Ransomware is costing companies. The core functionality of Ransomware is two-fold: to encrypt data and to deliver the ransom message. 85% of critical infrastructure organizations encountered a ransomware attack in 2022, according to Barracuda Networks’ recently released global 2023 Ransomware Insights Report.
The 2023 Ransomware report discusses the prevalence and impact of ransomware attacks worldwide. In addition, their international survey explored the experience of ransomware attacks on organizations over the last 12 months.
Depending on the complexity of the malware and its mechanism for gaining access, the encryption can be simple or maddeningly complex, and it may affect only a single device or an entire network. So, in my experience, especially with quick partial encryption, once the bad actor has set off the Ransomware binaries, it’s game over. Therefore, it’s better to catch Ransomware in the detection stage than once the encryption process has started. The kill chain is about five days.
A key point: Useful pre-information
Olesia Klevchuk, product marketing director at Barracuda, said, “Critical infrastructure is an appealing target for cybercriminals because of the impact a successful attack can cause — the bigger the impact, the more chances of a big payout.”
The survey interviewed 1,350 IT specialists, from frontline to senior roles, at companies across different industries. An overview of the findings is as follows:
- 73% of respondents reported being hit with at least one successful ransomware attack in 2022. On top of that, 38% were hit twice or more.
- 85% of energy, oil/gas, and utility organizations had at least one ransomware attack.
- The Energy, oil/gas, and utility industries were the most likely at 53% to report two or more successful ransomware attacks.
- In I.T., technology, and telecoms, 31% experienced one attack, and 25% experienced two attacks.
- Alarmingly, up to 42% of those hit three times or more paid the ransom to recover their data, compared to 31% of victims of a single attack.
How are bad actors getting in? Ransomware entry points
The bad actors need to get the Ransomware binaries past your perimeter and layers of defense to a valuable target, more than likely files to encrypt. They will not always land directly on the critical assets, so they need to pivot and move laterally in search of valuable assets.
This is often done with privileged credentials, which makes it harder to detect. How do you know whether a bad actor is using PsExec to move from machine to machine, or whether it is an I.T. admin carrying out a daily task? And how are bad actors getting in? Email is still the most commonly exploited entry method.
A summary of the findings is as follows:
- Up to 69% of surveyed organizations hit with Ransomware reported email as the primary entry method.
- In the I.T., tech, and telecom industries, 69% of ransomware attacks arrived via email, 56% via web traffic or web applications, and 39% via network traffic.
- In the energy, oil/gas, and utilities industry, 78% of ransomware attacks started with email, 54% by web traffic or web applications, and 60% by network traffic.
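The PsExec question above (legitimate admin task, or lateral movement on stolen privileged credentials?) is usually answered by comparing remote service installs against a baseline. The following is an added example, not code from the article or from Barracuda; it runs over constructed log lines modelled loosely on Windows System event 7045 (a service was installed), and the admin accounts, maintenance window and fan-out thresholds are assumed values.

```python
# Added example (not from the article or the Barracuda report): flag PsExec-style
# remote service installs that fall outside an assumed admin baseline.
# Log lines are constructed; the fields are a simplified SIEM export of
# Windows System event 7045 ("A service was installed in the system").
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events collected from several hosts.
SAMPLE_EVENTS = [
    "2023-04-04T02:14:05 host=FS01 event=7045 service=PSEXESVC user=CORP\\jdoe",
    "2023-04-04T02:14:41 host=FS02 event=7045 service=PSEXESVC user=CORP\\jdoe",
    "2023-04-04T02:15:12 host=DC01 event=7045 service=PSEXESVC user=CORP\\jdoe",
    "2023-04-04T09:30:00 host=WS17 event=7045 service=PSEXESVC user=CORP\\it-admin",
    "2023-04-04T22:05:00 host=WS18 event=7045 service=PSEXESVC user=CORP\\it-admin",
]

# Assumed baseline (hypothetical): who is allowed to run PsExec, and when.
ADMIN_ACCOUNTS = {"CORP\\it-admin"}
MAINTENANCE_HOURS = range(8, 18)      # 08:00 to 17:59 local time
FANOUT_WINDOW = timedelta(minutes=5)  # distinct hosts reached within this window
FANOUT_HOSTS = 3                      # ... counts as lateral-movement fan-out

def parse_event(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_psexec_anomalies(lines):
    """Return (reason, user, host) alerts for PSEXESVC installs that break the
    baseline: a non-admin account, an admin outside maintenance hours, or one
    account reaching FANOUT_HOSTS distinct hosts inside FANOUT_WINDOW."""
    alerts = []
    seen = defaultdict(list)  # user -> [(timestamp, host), ...]
    for rec in sorted(map(parse_event, lines), key=lambda r: r["ts"]):
        if rec["event"] != "7045" or rec["service"] != "PSEXESVC":
            continue
        user, host, ts = rec["user"], rec["host"], rec["ts"]
        if user not in ADMIN_ACCOUNTS:
            alerts.append(("psexec_by_non_admin", user, host))
        elif ts.hour not in MAINTENANCE_HOURS:
            alerts.append(("psexec_outside_maintenance", user, host))
        seen[user].append((ts, host))
        recent = {h for t, h in seen[user] if ts - t <= FANOUT_WINDOW}
        if len(recent) == FANOUT_HOSTS:  # fire once, when the threshold is crossed
            alerts.append(("psexec_lateral_fanout", user, host))
    return alerts

if __name__ == "__main__":
    for alert in detect_psexec_anomalies(SAMPLE_EVENTS):
        print(alert)
```

The admin's daytime install on WS17 produces no alert, while the 02:14 burst from a non-admin account across three hosts yields both per-host and fan-out alerts; in practice the baseline would come from an identity source rather than a hard-coded set.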
“There is a lot of pressure on these industries to be up and running as soon as possible, and paying cybercriminals is one of the routes they may take,” said Klevchuk. “This makes it very appealing to hackers as they can ask for large ransoms.”
The 2021 Colonial Pipeline attack is the best recent example of an attack on critical infrastructure, Klevchuk added. The company paid $4 million, and the entire U.S. East Coast was impacted.
The core problem with Ransomware is that the victim, an organization penetrated via email, has no access to a key to decrypt the data once the Ransomware binaries have encrypted it. Depending on the strength of the encryption algorithm, the data is essentially unrecoverable.
Some older algorithms can be broken given enough time and are still occasionally used in business, either because the infrastructure is outdated or because there is a perceived benefit to more straightforward encryption. A ransomware attacker has no need to use them: they don’t want the data to be readily accessible. So for all practical purposes, if Ransomware hits you, your data is lost unless you get the key or can recover it from somewhere that hasn’t been affected.
Ransomware: The way forward.
As I mentioned, you need to focus on the detect stage, because once the binaries have been activated, it’s game over. And since email is the primary entry method, your perimeter defense layers are being bypassed. So you must adopt a Zero Trust model and assume breach.
Splunk has good UEBA and detection mechanisms for Ransomware; these products assume a breach has already happened. An additional security layer would be prevention rather than detection, but this is challenging: it’s hard to detect Ransomware in email.
So it would help if you had best-in-class email security. Mimecast’s email ransomware protection relies on sophisticated, multi-layered detection engines to identify threats and halt them before they execute. With central control and unsurpassed API integration, you can act fast wherever Ransomware emerges.