Rise of Ransomware

Fortinet’s 2021 Ransomware Survey Report reveals a more than 1000% surge in ransomware between July 2020 and June 2021.

According to the report:

• Two thirds of organizations have been targeted by ransomware.
• One in six companies have been hit at least three times.
• 94% expressed concern about the threat of a ransomware attack, with 76% being very or extremely concerned.
• 85% are more worried about a ransomware attack than any other cyber threats.
• 62% consider the top concern of organizations concerning ransomware is the risk of losing data.
• 38% said loss of productivity and 36% said the interruption of operations were their top concerns.
• 36% of respondents said the growing sophistication of the threat landscape was among their top five challenges in preventing ransomware.
• Lack of user awareness and training about cybersecurity hygiene came in at 32% and the difficulties of securing “work from anywhere” employees at 31%.

Despite these statistics, there appears to still be complacency about the problem. Researchers found that despite the volume of attacks and their regular success, 96% of respondents feel at least moderately prepared.

Digging in deeper, however, the survey found that less than half of the respondents have a strategy that includes such things as network segmentation (48%), business continuity measures (41%), a remediation plan (39%), testing of ransomware recovery methods (28%), or red team/blue team exercises (13%) to identify weaknesses in security systems.

Combatting Ransomware

What is to be done to combat ransomware? 91% plan to invest in more employee cyber awareness training. That’s a smart approach as people tricked into clicking on malicious links and attachments is a primary line of ransomware incursion. But that isn’t enough. Survey respondents said that also look to areas such as threat intelligence, embedded artificial intelligence (AI) for behavioral detection, Secure Web Gateways, VPN, Network Access Controls, and offline backup as key areas of defense.

Perhaps the simplest, most basic, and perhaps the most effective technology upgrades that should be done to minimize the chances of attack are patch management and vulnerability scanning. This one-two punch of vulnerability scanning and patch management provides an essential defensive barrier against most potential incursions. When supported by good user training to proof employees up against phishing attacks and other social engineering scams, organizations are in a strong position to avoid the scourge of ransomware and other malware-borne ills.

How Syxsense Helps

The Syxsense vulnerability scanner is not only a complete security management package, it is automated, repeatable, and generates quick results, delivering security and safety in a timely manner. With security scanning and patch management in one console, Syxsense Secure is the only product that not only shows you what’s wrong, but also deploys the solution.

It offers visibility into OS and third-party vulnerabilities like defects, errors, or misconfigurations of components, while increasing cyber resilience. And it is fully integrated with automated patch management software that lets you easily manage unpatched vulnerabilities with the click of a button.

Syxsense includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.

Ransomware: You Ain’t Seen Nothing Yet

Ransomware statistics have been rising for years. But earlier this year, it appeared that things might be slowing down. There were actually a couple of months when the volume of ransomware attacks dropped.

The thinking at the time was that the bad guys had changed their approach: they were prioritizing attacks on high-value targets rather than conducting generalized phishing campaigns that tried to trick anyone on a computer anywhere.

That theory has been blown out of the water by the latest Global Threat Landscape Report from FortiGuard Labs. It highlights a new explosion in ransomware that is bad news for us all. This portends a future where cybercriminals will greatly expand their use of targeted attacks against high-value organizations, while shot-gunning phishing and ransomware malware from one end of the Web to the other.

Shocking Statistics

The report detailed some shocking statistics:

• A year ago, the average volume of ransomware attacks per week (June of 2020) were almost 15,000.
• Average volume of ransomware attacks per week in June of 2021 were almost 150,000 i.e., an increase of 1,000%.
• About a third or organizations in government, telecom, automotive, and among managed security service providers (MSSP) experienced ransomware attacks in the past year.
• Among all other sectors, the average is about 25%.

The conclusion reached by the researchers is that ransomware is a “clear and present danger regardless of industry or size.”

Rising to the Ransomware Challenge

If it is accepted that ransomware is not going to go anywhere soon, then organizational IT security procedures and defenses must rise to the challenge.  Fortunately, we have enough historical precedents to give us hope for a less disruptive future courtesy of the ransomware scourge:

• Industrialization filled cities with soot that blackened buildings and filled them with thick smog. London was particularly prone to this about half a century ago. A move to a less polluting form of coal, and then away from coal altogether has eliminated that issue.
• Acid rain was regarded by many as the world’s biggest problem about 30 years back. Changes in emissions standards have seen it diminish as a challenge.
• Similarly, the hole in the ozone layer was purported to be the doom of mankind a couple of decades back. Changes to aerosol and other chemical regulations had seen it disappear from the headlines.
• On the IT side, innovation has steadily conquered problems such as disk fragmentation, how to fix buggy software, simple computer viruses, pop-ups, and a long list of other challenges.

