Blog by Jane Chappell, Arcanum Operations Director.
Following our ‘Stand and Deliver’ ransomware blog published on September 3rd, sadly this form of corporate extortion is still on the increase. Ransomware is not only the encryption of data rendering it unavailable to users, but exfiltration of data by extortion, with the intent of making it publicly available.
Behind the deployments of ransomware are two main groups: Nation State Adversaries, and Criminal Gangs. Some Criminal Gangs employ developers to write ransomware code and programmes which they themselves can deploy without the need for advanced technical skills. Other gangs offer ransomware as a service (RaaS) via the cybercrime service economy. RaaS offerings have changed over the past five or six years to take a more crowdsourced, profit-sharing approach with the resulting increase of ransomware into a multi-billion-dollar criminal industry.
During the first two quarters of 2020 ransomware attacks worldwide increased 148% year on year [1]. These corresponded with the reporting of public health announcements about the number of cases and fatalities resulting from the C19 pandemic, and of course the seismic shift in business working practices.
Ryuk, a relatively young strain of ransomware attributed to Wizard Spider, CryptoTech (Russia), and the Lazarus Group (North Korea), was reported to be responsible for one third [2] of all cyber-attacks during 2020. While Nation States and Criminal Gangs continued to launch ransomware into numerous organisations’ networks, the Maze Criminal Gang [3] commenced the shutdown of its ransomware operations by exhorting existing victims to pay their ‘fines’. On November 1st, Maze’s retirement was posted on its website. In the cyber security world, it is thought that the group will transition to alternate activities.
As the American Presidential Elections [4] progressed through 2020, Nation State attacks increased. In Georgia, a database that verifies voter signatures was locked by Russian adversaries. In California and Indiana, Russia’s most formidable Nation State hackers, linked to the Federal Security Service, accessed election systems. In Louisiana, the National Guard was mobilised to manage cyber-attacks to federal networks executed by tools known to originate from North Korea.
Along with numerous other corporations the Campari drinks Group received a ransom of $15 million. Maze ransomware cost Cognizant [5], $50- to $70 million to remediate. Universal Health Services, that runs 400 hundred hospitals in the US received Ryuk ransomware demands over a four-day period in November [6]. Ransomware threats to pharmaceutical companies and healthcare organisations by Nation States and Criminal Gangs is a growing concern. The pharmaceutical industry has long been a target for cyber-attack, but the global supply chain that links them with transport, logistics, refrigeration and to endpoint distribution is vulnerable. Supply chains responsible for delivering the vaccine worldwide, to counter the effects of the current pandemic are under threat of ransomware attacks. IBM [7] reported evidence of suspected Nation States targeting the “cold chain” used to keep supplies at the right temperature during transportation, as well as targeting hospitals and healthcare researchers.
Most organisations do not publicise whether they paid the ransom to regain access to their networks and data. If they do, they still face the cost of implementing preventative measures to reduce the risk of a recurrent attack, recovering infected IT systems, restoring data and revising and testing their cyber incident response plan. New research [8] suggests that victims who pay may still find attackers threaten to release sensitive stolen data unless the victim pays an additionally sum to have the data deleted.
Although organisations that fall victim to ransomware demands may feel intimidated, law enforcement do not encourage their payment. Good cyber security practices, backup management processes, anti-malware protection and a current tested cyber incident response plan are imperative. This would give an organisation confidence that they can continue operating with minimal disruption if it receives a ransomware demand.
Helpful guidance of mitigating ransomware is available on the National Cyber Security Centre’s website [9].
For more information, get in touch today by calling: 01558 669140 or alternatively email: marie.caruso@arcanumis.com
About Arcanum
Arcanum Information Security is a leading National Cyber Security Centre (NCSC) accredited provider, certified in both Risk Assessment and Risk Management to provide specialist Cyber Security consultancy services. Arcanum consultants are NCSC Certified Professionals, with extensive knowledge and experience. In addition, we provide Digital Forensics through our ISO 17025 accredited laboratory.
Sources
[1] https://www.carbonblack.com/blog/amid-covid-19-global-orgs-see-a-148-spike-in-ransomware-attacks-
[5] https://www.zdnet.com/article/cognizant-expects-to-lose-between-50m-and-70m-following-ransomware-attack/
[6] 400 US Hospitals in Danger of Unprecedented Bitcoin Ransomware Attack | Crypto Briefing
[7] https://www.bbc.co.uk/news/technology
[8] https://krebsonsecurity.com
[9] https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks