Monday, 21 December 2020 09:49

The Rising Stakes of Ransomware Attacks

By John Donovan, Managing Director, ANZ, Sophos

Guest Opinion: Ransomware is the defining cyber-attack of our era. Over the last two decades, threats have evolved from the worm era, which lasted from 2000-2004 and was characterised by software like the infamous ILOVEYOU, through to the monetisation era from 2005-2012, and now the age of ransomware.

COVID has definitely amplified ransomware attacks, with the malware often delivered through phishing emails that reference the pandemic. But ransomware, and the tactics used by cybercriminals, are also evolving. Where criminals were once happy to gain access to a system, encrypt the data and demand a ransom, they’re now also extracting the data and holding it hostage.

This data theft means that ransom fees are rising, and many companies are paying up in a bid to avoid the regulatory scrutiny (along with associated fines and reputation loss) that comes with their data being stolen and then released publicly.

The rising cost of ransomware

Sophos’ recent 2021 Threat Report found that ransom payouts have risen dramatically over the last twelve months. In Q4 2019 the average ransom payout was US$84,116. Jump forward three months and it had increased to US$111,605 for Q1 2020. If that’s not expensive enough, the average payout had risen a further US$66,649 by Q2 2020 and has hit a record figure of US$233,817 in the third quarter of this year.

The reason criminals are pushing the limits of what they can extort from victims is that they know how expensive downtime can be, and so they’re testing the upper limit of what they can extract in a ransomware attack.

They’re also well versed in the aforementioned fact that companies don’t want their precious data released into the wild. Cybercriminals know how much damage a data breach can cause to a company’s reputation and they’re charging accordingly. This additional social pressure turns the screws on the victims even more – especially on those who were undecided on whether to pay the ransom or not.

The blurring of criminals and nation-state actors

Our research discovered that distinct threat actor groups that engage in ransomware attacks are now collaborating closely with their peers in the criminal underground. In doing this, they’re starting to behave more like cybercrime cartels rather than independent groups.

Those cartels are also gaining access to tools developed by nation-states for cyberwarfare, and in doing so, blurring the line between crimes and countries. This makes it harder for organisations defending against cyberattacks to determine where the attack is coming from – is it a nation-state engaging in espionage, or is it a criminal group engaging in their usual activities? It’s becoming more and more difficult to know.

Over the past year, Sophos’ analysts have seen ransomware organisations begin to settle on a common – and slowly growing – toolset to extract data from victims’ networks.

These utilities pose a grave threat because they’re well-known and appear to be legitimate pieces of software that anyone might have, and therefore won’t be detected by endpoint security products.

Criminals, when they extract data from a network, are also using commodity cloud services to hold the information they’ve stolen. When the data is exfiltrated from a victim’s network, the traffic, which is going to a service like Google Drive or Amazon S3, looks legitimate, making it even harder to detect that an attack is underway. This traffic is hard to spot since these are common network traffic destinations.

The amount of data they extract also doesn’t seem to be an issue with online crooks. That’s because directory structures are unique to each business and some file types can be compressed better than others. Our analysis has seen as little as 5GB and as much as 400GB of compressed data being stolen from a victim prior to the deployment of ransomware.
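Because the destination looks legitimate, defenders can watch the volume instead. The following is an added example, not part of the original article or any Sophos tooling: it sums each host's daily uploads to cloud storage and flags a day that reaches the 5GB lower bound mentioned above and far exceeds that host's own history. The log format, host names, domain suffixes and the factor of 10 are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: suffixes standing in for the two services the article names.
CLOUD_STORAGE_SUFFIXES = ("drive.google.com", "s3.amazonaws.com")
GB = 1024 ** 3
MIN_BYTES = 5 * GB      # smallest stolen volume the article reports
BASELINE_FACTOR = 10    # assumed multiple of the host's own median day

# Constructed proxy log lines: date, internal host, destination, bytes sent.
SAMPLE_LOG = """\
2020-12-01 ws-014 drive.google.com 120000000
2020-12-02 ws-014 drive.google.com 95000000
2020-12-03 ws-014 drive.google.com 150000000
2020-12-04 ws-014 example-bucket.s3.amazonaws.com 3221225472
2020-12-04 ws-014 example-bucket.s3.amazonaws.com 3221225472
2020-12-01 backup-01 corp-backup.s3.amazonaws.com 8589934592
2020-12-02 backup-01 corp-backup.s3.amazonaws.com 8589934592
2020-12-03 backup-01 corp-backup.s3.amazonaws.com 8589934592
2020-12-04 backup-01 corp-backup.s3.amazonaws.com 8589934592
2020-12-04 ws-020 drive.google.com 2147483648
2020-12-04 ws-031 files.example.net 9663676416
"""

def is_cloud_storage(dest):
    return any(dest == s or dest.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def daily_uploads(log):
    """Sum bytes sent to cloud storage per (host, day); skip malformed lines."""
    totals = defaultdict(int)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit() and is_cloud_storage(parts[2].lower()):
            totals[(parts[1], parts[0])] += int(parts[3])
    return totals

def flag_exfil_candidates(log, target_day):
    """Hosts whose upload on target_day is large and far above their own history."""
    totals = daily_uploads(log)
    alerts = []
    for (host, day), sent in totals.items():
        if day != target_day or sent < MIN_BYTES:
            continue
        history = sorted(b for (h, d), b in totals.items() if h == host and d < target_day)
        baseline = history[len(history) // 2] if history else 0
        if sent > BASELINE_FACTOR * baseline:
            alerts.append((host, sent, baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for host, sent, baseline in flag_exfil_candidates(SAMPLE_LOG, "2020-12-04"):
        print(f"{host}: {sent / GB:.1f} GB to cloud storage, median day {baseline / GB:.2f} GB")
```

In the constructed data the workstation that suddenly sends 6GB to an S3 bucket is flagged, while the backup server that sends 8GB every day is not, because the comparison is against each host's own median rather than a single global limit.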

Local backups also fall victim

One of the best tactics to defeat a ransomware attack (but not one where the data is also stolen) is to have remote, offline backups that give businesses the ability to restore their data and get their businesses back up and running.

A new trend, however, is where a business has local servers connected to the network holding their backup data. Ransomware attackers, gaining access to the network, have started to hunt down these local backups and when they find them, they either delete them or independently encrypt them before exfiltrating the data and then encrypting it.

Ransomware is evolving to become the defining attack of our era. New techniques and strategies used by cybercriminals mean that they’re not only encrypting the data and holding it to ransom, but also extracting the data and threatening to release it publicly. This double whammy is a new attack, and it’s one that’s not easily defended against if a crook is able to gain access to the network in the first place.