In all likelihood, ransomware is just the latest hurdle that has to be overcome. It may take a year or two more for it to be largely gotten under control. But eventually, enough safeguards will be in place that it will fall from the headlines, although it is likely to remain a threat that IT must stay alert to.

In the meantime, organizations are advised to beef up their security resources: The addition of skilled personnel, importing external help via consultants and MSSPs, and adding effective security defenses. High on the list of these defenses come patching and vulnerability scanning.

How Syxsense Can Help Your Organization

Syxsense reviews, verifies, tests, and issues all patches within three hours of issuance. Its software can automatically deploy those patches to all users and devices.

It also contains a patch rollback function in one of the rare instances when a problem arises due to a new patch. This represents the most efficient way to deal with the onslaught of new patches. It frees up IT and security personnel to take care of other urgent areas of security for the enterprise by incorporating vulnerability scanning and IT management within one interface.

Is There No End to the Ransomware Pandemic?

Pandemics are receiving a lot of media coverage right now. But the one most on the radar of those in IT and security is ransomware. According to the Positive Technologies Q1 2021 Cybersecurity Threatscape report, ransomware remains the most common type of malware, accounting for nearly 2/3 of all malware attacks.

It is easy to see why 2020 was a banner year for ransomware. But the research shows an increase in ransomware in Q1 of 2021 of 17% compared to Q1 of 2020. 77% of the malware consists of targeted attacks against government, industrial, scientific, and educational organizations. The bad guys are after personal data and credentials, as well as stealing commercial secrets.

When IT gets a handle on one type of malware, another strain emerges rapidly. Thus, new pieces of ransomware have emerged of late such as Cring, Humble, and Vovalex. Despite all the new strains, it is sometimes the golden oldies that reap the best rewards. That’s why new variants of WannaCry are causing havoc once again, reprising their heyday back in 2017.

Another successful tactic is to harness rarely used programming languages in order to escape the attention of security scanners and avoid threat prevention technology. To make matters worse, some attackers make use of features that can successfully erase any traces of malicious activity.

Success Breeds Larger Ransoms

In sport, a good season with high numbers often leads to a lucrative contract. It’s the same with ransomware. Following the high-profile attacks on SolarWinds, Kaseya, and the Colonial Pipeline, cybercriminals are now demanding far more in exchange for a return of files, or services. Those who refuse to pay are often subjected to threats to expose the attack and the extent of the data theft to the press, or reveal the hack to the customer base. Alternatively, they find sensitive data and release it to the public, threatening to do more of the same if a ransom is not paid.

While government, education, healthcare, and industry may be in the crosshairs, IT organizations aren’t off the hook. Attacks of IT companies remain high for the second quarter in a row, according to the report. Cybercriminals have also turned their hand to developing malware that infiltrates virtualization environments and virtual infrastructure. This is rich pickings at the moment due to the number of companies that continue to operate remotely.

But perhaps the most lucrative area for attackers is the exploitation of known vulnerabilities. It isn’t hard to imagine cybercriminals sharing tales by the water cooler about being able to infiltrate yet another organization via a well-publicized vulnerability that has had a patch available for two months. A colleague no doubt interrupts to say, he got one where the patch was six months old but had never been installed. And then another one pipes up with his tale of an uninstalled two-year old patch that enabled him to hold an organization to ransom.

Shocking as that may sound, it is commonplace for attackers to find a way in by exploiting unpatched systems. It may seem hard to believe, but it’s now more than a year since the SolarWinds attack first made headlines. Yet new victims of this exploit continue to be reported.

How Syxsense Can Help

The first line of defense against ransomware, therefore, is patching. Syxsense lets you easily manage unpatched vulnerabilities with the click of a button. It includes patch supersedence, patch roll back, and a wealth of automation features.

In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.

How Will User Behavior After the DarkSide Attack?

Recent ransomware attacks upon infrastructure targets like the Colonial Pipeline have certainly elevated the profile of cybercrime. Justice and policing agencies are giving it far more attention. Companies are taking more steps to avoid the possibility of a ransomware attack.

The mainstream press, not just the IT and security press, are constantly running stories about malware, ransomware, and cybercrime. This has raised awareness of the problem to something that is now very much in the popular consciousness.

Prime-time news stories highlight the dangers of phishing, and tell harrowing stories of individuals and small businesses destroyed by cybercrime after falling victim to social engineering trickery.

