Happy Friday,
You would think that with today's attention to cyber threats being at an all-time high and law enforcement cracking down more than ever on cyber gangs, that ransomware attacks should be at an all-time low. But according to a new report published by Tenable, 35.5% of breaches in 2022 were the result of a ransomware attack, only down a negligible 2.5% from the year before. Also, payouts from ransomware victims declined another 38% last year. Cybercriminals are not making the same kind of cash they used to... or are they?
So what's going on here?
Cybercrime is organized. This means they have metrics like KPI's, client acquisition costs and quarterly targets. They are increasing pressure on victims to pay up and here are the new ways that they're doing it:
1. Double Extortion
With double extortion, the ransomware group, in addition to encrypting the files on victim's systems also download your sensitive data. This gives the hacker more leverage since now the ask is not only about decrypting the locked data but also about leaking it. This isn't a new tactic - we saw it emerge during Covid, but what can come next is insidious.
2. Triple Extortion
In triple extortion, the ransomware gang not only encrypts the your files and extracts sensitive data, but then adds a distributed denial-of-service (DDos) attack to the mix. Unless the ransom is paid, not only will the files remain locked but even public facing services such as websites, e-commerce and customer portals go offline. Banking institutions, online stores and service providers are most vulnerable to DDoS attacks.
3. Reputation Damage
Once the bad guys have company data, what's to stop them from going after your customers? The short answer, nothing. The Cl0p ransomware group is notorious for calling and emailing stakeholders and customers of their victims, informing them that their data is going to be leaked because the company won't cough up the ransom. Cl0p even sends victims to a website where they can see the exfiltrated victim and customer data as well as negotiations going on between them and the victim company in real time. The idea is to add urgency and pressure to pay up and make it all go away, which often doesn't work. Once a ransom is paid, the bad guys usually won't stop until the company shuts its doors.
The Takeaway
It's easy to see how your customers might jump ship after such an incident and your business might never recover. While companies are deploying ways to protect assets that store their data (eg. EDR, SIEM/SOC, etc.), the bad guys are taking advantage of the fact that the right controls are not being deployed around company data itself. Wait, what? I know that sounds confusing - I'll explain:
If you have a computer network and the CFO has access to not only Timberline (an accounting software) but has also been unknowingly granted access to the company's Autocad (engineering) files on the server, if she accidentally clicks a link that gives a bad actor access to her machine, they can move laterally and encrypt all of the company's engineering files. The practice of Least Privilege should have been employed with the CFO. She should have only been given access to the files and folders she absolutely needs to do her job, nothing more. This is what hackers are taking advantage of.
Here are some tips on what to do about this in your business:
1. Reduce the blast radius and minimize the damage attackers can do by locking down access to critical data and ensuring that employees and contractors can access only the data they need to do their jobs.
2. Find and identify critical data that’s at risk. Scan for everything attackers look for, including personal data, financial data, and passwords. Does your CFO store all of their passwords in a Word document on their desktop? Yes, we see this more often than you might think.
3. Embrace multifactor authentication. Enabling MFA makes an organization 99% less likely to get hacked.
4. Monitor what matters the most. Monitor how every user and account use critical data and watch for any unusual activity that could indicate a possible cyberattack. A SIEM + SOC solution will cover this.
It’s also important for you to have an SOP for responding and remediating to a security incident and have effective awareness programs to educate users to detect and report breaches. If you need help with a SIEM, SOC or Employee Security & Awareness training solution, feel free to reach out. We can help.
Stay safe out there.
-Attila