Editor’s Question: How have cybercriminals changed their behavior?

Editor’s Question: How have cybercriminals changed their behavior?

Sophos, a global leader in next-generation cybersecurity, has announced the findings of its global survey, The State of Ransomware 2021, which reveals that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from US$761,106 in 2020 to US$1.85 million in 2021.

The average ransom paid is US$170,404. The global findings also show that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.

The survey polled 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East and Africa.

Globally, fewer organizations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020). The new survey results reveal worrying upward trends, particularly in terms of the impact of a ransomware attack.

“The apparent decline in the number of organizations being hit by ransomware is good news, but it is tempered by the fact that this is likely to reflect, at least in part, changes in attacker behaviors,” said Chester Wisniewski, Principal Research Scientist, Sophos.

“We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking. While the overall number of attacks is lower as a result, our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher. Such attacks are also harder to recover from, and we see this reflected in the survey in the doubling of overall remediation costs.”

Globally, the number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 (8%) managed to get back all of their data.

“The findings confirm the brutal truth that when it comes to ransomware, it doesn’t pay to pay. Despite more organizations opting to pay a ransom, only a tiny minority of those who paid got back all their data,” said Wisniewski.

“This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low quality or hastily compiled code and techniques can make data recovery difficult, if not impossible.”

We asked industry experts how cybercriminals have changed their behavior and if these changes have made them more dangerous? Here are their responses.:

Tom Callahan, Director of Operations (MDR) at PDI Security Solutions

Tom Callahan, Director of Operations (MDR) at PDI Security Solutions

One thing to keep in mind is that cybercriminals are almost always ahead of any security solutions simply because they’re on the offensive, and everyone else is trying to predict what they’ll do next. As much as we want to be proactive, we often end up having to react to whatever new threats they create. One of the more interesting recent developments in the cyberthreat world is the concept of extortionware or doxware.

By now, almost everyone is familiar with ransomware, where cybercriminals essentially lock out businesses or government entities from their systems and data until a ransom is paid. Extortionware is even more dangerous, because it goes a step further.

Like ransomware, the attacks typically involve a computer infected via a phishing email. Where extortionware differs is primarily the sheer escalation of the threat. For instance, if you try to negotiate too aggressively or refuse to make the ransom payment, it’s no longer just about getting locked out from your data and systems.

Instead, cybercriminals are actually taking your (theoretically) confidential data and uploading to a public venue or selling it off to the highest bidder. Even if you’ve strengthened your backup and recovery capabilities, a cybercriminal might need only a few minutes to access confidential data-such as PII, cardholder information or HIPAA-regulated records – and they suddenly have enough materials to extort you.

The resulting damage can be both extensive and expensive: regulatory fines, legal fees, damage to your reputation, and the vast time and effort required just to identify exactly what (if any) data has actually been breached.

When the difference between ‘business as usual’ or a complete shutdown depends on whether a single employee clicks on the wrong email link, you simply can’t afford to take any chances.

The elevated level of threat posed by extortionware makes it even more critical to implement a solid security awareness training program for all employees. It’s also important to focus on additional threat prevention methodologies so you never get hit by this type of cyberattack. Investing a little upfront time and money as ‘cybersecurity insurance’ can go a long way in avoiding a preventable disaster.

Surya Varanasi, CTO, StorCentric

Surya Varanasi, CTO, StorCentric

Cybercriminals are the most serious threat facing organizations today. In the past year these bad actors have become increasingly aggressive as COVID-19 exacerbated cybersecurity challenges. Attacks have become more targeted, the deployment of ransomware more specialized and the payments of ransomware harder to trace.

Cybercriminals are able to easily adapt to changes in economic market conditions. As the world was adapting to the public health crisis, hospitals were particularly vulnerable with strained resources. Not only is data being held for ransom, but the threat of releasing sensitive information is rampant, creating a double threat. State and local governments have also been increasingly targeted. Limited budgets and IT personnel make them ideal targets and consequently force these organizations to quickly resolve cybersecurity breaches for operational continuity.

Once data is compromised, hackers encrypt and/or delete valuable information, causing irreversible reputational damage, regulatory fines, and costly downtime. However, bad actors are now also targeting backups, which used to be considered a recovery option. Cybercriminals have found backdoors to delete or encrypt the backups as well, which is why ‘unbreakable’ backup solutions have become increasingly critical.

Once ransoms are paid, tracing the cybercriminals is increasingly difficult. Bad actors work with several other groups to share ransomware profits, thus also making them harder to trace. Furthermore, ransoms are increasingly being demanded in cryptocurrencies. Payments can be made anonymously which means that it is often impossible for law enforcement to uncover the identity of the bad actors.

Yuen Pin Yeap, CEO at NeuShield

Yuen Pin Yeap, CEO at NeuShield

Before ransomware attacks were commonly reported in the news, the typical security related news consisted of companies being breached and customer info becoming stolen and sold on the Dark Web.

The victimized organizations might not even be aware of the data breach until they were informed by authorities or a white hat group that monitors the underground activities. Apart from a bruised reputation and the arduous journey of going through the disclosure and cleanup processes for the affected customers, life would continue on and most companies survived the traumatic episode.

Then came along the new and deadlier data extortion, ransomware. Using ransomware to encrypt important data and paralyze computers, hackers demand a ransom before restoring the data. Facing the ruin of their businesses and livelihoods, some victims gave in to the demands and paid to get their data back. The payoff encouraged the criminals and fueled further ransomware attacks. According to a recent Gartner Report, 27% of malware attacks in 2020 were attributed to ransomware.

But, as bad as that is, it gets worse. Now we are seeing the worrisome trend of ransomware hackers deploying multiple data extortion tactics to exert maximum pressure on their victims. Many of the recent ransomware attacks also stole data before deploying ransomware. The ransomware gangs begin by infiltrating the C-level executives’ computers and servers to steal confidential company data, as well as personal information that can be used to humiliate the victim. After transferring the data outside network, they encrypt the data locally to paralyze the computers and business.

If the stolen data includes protected information in regulated industries, such as medical records of a patient or social security number from a finance institute, the attack just escalated into a full data breach incident. In most cases, this type of attack will trigger a government regulation and thus require the victim to notify its users of the breach. Ironically, the chance of the criminals getting paid may be reduced as most government bodies that get involved would actively discourage the company from paying the ransom.

On the other hand, if the leaked data is of personal nature of the executives, or confidential data, the victimized company may be much more willing to comply if they deem the damage of the leaking is much bigger than the ransom.

In any case, this type of multi-pronged attack is hard for most victims to escape unscathed. However, by following security and recovery best practices, companies can minimize the risk of attack, and maximize the chances of quick recovery.

Don Boxley, CEO and Co-Founder of DH2

Don Boxley, CEO and Co-Founder of DH2

According to new research on those who used a VPN for network access and/or security measures, the number-one enterprise pain point is inadequate security.

While this stat in itself was no surprise, that same research revealed that almost 40% of those responsible for keeping ransomware and other malware from penetrating their network, believed that in fact, their network already had been breached. 

Cybercriminals understand this all too well and have changed from opportunistic crypto-locking malware attacks to ‘post-intrusion ransomware’ advanced persistent threat (APT) tactics. 

APT tactic is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. This change is exceedingly dangerous for organizations because cybercriminals deploying post-intrusion ransomware APT tactics seek to gain complete control of the environment. With this control cybercriminals can extract massive payments or threaten significant disruptions to critical systems.

Browse our latest issue

Intelligent CIO North America

View Magazine Archive