Will Users Wise Up?

The obvious conclusion would be that higher awareness would bring about a rapid change in user behavior. Being fed a steady diet of news about the various ways in which people were hoodwinked by various email scams, users would become far more cautious about their own email, website, and security habits.

Sadly, the facts don’t bear this out.

Research on social engineering from security awareness training vendors such as KnowBe4 indicates that people continue to be fooled by phishing emails in more or less the same percentage as before.

More than 10%, and some studies say 1 in 3 users are prone to be fooled by phishing. All it takes is a moment of inattention and the person clicks on a malicious attachment or link. Even smart people get fooled sometimes.

Malicious Cyber Strategies

To make matters worse, the bad guys continually adjust their tactics. As one particular tactic works well, it gets used a lot and then eventually plays itself out through over-use. The old scam emails from Nigerian banks wanting to pay you millions were once hitting just about every mailbox. People are wise to it. You rarely see it, these days.

The criminals moved on to other approaches such as email subject lines promising lurid details about celebrities or taking advantage of the headlines of the moment.

Another common tactic has been to use logos from corporations, banks, the IRS, FBI, or other government bodies posing as official communications. The idea is to fool the recipient into entering passwords or banking details.

Slightly altered email addresses are another ploy. One letter is added or subtracted from the email address, so it looks correct at first glance. Criminals sometimes infiltrate the email system of one employee and use it to send malicious content to other employees posing as being an urgent survey from the IT, finance, or HR. Such attacks are often effective.

Some users are alert to these scams and spot them instantly. But many continue to be fooled by them, even at an executive level.

When, Not If

Based on the propensity of some users to be tricked into clicking on malware, the unfortunate reality is that no matter the headlines, no matter the raised awareness, breaches will happen.

Phishing scams will help bad actors to gain entry. Effective security awareness training can bring down the percentage of users who click on bad links or attachments. But it won’t bring it to zero.

How Syxsense Can Help

Such actions must be supported by ever-vigilant IT and security personnel using automated security tools. The organization must continually scan the network for vulnerabilities, unusual patterns, anomalous traffic, and new threats. Patches must be kept up to date with priority given to those with the highest threat level.

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution.

Syxsense Cortex simplifies complex IT and security processes with a drag-and-drop interface. Pre-built templates keep organizations secure and without needing large teams, specialists, or scripting.

Ransomware Attacks Given Higher U.S. Priority

Those who have been victimized by ransomware have known it for some time. And now the federal government has faced up to the stark reality: ransomware is terrorism.

The U.S. Department of Justice has just elevated the status of investigations on ransomware attacks to give them a similar priority to terrorism. This comes in the aftermath of the Colonial Pipeline hack, a similar attack on the world’s largest meat processor, and a rash of other smaller incidents impacting schools, hospitals, and businesses.

As a result, U.S. attorney’s offices throughout the country have been instructed that any data concerning the investigation of ransomware should be communicated to Washington for the purposes of coordination. It appears that a concerted and coordinated campaign has begun in attempt to take out this form of cybercrime.

How the U.S. is Responding to Ransomware Attacks

A new task force has been set up in D.C. to address the issue. The goal is to detect patterns, trace common actors, and track down the criminal gangs behind it. This is a necessary move, given the fact that many of these acts are linked to Eastern European and Asian sources. With the federal government involved, pressure can be brought to bear on the police forces of other nations via Interpol, and from the State Department to other government officials.

And it’s about time. The criminals have largely had free rein up until now. Actions have only been taken against them when they went after high profile targets. A few hackers have been arrested over the last couple of years, but not that many when you consider the number of victims.

FBI investigations into cybercrime often lead overseas and that makes effective police action difficult. Hopefully, the new status will foster greater international cooperation as well as greater pressure exacted upon those who tolerate cybercriminals within their borders.

Colonial Pipeline Payback

The new emphasis on ransomware as terrorism seems to have paid immediate dividends. U.S. law enforcement officials managed to recover $2.3 million in bitcoin paid to a criminal gang DarkSide that was behind the Colonial Pipeline attack.

“Today we turned the tables on DarkSide,” said Lisa Monaco, a Department of Justice deputy attorney general.

Justice officials identified the virtual currency wallet used to collect payment from Colonial Pipeline and successfully seized what was there. This was possible as the network was in Northern California and within reach of U.S. court orders. It remains to be seen how effective new measures will be if funds have been transferred overseas.

The Best Defense Against Ransomware

Once ransomware has infected systems, the organization concerned is in for a rough ride. Reports can be filed, mitigation actions can be taken, ransoms may even be paid. But when the dust settles, IT and company management will probably feel they have been to hell and back.

