Good Cyber Hygiene Can Prevent Ransomware Attacks
by Anastasios Arampatzis
Ransomware attacks are increasing year after year, affecting a wide range of organizations and industries. In November 2021, electronics retail giant MediaMarkt suffered a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and store operations to be disrupted in the Netherlands and Germany.
In Greece, back in July 2021, the Municipality of Thessaloniki, the second-biggest city in the country, suffered a ransomware attack that encrypted files and documents containing personal data. Later, in November of the same year, several Greek shipping companies were hit by a ransomware attack that spread through the systems of a popular, well-established IT consulting firm.
What is the state of ransomware in 2021?
The evolving ransomware landscape is described in many security reports that provide a detailed account of the tactics used by ransomware gangs and their impact.
For example, Sophos’ 2021 State of Ransomware report states that 37% of the survey respondents had suffered a ransomware attack. Even if a company chooses to pay the ransom – don’t do that! – this does not ensure that they will get their data back. Only 65% of the encrypted data was restored after organizations paid the ransom. The ransom is not the only financial cost faced by the victims. Sophos reports that the average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc., was $1.85 million.
Ransomware groups are no longer targeting small and medium businesses. They are going after the big fish! Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2021 report notes that “The trends of focusing on large corporations and public institutions, utilizing vulnerabilities in the digital supply chain, and multi-layered extortion that we observed last year have intensified and become more prominent, which is an indication of the increased sophistication and maturation of the ransomware affiliate programs involved.”
The shift in the attack paradigm towards high-value targets indicates that ransomware groups choose their targets based on:
- their financial capability to comply with higher ransom demands,
- their need to resume their operations as quickly as possible.
This seems to indicate that spending more time on large corporations and public institutions is an effective approach for cybercriminals in terms of return on investment. This trend is reflected in the sectors most targeted by criminals: central and local government, technology, manufacturing, energy, oil/gas, education, and healthcare.
It is important to highlight the core role of technology companies in ransomware attacks. Technology companies are a popular target for ransomware gangs because they are a crucial part of supply chains. The SolarWinds, Kaseya and Microsoft Exchange Server attacks are clear examples of the tactics employed by criminals who seek to compromise digital supply chains.
Organizations need to grant access to update distributors, which makes third-party service providers an ideal target. After infiltrating a software provider’s client network, ransomware groups can choose the most suitable targets, move laterally while remaining undetected under the guise of legitimate users, and then deploy their malicious code at the most convenient time. Furthermore, as past successful attacks have clearly demonstrated, with businesses being highly interconnected and interdependent, a successful intrusion does not only put one company at risk, but also opens doors to compromise other service providers, giving the attack even greater scalability.