Ransomware attacks mushroomed during the pandemic and now continue to grow. Before March 2020, there were four major ransomware groups operating at any one time and today there are around 20. Competition has become fierce among ransomware groups and there’s a high mortality rate. Just as LockBit 3.0 replaced Conti in 2022, newcomers such as BlackBasta, BianLian, and new-kid-on-the-block Royal are now all seriously vying for LockBit's crown in 2023.
They bring with them new threats and fresh tactics, techniques, and procedures (TTPs), such as BianLian's use of hard-to-crack GoLang to write its malware. The increased use of cloud services that enabled efficient WFH practices, plus a significant rise in the number of third-party services and suppliers being integrated into the corporate infrastructure has also considerably extended the attack surface.
Organizations should strengthen their cybersecurity in several important areas. Start by understanding that most breaches occur as a result of employee error. This can involve anything from opening an email attachments from an unknown source to downloading a dodgy app onto a personal smartphone.
Although major breaches such as Colonial Pipeline in the U.S. and, more recently, the UK’s Royal Mail breach grab the headlines, it’s generally more modestly-sized organizations which offer the most tempting targets for ransomware groups. In addition to generally weaker security, targeting firms with $20-$100 million in annual revenue means a successful cyber-attack won’t get widely reported and investigated. Major breaches that are perceived to affect national security and infrastructure are taken extremely seriously not only by the investigating authorities, but also by unpaid armies of hackers, such as those who deposed top 2021’s top ransomware gang, the Conti Group. Ideal targets are businesses with about 50 employees and $30 million in revenue.
The suddenness of the epidemic and the speed of national lockdowns meant that companies, even the biggest and best organized, had no time to prepare for the mass exodus from the workplace in 2020. For some years, bring-your-own-device (BYOD) strategies had been used by many SMEs to save cash by encouraging staff to use their own smartphones and tablets for work communications. But WFH exposed the weaknesses in this strategy from a security standpoint and it has already resulted in a recent rapid growth in identity theft. A single employee will frequently log onto scores of external websites every day, submitting personal and log-in details that criminals can steal and sell in large batches on the dark web and then used in subsequent attacks.
It's therefore essential that given the growing ransomware threat, organizations raise cybersecurity awareness across the entire organization, particularly among those staff who have opted to continue to work from home in the post-pandemic era.
The regular emails that some companies send staff warning them of the dangers are insufficient, as they are frequently ignored. Engage with staff where possible. For instance, the intelligence gathered from a questionnaire designed to highlight ongoing security issues and dangerous behaviours can then get relayed back to the staff to inform them that, for example, 30% of employees may leave themselves open to spear-phishing attacks.
But raised awareness must also go hand-in-hand with basic precautions, including updating the system regularly, rather than every couple of months as is the case at many companies. Failing to prioritize system updates needlessly leaves the organization playing Russian roulette with the ransomware gangs for weeks on end.
We also recommend using a virtual private network (VPN) for staff working from home accessing the corporate network. Organizations should ideally have insisted on this at the beginning of WFH. Most staff returning home continued to use their own personal devices and ill-secured home Wi-Fi networks. Many homes also use technology to control and monitor domestic appliances, which then also present tempting attack vectors for determined criminals.
But while insisting staff use VPNs to access the corporate network and supplying them with dedicated devices for work use may offer the best solution in theory, companies also need to consider time and money concerns. It’s expensive to buy and maintain workstations and other devices for all the staff. Companies may also find it impractical to use multiple communications devices for those working in certain sectors, such as finance and tech where they need to contact important staff 24x7.
So businesses need to update security protocols and install safeguards, and also educate the staff with access to the corporate network as to the true nature and pace of the ongoing war they are fighting with fast-growing ransomware groups in 2023.
Shmuel Gihon, threat intelligence researcher, Cyberint