Why are Ransomware Attacks Evolving?


According to the 2021 Annual Threat Monitor from NCC Group, ransomware attacks increased by 92.7% in 2021 compared to 2020. The report counted 1,389 attacks in 2020, almost doubling to 2,690 in 2021. This surge came with the COVID-19 pandemic, and the number has been gradually rising ever since. The most targeted regions during 2021 were Europe (30%) and North America (53%), because both are densely populated with wealthy organizations. This trend will continue to develop.

Even though ransomware attacks are on the rise, they are nothing new. Ransomware attacks have been around since the beginning of the world wide web, and the first attack took place in the ‘80s. These attacks are becoming easier and cheaper to pull off, offering cybercriminals a high rate of return. Three key elements drive and guarantee a successful ransomware attack.

Ransomware tools are more easily accessible.

While changes in technology have significant benefits, they also mean that ransomware attacks on businesses are becoming less expensive to carry out. Criminals on the dark web now provide Ransomware-as-a-Service for even the most inept cybercriminals. This provides them with the tools they need to perform an attack. Standard tools may include a dashboard showing users the number of devices or files infected and the status of the attack, while also enabling users to easily access their ransomware payments.

These kits require very little skill or time, which is why it’s so cheap to launch an attack. The software creators take their cut in return, of course. The high payment rates make this a profitable business model.

Working methods have changed.

The rise of remote and hybrid work environments brought on by the COVID-19 pandemic had a significant impact on the increasing number of ransomware attacks. Employees working from home now had to connect from personal devices, outside of a company’s perimeters. This made it more challenging for traditional anti-malware technology to block suspicious or unverified messages. 

This presented hackers with an opportunity to target isolated employees who had grown accustomed to using digital channels, like email, to communicate with colleagues.

However, this isn’t the only reason attacks are easier to carry out. Improved interconnectedness among businesses simplifies the spread of ransomware. Criminals may focus on targeting managed service providers (MSPs), since the infection can spread to other businesses through their supply chains.

Greater regulatory and reputational penalties.

Public exposure of data is a lot more damaging than it used to be. People have very little tolerance for businesses that fail to protect their data. On top of the fear of reputational damage, legal consequences are higher than ever. Businesses that cannot protect their customer data face the threat of class action lawsuits from affected customers and high fines in accordance with data privacy laws.

In addition to using encryption, ransomware criminals use data exfiltration technology to get their hands on copious amounts of sensitive information. They threaten to leak this information or sell it on the dark web. The costs and reputational damage this can inflict put targeted organizations under pressure to pay the ransom to deal with the issue.

How is a Ransomware Attack Carried Out?

To understand which measures protect your organization from becoming a ransomware victim, you must first understand how criminals operate. They continuously adapt their tactics, techniques, and procedures. However, they do have a basic pattern for launching the attack.

They start by gaining access to their target network by:

  • Compromising weak Remote Desktop connections. Targets are often weak user authentication or unrestricted port access.
  • Sending phishing emails.
  • Exploiting vulnerabilities in systems or software.
  • Using the spear phishing technique to exploit stolen credentials for unauthorized entry.
  • Offering payment to privileged account users in return for their credentials.
  • Offering payment to privileged account users to install malware.

Once they’ve gained access to a network, they attempt to move laterally across it. The goal is to compromise additional systems and escalate privileges, which improves their chances of causing an impact and gaining control.
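As an added example (not part of the original article), here is one way a defender could look for the first two stages described above in authentication logs: repeated failed Remote Desktop logons followed by a success, then the same account reaching several hosts. The log layout, host names, addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs; the key=value layout is an assumption.
SAMPLE_LOG = """
2024-03-01T01:50:00 host=GW01 event=logon_failed proto=rdp user=alice src=198.51.100.20
2024-03-01T01:50:20 host=GW01 event=logon_success proto=rdp user=alice src=198.51.100.20
2024-03-01T02:00:01 host=GW01 event=logon_failed proto=rdp user=svc_admin src=203.0.113.7
2024-03-01T02:00:02 host=GW01 event=logon_failed proto=rdp user=svc_admin src=203.0.113.7
2024-03-01T02:00:03 host=GW01 event=logon_failed proto=rdp user=svc_admin src=203.0.113.7
2024-03-01T02:00:04 host=GW01 event=logon_failed proto=rdp user=svc_admin src=203.0.113.7
2024-03-01T02:00:05 host=GW01 event=logon_failed proto=rdp user=svc_admin src=203.0.113.7
2024-03-01T02:00:30 host=GW01 event=logon_success proto=rdp user=svc_admin src=203.0.113.7
2024-03-01T02:05:00 host=FS01 event=logon_success proto=smb user=svc_admin src=10.0.0.5
2024-03-01T02:07:00 host=DB01 event=logon_success proto=smb user=svc_admin src=10.0.0.5
"""

def parse(line):
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect(log, fail_threshold=5, fail_window=timedelta(minutes=10),
           fanout=3, spread_window=timedelta(minutes=30)):
    failures = defaultdict(deque)  # source address -> times of failed RDP logons
    suspects = {}                  # user -> (time of flagged logon, hosts reached)
    findings = []
    for event in map(parse, filter(None, map(str.strip, log.splitlines()))):
        ts, user, src = event["ts"], event["user"], event["src"]
        if event["event"] == "logon_failed" and event["proto"] == "rdp":
            failures[src].append(ts)
            continue
        if event["event"] != "logon_success":
            continue
        recent = failures[src]
        while recent and ts - recent[0] > fail_window:  # forget old failures
            recent.popleft()
        if event["proto"] == "rdp" and len(recent) >= fail_threshold:
            findings.append(("rdp_guessing_then_success", user, src, event["host"]))
            suspects[user] = (ts, {event["host"]})
            recent.clear()
        elif user in suspects:  # flagged account logging on elsewhere
            start, hosts = suspects[user]
            if ts - start <= spread_window and event["host"] not in hosts:
                hosts.add(event["host"])
                if len(hosts) == fanout:
                    findings.append(("lateral_spread", user, src, event["host"]))
    return findings
```

On the sample data, `detect(SAMPLE_LOG)` flags the `svc_admin` logon after five failures and its spread to a third host, while the single mistyped password for `alice` is ignored.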

Cybercriminals secure their foothold in a system by utilizing persistence techniques. They’ll deploy additional malware and create backdoors for continued access in case their initial access points are discovered and closed. They also go out of their way to evade detection by using tools and techniques to blend in with normal network traffic.

Once they have a proper foothold in the network, they encrypt files and data. They demand a ransom payment, typically in the form of cryptocurrency, in return for the decryption key. More often than not, they’ve already exfiltrated data. Ransomware criminals are notorious for double extortion, and in this stage, they’ll threaten to leak or sell these files and/or data. This puts the victim under pressure to pay the ransom as soon as possible.

At this point, the negotiations kick off. Criminals will negotiate the rate and terms of payment through anonymous email addresses or encrypted messaging platforms to facilitate the process.

Which Industries Are Most at Risk and Why?

All the following sectors have one thing in common: they possess highly sensitive information. Should an attack occur, not paying the ransom can cause havoc. Even though targeting can vary based on the motivation behind the attack, these sectors are typically more at risk:

Small and medium enterprises: These kinds of businesses may have weaker security than larger businesses, or a lack of resources to invest in better defenses. They may have valuable data and are more likely to pay a ransom to avoid reputational damage or greater losses.

Public Sector: Attacks on the local public sector can disrupt services and lead to financial losses. The public sector is often a target due to the critical services they provide and the impact that a disruption of these services can have on citizens. 

Healthcare: The healthcare industry is a prime target since they rely on uninterrupted access to systems that contain sensitive patient information. The urgency to regain control of these systems plays a crucial role in the success of an attack.

Financial: Due to the possible financial gains, critically sensitive information they possess, and their important role in the economy, financial institutions are more likely to be targeted.

In Conclusion

Motivations to pay the ransom include minimizing downtime, limiting reputational damage, and getting operations running again as quickly as possible. Unfortunately, as long as this is the case, ransomware attacks will continue to soar.

Protection against ransomware attacks requires a multi-layered approach. This includes regular security training and awareness, strong cybersecurity measures, secure data backups, and regular software patching. Partnering with cybersecurity specialists and staying up to date with emerging trends can help organizations strengthen their defenses. A holistic and proactive approach to security ensures that disruptions are minimized and critical data is protected.