Ransomware groups are increasingly using a more targeted approach against large organisations. Aleksander Jarosz explains more.

Ransomware attacks have seen a huge spike over the past year, much to the detriment of businesses and individuals across the globe. For example, a recent study found that ransomware attacks had increased by 80% over the space of three months in the UK alone, with a 50% jump globally.

The spike in ransomware attacks is in part due to the various impacts of Covid-19, including the rise in the number of remote workers, and the security risks associated with this.

This can be anything from the risks of employees using public Wi-Fi networks or personal devices, to increased exposure to scams as hackers take advantage of the situation.

Throughout the year, this increase in cyberattacks has been widely discussed in the media, so it shouldn’t come as a surprise that the scale of the incidents is also rising. As of this year, the average cost of a data breach stands at a hefty £2.99 million (or $3.86 million), according to a recent report from IBM.

Despite this, Kaspersky recently found that 71% of businesses do not have a formal plan in place to deal with a potential data breach, which suggests that many organisations are still not taking the potential risks of cyber incidents seriously.

It’s also likely that some C-suites are unable to respond to the risks, as they are out of touch with security teams, leading to an awareness deficit within management.

So, what’s new?

As if things weren’t already bad enough, many cybercriminals are changing the way they operate. Globally we’ve seen a rise in ‘big game hunters’, and no we’re not talking about the ones you might typically find scouring the plains of Africa, but ransomware attackers who are employing a far more precise approach and specifically targeting large organisations. These criminals are looking to steal particularly sensitive or high-value data and hold it ransom for a higher amount.

We’ve observed big game tactics solidifying over the last year, with families such as GandCrab and Ryuk emerging. These are robust pieces of malware which require significant time and effort to develop, which tells you something about the resources behind them.

These families also demonstrated to other cybercriminal syndicates just how profitable this kind of attack can be, and were primary drivers of the trend we’re now seeing.

Businesses for which system downtime is particularly damaging make easy and frequent targets for big game hunters, as they are more likely to pay the ransom.

As a result, organisations in the healthcare, manufacturing, technology and financial services sectors are frequently attacked, and academic institutions and local government are also at risk. Unfortunately, every ransom paid incentivises the attackers and fuels the trend: the business model only works while victims keep paying, and it would lose most of its appeal if organisations stopped doing so.

How do they do it?

Big game hunters use specific tactics, techniques and procedures (TTPs) which differentiate them from other ransomware attackers.

For example, they will often spend time selecting and studying their targets before launching any form of attack. Next, they gain access to the victim’s network and may remain there for weeks or even months, mapping it, locating high-value data and identifying the assets (backups included) whose loss would put the most pressure on the company to pay.

A typical entry point is an internet-exposed Remote Desktop Protocol (RDP) service, broken into with weak, reused or previously leaked credentials. This technique is frequently used in attacks against healthcare organisations, whose RDP endpoints are often left reachable from the internet for the convenience of third-party service providers.

This isn’t the only way attackers get in. Alternatively, they may exploit known vulnerabilities in unpatched software, deliver malware through phishing, or, as we are seeing more and more frequently, abuse legitimate penetration-testing frameworks that were built for defenders and are now repurposed by threat actors.
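The RDP entry point above is also the easiest of these techniques to catch from telemetry a Windows host already produces. The following script is an added example (it is not from the article or from EclecticIQ): it counts failed RDP logons (event ID 4625 with logon type 10) per source address within a sliding window and escalates the finding when a flagged address then logs on successfully (event ID 4624), which is what a password-guessing attack that worked looks like. The event records are constructed for illustration, and the threshold and window are assumptions to tune for your own environment.

```python
"""Flag RDP password guessing in Windows Security events.

Added example, not from the original article. The event records below are
constructed for illustration; the event IDs (4625 failed logon, 4624
successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the
real Windows values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample events (not real telemetry). Field names mirror the
# EventData values a SIEM would extract: IpAddress, TargetUserName, LogonType.
SAMPLE_EVENTS = [
    # One external address guesses several accounts in under a minute ...
    {"time": "2021-03-01T02:14:05", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.45"},
    {"time": "2021-03-01T02:14:09", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.45"},
    {"time": "2021-03-01T02:14:14", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.45"},
    {"time": "2021-03-01T02:14:20", "id": 4625, "logon_type": 10, "user": "backup", "ip": "203.0.113.45"},
    {"time": "2021-03-01T02:14:27", "id": 4625, "logon_type": 10, "user": "svc_sql", "ip": "203.0.113.45"},
    {"time": "2021-03-01T02:14:33", "id": 4625, "logon_type": 10, "user": "backup", "ip": "203.0.113.45"},
    # ... and then gets in: the signature of a guessing attack that worked.
    {"time": "2021-03-01T02:15:10", "id": 4624, "logon_type": 10, "user": "backup", "ip": "203.0.113.45"},
    # A user mistypes a password twice and then logs on: benign.
    {"time": "2021-03-01T08:01:00", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2021-03-01T08:01:30", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2021-03-01T08:01:55", "id": 4624, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    # Slow failures spread over 40 minutes never accumulate inside a 10-minute
    # window, and the network (logon type 3) failures are not RDP at all.
    {"time": "2021-03-01T09:00:00", "id": 4625, "logon_type": 10, "user": "admin", "ip": "192.0.2.9"},
    {"time": "2021-03-01T09:20:00", "id": 4625, "logon_type": 10, "user": "admin", "ip": "192.0.2.9"},
    {"time": "2021-03-01T09:40:00", "id": 4625, "logon_type": 10, "user": "admin", "ip": "192.0.2.9"},
    {"time": "2021-03-01T09:41:00", "id": 4625, "logon_type": 3, "user": "admin", "ip": "192.0.2.9"},
    {"time": "2021-03-01T09:42:00", "id": 4625, "logon_type": 3, "user": "admin", "ip": "192.0.2.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed RDP logons per source address.

    Returns {source_ip: finding}. A finding is opened once a source produces
    `threshold` failures inside `window` (both are assumed tuning values); it
    is escalated to "high" and the account recorded if that source then logs
    on successfully.
    """
    rdp_events = sorted(
        (e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
        key=lambda e: datetime.fromisoformat(e["time"]),
    )
    recent = defaultdict(deque)  # ip -> deque of (time, user) failures in window
    findings = {}
    for e in rdp_events:
        t, ip = datetime.fromisoformat(e["time"]), e["ip"]
        # Age out failures older than the window before counting this event.
        while recent[ip] and t - recent[ip][0][0] > window:
            recent[ip].popleft()
        if e["id"] == FAILED_LOGON:
            recent[ip].append((t, e["user"]))
            if len(recent[ip]) >= threshold:
                finding = findings.setdefault(ip, {
                    "severity": "medium",
                    "first_seen": recent[ip][0][0].isoformat(),
                    "failures": 0,
                    "users": set(),
                    "compromised_account": None,
                })
                finding["failures"] = max(finding["failures"], len(recent[ip]))
                finding["users"].update(u for _, u in recent[ip])
        elif e["id"] == SUCCESSFUL_LOGON and ip in findings:
            # Success from an address already flagged for guessing: treat the
            # account as compromised and escalate.
            findings[ip]["severity"] = "high"
            findings[ip]["compromised_account"] = e["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['severity']} - {f['failures']} RDP failures against "
              f"{sorted(f['users'])}; compromised account: {f['compromised_account']}")
```

On the constructed input only 203.0.113.45 is flagged, as a high-severity finding naming the `backup` account; the two mistyped passwords from 198.51.100.7 and the slow, spread-out attempts from 192.0.2.9 stay below the threshold. In production the events would come from the Security log via a SIEM, and the alert is a complement to, not a substitute for, taking RDP off the internet and putting it behind a VPN with multi-factor authentication.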

Who are they and where did they come from?

We often find that a well-organised criminal syndicate first develops its own big game hunting ransomware strain and proves it in its own attacks. Once it has been used successfully and publicised, the group leases the malware to less experienced cybercriminals in a cookie-cutter, ransomware-as-a-service arrangement: the affiliate only needs to breach a particular target, and the ransomware does everything else. The syndicate operators take a cut of the ransom when it is paid.

Some groups have already taken credit for particular attacks. For example, a big game hunting group named DarkSide announced itself earlier this year. In a press release, the group discussed its prior experience and claimed to have already made millions of dollars in previous hacking projects.

Other well-known big game hunting groups include FIN7, Cobalt Group and the Contact Crew. FIN7, for example, is estimated to have stolen $1.2 billion since 2013. These groups remain active despite the arrest of individuals connected to them and to the online underground marketplaces they trade in.

Playing them at their own game

Luckily, all is not lost. Businesses can defend themselves against big game hunters, and in many cases it simply begins with education. Given how highly publicised data breaches now are, there’s no excuse for business leaders not understanding the very real risks they pose. Those at the top need to lead by example when it comes to security, and acknowledge that it is more than just the responsibility of the security team.

In addition to educating all employees on (at least) the very basics of cybersecurity and the kinds of scams they could be exposed to, companies need to implement a strong cybersecurity policy. This should identify the data and assets that are most at risk and need to be protected, and the biggest threats to those assets. Once they have been identified, the single most important action an organisation can take against ransomware is to keep regular backups of its business-critical assets (monthly at the very minimum), with at least one copy kept offline or otherwise immutable so that an intruder who has spent months inside the network cannot encrypt or delete it, and to test restoring from those backups so they actually work when needed.

Businesses need to ensure that staff use strong, unique passwords, as these are the first line of defence against an attacker. On their own, however, passwords are not enough: multi-factor authentication should be enforced, especially on remote access such as RDP and VPN gateways. Note that challenge-and-response security questions are not a genuine second factor, and SMS one-time passwords are the weakest form of MFA, so an authenticator app or hardware token is preferable where available. Encryption is a separate control rather than a form of authentication, but encrypting sensitive files at rest means that a compromised password alone does not hand the attacker readable data.

Cyber-attackers are becoming both more ambitious and more capable and, thanks to the dark web, they can buy increasingly sophisticated tools and malware. Businesses need to sit up and start prioritising security before it’s too late and they are exposed to a breach they cannot recover from, whether financially, reputationally or because the damage to their systems is simply too great.

By Aleksander Jarosz, Threat Intelligence Analyst at EclecticIQ
