SecurityBrief Asia

Evolution of ransomware reaches dangerous levels of sophistication

By Ryan Morris-Reade
Fri 15 Apr 2022

Ransomware is reaching new levels of sophistication with dangerous results, according to cybersecurity firm SLVA. 

Once a niche criminal enterprise, ransomware has become big business, complete with R&D departments and sales and marketing divisions. The deeply layered onion that is today's ransomware attack landscape has been wreaking havoc in large enterprises across the globe. 

Patrick Evans, chief executive officer of SLVA Cybersecurity, says it only takes two hours to determine whether a network's endpoint protection can be circumvented and if the organisation has controls in place to stop the encryption and ransomware behaviour.

"Understanding an organisation's current environment, and the likely costs of a ransomware attack, is crucial to making a more informed decision concerning security," he says.

Evans says recent high profile ransomware attacks have undoubtedly raised concerns among enterprises about their own potential security vulnerabilities. 

He says irrespective of the amount of protection currently in place, ransomware has evolved into a complex and sophisticated form of organised crime.

"While many people believe the ransomware victims have not secured their networks, the truth is most organisations have made significant investments in information and cybersecurity," Evans says. 

"Features such as firewalls, endpoint protection, intrusion detection, patch management, and many others are all in place and form part of the organisation's layered defence."

In addition, large enterprises typically have teams of experts running security operations, governance and compliance programs, and more than likely a CISO in the critical role of information security executive.

"There is no doubt that the majority of businesses today know that the weak link is the human element, which poses a tremendous risk to the safety of the overall company," Evans says.

"For these reasons, they have run security awareness programs for well over a decade, all to make their employees and contractors aware of the risks they create when clicking on a link in a document or having easily guessable passwords," he says.

Yet, with such extensive measures in place, the question as to how ransomware attacks happen remains. As with any organised crime unit, there usually is a syndicate at work. These syndicates are comprised of experts who know their way around a complex digital world. With its multiple layers, this complexity makes it easy for criminals to strike successfully.

"If you think of a typical IT environment, there are endpoints, servers, mobile devices, networks, multiple applications, cloud, and service providers. Every individual item develops vulnerabilities that attackers can use to gain access to the network, endpoint or server," Evans says. 

"There are other vulnerabilities that need to be patched, which is a complex task," he says.

"Today, it is virtually impractical to patch everything all the time, so patching needs to be prioritised based on the likelihood and impact of an attack. This requires intelligence about what is happening and needs to be collated, interpreted and insights derived in real-time."

As with other forms of organised crime, ransomware operations have moved to legitimise the business of crime, with these groups often registered as legitimate businesses.

"There is nothing subtle about these businesses as their CEOs conduct TV and radio interviews, blatantly operating in countries which have no intention of stopping the activities because they bring in tens of millions of dollars of revenue," Evans says.

He says this new, more organised form of ransomware, or ransomware 3.0, kicked off in earnest in 2019. It is often referred to as 'double extortion' and is characterised by the theft of credentials, intellectual property and data, coupled with threats of public shaming and threats directed at the organisation's employees and customers.

"Threats to exfiltrate data in the absence of paying the ransom are 81% of the norm today, which is a worrying statistic," Evans says.

According to Evans, in ransomware 3.0, criminals are organised into mission-focused businesses, each playing a different role: developers of specialist attacks; access brokers who specialise in breaking into organisations and then selling that access; and finally, Ransomware-as-a-Service providers who work with affiliates to identify targets and then share the profit with the affiliates after successful attacks.

"They even have public relations departments that issue press releases and respond publicly to crises," he says. 

"Criminals also have crypto brokers and money launderers in the supply chain, which is, in essence, a multilevel ecosystem of organised crime."

Ransomware 3.0 has also seen distributed denial of service attacks used as a distraction from, or obfuscation of, the main attack. It also sees the deployment of crypto-mining malware in a hybrid form of attack.

The organised criminal syndicates have developed knowledge and experience in industry verticals such as healthcare, retail, government and education, which Evans says enables them to identify whether a given organisation is a likely target.

"The goal of a ransomware attack is maximum disruption of business-critical services," he says. 

"If they don't achieve that, the ransom won't be paid. As a result, these organisations often understand better than their intended targets what the business-critical services processes are and their interdependencies, and they target those with knowledge and foresight."

According to Evans, the way forward is to consider that ransomware is an advanced persistent threat or APT.

"It's important to note that attackers are playing a long game," he says. "Victims are tricked into letting an initial piece of malware in."

"And where an organisation is already a victim of a ransomware attack, attackers already know multiple vulnerable entry points and may still have malicious code embedded in that environment masquerading as a benign process."

Once in, the malware immediately downloads updates and additional malware, taking instructions from command-and-control servers. It can be resident for between 8 and 12 months before it starts encrypting data. It scans the environment to determine what is being used as endpoint protection/AV/EDR, updates itself to avoid detection, and spreads.

"As it moves laterally, it collects credentials sending that information to command and control for hackers to use and learn as much about the environment as possible," Evans says.

He adds that the hackers will then study financial accounts and cyber insurance documents to determine how much that organisation can afford to pay or is insured for. All IP and the crown jewels of data will be discovered and exfiltrated.  

"To make matters worse, they will try to compromise data backups, making it impossible to restore the encrypted data. Then, and only then, will they encrypt the data and ask for a ransom. But worse still, the ransom payment is no guarantee that a data decryption key will be provided."
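The lifecycle just described (long dwell time, command-and-control check-ins, credential harvesting, lateral movement, backup tampering and only then encryption) is what a detection team has to correlate, and the ordering matters: backup tampering is the last signal before encryption begins. The following is an added example, not code from the article or from SLVA Cybersecurity. It runs a hypothetical stage classifier over constructed endpoint telemetry (host names, the address 198.51.100.23, the `.locked` extension and the event shapes are all invented for the example), reports which stages have been seen, measures dwell time from the first observed stage, and escalates to critical as soon as backups are attacked rather than waiting for the rename burst that marks mass encryption.

```python
"""Defender-side correlation of the ransomware lifecycle described above.

Added example, not code from the article or from SLVA Cybersecurity. All
telemetry is constructed (hypothetical host names, addresses, extensions and
event types) and the stage rules are illustrative, not any vendor's content.
"""
from datetime import datetime

STAGE_ORDER = ["c2_beacon", "credential_access", "lateral_movement",
               "backup_tamper", "mass_encryption"]
ENCRYPTION_BURST = 50            # renames to a suspect extension ...
BURST_WINDOW_SECONDS = 60        # ... within this window = mass encryption
SUSPECT_EXTENSIONS = {".locked", ".enc"}   # constructed placeholder values


def parse_ts(value):
    return datetime.fromisoformat(value)


def classify(event):
    """Map a single telemetry record to a lifecycle stage, or None."""
    kind = event["type"]
    if kind == "net_conn" and event.get("periodic") and not event.get("internal", False):
        return "c2_beacon"                 # regular outbound beacon: C2 check-in
    if kind == "cred_access":
        return "credential_access"         # credential harvesting on the host
    if kind == "remote_logon" and event.get("src_host") not in (None, event["host"]):
        return "lateral_movement"          # logon originating from another endpoint
    if kind == "backup_tamper":
        return "backup_tamper"             # backups attacked before encryption
    return None                            # file renames are judged as a burst


def encryption_burst_start(events):
    """Earliest time at which one host renames ENCRYPTION_BURST files to a
    suspect extension inside BURST_WINDOW_SECONDS; None if no burst exists."""
    per_host = {}
    for e in events:
        if e["type"] == "file_rename" and e.get("new_ext") in SUSPECT_EXTENSIONS:
            per_host.setdefault(e["host"], []).append(parse_ts(e["ts"]))
    starts = []
    for stamps in per_host.values():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over sorted times
            while (stamps[hi] - stamps[lo]).total_seconds() > BURST_WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 >= ENCRYPTION_BURST:
                starts.append(stamps[lo])
                break
    return min(starts) if starts else None


def severity(stages):
    if "backup_tamper" in stages or "mass_encryption" in stages:
        return "critical"    # backups under attack: encryption imminent or under way
    if "credential_access" in stages and "lateral_movement" in stages:
        return "high"
    return "medium" if stages else "none"


def analyse(events):
    """Return stages seen (in lifecycle order), dwell time in days and severity."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        stage = classify(e)
        if stage and stage not in first_seen:
            first_seen[stage] = parse_ts(e["ts"])
    burst = encryption_burst_start(events)
    if burst is not None:
        first_seen["mass_encryption"] = burst
    stages = [s for s in STAGE_ORDER if s in first_seen]
    dwell_days = (max(first_seen.values()) - min(first_seen.values())).days if first_seen else 0
    return {"stages": stages, "dwell_days": dwell_days, "severity": severity(stages)}


def sample_events():
    """Constructed telemetry for one intrusion: beacon, credential theft,
    lateral movement, backup tampering, then a rename burst on the file server."""
    events = [
        {"ts": "2022-04-01T02:00:00", "host": "ws-17", "type": "net_conn",
         "dst": "198.51.100.23", "periodic": True},
        {"ts": "2022-04-20T03:15:00", "host": "ws-17", "type": "cred_access"},
        {"ts": "2022-05-02T01:40:00", "host": "srv-files", "type": "remote_logon",
         "src_host": "ws-17", "account": "svc-backup"},
        {"ts": "2022-05-03T01:50:00", "host": "srv-bak", "type": "backup_tamper"},
    ]
    for i in range(60):   # 60 renames within 59 seconds
        events.append({"ts": f"2022-05-03T02:00:{i:02d}", "host": "srv-files",
                       "type": "file_rename", "new_ext": ".locked"})
    return events


if __name__ == "__main__":
    print(analyse(sample_events()))
```

Run on the constructed intrusion the report lists all five stages, a 32-day dwell from the first beacon to the rename burst, and a critical severity. The severity table is the design point: because the article's sequence puts backup compromise immediately before encryption, a backup-tamper event alone is treated as critical, and the rename-burst rule is only the confirmation that the team was too late.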

While it might be tempting to believe ransomware attacks are directed at large enterprises because they grab the lion's share of the headlines, Evans says this is not true. 

"All organisations, from the micro-business to the parastatal, are potential targets, irrespective of industry vertical," he says, adding that small to medium-sized organisations simply cannot absorb the financial loss following a ransomware attack.

Current estimates suggest that 60% of SMEs fall under business administration or face total business failure within six months of a ransomware attack. A staggering 80% of organisations that are successfully attacked will suffer a second attack.

While there is no silver bullet, Evans says there are proven ways to prevent a successful attack. 

"Efficient cybersecurity defences, including an effective last line of defence against ransomware, inside a fit-for-purpose budget remain the most sensible starting point."
