Recent Trends in Ransomware Attacks
Ransomware attacks are on the increase during holidays and weekends, when offices are normally closed. Based on recent bad actor tactics, techniques, and procedures (TTPs), companies need to be especially diligent in network defense practices in the run-up to holidays and weekends.
The FBI’s Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 2,084 ransomware complaints from January to July 31, 2021 (over $16.8M in losses).
The destructive impact of ransomware continues to evolve beyond encryption of IT assets. Criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments.
Cyber Criminals’ Common Tactics
Cyber criminals have increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom.
Malicious actors have also added tactics, such as encrypting or deleting system backups—making restoration and recovery more difficult or infeasible for impacted organizations.
Although cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints.
Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web.
Precursor malware enables criminals to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber bad actors use this access to:
- Study a victim’s ability to pay a ransom;
- Evaluate a victim’s incentive to pay a ransom to regain access to their data and/or avoid having their sensitive or proprietary data publicly leaked; and
- Gather information for follow-on attacks before deploying ransomware on the victim network.
The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Bad actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data.
Ransomware Best Practices
The FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. A payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities.
Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to CISA, a local FBI field office, or by filing a report with IC3 at IC3.gov.
Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. law, and share information to prevent future attacks.
Cyber insurance plays a key role in managing and reducing cyber risk. This is a relatively new area of insurance for most insurers, but one that is growing rapidly.
A robust cyber insurance market that effectively prices cyber risk will also improve cybersecurity. By identifying and pricing risk created by gaps in cybersecurity, cyber insurance can create a financial incentive to fill those gaps to reduce premiums.
To foster the growth of a robust cyber insurance market that maintains the financial stability of insurers and protects insureds, the NY State Department of Financial Services (DFS) created a Cyber Insurance Risk Framework that outlines best practices for managing cyber insurance risk (the Framework).