Just recently, Elon Musk confirmed that Tesla had been the target of a ransomware attack. It seems that a Russian national tried to recruit a Tesla employee to help his gang to install malware on the company’s network with the intention of stealing sensitive data and installing ransomware. The plan was that the company would have to pay up or risk company-confidential information going public. And, in order to keep IT staff busy elsewhere, a DDoS attack was to be launched by the gang.
Earlier in August, we learned that the U.S. corporate travel management firm Carlson Wagonlit Travel paid a $4.5m ransom to get its data back. The ransomware attack caused a shutdown of all systems while the infection was contained and dealt with. It seems the ransom was paid in Bitcoins.
The Portuguese energy provider EDP reportedly lost 10 terabytes of private information in a ransomware attack. In February, the University of Maastricht paid a ransom of $220,000 in Bitcoins following a ransomware attack. In the U.K., Redcar and Cleveland’s council suffered a suspected ransomware attack in April, which cost the local authority over £10m. Danish Agro’s computer systems were also targeted by ransomware. And in July, Argentinian telecommunications were reportedly struck by ransomware.
Everyone remembers WannaCry ransomware that first appeared in 2017 and made ransomware a news item. 200,000 users including large organizations and public institutions were infected in around 150 countries. It used a Microsoft bug to infect computers, so no action had to be taken by the person whose computer was infected. WannaCry self-installed on their computer, encrypting files with the extension ‘.WCRY’. Infected computers were asked for a ransom of around $300 in Bitcoins to be paid within three days. It went up to $600 after that deadline. If payment wasn’t received within a week, all the files were lost.
How Ransomware Works
So, what is ransomware? Basically, it’s malware that threatens to publish a victim’s data or perpetually block access to it unless a ransom is paid. Nowadays, attacks are focused on larger organizations and public institutions. Typically, an apparently genuine email will encourage the recipient to click links or download an attachment which delivers the ransomware software. Users can also get ransomware from websites through drive-by-download attacks. And, sometimes, ransomware attacks come from social media messages. Once the hackers have access, they will try to access a privileged account, which will make it easier to deploy their software and access the restricted data they need.
Once the data has been stolen and the data onsite encrypted, the organization faces a choice. They may very well have sufficient backups in order to restore their encrypted data, but do they want their information leaked? If the leak involves personally identifiable information, the organization affected would have to issue a data breach notification or notify regulatory authorities under such laws as the EU’s General Data Protection Regulation (GDPR). From the hackers’ point of view, they could sell the information on the Dark Web and increase their income from the attack. In fact, ransomware groups have threatened to sell stolen data to competitors, use stolen data to attack victims’ business partners, and publicize victims’ “dirty secrets” on the clear Web for all to see.
Local Governments Most-Attacked Group
According to the Beazley Breach Briefing 2020, ransomware attacks skyrocketed in 2019. Beazley Breach Response (BBR) Services reported that the number of ransomware attack notifications from clients increased by 131% compared to 2018. With the growth in frequency, the sums demanded by cybercriminals also increased exponentially, sometimes reaching seven or even eight figures.
Similarly, a study by Barracuda Networks, which looked at 71 global ransomware incidents over the last 12 months, found that local government bodies are more likely to be targeted by ransomware attacks than any other type of organization. 44% of global ransomware attacks that have taken place so far in 2020 have been aimed at municipalities. Of the municipalities subjected to ransomware attacks in 2020, 15% have confirmed they have made payments, compared to no ransoms being paid last year.
There has been a significant rise in ransomware attacks against education and healthcare institutions this year compared with 2019 (15% versus 6% and 23% vs. 21%, respectively). This suggests cyber-criminals are attempting to take advantage of these sectors using the disruption caused by COVID-19. There has also been a rise in ransomware attacks against logistics companies, with six notable incidents observed since July 2019. Overall, the report says, a ransom was paid in 14% of cases, with an average payment of $1,652,666.
Clearly, with such pay-outs, ransomware is not going away any time soon.
Top eight ransomware threats to watch out for as 2020 turns into 2021:
Maze was first identified in early 2019. It encrypts files on an infected computer’s file system and associated network file shares. Once the victim has been compromised, but prior to the encryption event, the data is copied by the hackers (exfiltrated).
REvil is best known for being used to breach media and entertainment lawyers Grubman Shire Meiselas & Sacks. Data about several A-list celebrity clients was said to have been leaked on the Dark Web.
Snake (Ekans) infects industrial control systems to disrupt factory operations until a ransom is paid. Ekans is a variant of Snake ransomware, which has been known to attack Honda’s factories.
Tycoon is Windows and Linux ransomware that uses a Java image format as part of its kill chain. The ransomware lives in a trojanized version of the Java Runtime Environment (JRE). Victims have been small- and medium-sized organizations in the education and software industries.
Trickbot has spread in a phishing email campaign asking people to vote anonymously about Black Lives Matter. Originally a banking Trojan, TrickBot can now perform a variety of malicious actions, including spreading laterally through a network, stealing saved credentials in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY credentials, and more.
Thanos features the weaponized RIPlace tactic, enabling it to bypass ransomware protection. It’s a ransomware-as-a-service (RaaS) tool. RIPlace uses Microsoft Windows file system rename operations in a way that makes them invisible to security products’ filter drivers.
Zeppelin is part of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. It’s been used on tech and healthcare companies in Europe and the USA. Zeppelin can be deployed as an EXE, DLL, or wrapped in a PowerShell loader.
PonyFinal has been described by Microsoft as human-operated ransomware, which is distributed in an automated way by attackers. It’s Java-based, and organizations should focus less on this payload and more on how it’s delivered, said Microsoft.
But where does the ransomware come from? Prolific ransomware operators include Maze, Sodinokibi, DoppelPaymer, Nemty, Nefilim, CLOP and Sekhmet. And they are now creating their own websites where they publish the stolen data from non-paying victims, according to cybersecurity firm Emsisoft <https://blog.emsisoft.com/en/36303/ransomware-statistics-for-2020-q1-report/>.
Maze has a ‘news’ website to publish stolen data from their victims who haven’t paid up. So also have Sodinokibi/REvil, Nemty, and DoppelPaymer. Most recently, Nefilim has launched a site called ‘Corporate Leaks’ where they put the data of victims who don’t pay a ransom. CLOP has a leak site called “CL0P^_- LEAKS” used to publish stolen data for non-paying victims. And Sekhmet has a data leak site called ‘Leaks leaks and leaks’.
Hit By Ransomware? These Six Steps Can Help
So, what can an organization do to prevent a ransomware attack? Various vendors sell software designed to prevent ransomware attacks. What else can be done?
- Use content scanning and filtering on all mail servers. Inbound emails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.
- Ensure that all systems and software are up-to-date with relevant patches. Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.
- For staff working from home, use a trustworthy VPN or move to ZTNA (zero trust network access).
- Back up files regularly and frequently to somewhere that the ransomware can’t access.
- Train staff not to:
  - Give personal information when answering an email, unsolicited phone call, text message, or instant message.
  - Open untrusted email attachments.
  - Click on unverified links.
  - Insert unfamiliar memory sticks.
- And don’t pay the ransom!
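The first step above, scanning inbound mail and blocking risky attachment types, can be sketched in a few lines with Python’s standard email parser. This is an added illustration, not code from the article or from any vendor; the extension deny-list and the sample message are constructed assumptions.

```python
import email
from email import policy

# Deny-list of extensions that execute code or commonly smuggle it (a
# constructed, illustrative list; tune it to your own mail policy).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "jar", "ps1", "msi", "lnk", "iso", "img",
    "docm", "xlsm", "pptm", "dotm",  # macro-enabled Office formats
}

def attachment_verdicts(raw_message: bytes):
    """Return (filename, verdict) for each attachment of an RFC 5322 message.
    The *last* extension decides, so a double extension such as
    invoice.pdf.exe is caught, and a name with no extension fails closed."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        blocked = ext == "" or ext in BLOCKED_EXTENSIONS
        verdicts.append((name, "block" if blocked else "allow"))
    return verdicts

def should_quarantine(raw_message: bytes) -> bool:
    """Hold the whole message for review if any attachment is blocked."""
    return any(v == "block" for _, v in attachment_verdicts(raw_message))

# Constructed sample message (not a real phishing email): one benign PDF and
# one executable hiding behind a double extension.
SAMPLE = b"""From: billing@example.invalid
To: staff@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="statement.pdf"

%PDF-1.4 (placeholder body)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ (placeholder body)
--b1--
"""

print(attachment_verdicts(SAMPLE), should_quarantine(SAMPLE))
```

A production gateway would also check the file’s actual content type against its declared one and unpack archives, since a deny-list on names alone is easy to sidestep.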
Then, hopefully, you’ll stay ransomware-free in 2021.
Do you think companies should pay ransom when data is at stake? Comment below or let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you!