft Word macros and steals online-banking credentials.
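Because the Word-macro route described above is so common, a simple mail-gateway or triage check is to look inside Office attachments for an embedded VBA project instead of trusting the file extension. The script below is an added example written for this article, not Ingram Micro code; the two sample documents are constructed in memory with zipfile to stand in for real attachments, and the part names and content type it looks for are the ones Office uses for VBA projects in Office Open XML packages.

```python
"""Flag Office Open XML attachments that carry a VBA (macro) project.

Added example, not code from the original article. The sample documents
are constructed in memory; a real attachment would be passed in as bytes
the same way.
"""
import io
import zipfile

# Part names Word/Excel/PowerPoint use for an embedded VBA project.
VBA_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml")
# Content type registered for the VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 container (binary .doc/.xls); macros can
# live there too, but parsing it needs an OLE parser such as oletools.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'ole-legacy' or 'not-office' for an attachment."""
    if data.startswith(OLE2_MAGIC):
        return "ole-legacy"  # hand off to a dedicated OLE/VBA scanner
    if not data.startswith(b"PK"):
        return "not-office"  # not a zip container, so not OOXML
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"  # a zip, but not an Office package
            # A VBA project part anywhere in the package means macros.
            if any(n.endswith(VBA_PART_SUFFIXES) for n in names):
                return "macro"
            # Belt and braces: the package may declare the part under a
            # different name, but the content type is still registered.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package standing in for a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = [
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            ct.append('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stream")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro.docm", build_docx(True)), ("plain.docx", build_docx(False))):
        print(label, "->", classify_attachment(doc))
```

The check deliberately ignores the file name: an attachment is judged on what the package contains. Legacy binary documents are only flagged as needing a deeper look, since pulling VBA out of an OLE2 container is a job for a dedicated parser rather than a few lines of zip inspection.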
Recent research showed that the time between initial compromise and ransomware deployment ranges from zero to 299 days, and that in the majority of incidents studied at least three days elapsed between the first malicious activity and deployment. This is good news: if a company can spot the intrusion inside that window, it has a real chance to stop the attack before encryption begins and avoid the downtime and cost that follow. In fact, it is not uncommon for staged ransomware to be discovered and removed while it is still waiting to be triggered.
Another common tactic is to trigger deployment after working hours or on weekends and holidays, when the security response will be much slower, or absent altogether. Attackers have also tied activation to user activity or inactivity, for example launching once specific users, or a certain number of users, have logged off.
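The timing behaviour described above is something a detection team can score for directly: privileged or staging actions that land outside business hours, on a weekend or holiday, or within minutes of a user logging off deserve a faster look than the same actions at 10 a.m. on a Tuesday. The script below is an added example for this article, not Ingram Micro code. The log lines are constructed, the business-hours window, the observed holiday and the names of the "staging" actions are assumptions standing in for whatever an EDR or SIEM export actually emits, and the weights are illustrative.

```python
"""Score host events that fall into the off-hours window ransomware operators favour.

Added example, not code from the original article. The log, the 08:00-18:00
business window, the holiday list and the action names are all constructed
assumptions; swap them for your own telemetry and calendar.
"""
import re
from datetime import date, datetime, time, timedelta

BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
HOLIDAYS = {date(2020, 7, 3)}  # assumed observed holiday for the sample data
# Actions that commonly precede deployment; assumed names from a generic EDR export.
STAGING_ACTIONS = {
    "scheduled_task_created",
    "service_installed",
    "vss_shadow_deleted",
    "mass_rename",
}
LOGOFF_WINDOW = timedelta(minutes=10)  # staging shortly after a logoff is suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log; not real telemetry. 2020-07-22 is a Wednesday.
SAMPLE_LOG = """\
2020-07-22T14:05:00 host=WS-17 user=alice action=file_open
2020-07-22T23:41:10 host=SRV-DB01 user=svc_backup action=scheduled_task_created
2020-07-23T10:00:00 host=WS-17 user=alice action=scheduled_task_created
2020-07-24T17:55:00 host=WS-17 user=alice action=logoff
2020-07-24T18:03:30 host=WS-17 user=SYSTEM action=vss_shadow_deleted
2020-07-25T02:10:00 host=SRV-FS02 user=admin action=service_installed
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_off_hours(ts):
    """Weekend, holiday, or outside the assumed business window."""
    if ts.weekday() >= 5 or ts.date() in HOLIDAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def triage(log_text, threshold=3):
    """Return events scoring at or above threshold, in time order, with reasons."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_logoff = {}  # host -> timestamp of the most recent logoff seen
    alerts = []
    for ev in events:
        if ev["action"] == "logoff":
            last_logoff[ev["host"]] = ev["ts"]
            continue
        score, reasons = 0, []
        if ev["action"] in STAGING_ACTIONS:
            score += 2
            reasons.append("staging-action")
        if is_off_hours(ev["ts"]):
            score += 1
            reasons.append("off-hours")
        prev = last_logoff.get(ev["host"])
        if prev is not None and timedelta(0) <= ev["ts"] - prev <= LOGOFF_WINDOW:
            score += 1
            reasons.append("post-logoff")
        if score >= threshold:
            alerts.append({
                "ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                "action": ev["action"], "score": score, "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

On the constructed data the shadow-copy deletion on WS-17 scores highest because it is a staging action, happens after 18:00, and follows alice's logoff by eight minutes; the same scheduled-task creation on a Thursday morning scores only 2 and stays below the default threshold, which is exactly the kind of event a team should still review but can afford to queue behind the off-hours ones.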
Ways to mitigate ransomware
The best way to fight the threat of ransomware is to have a plan and stay proactive. That means identifying and closing the infection vectors described above, creating or updating security best practices, and writing a plan of action for the day an incident does occur.
While the latest ransomware trends can seem daunting, it is not all bad news. As noted above, there is typically a critical window between initial compromise and deployment, so a proactive security team can often discover and contain a ransomware intrusion before it is too late. With post-compromise attacks on the rise, it is in everyone's interest to stay vigilant and at least one step ahead of what is out there.
For questions about ransomware trends and how to protect your customers from attacks, email the cybersecurity experts at Ingram Micro.