The best defense against ransomware, therefore, is not to get infected in the first place. That means deployment of the right mix of security tools, educating users on how to avoid clicking on malware, and making sure all vulnerabilities are known and all patches are up to date.

How Syxsense Can Protect Your Business

Time and again, hackers exploit known vulnerabilities. Systems are continually breached due to well-publicized patches not having been deployed across the network.

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution.

Syxsense Cortex simplifies complex IT and security processes with a drag-and-drop interface. Pre-built templates keep organizations secure and without needing large teams, specialists, or scripting.

DarkSide Ransomware Behind Colonial Pipeline Hack

Colonial Pipeline provides 45% of the fuel supply of the eastern seaboard of the USA. Early Saturday, reports surfaced that the Oil and Gas behemoth had temporarily stopped operations of their fuel transport service due to a cyber security breach.

Colonial responded by announcing it was the victim of a targeted ransomware campaign. Although the situation is evolving, reports are coalescing around the organization DarkSide as the source of this security breach.

What is DarkSide?

DarkSide is a highly-coordinated team of offensive cyber security criminals who use their expertise to extort organizations for profit by infecting corporate networks with ransomware.

Ransomware is a form of malware which infects and then encrypts computers, locking the owner out of their own property. Once encrypted, the attacker then sends a ransom note to the owner of the infected property. Generally, ransom demands are expected to be paid out through Bitcoin, and if the owner of the affected assets is a large company, the ransom demand can range up to millions of dollars worth of Bitcoin.

How Ransomware Attacks Start

Many ransomware attacks are started through simple phishing scams. An unsuspecting user opens a bad email, clicking on a link which infects their computer with the malware. Then, the malware attempts to reach out to additional resources until it has access to a large aspect of the organization.

Once the malware has infected a wide scope of the company, the malware triggers it’s payload and locks down access to the assets it has infected. Although details are still murky around the Colonial Pipeline breach, we do know a fair bit about how DarkSide has implemented their malware in the past, and it’s much more complex than a standard phishing campaign.

What We Know About the DarkSide Ransomware Group

DarkSide has made a name for itself by performing complex breaches into target networks to deliver malware. They do this by initiating automated vulnerability scans on potential victims, prior to selecting a target.

Once a potential target is found, the team at DarkSide then performs a more complex audit of the victim’s network, looking for specific vulnerabilities to exploit. If the team finds a viable exploit, they will then exercise the exploit to deliver their malware to the target’s network.

Adding insult to injury, DarkSide does not just encrypt corporate data, but also copies a target’s data to servers operated by DarkSide. If the target then chooses to perform a disaster recovery data restoration and not pay DarkSide, their sensitive corporate data will be released to the public by DarkSide.

This added layer of criminal extortion has forced the hands of multiple companies and has made the DarkSide approach extremely lucrative for the criminal group.

The Latest with the Colonial Pipeline Hack

On Saturday, Colonial Pipeline reported that they were breached by a ransomware attack. Cyber security experts close to the event informed the media that the company was targeted by DarkSide.

Even though Colonial reported the issue on Saturday, there is reason to believe that DarkSide may have been on their network for significantly longer. Multiple government agencies are now investigating the breach as Colonial works to repair their damaged environments.

Recovering from a ransomware attack like DarkSide can be a complex and difficult process. Even after the ransom has been paid or recovery processes initiated, the network must be thoroughly audited for compromises. This process takes time and money. As of Monday morning, much of Colonial’s services are still offline.

How to Protect Your Business from DarkSide Ransomware

The story of Colonial Pipeline is not a new one — this is just the newest chapter in the long history of cyber extortion. But your organization does not have to participate in this story.

The DarkSide intrusion relies on exploitable vulnerabilities found on a target network. Syxsense Secure provides a simple interface for performing vulnerability audits across your entire corporate network. The visibility offered by Syxsense Secure shows your IT and security teams an in-depth view of your company’s vulnerabilities.

Outfits like DarkSide are interested in picking off easy targets. The best defense against DarkSide is a hard-to-breach corporate environment. By remediating vulnerabilities in your organization, DarkSide and other similar cybercriminal outfits will choose to look elsewhere to make their money. Colonial Pipeline has already given up millions of dollars in consulting fees, remediations, and lost revenue due to this breach. Appropriate vulnerability audits would have helped prevent this disaster.

Start a free trial to see how Syxsense Cortex can help you defend against DarkSide and other complex ransomware attacks.