JBS food processing was among the companies targeted by ransomware gang REvil. (Chet Strange/Getty Images)

Increased reliance on cloud environments during the last couple of years, particularly as more employees transitioned to remote work, provided an avenue for ransomware gangs to target organizations, according to new research from CyberRisk Alliance Business Intelligence.

The ransomware racket has become complex during that same time period, transitioning from simple malware deployment and extortion to a tiered business model where criminal interests develop and then sell or rent their services. So-called "double extortion" attacks, where cybercriminals exfiltrate the data before encryption and the ransom demand, also heighten the risk. All of these developments contribute to a more dire threat to organizations, and to considerable targeting by cybercriminals.

Indeed, new research from CyberRisk Alliance Business Intelligence indicates that ransomware attacks are on the rise. The survey of 300 IT and cybersecurity decision-makers and influencers found that 43% suffered at least one ransomware attack during the past two years. Among them, 58% paid a ransom, 29% found their stolen data on the dark web, and 44% suffered financial losses. Another 37% said they lack an adequate security budget, while 32% believe they're powerless to prevent ransomware attacks because threat actors are too well-funded and sophisticated.

The full report is titled "State of Ransomware: Invest now or pay later."

Another eye-popping number: virtually all — 95% — of attacks involved Windows Active Directory. The majority of Windows Active Directory exploits stemmed from a vulnerability (62%), although various other methods, including changed security policies and escalated privileges, were also used.

The growing threat did drive an increase in security resources: Sixty-two percent say they will increase ransomware protection spending. 

Where and how the threat lurks

Remote worker endpoints, cloud platforms, and cloud apps were the three most common attack vectors:

  • Remote worker endpoint (36%)
  • Cloud infrastructure/platform (35%)
  • Cloud app (SaaS) (32%)
  • Trusted third-party (25%)
  • DNS (25%)
  • Software supply chain provider/vendor (24%)

As for how the attackers were hitting organizations, exploitable vulnerabilities accounted for the most common initial infection point (63%), followed by privilege escalation (33%), credential exfiltration (32%), and traverse mapped shares (27%).

Survey respondents are most concerned about losing access to their organization's sensitive data (70%), stolen data being sold on the dark web (58%), and ransomware gangs gaining privileged access and/or controlling directory services (53%).

Security people are worried

Concern about ransomware continues to rise: 32% of respondents are moderately concerned, while nearly half (49%) are very or extremely concerned.

A large majority (70%) worry most about losing access to their organization's vital/sensitive data, while another 58% worry that their data will be sold on the dark web. Fifty-four percent are concerned that ransomware will gain privileged access or end up controlling directory services.

Other top concerns include regulatory penalties (28%), attackers returning to the organization (25%), legal issues from paying ransoms (20%), and attackers not honoring payoff agreements (17%).

As for the good news: Fifty-four percent of organizations did not experience a ransomware attack in 2020 and 2021. However, those that were targeted suffered quite a bit, with many experiencing multiple ransomware attacks in the past year. Respondents cited the ransomware groups Tycoon (28%), Maze (26%), and Quackbot (22%) as the top groups responsible for these attacks.

How do the hackers work?

The attackers have been exploiting the current work-from-home and cloud computing trends. Thirty-five percent of respondents report that ransomware attacks exploited remote workers. Among the various vectors were cloud infrastructure and platform services (35%) and cloud applications (32%). Other methods, such as DNS, software supply chain, third-party partners, and on-premises endpoints, were also mentioned.

Once inside, 63% reported that attackers exploited a vulnerability on another system and moved laterally. Other exploits included privilege escalation (34%), credential exfiltration (32%), and traverse mapped shares (25%).