What executives should know about ransomware attacks

Like most industries, cybercriminals have adapted over the past two years as circumstances changed. They have a wealth of evolving tools in their arsenal and can leverage many vectors to reach their destination: the valuable enterprise data. Varonis experts explain what every executive needs to know about modern ransomware attacks.

Modern attackers have learned to launch ever more disruptive ransomware campaigns while becoming more efficient and more adept at evading prosecution. After a (rare) breakup, ransomware groups regroup, build new infrastructure and give themselves a new name: DarkSide, the group behind several high-profile attacks, is now widely believed to operate as BlackMatter. After such a realignment the criminals often come back stronger, having learned from their experience and adopted new techniques and vulnerabilities.

The dismantling of REvil's infrastructure by Russian authorities and the confiscation of at least some of the loot is certainly notable and encouraging. Of course, this is no reason to sound the all-clear: fighting cybercriminals is like putting out a fire in a dry forest. It can be extinguished, but it can flare up again anywhere, anytime.

Ransomware as a business model

Cyber extortion promises big profits, which drives development and innovation on the part of the criminals. Attempts to regulate cryptocurrencies like Bitcoin and limit their anonymity seem sensible but are difficult to enforce. In addition, attackers are already using digital currencies such as Monero, which are harder to trace. As long as these underlying conditions do not fundamentally change, companies should assume that ransomware gangs will continue to exist, refine their techniques and target their critical data.

Most cybercriminals now rely on the efficient ransomware-as-a-service (RaaS) model, which lets independent attackers get started and strike quickly. They can combine this service with their own tools and techniques to attack victims effectively and hold their data hostage. Attackers increasingly pursue a "double extortion" approach, in which the data is stolen before it is encrypted so that the threat of publication puts even more pressure on the victim. In addition, attackers now often threaten to report the breach to the official data protection authorities, knowing that companies fear the fines those authorities can impose and want to avoid public exposure.

To maximize their profits, attackers sift through their victims' files to estimate their financial leeway and find out if and how much their cyber insurance would pay in the event of an attack. The ransom demand is then set accordingly.

Different approaches, same goal

Over time, each group develops a specific modus operandi. BlackMatter, for example, often manipulates access controls, i.e. the security settings that determine who can access which data on the network, so that every employee has access to huge amounts of data. In other words, they don't crack the vault, they blow it open, leaving the organization even more vulnerable to future attacks. Other attackers actively recruit company insiders such as employees and contractors who are already on the company's network; disgruntled employees in particular are susceptible to such offers. To increase pressure on victims, some cybercriminals also release small amounts of the stolen data.

This is how the ransomware defense can be strengthened

Michael Scheffler, Country Manager DACH at Varonis Systems (Image: Varonis).

As long as ransomware promises massive profits for criminals, they will continue to seek and find victims. For companies, the goal is not to be an easy victim and to increase their own resilience against data-related threats.

  • Eliminate weak and reused passwords and enable multi-factor authentication (MFA). This important step is one of the simplest you can take to protect your business. Many groups, such as BlackMatter, acquire usernames and passwords on the dark web and use them for brute force attacks.
  • Recognize unusual activity. In most organizations, your employees and contractors stick to daily work schedules, access the same files, and use the same devices from known locations. Unusual activity, such as logging in from a new location and accessing files not needed for work, can indicate compromised accounts or devices. Unusual activity, especially when associated with administrative and service accounts, should be monitored with high priority and stopped quickly if necessary.
  • Watch your data for signs of ransomware attacks. Ransomware doesn't behave like your HR specialist or your accounting team. Once deployed, it quickly starts opening large amounts of data, assessing it and then encrypting the files. Employees also legitimately encrypt files, but malware behaves differently from a human user: it typically modifies or encrypts files in batches and at high frequency, and this often happens outside working hours, when nobody is watching and files can be encrypted without hindrance unless the activity itself is monitored.
  • Take a data-centric approach. Despite the explosion of endpoints, most data is stored on-premises and in the cloud with large, centralized data stores. At the same time, there is an enormous number of vectors to get at this data. Even if you were able to fully anticipate and monitor these, you would likely be inundated with security alerts. Rather than starting “outside” with all the endpoints and vectors and working your way inward to the data, it makes far more sense to start protecting your large, centralized data stores.
  • Most companies are unaware of how much of their data is all too easily accessible and unguarded. A single compromised user can reach and compromise large amounts of sensitive data. The data risk report for the financial sector, a sector that ought to be especially security-conscious, shows that every employee has access to an average of almost 11 million files from their first day at work, and in larger companies to around 20 million – an enormous blast radius.
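As an added illustration of the detection idea described above (this is example code, not code from the article or from Varonis), the following Python function reads constructed file-activity log lines and flags any account that modifies files in a high-frequency batch, noting whether the batch fell outside business hours. The log format, the threshold of 25 modifications per 60-second window and the 07:00–19:00 business-hours window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): "<ISO timestamp> <account> <action> <path>".
# alice does normal daytime work; svc_backup rewrites 40 files in 40 seconds at 02:13;
# bob rewrites 30 files in 30 seconds during the day (a bulk edit, e.g. a script).
SAMPLE_LOG = [
    "2023-04-12T10:02:11Z alice modify /share/finance/q1-report.xlsx",
    "2023-04-12T10:05:40Z alice read /share/finance/q1-budget.xlsx",
    "2023-04-12T10:30:02Z alice modify /share/finance/q1-report.xlsx",
] + [
    f"2023-04-12T02:13:{i:02d}Z svc_backup modify /share/hr/contract-{i:03d}.docx"
    for i in range(40)
] + [
    f"2023-04-12T14:20:{i:02d}Z bob modify /share/eng/spec-{i:03d}.md" for i in range(30)
]

def parse_line(line):
    """Split one log line into (timestamp, account, action, path)."""
    ts, account, action, path = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, action, path

def detect_bulk_modifications(lines, window=timedelta(seconds=60), threshold=25,
                              business_hours=(7, 19)):
    """Flag accounts that modify >= threshold files inside one sliding time window.
    Returns one alert per account; off_hours marks a window outside business_hours."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)   # account -> modify timestamps still inside the window
    alerts = {}
    for ts, account, action, _path in events:
        if action != "modify":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            start = q[0]
            alerts[account] = {
                "account": account,
                "window_start": start.isoformat(),
                "count": len(q),
                "off_hours": not (business_hours[0] <= business_hours[1] and
                                  business_hours[0] <= start.hour < business_hours[1]),
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bulk_modifications(SAMPLE_LOG):
        print(alert)
```

The off-hours batch by a service account is the pattern the text describes; the daytime batch by bob is still reported so an analyst can decide whether it was a legitimate bulk edit.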

If you want to make your business resilient, start with your greatest asset. Companies know what the attackers want: the data. The least privilege model lets companies grant their employees only the access they actually need for their work. By systematically limiting access to the data and monitoring it more closely, you make the attackers' job much harder.

More at Varonis.com

About Varonis

Since its founding in 2005, Varonis has taken a different approach from most IT security providers by placing company data stored both on-premises and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis Data Security Platform (DSP) detects insider threats and cyber attacks through analysis of data, account activity, telemetry and user behavior, prevents or limits data breaches by locking down sensitive, regulated and stale data, and maintains a secure state of the systems through efficient automation.
