
Keeping Pace with the Ransomware Landscape

by Feb 5, 2020


Last September, the RiskSense team published our first Spotlight Report focused on the rise of ransomware. Specifically, the report focused on the newer breed of ransomware that strategically focuses on network-wide attacks on enterprise, government, and educational organizations. In addition to covering a variety of ransomware trends, we covered the specific vulnerabilities attackers exploit in order to infect networks, spread, and ultimately cause damage.

However, the malware landscape is always evolving, and so too are our defenses. The past month has seen some of the major ransomware families continue to gain steam, while new entrants and new ransomware strategies have emerged that will directly affect how organizations approach security. On our end, RiskSense has been adding a variety of features and services designed to help organizations pinpoint and proactively assess their ransomware risk before an attack ever gets started. With that in mind, let’s take a look at the latest from the world of enterprise ransomware.

More Damage and Higher Ransoms

2019 marked a major turning point in which ransomware became both more common and far more damaging to victim organizations. Unfortunately, the latest industry data shows that the impact of ransomware attacks continues to grow and shows no signs of leveling off. Data from incident response firm Coveware found that the average ransomware payment more than doubled between Q3 and Q4 of 2019 to an average of $84,116. For reference, the average ransom in Q4 of 2018 was only $6,733.

Likewise, the downtime due to an attack continues to rise, even as organizations invest more in backup and recovery solutions. Specifically, the average downtime rose to 16.2 days, compared to 12.1 days in Q3, and 6.2 days in Q4 of 2018. These downtime figures should be of even greater concern to organizations given that weeks of downtime and cleanup will almost certainly cost far more than the ransom itself.

Both downtime and ransom demands are on the rise because attackers are doing more and more damage. Attackers have become more adept at causing network-wide damage by spreading through an organization to infect as many machines as possible. Likewise, attackers are seeking out higher value assets such as servers, databases, and application infrastructure where disruptions will cause the greatest pain to the enterprise. Even when backups are available, the widespread and critical nature of impacted devices can mean organizations are immobilized for extended periods of time.

Familiar Families Continue to Make News

As ransomware continues to evolve, we see families home in on particular niches, while well-established families continue to add new tricks and techniques. For example, Sodinokibi (also known as REvil) featured prominently in our previous Spotlight Report, and has continued to be one of the most notorious and damaging families of ransomware. Specifically, Sodinokibi has targeted managed service providers as a way to cause massive damage. Most recently, this ransomware has begun targeting vulnerabilities in a popular VPN (CVE-2019-11510, CVE-2019-11539) as a way of getting into enterprise networks.

Similarly, a vulnerability that we covered previously affecting Atlassian’s Confluence (CVE-2019-3396) continues to be popular with a variety of ransomware including GandCrab, MegaCortex and LockerGoga. And while these families target some of the same vulnerabilities, they also have their own particular niches and techniques. For example, like Sodinokibi, GandCrab has heavily targeted IT service providers. LockerGoga, on the other hand, has continued the trend of targeted malware attacks, but with a specific focus on critical infrastructure.

However, the past few months have also introduced us to some new ransomware. Ragnarok is one of the most recent strains of ransomware and this family is notable for specifically targeting Citrix ADC Servers vulnerable to CVE-2019-19781. Ragnarok is also part of a growing trend in which ransomware attempts to disable on-host defenses such as Windows Defender.

Ransomware Picks Up Data Theft and Victim Shaming

While ransomware focuses on disabling data, attackers are increasingly showing a willingness to steal data as well. Previously, attacks have been observed in the wild using a combination of malware such as Emotet, Trickbot, and Ryuk to both steal data and encrypt data for ransom. This trend continues to gain steam as ransomware such as DoppelPaymer and Zeppelin have added data-stealing capabilities in addition to their standard encryption techniques.

Once data is stolen, it can also be used to shame victim organizations and further increase the pressure to pay the ransom. Attackers using the MegaCortex family of ransomware have been observed attempting to blackmail organizations by publicly exposing their attacks. More recently, the Maze and Sodinokibi families of ransomware threatened to publish stolen data and documents if victims do not pay the ransom.

New RiskSense Functionality and Services to Tackle Ransomware

While much of the news around ransomware may sound bleak, it is important to remember that there are a variety of steps you can take to get control over your risk. Specifically, RiskSense recently released the industry’s first Ransomware Dashboard that allows organizations to easily and clearly see the vulnerabilities in their environment that are specifically targeted by ransomware. This lets teams see their exposure to specific attacks including the ransomware family name, vulnerabilities they exploit, the assets at risk and remediation steps to prevent an infection.
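The core of the idea above is a cross-reference: take the CVEs a scanner found on each asset, join them against the CVEs known to be exploited by ransomware, and rank the exposed assets, weighting servers and infrastructure higher because that is where the post says attackers do the most damage. The following is an added illustration of that join, written for this post; it is not RiskSense's Ransomware Dashboard or any RiskSense product code. The CVE-to-family mapping is built only from the families and CVEs named in this post, and the scan findings, role weights and the two non-ransomware CVE ids are constructed sample data.

```python
"""Cross-reference scan findings against ransomware-exploited CVEs and rank
exposed assets. Added example; not RiskSense product code."""
from collections import Counter

# Ransomware families and the CVEs this post reports them exploiting.
RANSOMWARE_CVES = {
    "CVE-2019-11510": {"Sodinokibi"},   # VPN vulnerabilities named in the post
    "CVE-2019-11539": {"Sodinokibi"},
    "CVE-2019-3396": {"GandCrab", "MegaCortex", "LockerGoga"},  # Confluence
    "CVE-2019-19781": {"Ragnarok"},     # Citrix ADC
}

# Constructed weights: the post notes servers, databases and application
# infrastructure are the assets attackers seek out, so they rank higher.
ROLE_WEIGHTS = {
    "database": 5,
    "application-server": 4,
    "vpn-gateway": 4,
    "load-balancer": 4,
    "workstation": 1,
}

# Constructed sample scan output: (hostname, asset role, CVE found).
# CVE-2000-0001 / CVE-2000-0002 are placeholder ids for findings that no
# ransomware family in the mapping exploits.
SAMPLE_FINDINGS = [
    ("vpn-gw-01", "vpn-gateway", "CVE-2019-11510"),
    ("vpn-gw-01", "vpn-gateway", "CVE-2019-11539"),
    ("wiki-01", "application-server", "CVE-2019-3396"),
    ("wiki-02", "application-server", "CVE-2019-3396"),
    ("adc-01", "load-balancer", "CVE-2019-19781"),
    ("db-01", "database", "CVE-2000-0001"),
    ("ws-042", "workstation", "CVE-2000-0002"),
]


def ransomware_exposure(findings, cve_map=RANSOMWARE_CVES, role_weights=ROLE_WEIGHTS):
    """Return {host: {"role", "cves", "families", "score"}} for every host
    carrying at least one CVE that a ransomware family is known to exploit.
    Findings with CVEs outside the mapping are dropped from the result."""
    exposure = {}
    for host, role, cve in findings:
        families = cve_map.get(cve)
        if not families:
            continue  # vulnerable, but not a known ransomware entry point
        entry = exposure.setdefault(host, {"role": role, "cves": set(), "families": set()})
        entry["cves"].add(cve)
        entry["families"].update(families)
    for entry in exposure.values():
        # Score: asset criticality times the number of distinct exploited CVEs.
        entry["score"] = role_weights.get(entry["role"], 1) * len(entry["cves"])
    return exposure


def prioritized(exposure):
    """Hosts ordered for remediation: highest score first, then the host that
    exposes more families, then hostname for a stable order."""
    return sorted(exposure.items(),
                  key=lambda kv: (-kv[1]["score"], -len(kv[1]["families"]), kv[0]))


def families_by_asset_count(exposure):
    """Return Counter of {family: number of exposed hosts}, i.e. which
    families currently have the widest foothold opportunity in the estate."""
    counts = Counter()
    for entry in exposure.values():
        counts.update(entry["families"])
    return counts


if __name__ == "__main__":
    exp = ransomware_exposure(SAMPLE_FINDINGS)
    print("Assets exposed to ransomware-exploited CVEs (highest priority first):")
    for host, entry in prioritized(exp):
        print(f"  {host:<10} role={entry['role']:<19} score={entry['score']:<3} "
              f"cves={sorted(entry['cves'])} families={sorted(entry['families'])}")
    print("Exposed host count per family:")
    for family, n in families_by_asset_count(exp).most_common():
        print(f"  {family:<11} {n}")
```

Two findings on the same host count once per distinct CVE, so the VPN gateway with both VPN CVEs outranks a single Confluence host even though that host is reachable by three families; the family count only breaks ties. Swapping in a real scanner export for `SAMPLE_FINDINGS` and a maintained CVE-to-family feed for `RANSOMWARE_CVES` is all that changes in practice.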

Additionally, organizations can take advantage of the RiskSense Ransomware Assessment Program. This service provides an evaluation of an organization’s susceptibility to ransomware. Experts perform authenticated scanning of the environment as well as automated and manual security pen-testing to find potential weaknesses. Customers can then log in and immediately see results via the RiskSense enhanced risk-based vulnerability management (RBVM) solution. Most importantly, the service provides prioritized and preemptive actions to block ransomware.

Conclusions

All the latest data indicates that ransomware isn’t going away anytime soon. Yet, even as ransomware evolves and finds new ways to cause damage, organizations can still take the preventative actions to keep their assets safe. At RiskSense we see ourselves as your partner in this critical area, by continuously tracking the latest threats and proactively identifying the specific vulnerabilities that pose the greatest risk to your organization. If you have any questions about how RiskSense can help protect you from ransomware or have any questions about the Ransomware Dashboard or Ransomware Assessment Program, please contact the team at info@risksense.com.