Ransomware: narrowing the focus for more targeted attacks

Guest post by Rob Allen, who is an IT Professional with almost two decades of experience assisting small and medium enterprises embrace and utilise technology.

Worrying trends are emerging in how ransomware is being not just more narrowly targeted, but tailored and sophisticated too

According to Security Intelligence, one of the top 10 most costly cyber attacks of 2022, took place in April, where ransomware crippled the US Austin Peay State University.

The attack brought the university to a halt just before final exams began, reducing faculty, staff and students to personal devices to access email and other university resources. The university cancelled final exams and closed all computer labs.

Ransomware: narrowing the focus for more targeted attacks

It was forewarning of later attacks seen in the same sector here at home in 2023.

It is becoming easier for ransomware to target specific sectors and individual organizations, with elements of artificial intelligence (AI) and automation being incorporated, adding to developments such as ransomware-as-a-service.

It does not have to be the devastating strike it used to be. A combination of policies, controls and layered protections can stop ransomware, minimising damage and ensuring your business can carry on.

There is little doubt that ransomware is becoming more prevalent, and more costly. Gartner reports that as many as a third of organisations globally have experienced some kind of ransomware attack. As reported by BCS,  while 2022 saw a slight global fall in ransomware incidents, Europe saw a 63% increase.

IBM’s “Cost of a Data Breach Report” 2022 found that the share of breaches caused by ransomware grew 41% in the period and took 49 days longer than average to identify and contain. Additionally, destructive attacks increased in cost by more than $430,000, making the global average cost of a ransomware attack  $4.54 million.

The volume and impact of ransomware is further multiplied by technological developments. Ransomware-as-a-service has already been observed and is well documented. Now, cybersecurity experts suspect that AI and machine learning (ML) may be deployed to increase efficacy, and perhaps facilitate automation.

Automating significant elements of the ransomware process could mean an even greater acceleration of attacks, argues Mark Driver, a research vice president at Gartner.

‘It’s not worth their effort if it takes them hours and hours to do it manually, but if they can automate it’, Driver reasons, “it’s terrifying.” While it has not yet been definitively identified in the wild, security expert Mikko Hyppönen has said there may be a few, highly successful ransomware gangs with the resources to hire AI talent and develop the capability.

-Experts see distinct patterns emerging within ransomware attacks due to these technological developments.  TechTarget reports that the three sectors of media/leisure/entertainment, retail, and energy/oil/gas/utilities, accounted for more attacks than any other sectors. These ransomware attacks are increasingly tailored for a specific sector or industry, with utilities, in particular, seeing more narrowly focused methodologies, instead of the ‘scatter gun’ approach of old.

This has led to speculation that if the trends of as-a-service platforms, and sector specific adaptation converge with embedded AI and ML, automation, , then ransomware incidents such as the Colonial Pipeline attack in the US could not only become more common, but more coordinated and effective. If such tactics and tools were to be used by a nation-state, entire sets of critical infrastructure could be at risk of crippling attacks.

However, it is important to point out that while ransomware is a growing menace, it is often the final stage of an attack.  Gartner’s “Anatomy of a Ransomware Attack,” it depicts the initial stages as

• ingress- through the likes of phishing, email, credentials dumps, etc, compromise followed by
• burrowing and lateral movement – prior to any data exfiltration and ransomware actually being run.

It also highlights that these last two stages (where attackers perform discovery, exploration of and exfiltration of data from compromised resources) can often take place over a period of months, as supported by IBM’s findings. This means by the time ransomware or a malicious payload is actually executed it is often too late – a data breach has already occurred and the data is already being used .

During this time, there are opportunities to not only detect, but mitigate the impacts. By adopting what is referred to as a ‘zero trust mindset,’ organisations can presume that should an attack occur, there are ways to prevent and diminish the effects of an attack.

By  thinking about every phase of the attack, from ingress to deployment of a payload, organisations can break down what needs to be done into more easily accomplished steps. Researching other known incidents will help you identify weak spots and vulnerabilities before they become an issue.  This can allow the implementation of methods such as least privilege access, access controls, and network monitoring and segmentation, to ensure that your own infrastructure, users and resources cannot be used against you.

All of this can build into playbooks for when an incident occurs, reducing the time to effective intervention.

Constant monitoring will also allow you to identify a baseline of healthy operation, making anomalies and malicious behaviour easier to identify, earlier.

These layered, coordinated strategies and techniques will mean that your organisation is harder to breach, harder to explore, and harder to damage.

Attackers are usually opportunistic, profit driven, and ultimately, looking for the avenue of least resistance. By reducing your attack surface, making your environment as unfriendly as possible to an attacker, you can make your organisation the least attractive target, prompting all but the most determined attackers to move on for easier scores.

The sheer prevalence of ransomware attacks suggests that every organisation will, at some stage, face an cyber attack in some form. Despite a narrowed focus on sectors and rapidly developing technological sophistication, a simple change of mindset can be the first step to ensuring that you put the right tools, processes and practices in place to deter, defend, and diminish the impact so your business can carry on.

About Rob Allen

Rob Allen is an IT Professional with almost two decades of experience assisting small and medium enterprises embrace and utilise technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by MSP’s and their customers today. Rob’s background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customer’s needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries.

Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from cyber and ransomware attacks. Rob joins the ThreatLocker team in 2021 excited at the prospect of building new relationships and helping deliver ThreatLocker’s enterprise-level security products to customers throughout the EMEA region.

See more breaking stories here.