Businesses are fighting an uphill battle with ransomware, a threat that’s growing more sophisticated by the day, while at the same time becoming less complex for attackers to launch.
This is according to the "2023 ThreatLabz Ransomware Report” from Zscaler, which found that public entities and organizations with cyber-insurance are being increasingly targeted. Ransomware-as-a-service (RaaS) is also growing more popular, and so to is encryption-less extortion.
As a result, the frequency of ransomware attacks through the RaaS model increased by almost 40% in the last year alone. In RaaS, a threat actor hires the ransomware operators to do their bidding, and if the attack is successful, they split the profits - typically 70-30, or 80-20 in favor of the operators.
Looking at the ransomware distribution per country, the US was unsurprisingly the most targeted location, home to 40% of all victims worldwide. Canada, the UK, and Germany all trailed behind; combined, they didn't even total half of the incidents reported in the States.
Hackers are mostly using BlackBasta, BlackCat, Clop, Karakurt, and LockBit ransomware families. These pose a “significant threat” and can result in financial losses, data breaches, and operational disruption for all kinds of businesses.
The most targeted industry is manufacturing, where attackers go for intellectual property and critical infrastructure. In the report, Zscaler claims BlackBasta was “particularly interested” in manufacturing organizations, as they targeted these firms more than 26% of the time.
The researchers also found hackers increasingly interested in the so-called “encryption-less extortion” attack. Ransomware usually includes stealing and encrypting sensitive data, and then demanding a payment in exchange for the decryption key and deleting or not leaking the stolen data.
More recently, however, threat actors are realizing that they can just steal the data, demand payment, and still walk away with significant profits. That way, they eliminate the most cumbersome part of the work - developing and maintaining the software. Also, as the victim’s operations aren’t disrupted, the attack doesn’t draw the attention of the public, and in turn law enforcement; it’s quieter and more effective.
Analysis: Why does it matter?
Next to business email compromise (BEC), ransomware is considered the most disruptive and most destructive form of cyberattack out there. Businesses that suffer a ransomware attack usually end up with operational deficiencies, a tarnished reputation, huge expenses to resume operations, and data watchdog and government fines.
Over the years, many reports have found that, unsurprisingly, consumers do not want to deal with organizations that are unable to keep their data safe and are happy to spend their money elsewhere.
The majority of organizations, from small and medium-sized businesses (SMBs) to large enterprises, have either experienced a ransomware attack in the past 12 months, or are expecting to suffer one. The key problems with defending from ransomware include insufficient funds, staff shortage, and overly complex and confusing technological solutions.
A ransomware attack usually begins with a phishing email, sent to a low-level employee and carrying malware. Once the threat actors establish a foothold in the target organization, they can linger for days, or even weeks, mapping out the network, identifying key endpoints and essential data. After that, they will being the process of data exfiltration, followed by encryption.
To tackle ransomware, businesses are advised to first educate their employees on the dangers of phishing, social engineering, shadow IT, as well as cracked and pirated software. Then, they are advised to deploy Zero Trust Network Access (ZTNA), deploy multi-factor authentication (MFA) wherever possible, and run state-of-the-art antivirus, firewalls, and endpoint protection solutions. A strong backup solution is pivotal too, it was said. Finally, they need to keep both hardware and software updated with the latest patches and security fixes.
What have others said about it?
Most cybersecurity firms have been warning on the dangers of ransomware since its inception. In a recent report, Sophos said businesses were on good track with backups, but added that there needs to be more effort:
“Using backups as a primary recovery mechanism is encouraging, since the use of backups promotes a faster recovery. While ransom payments cannot always be avoided, we know from our survey response data that paying a ransom doubles the costs of recovery,” said John Shier, field CTO, Sophos.
“With 77% of manufacturing organizations reporting lost revenue after a ransomware attack, this added cost burden should be avoided, and priority placed on earlier detection and response,” he added.
Deepen Desai, Global CISO and Head of Security Research, Zscaler, placed the limelight on encryption-less attacks, saying: “Ransomware authors are increasingly staying under the radar by launching encryption-less attacks which involve large volumes of data exfiltration. Organizations must move away from using legacy point products and instead migrate to a fully integrated zero trust platform that minimizes their attack surface, prevents compromise, reduces the blast radius in the event of a successful attack, and prevents data exfiltration.”
Go deeper
If you want to learn more about the dangers of ransomware, make sure to read our in-depth guide on what is ransomware, as well as our guide for the best ransomware protection tools right now. Also make sure to read our guides for the best antivirus software and the best firewall.
- These are the best endpoint protection tools right now