Ransomware 2020: A year of many changes

Ransomware 2020: A year of many changes

Fady Younes, Cybersecurity Director, Middle East and Africa, Cisco, on why organisations need to be proactive in developing comprehensive security strategies and take the evolving threat landscape serious.

2020 was a turbulent year as the world grappled to cope with the impact of COVID-19 – both on general sense of wellbeing and the critical infrastructures which connect and protect to ensure our livelihoods. From an enterprise standpoint, cyber attackers have increasingly seized the world of remote working and e-learning to exploit vulnerabilities in systems and steal critical information via ransomware tactics.

The nature of these threats has been changing in recent times and research conducted by Cisco Talos discovered multiple threats using the pandemic to lure victims with Coronavirus themes, as the public searched for information about the condition.

Where businesses once viewed these attacks as a nuisance, they are now creating widespread disruption, loss of sensitive information and damage company reputation. This is being caused largely by the adoption of new tactics, techniques, and procedures to deploy ransomware onto corporate networks.

Big game hunting

Rather than activating ransomware on the first successfully compromised system, attackers now leverage the infected system as an initial access point into the network. Once this is established, they can then move across the network to gain additional systems and privileged access to critical network infrastructure. This enables the ransomware to be activated on all these systems simultaneously to inflict maximum damage. Organisations are more likely to pay in these circumstances and ransoms can be set much higher.

Compromise-As-a-service

The crimeware ecosystem has continued to evolve in recent years with new ransomware product offerings emerging on hacking forums, darknet markets and in closed communities. These cater to criminals who seek to launch extortion attacks without having to first obtain initial access into the networks they are targeting. Individuals selling these offerings are known as ‘initial access brokers’, they seek to obtain an initial foothold in corporate environments and may also perform the post-compromise activities necessary to escalate privileges. These criminals then sell this access capability to others, rather than deploy malware themselves. Online sales postings have become increasingly frequent, with access to multiple networks common and they are popular among attackers as they can be purchased for between hundreds to thousands of dollars.

Post-compromise activities

Offensive security and dual-use tools have become increasingly widespread to carry out post-compromise activities. Dual-use tools are applications that were initially created to help legitimate administrators but are now often co-opted by malicious attackers as well. Such files enable IT departments to gain remote access to another computer to solve issues, but they can also be used to place malicious files on another system.

Double extortion

Many attackers are not only causing widespread disruption to business operations but are also stealing large quantities of sensitive data before issuing ransom demands. These are known as ‘double extortion attacks’ and create significant problems for organisations that have to deal with the disruption, as well as the threat of important information such as intellectual property and trade secrets being publicly released. These types of attacks also risk reputational damage to targeted organisations and decrease customer confidence.

Defending against attacks

Although threats have evolved over the course of 2020, the good news is many of the security controls recommended for other types of attacks remain effective against the likes of ‘big-game hunting’ and ‘double extortion attacks’. As a precaution, businesses should use a defence-in-depth approach to securing networks. Companies should focus on network defence, which includes prevention, detection and fast response. As a result, failure of one layer will not result in an inability to react to other threats.

Cisco Secure offers a number of security solutions that not only address security concerns based on key trends but can also be tailored to meet the specific requirements of a business. These products integrate seamlessly with the Cisco SecureX platform and include Cisco Secure Network Analytics, Cisco Secure Endpoint, Cisco Secure Firewall, Cisco Secure Email and more. Each of these solutions helps to secure areas where ransomware attackers may attempt to exploit.

Browse our latest issue

Intelligent CIO Middle East

View Magazine Archive