Ransomware: Every internet-connected network is at risk. Be prepared!

Cyber criminals are targeting every type of organization, from small businesses to large enterprises. Many people tend to believe that ransomware actors only target large enterprises and/or critical systems; unfortunately, the opposite is true. If you have internet-connected devices, you are at risk of a ransomware attack.

Some ransomware actors target very specific victim environments, others focus on specific verticals and/or sectors, and yet others take a more opportunistic approach. These latter types of actors utilize a wide-net approaches, sometimes even purchasing access to victim environments from initial access brokers (IABs), whose role is to break into a wide variety of networks to later re-sell this access to threat actors such as ransomware actors.

Ransomware attacks in 2022: An overview

Tracking all ransomware incidents is impossible. No one on the planet knows exactly how many ransomware attacks have occurred over time or even within a given year. Some victims negotiate directly with the threat actor and provide a ransom payment before the rest of the world becomes aware of the situation. Many incidents are handled in private with non-disclosure agreements (NDAs) signed by all parties involved. In these situations, the consulting groups involved are barred from discussing specifics. 

Though even coming close to tracking all ransomware attacks is not possible, some groups release reports that contain statistics along with techniques, tactics, and procedures (TTPs) of the various groups involved. The reports you will find released to the public are often written through the lens of the firm or group writing the report. For the purposes of this article, we have opted to use statistics from ecrime.ch, a paid threat intelligence service that aggregates and reports on ransomware data leak sites (DLS). These sites are run by the ransomware operators themselves.

Based on intelligence from ecrime.ch, ransomware actors made over 2,600 posts in 2022 related to their victims. These posts included victim identification, while some even provided sample files and/or notes concerning full data dumps (typically as a result of non-payment). Within this data set, the following were the top 10 sectors in terms of compromise, in order:

• Construction
• Hospital and Health Care
• Government Administration
• IT Services and IT Consulting
• Law Practice
• Automotive
• Financial Services
• Higher Education
• Insurance
• Real Estate

According to Coveware’s April 28^th article concerning ransomware attacks in Q1 2023, the two most common company sizes impacted by ransomware were those with:

• 101 to 1,000 (34%) employees, and
• 11 to 100 (25.2%) employees

However, companies with employee counts between 1 to 10 served as 6.3% of impacted companies. That number is not insignificant and should serve as a warning to organizations who think to themselves, “Ransomware only hits enterprises… so we should be safe.”

Consulting firms, insurance agencies, and law firms alike see small businesses, such as dentist offices and small accounting agencies to name a few, being hit with ransomware. The threat is not only relegated to larger companies. If you have network infrastructure on the internet, you are a viable target. 

----

Should you be interested in free sites similar to ecrime, we recommend the following resources:

Ransom Watch provides a group index, recent DLS posts, group profiles, and statistic/graph pages: https://for528.com/ransomwatch.

Ransom Look provides a group index, forum and market links, a listing of data leaks, telegram messages, and statistic/graph pages: https://for528.com/ransomlook. The team also maintains a GitHub repo that you can review: https://for528.com/ransomlook-gh.

Ransom.Wiki focuses more on allowing users to search for recent victims and/or ransomware groups by name: https://for528.com/rwiki.

DarkFeed provides several resources for identifying ransomware DLS and blog information: https://for528.com/darkfeed.

How serious is the threat of a potential ransomware attack?

During the development of our SANS Forensics “FOR28: Ransomware for Incident Responders” course, we experienced a real-world, eye-opening attack. To generate the data for our labs and capture the flag (CTF) event, we created multiple network ranges. One night, I left one of our ranges in a vulnerable state, purposefully. The servers in the range had Remote Desktop Protocol (RDP) open with insecure passwords for no more than 8 hours while I slept.

I joked that I wanted to give a real threat actor a chance to brute-force one of the Administrator account passwords. When I awoke, I found that not only had the range been breached, but the entire environment was ransomed! We could not have asked for a better, real-world example of just how serious the threat is… we’re up against a monster!

Figure 1. One of our network ranges after being ransomed after being vulnerable for no more than 8 hours. 

