Ryan Chapman

Ransomware: Every internet-connected network is at risk. Be prepared!

As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. Here is what you can do to prepare.

May 4, 2023

Cyber criminals target every type of organization, from small businesses to large enterprises. Many people believe that ransomware actors only go after large enterprises or critical systems; unfortunately, that is not the case. If you have internet-connected devices, you are at risk of a ransomware attack.

Some ransomware actors target very specific victim environments, others focus on specific verticals or sectors, and still others take an opportunistic approach. The opportunistic actors cast a wide net, sometimes even purchasing access to victim environments from initial access brokers (IABs), whose role is to break into a wide variety of networks and later resell that access to threat actors such as ransomware operators.

Ransomware attacks in 2022: An overview

Tracking all ransomware incidents is impossible. No one knows exactly how many ransomware attacks have occurred over time, or even within a given year. Some victims negotiate directly with the threat actor and pay the ransom before the rest of the world becomes aware of the incident. Many incidents are handled privately under non-disclosure agreements (NDAs) signed by all parties involved, and the consulting groups involved are barred from discussing specifics.

Though no one can come close to tracking every ransomware attack, some groups release reports that contain statistics along with the tactics, techniques, and procedures (TTPs) of the groups involved. Publicly released reports are often written through the lens of the firm or group writing them. For the purposes of this article, we have opted to use statistics from ecrime.ch, a paid threat intelligence service that aggregates and reports on ransomware data leak sites (DLS), the sites run by the ransomware operators themselves to name victims and publish stolen data.

Based on intelligence from ecrime.ch, ransomware actors made over 2,600 posts in 2022 related to their victims. These posts identified victims; some also provided sample files and/or notes concerning full data dumps (typically the result of non-payment). Within this data set, the top 10 sectors by number of compromises, in order, were:

  • Construction
  • Hospital and Health Care
  • Government Administration
  • IT Services and IT Consulting
  • Law Practice
  • Automotive
  • Financial Services
  • Higher Education
  • Insurance
  • Real Estate

According to Coveware’s April 28th article concerning ransomware attacks in Q1 2023, the two most common company sizes impacted by ransomware were those with:

  • 101 to 1,000 employees (34%), and
  • 11 to 100 employees (25.2%)

However, companies with 1 to 10 employees accounted for 6.3% of impacted companies. That number is not insignificant, and it should serve as a warning to organizations that think, “Ransomware only hits enterprises, so we should be safe.”

Consulting firms, insurance carriers, and law firms alike see small businesses, such as dental offices and small accounting practices, hit with ransomware. The threat is not relegated to larger companies. If you have network infrastructure on the internet, you are a viable target.

----

Should you be interested in free sites similar to ecrime.ch, we recommend the following resources:

Ransom Watch provides a group index, recent DLS posts, group profiles, and statistic/graph pages: https://for528.com/ransomwatch.

Ransom Look provides a group index, forum and market links, a listing of data leaks, Telegram messages, and statistic/graph pages: https://for528.com/ransomlook. The team also maintains a GitHub repo that you can review: https://for528.com/ransomlook-gh.

Ransom.Wiki focuses more on allowing users to search for recent victims and/or ransomware groups by name: https://for528.com/rwiki.

DarkFeed provides several resources for identifying ransomware DLS and blog information: https://for528.com/darkfeed.

How serious is the threat of a potential ransomware attack?

During the development of our SANS Forensics course “FOR528: Ransomware for Incident Responders,” we experienced a real-world, eye-opening attack. To generate the data for our labs and capture the flag (CTF) event, we built multiple network ranges. One night, I purposely left one of the ranges in a vulnerable state: the servers had Remote Desktop Protocol (RDP) open to the internet with weak passwords for no more than 8 hours while I slept.

I joked that I wanted to give a real threat actor a chance to brute-force one of the Administrator account passwords. When I awoke, I found that the range had not only been breached, but the entire environment had been ransomed! We could not have asked for a better real-world example of just how serious the threat is. We’re up against a monster!

Figure 1. One of our network ranges, ransomed after being left vulnerable for no more than 8 hours.

Initial Access – How the Ransomware Actors Are Getting In

The top three methods used to obtain access to victim networks in ransomware attacks, along with some prevention/mitigation-related questions, follow:

  • Phishing
    • Are you training your users to spot and report potential phishing emails?
    • Do you have an email security gateway that allows you to pull potentially malicious email from your user inboxes?
    • Are you blocking potentially malicious file attachments? To learn about which files to block, see https://for528.com/filesec.
  • RDP
    • Do you have RDP exposed to the Internet?
    • Are externally-facing RDP services using Multi-Factor Authentication (MFA)?
    • Are you using your firewall(s) to allow external-to-internal RDP access only from the IP subnets that truly need it?
    • Are the accounts enabled for remote access standard, non-privileged accounts only?
  • Software vulnerability exploitation
    • Do you have proper asset management?
    • Are you patching:
      • Externally-facing services?
      • Network equipment such as firewalls and VPN concentrators?
      • Internal software?
      • Your operating systems?

Some ransomware groups carry out their own attacks (e.g., Vice Society), while others use affiliate groups as part of their Ransomware-as-a-Service (RaaS) model (e.g., LockBit 3.0). Regardless, entry into victim networks often comes by way of the three methods above. Initial entry may not be made directly by the operator or affiliate group. Rather, access may be purchased or leased from an Initial Access Broker, or IAB, as noted earlier.

The IAB’s role is in its name: to broker initial access to victim networks. Such groups work around the clock to breach victim environments using the three methods above. Once in, they sell, auction, or trade that access to other threat actors, including ransomware actors. That is the threat we are up against: entire teams of people constantly using well-known, tried-and-true attack methods, and those methods work all too often.

To learn more about the IAB landscape, see https://for528.com/iab.
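The overnight RDP brute force described earlier and the RDP questions above come down to two checks against the Windows Security log: a burst of failed logons (Event ID 4625) from one source against one account followed by a successful RemoteInteractive logon (Event ID 4624, logon type 10), and any RDP success from a source outside the subnets your firewall is meant to allow. The second check matters because access bought from an IAB arrives with valid credentials and no brute-force noise. The Python below is an added example, not code from the original post; the flattened export format, the allowlist subnet, and the sample events are constructed assumptions.

```python
"""Detect RDP brute force and policy-violating RDP logons in a Windows
Security log export. Added example, not code from the original post; the
export format, allowlist, and sample events are constructed assumptions."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the only subnet allowed to reach RDP from outside.
ALLOWED_RDP_SOURCES = [ip_network("203.0.113.0/24")]

# Constructed sample export: time, event ID, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive.
# With Network Level Authentication enabled, failed RDP attempts are usually
# recorded as logon type 3 (network), so types 3 and 10 both count as failures.
SAMPLE_LOG = """\
2023-04-12T02:11:04 4625 3 Administrator 198.51.100.23
2023-04-12T02:11:05 4625 3 Administrator 198.51.100.23
2023-04-12T02:11:05 4625 3 Administrator 198.51.100.23
2023-04-12T02:11:06 4625 3 Administrator 198.51.100.23
2023-04-12T02:11:07 4625 3 Administrator 198.51.100.23
2023-04-12T02:11:08 4625 3 Administrator 198.51.100.23
2023-04-12T02:11:09 4624 10 Administrator 198.51.100.23
2023-04-12T08:30:00 4625 3 jsmith 203.0.113.7
2023-04-12T08:30:20 4624 10 jsmith 203.0.113.7
2023-04-12T11:02:13 4624 10 svc_backup 192.0.2.50
"""

Record = namedtuple("Record", "time event_id logon_type account source_ip")
Finding = namedtuple("Finding", "source_ip account failures success_time allowed_source")


def parse_log(text):
    """Parse the flattened export into Record objects, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        records.append(Record(datetime.fromisoformat(ts), int(event_id),
                              int(logon_type), account, ip_address(src)))
    return sorted(records, key=lambda r: r.time)


def is_allowed_source(ip):
    """True when the source address falls inside an allowlisted subnet."""
    return any(ip in net for net in ALLOWED_RDP_SOURCES)


def find_brute_force_successes(records, threshold=5, window=timedelta(minutes=10)):
    """Return a Finding for every RDP success preceded by at least `threshold`
    failures for the same (source IP, account) pair within `window`."""
    failures = defaultdict(list)
    findings = []
    for r in records:
        key = (r.source_ip, r.account)
        if r.event_id == 4625 and r.logon_type in (3, 10):
            failures[key].append(r.time)
        elif r.event_id == 4624 and r.logon_type == 10:
            recent = [t for t in failures[key] if r.time - t <= window]
            if len(recent) >= threshold:
                findings.append(Finding(r.source_ip, r.account, len(recent),
                                        r.time, is_allowed_source(r.source_ip)))
            failures[key].clear()
    return findings


def find_unexpected_rdp_sources(records):
    """Return (source IP, account) pairs for RDP successes from outside the
    allowlist. This catches valid-credential logons (for example, access bought
    from an IAB) that a brute-force detector never sees."""
    pairs = {(r.source_ip, r.account) for r in records
             if r.event_id == 4624 and r.logon_type == 10
             and not is_allowed_source(r.source_ip)}
    return sorted(pairs, key=lambda pair: (str(pair[0]), pair[1]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in find_brute_force_successes(recs):
        print(f"brute force: {f.account} from {f.source_ip} after "
              f"{f.failures} failures, success at {f.success_time}")
    for ip, account in find_unexpected_rdp_sources(recs):
        print(f"RDP logon from non-allowlisted source: {account} from {ip}")
```

In the constructed sample the Administrator logon trips both checks, jsmith from the allowlisted subnet trips neither, and the svc_backup logon from 192.0.2.50 is caught only by the allowlist check, which is exactly the case a brute-force-only alert would miss.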

Protecting Your Organization

What is the best way to protect myself and my organization from ransomware?

The best defense against ransomware is preparation. As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. However, there is one thing that can help you fight back: train your team!

One of the most important things you can do as an organization is to train your cyber team to recognize the signs of a possible attack, to know what steps to take, and to help prevent an attack from happening in the first place. A well-trained team will be able to identify what ransomware attacks look like and will be able to help you work out a plan for responding if ransomware is detected on your network.

For example, how would you determine that an actor identified in your environment may be a ransomware affiliate? What signs do you look for? Once you make that determination, what steps are appropriate? You do not respond to a potential ransomware attack the same way you respond to an Advanced Persistent Threat (APT): with an APT you may choose to observe before acting, but with a ransomware affiliate encryption may be only hours away, so containment cannot wait. Do you know the difference? If not, it is time to prepare yourself and your organization.

A recent study found that organizations that have trained their IT or cybersecurity teams are 28% less likely to experience a breach than those that haven't. This makes sense: when you know what you're doing, you can act quickly and efficiently when the time comes.

If you're a business owner, you know that staying on top of the latest in cybersecurity can feel like an uphill battle. But there are ways to ensure that your business stays secure from the dangers of ransomware and other forms of malware.

Here are five tips for staying safe:

  1. Train your cyber team on the newest threats and how they should respond.
    1. This training should include phishing training to help thwart one of the top methods used for ransomware initial entry.
  2. Keep your software and network appliances updated with the latest patches and updates.
    1. Software vulnerabilities are everywhere. Patch them promptly, starting with externally-facing services.
    2. Don’t forget that your network appliances, including firewalls and VPN concentrators, run operating systems that require updates too. Many ransomware breaches begin with the exploitation of a network device.
  3. Don't open suspicious emails or click on links.
    1. Again, phishing is a massive entry vector. Train your staff. Then train them some more.
  4. Keep an eye out for unusual activity on your network. If something looks suspicious, don't hesitate to reach out for help!
    1. Foster an environment in which your employees are inclined to report rather than stay silent.
    2. The impact of many ransomware and other attacks has been lessened thanks to diligent reporters.
  5. Encrypt all sensitive data so that, even if it is stolen, it is not stored in plaintext.
    1. Starting in 2019, the MAZE Team popularized the data-theft extortion that we now see in most ransomware attacks. If a ransomware actor gets into your network, will they be able to exfiltrate data that is not encrypted? Chances are they will. Do all you can to avoid this by leveraging encryption at rest.
    2. One caveat: encryption that is transparent to a logged-in user, such as full-disk encryption or transparent database encryption, does not stop an attacker operating from a compromised account, because the data is decrypted for that session just as it would be for the legitimate user. Protecting data against exfiltration requires keys the attacker cannot reach, for example application-level encryption with keys held outside the compromised host, together with monitoring for bulk outbound transfers.

Learn more about the course at www.sans.org/FOR528


Tags:
  • Digital Forensics and Incident Response
