Ransomware, a form of malware that first appeared in 1989, has become one of the biggest online security menaces, continuously sweeping not only the Philippines but other countries as well. It started as a virus delivered to victims on floppy disks and, later, by email; today it uses sophisticated tactics to infect computers or networks and demands that owners pay a ransom or risk losing their data.
Once the ransom has been paid, victims are given a decryption key with which to regain access to their computer and encrypted files. Previously, if hackers penetrated a company network, they would do everything to avoid detection. Now, if an organization is attacked with ransomware, the cybercriminals announce that they are holding its data hostage until a ransom is paid. The ransoms demanded involve large sums of money, payable in a cryptocurrency such as bitcoin.
In the recently published Sophos survey, The State of Ransomware 2020, it was revealed that one in three (30%) organizations in the Philippines had experienced a ransomware attack in the previous 12 months. While the study noted a small global decline in organizations reporting a ransomware attack compared with previous years (from 54% in 2017 to 51% in 2020), this is likely due to a change in tactics by ransomware actors rather than a reduced focus on this type of attack.
To get a sense of the extent of the damage, Sumit Bansal, managing director, ASEAN and Korea at Sophos, looks at the average global cost of addressing the impact of such an attack. “Factoring in business downtime, lost orders, operational costs, and more, the bill can run up to US$730,000 – and that does not include the ransom. This average cost can rise up to US$1.4 million, almost twice as much when organizations paid the ransom,” Bansal noted.
Yeo Siang Teong, general manager for Southeast Asia at Kaspersky, says that an average ransom demand can sometimes reach up to US$5-million. He related that the biggest ransom paid was in 2017, by a Korean web hosting firm that paid US$1.14-million to cybercriminals.
All businesses are potential targets of ransomware attacks, especially essential sectors such as energy and water. But with the world facing the COVID-19 pandemic, industries involved in the immediate response to it have become highly vulnerable, particularly healthcare.
“Many attacks related to COVID-19 are targeting hospitals, manufacturers of medical equipment and health insurance companies. They leverage the fact that there is a shortage of medical equipment and supplies and use this as an advantage,” said Jonas Walker, network security strategist, Asia-Pacific, at Fortinet.
Walker also notes that other industries, such as some types of manufacturing and transportation, are under more pressure than before to keep their networks up and running. “Attackers understand that these industries would rather pay a ransom rather than deal with any slowdown or shutdown in their operations.”
FortiGuard Labs is also seeing an uptick in ransomware detections around critical infrastructure such as gas, oil, and power plants. Ransomware targeted at critical infrastructure leverages the fact that during critical times such infrastructure is even more important: the targeted company is more likely to pay a ransom in the hope of getting its systems up and running again.
Despite headlines suggesting that government is a hot target for cyberattacks, the public sector is actually less affected by ransomware than the private sector, according to Bansal. Forty-five percent of public sector organizations were hit by ransomware last year, compared with a global average of 51%. The media, leisure, and entertainment industries report the highest levels of attack at 60%, closely followed by IT, technology, and telecoms (56%).
Walker notes that all attacks observed by Fortinet leverage known techniques and are mostly propagated through user negligence, as well as a lack of proper security measures such as internal segmentation, EDR, sandboxing, email security, and proper access control.
RANSOMWARE ATTACK TACTICS
The majority of these attacks are delivered through email. Email-based threats exploit the sense of urgency and panic around the pandemic, often masquerading as government health organizations, NGOs, or suppliers of medical equipment.
Apart from mass-spam email attacks, Fortinet has also observed very targeted attacks, along with some accidental and planned Distributed Denial-of-Service (DDoS) attacks. DDoS can be caused directly by attackers, or simply by the sheer volume of use that this new scenario has generated.
Other tactics deployed by cybercriminals include social engineering such as phishing, remote attacks on servers, misconfigured public cloud instances, and infected USB memory sticks. Attackers use a range of techniques to get into an organization; when one fails, they move on to the next until they find a weak spot.
THE RISE OF TARGETED RANSOMWARE
Yeo notes that cybercriminals have evolved towards “targeted ransomware”, focusing on organizations that are likely to make substantial payments in order to recover their data. He said ransomware actors are now increasingly targeting businesses instead of individuals.
Throughout 2019, Kaspersky recorded several cases where attackers used targeted ransomware, and it expects a likely future development to be more aggressive attempts to extort money. Yeo said a potential twist is that, instead of making files unrecoverable, threat actors will threaten to publish data they have stolen from the victim company.
In addition to targeted ransomware, Yeo said it is inevitable that cybercriminals will also attempt to diversify their attacks to include devices other than PCs and servers, such as consumer products like smart TVs, smart watches, and smart cars, houses and cities.
“As more devices become connected to the Internet, cybercriminals will also be looking for ways to monetize their access to these devices. Ransomware is, unfortunately, the most effective tool for extracting a financial profit from the victims,” said Yeo.
Based on insights from SophosLabs, mass-market ‘spray and pray’ desktop ransomware was very common in 2017. These attacks were spread widely and indiscriminately, resulting in a high number of organizations being hit. Now, in 2020, the trend is toward server-based attacks. These are highly targeted, sophisticated attacks that take more effort to deploy, hence the reduction in the number of attacks. However, they are far more damaging, because of the higher value of the assets encrypted, and can cripple organizations with multi-million dollar ransom demands.
RANSOMWARE TO GET WORSE IN 2020
Walker says ransomware is predicted to get worse this year. “There will be more targeted ransomware attacks that cost businesses more from an operational and regulatory perspective. In time, there is likely to be another mass ransomware exploit, such as the one the Philippines (and the world) experienced with WannaCry, simply because there are a lot more ‘wormable’ vulnerabilities out there, like BlueKeep and the newest one in SMBv3, which has been dubbed SMBGhost. It is just a matter of time,” said Walker.
Another factor contributing to the growing number of attacks on businesses and organizations is the availability of Ransomware-as-a-Service (RaaS) offerings. Ransomware toolkits that can be downloaded from the Internet and modified with minimal programming knowledge lower the threshold of skill an attacker needs, making it easy to launch ransomware attacks.
Meanwhile, Sophos anticipates that ransomware will remain ubiquitous in 2020. Its State of Ransomware 2020 survey found that half of organizations had experienced an attack, with three quarters of those having their data encrypted. Overall, the study found that while a malicious file download or link was still the biggest danger (29% of successful attacks), other methods such as remote attacks on servers (21%), unsecured Remote Desktop Protocol (9%), external suppliers (9%), and infected USB drives (7%) were also popular. Cloud repositories and applications are another big target, with 59% of those successfully attacked reporting that cloud data was targeted in some form.
Ransomware is one of the most widely reported cybercrimes in the public cloud. According to Sophos’ State of Cloud Security 2020, 82% of organizations in the Philippines experienced a public cloud security incident last year, including ransomware and other malware at 77%.
The most successful ransomware attacks include data in the public cloud, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment.
PATCHING IS IMPORTANT
Generally, most ransomware attacks can be avoided. Walker said it is important for companies to do the most basic thing, which is patching. Most well-known attacks exploit known vulnerabilities for which patches are already available, but organizations often have a hard time patching devices. However, this is not always their fault.
“Patches need to be tested, and that can take time in large and complex environments,” said Walker, adding that “often, users have administrative rights on their system to ease the burden and cost of management and IT support staff, but that makes it difficult to automate patches and updates. And in large, mobile environments, getting users to apply patches can be difficult because of things like geographic disparity.”
BACKUPS AND SECURITY ARE A MUST
Walker also advised that it is important to always have backups, and to store these backups offline. It might also be useful to consider a cloud provider such as Alibaba Cloud, AWS, Azure or Google Cloud as a backup for an organization’s infrastructure. Given that cloud data was targeted in 59% of the successful attacks in the Sophos survey, such cloud backups need to be kept out of reach of the credentials used for day-to-day operations, or they can be encrypted along with everything else.
The Sophos State of Ransomware 2020 report, meanwhile, found that almost three quarters of ransomware attacks (73%) resulted in the data being encrypted by cybercriminals. Of these organizations, 94% got their data back: more than twice as many recovered it via backups (56%) as by paying the ransom (26%). Only one percent paid the ransom but did not get their data back.
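As an added illustration of the backup advice above (this is example code written for this page, not code from the article or from any of the vendors quoted), the following Python script backs up a small constructed file tree together with a SHA-256 manifest that is kept apart from the archive, simulates an encryptor hitting both the live files and the backup copy that stayed reachable on the network, and shows that only the copy taken offline still verifies and restores. The file names, contents and the stand-in “encryptor” are all constructed for the demonstration.

```python
import hashlib
import os
import pathlib
import shutil
import tarfile
import tempfile
import zlib

# Constructed sample data standing in for company files (not from the article).
SAMPLE_FILES = {
    "finance/q1.csv": b"invoice,amount\n1001,250.00\n1002,75.50\n",
    "hr/staff.txt": b"alice\nbob\ncarol\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def write_sample_data(root: pathlib.Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

def create_backup(src: pathlib.Path, archive: pathlib.Path) -> dict:
    """Tar the tree and return a manifest {relative path: sha256}. The manifest
    is meant to live apart from the archive (offline or on immutable storage)
    so that a later rewrite of the archive can be detected."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256(path.read_bytes())
                tar.add(path, arcname=rel)
    return manifest

def verify_backup(archive: pathlib.Path, manifest: dict) -> list:
    """Return the manifest entries that are missing from or changed in the archive."""
    seen = {}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    seen[member.name] = sha256(tar.extractfile(member).read())
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return sorted(manifest)  # archive unreadable: treat every entry as lost
    return sorted(rel for rel, digest in manifest.items() if seen.get(rel) != digest)

def restore_backup(archive: pathlib.Path, dest: pathlib.Path, manifest: dict) -> bool:
    """Extract only the files named in the manifest and confirm each restored
    file hashes to the recorded value. Whitelisting member names also avoids
    extracting unexpected or path-traversing entries from a tampered archive."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name in manifest:
                target = dest / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
    return all((dest / rel).is_file() and sha256((dest / rel).read_bytes()) == digest
               for rel, digest in manifest.items())

def simulate_ransomware(root: pathlib.Path) -> None:
    """Stand-in for an encryptor: overwrite every file and rename it to .locked."""
    for path in list(root.rglob("*")):
        if path.is_file():
            path.write_bytes(os.urandom(path.stat().st_size + 16))
            path.rename(path.with_name(path.name + ".locked"))

def run_demo() -> dict:
    """Back up, copy the backup offline, let the 'ransomware' hit the live data
    and the reachable online copy, then check which copy can still be restored."""
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp)
        live, restored = base / "live", base / "restored"
        online_bk, offline_bk = base / "online.tgz", base / "offline.tgz"
        write_sample_data(live)
        manifest = create_backup(live, online_bk)
        shutil.copy(online_bk, offline_bk)  # the copy taken off the network
        simulate_ransomware(live)
        # The online copy sits on the same share as the live data, so the
        # attacker trashes it as well; the offline copy is out of reach.
        online_bk.write_bytes(os.urandom(online_bk.stat().st_size))
        return {
            "online_backup_intact": verify_backup(online_bk, manifest) == [],
            "offline_backup_intact": verify_backup(offline_bk, manifest) == [],
            "live_files_locked": all(p.name.endswith(".locked")
                                     for p in live.rglob("*") if p.is_file()),
            "restored_matches": restore_backup(offline_bk, restored, manifest),
        }

if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The point the script makes is the one in the survey figures: a backup only counts if a copy the attacker cannot reach still verifies against a manifest stored elsewhere and actually restores; a backup that shares a network path or credentials with the live data is just another file to encrypt.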
Bansal highlighted an interesting finding from the study: in 3% of cases, the organization’s data was not encrypted but it was still held to ransom. He said this type of attack was particularly prevalent in Nigeria, Colombia, South Africa, China, Poland, Belgium, and the Philippines. This shows that crooks look for ways to make money without the effort of encrypting and decrypting files, Bansal said.
On the other hand, Yeo advised victims of ransomware attacks not to pay the ransom. “Paying the ransom cybercriminals are demanding does not guarantee that they will return the data. These are thieves, after all. Paying also reinforces the ransomware business, making future attacks more likely.”
Yeo also said that the data recovery rate in incidents where victims paid depends on whether the cybercriminals follow through on their commitment after the ransom is paid.
Whether a company survives a ransomware attack without paying the ransom depends on the capability of the institution or business that was attacked, Yeo said.
He cited the City of Baltimore, which suffered two attacks, in 2018 and 2019, as an example. Together, the attacks cost an estimated US$18-million. The city did not pay the ransom and is still operating.
Another example is Norsk Hydro, a Norwegian aluminum and renewable energy firm, which was also attacked and did not pay the ransom. The company said its good backups meant the attack was not as bad as it could have been, but it still cost around US$90-million.
“The moral lesson here is that backups and security are a must,” Yeo said.
To prepare for and stay protected from ransomware attacks, organizations should focus their efforts on cybersecurity user awareness training, as well as creating and maintaining a cybersecurity mindset throughout the company in every process and interaction, whether personal or corporate.
Having a robust email security solution with a sandbox can also stop these threats at the network perimeter. Ideally, phishing emails should never propagate and reach users’ inboxes in the first place.
Walker said that even after an organization’s existing email security solution has done its best to filter out malicious or risky traffic, FortiGuard Labs’ email analytics found that 1 in 3,000 messages still contains malware, including ransomware. More interestingly, 1 in 4,000 contains previously unknown malware. These are often advanced or zero-day threats and may be the latest ransomware variant.
Kaspersky, meanwhile, has seen thousands of unsuccessful ransomware attempts through its detection solutions. It blocked 7,211 ransomware attempts against small and medium businesses (SMBs) with 50-250 employees in the Philippines during the first quarter of 2020, slightly lower than the 9,550 attempts in the same quarter of 2019.
This year, cybercriminals are taking advantage of the uncertainties surrounding the COVID-19 pandemic, as well as the mass shift to remote working. According to Bansal, there have been various reports of coronavirus-themed phishing emails and “malspam” (unwanted mass email that is malevolent by design because it actively aims to disseminate malware). At the same time, as workers accessed office documents using home devices and networks that lacked the security controls they usually have at work, the servers housing valuable company information became more vulnerable. As more companies institutionalize remote working, business and IT leaders are encouraged to establish the necessary precautions.
From a social engineering point of view, Walker notes that the panic component is being maximized, especially with all the COVID-19 campaigns targeting hospitals, manufacturers of medical equipment, and health insurance companies, which leverage the shortage of medical equipment and supplies to their advantage.
Attackers are relying on targeted ransomware phishing attacks: emails aimed at specific individuals at an organization, either directly or through a newer technique in which a phishing email is inserted into an active email thread to increase the likelihood of its being clicked on. This type of attack is known as spear phishing, and if the target is a member of the C-suite, it is called “whale phishing”, Walker said.
Meanwhile, Kaspersky’s Yeo said that by adding topics and “hot phrases” related to COVID-19 to their content, attackers boost the chances of their infected links or malicious attachments being opened.
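The thread-insertion technique Walker describes above leaves a structural trace that can be checked independently of the lure text: the inserted message references an existing thread, but its sender does not belong to the domains that were already part of that thread. The following Python script, added here as an example and not code from Fortinet, Kaspersky or the article, runs that heuristic over a constructed mailbox (fictitious messages and domains, labelled as such in the code) in which an attacker joins a genuine supplier thread from a lookalike domain, reuses the supplier contact’s display name, and attaches a macro-enabled document. The attachment-extension list and the edit-distance threshold of two are assumptions chosen for the demonstration.

```python
import re
from email.utils import parseaddr

# Attachment types commonly used as droppers in phishing mail (assumed list).
RISKY_ATTACHMENT = re.compile(r"\.(docm|xlsm|js|vbs|exe|iso|lnk|zip)$", re.IGNORECASE)

# Constructed sample mailbox (fictitious messages and domains): a genuine
# supplier thread that an attacker joins from a lookalike domain.
SAMPLE_MAILBOX = [
    {"Message-ID": "<1@supplier.example>", "From": "Ana Cruz <ana@supplier.example>",
     "Subject": "PPE order 4471", "References": "", "Attachments": []},
    {"Message-ID": "<2@hospital.example>", "From": "Jo Reyes <jo@hospital.example>",
     "Subject": "RE: PPE order 4471", "References": "<1@supplier.example>",
     "Attachments": ["po-4471.pdf"]},
    {"Message-ID": "<3@hospital.example>", "From": "Li Tan <li@hospital.example>",
     "Subject": "RE: PPE order 4471",
     "References": "<1@supplier.example> <2@hospital.example>", "Attachments": []},
    {"Message-ID": "<4@suppl1er.example>", "From": "Ana Cruz <ana@suppl1er.example>",
     "Subject": "RE: PPE order 4471",
     "References": "<1@supplier.example> <2@hospital.example> <3@hospital.example>",
     "Attachments": ["order_update.docm"]},
    {"Message-ID": "<5@newvendor.example>", "From": "Sam Ng <sam@newvendor.example>",
     "Subject": "Masks in stock", "References": "", "Attachments": ["catalog.pdf"]},
]

def sender(header: str) -> tuple:
    """Return (display name, domain), both lower-cased, from a From: header."""
    name, addr = parseaddr(header)
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as suppl1er vs supplier."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_mailbox(messages: list) -> dict:
    """Return {Message-ID: [reasons]} for replies whose sender does not belong to
    the thread they were inserted into. Only messages referencing an existing
    thread are examined, because the technique needs a real thread to hijack."""
    by_id = {m["Message-ID"]: m for m in messages}
    findings = {}
    for msg in messages:
        thread = [by_id[r] for r in msg["References"].split() if r in by_id]
        if not thread:
            continue
        names, domains = {}, set()
        for prior in thread:
            name, domain = sender(prior["From"])
            names.setdefault(name, set()).add(domain)
            domains.add(domain)
        name, domain = sender(msg["From"])
        reasons = []
        if domain not in domains:
            if name in names:
                reasons.append(f"name '{name}' seen earlier from {sorted(names[name])}, now from {domain}")
            for known in sorted(domains):
                if 0 < levenshtein(known, domain) <= 2:
                    reasons.append(f"sender domain {domain} looks like {known}")
        risky = [a for a in msg["Attachments"] if RISKY_ATTACHMENT.search(a)]
        if reasons and risky:
            reasons.append(f"suspicious sender also carries {risky}")
        if reasons:
            findings[msg["Message-ID"]] = reasons
    return findings

if __name__ == "__main__":
    for msg_id, reasons in analyse_mailbox(SAMPLE_MAILBOX).items():
        print(msg_id)
        for reason in reasons:
            print("  -", reason)
```

A colleague from an already-present domain joining the thread (message 3) and a cold email from a new vendor (message 5) are left alone, while the inserted reply from the lookalike domain (message 4) is flagged on three counts. Real mail gateways would combine this with header authentication (SPF, DKIM, DMARC) and the sandboxing mentioned earlier; the script only shows the thread-membership check itself.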