IInitial Access – How the Ransomware Actors Are Getting In

The top three methods used to obtain access to victim networks in ransomware attacks, along with some prevention/mitigation-related questions, follow:

• Phishing
• Are you training your users to spot and report potential phishing emails?
• Do you have an email security gateway that allows you to pull potentially malicious email from your user inboxes?
• Are you blocking potentially malicious file attachments? To learn about which files to block, see https://for528.com/filesec.
• RDP
• Do you have RDP exposed to the Internet?
• Are externally-facing RDP services using Multi-Factor Authentication (MFA)?
• Are you using your firewall(s) to allow access only to IP subnets that truly need external > internal RDP access?
• Are the accounts enabled for remote access standard, non-privileged accounts only?
• Software vulnerability exploitation
• Do you have proper asset management?
• Are you patching:
• Externally-facing services?
• Network equipment such as firewalls and VPN concentrators?
• Internal software?
• Your operating systems?

Some ransomware groups carry out their own attacks (e.g., Vice Society), while some use affiliate groups as part of their Ransomware-as-a-Service (RaaS) model (e.g., Lockbit 3.0). Regardless, entry into victim networks often comes by way of the three above methods. Initial entry may not be direct via the operator or affiliate group. Rather, access may be purchased and/or leased via an Initial Access Broker, or IAB, as noted earlier.

The IAB’s role is literally in its name: to broker initial access to victim networks. Such groups work around the clock, literally, to breach victim environments using the above three methods. Once in, they sell, auction, or trade access to other threat actors, including ransomware actors. That’s the threat we’re up against: Entire teams of humans are using well-known, tried-and-true attack methods constantly – And they work all too often.

To learn more about the IAB landscape, see https://for528.com/iab.

Protecting Your Organization

What is the best way to protect me and my organization from ransomware?

The only way to stay safe from ransomware is to be prepared. As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. However, there is one thing that can help you fight back: train your team!

One of the most important things you can do as an organization is to train your cyber team on how to recognize the signs of a possible attack, what steps they should take, and how they can help prevent it from happening in the first place. A well-trained team will be able to identify what ransomware attacks look like, and thus will be able to help you work out a plan for responding if it's detected on your network.

For example, how might you determine that an identified actor within your environment may be a ransomware affiliate? What signs do you look for? Should you make this determination, what steps would then be appropriate? You do not respond to a potential ransomware attack the same as you do an Advanced Persistent Threat (APT). Do you know the difference? If not, it’s time to prepare you and your organization.

A recent study found that organizations that have trained their IT or cybersecurity teams are 28% less likely to experience a breach than those who haven't. This makes sense: when you know what you're doing, you can act quickly and efficiently when the time comes.

If you're a business owner, you know that staying on top of the latest in cybersecurity can feel like an uphill battle. But there are ways to ensure that your business stays secure from the dangers of ransomware and other forms of malware.

Here are five tips for staying safe:

1. Train your cyber team on the newest threats and how they should respond.
1. This training should include phishing training to help thwart one of the top two methods used for ransomware initial entry.
2. Keep your software and network appliances updated with the latest patches and updates.
1. Software vulnerabilities are everywhere. Avoid them at all costs.
2. Don’t forget that your network appliances, including firewalls, have operating systems that most likely require updates. Many ransomware breaches occur due to exploitation of network devices.
3. Don't open suspicious emails or click on links.
1. Again, phishing is a massive entry vector. Train your staff. Then train them some more.
   Keep an eye out for unusual activity on your network—if something looks suspicious, don't hesitate to reach out for help!
4. You want to foster an environment in which your employees are prone to report vs. not doing so.
1. The impact of many ransomware and other attacks have been lessened thanks to diligent reporters.
5. Encrypt all sensitive data so even if it does get stolen, it's not stored in plaintext.
1. Starting in 2019, the MAZE Team made popular the data extortion that we now see in most ransomware attacks. If a ransomware actor gets into your network, will they be able to exfiltrate data that is not encrypted? Chances are they will. Do all that you can to avoid this by leveraging encryption at-rest.

Learn more about the course at www.sans.org/FOR528