In the past year, the Fortinet FortiGuard Labs team has found a dramatic increase in activity across the cyber threat landscape. Its Global Threat Landscape Report recorded a sevenfold surge in overall ransomware activity in the second half of 2020. Heavily targeted sectors include healthcare, professional services and consumer services firms, with the public sector being a particularly attractive target. But ransomware has adapted, and the recent spike in its use directly results from the disruption that businesses faced at the start of the Covid-19 pandemic.
While organisations were dealing with this sudden change in the way they run their businesses, the transition to working from home brought critical challenges to IT and security teams. This has been compounded by the fact that IT teams need to ensure that employees are aware of the latest cyber security threats and best practices on how to deal with them.
The growth of ransomware operations
Threat actors generally leverage ransomware to crypto-lock critical systems and business infrastructures, demanding a ransom for the decryption key. Combined with the threat of releasing the compromised data if demands are not met, it has proven to be a relatively simple and lucrative way to extort money from organisations.
Increasingly, researchers are also seeing encrypted versions of data posted online – not just held for ransom. This usually comes with the threat that if the ransom isn’t paid, all data will be released to the public, or sold.
As the volume and frequency of attacks and attackers have drastically increased, a more sinister and targeted form of ransomware scheme has come to the fore.
Traditionally, ransomware attackers have been a few highly skilled coders developing sophisticated malware strains and focusing on making money solely from ransom payments.
That approach has evolved to a service model with its promise of recurring revenue streams from multiple sources. Attackers have realised they stand to make more money by selling or leasing these strains on the dark web to the everyday criminal, and taking a cut from the victim’s ransom payments. As a result, in the last six months of 2020 there was a steady growth of what is now being classified as ransomware-as-a-service (RaaS), according to the Global Threat Landscape Report.
RaaS is proving effective for lower-level cybercriminals who want to jump on the latest boom in ransomware activity, but don’t have the technical skills to develop their own malware strains. Demand for RaaS has increased drastically and competition among ransomware developers can lead to special deals being made for aspiring criminals, which could spell disaster for potential victims.
One RaaS threat actor that FortiGuard Labs identified was Smaug, a service that offered ransomware strains that could be deployed across Windows, macOS and Linux platforms. Most RaaS is restricted to vetted members, but Smaug became a fully public offering in late 2020. Other major players in the RaaS space that organisations need to be aware of are Phobos, Sodinokibi, Conti and Egregor. RaaS makes these types of attacks extremely attractive for cybercriminals, and almost any organisation or business regardless of size or industry can become a potential victim.
Keeping the threat at bay
A compromised digital supply chain and a workforce telecommuting into the network pose a real risk that ransomware attacks can come from anywhere, meaning organisations need to have a strategic, platform approach to cyber security that offers consistent protection and visibility across the entire IT estate and attack surface.
Whether an organisation uses cloud-delivered security solutions, endpoint detection or zero-trust access, a cohesive strategy with the right solutions and an overarching view of the network is the best defence against malware. On top of this, organisations should look at making foundational changes to the frequency, location and security of their data backups as an extra layer of protection.
There is no denying that enterprises and public sector organisations alike face a threat landscape with attacks on all fronts. Threat intelligence remains central to understanding these threats and how to defend against evolving threat vectors. Visibility is also critical, particularly when a significant number of users are outside the typical network scenario. Every device creates a new network edge that must be monitored and secured.
Artificial intelligence (AI) and automated threat detection can enable organisations to address attacks immediately, not later, and are necessary to mitigate attacks at speed and scale across all edges. Cyber security user awareness training should also remain a priority; cyber hygiene is not just the domain of IT and security teams.
There has been much debate on the topic of criminalising ransomware payments in an effort to reduce the number of attacks. The official advice from the UK National Cyber Security Centre (NCSC) remains that organisations do not pay ransoms. This debate is likely to continue to divide opinion; however, it can’t be ignored that the paying of ransoms can be problematic.
Ransomware and RaaS, in particular, have become more prolific as a result of the ongoing global crisis, with the public sector targeted frequently. It’s not going away any time soon and organisations need to know what they’re coming up against and how best to mitigate the impact that a ransomware attack has, while understanding that paying the attackers could make their situation worse. But, with a more proactive, platform approach to securing their IT environments and the right cyber security solutions and intelligence, these organisations can be confident that they have the tools to combat these threats.
Paul Anderson is director, UK and Ireland at Fortinet.