Ransomware in 2023 – the evolving risk
According to the latest Annual Cyber Threat Report 2021-22, the Australian Cyber Security Centre (ACSC) recorded 76,000 cybercrime reports – that’s one every seven minutes. The ACSC received 477 ransomware cybercrime reports but concedes that ransomware remains significantly under-reported, especially by victims who choose to pay the ransom.
Research from Splunk’s 2022 State of Security report found that globally, 79% of organisations had experienced ransomware attacks and 35% of victims said an attack led them to lose access to data and systems.
The ACSC considers ransomware to be the most destructive cybercrime threat, noting that all sectors of the Australian economy were directly impacted by ransomware in the last financial year.
To say that ransomware attacks left the public, businesses, law enforcement and governments reeling last year is an understatement. Two high-profile data breaches (Optus and Medibank Private) saw the private details of millions of Australians stolen and held to ransom. Hundreds more attacks didn’t make the headlines, but their effects were acutely felt by the businesses that were targeted. A 2022 study by the Australian Institute of Criminology found 23.2% of SME victims paid the ransom, with payments and other associated costs running to many millions of dollars.
According to the UNSW Institute for Cyber Security, cybercrime costs the Australian economy an estimated $42 billion each year.
Ransomware was named as the top cybersecurity challenge for 2023 by Red Access, which noted that the “commodification of offensive hacking tools (sold primarily on the dark web) has dramatically reduced the barriers to entry into the ransomware business, and the promise of million-dollar paydays has encouraged new entrants in droves”.
Ransomware is evolving
While the aim of ransomware remains the same (to extort money), the tactics are changing. According to cybersecurity experts, these are five key ways in which ransomware is evolving:
1. SMEs are being targeted
Globally, ransomware groups are shifting towards targeting small and medium-sized businesses. Reasons include the stronger defences of larger organisations and an influx of less sophisticated ransomware affiliates who lack the capability to breach them.
Locally, the ACSC says top-tier ransomware groups are continuing to target Australian ‘big game’ entities – organisations that are high-profile, high-value or provide critical services. However, experts expect it won’t be long before the global trend reaches our shores and criminals will target smaller organisations. BlackFog notes that “there are many small to mid-size companies that invest less in protection, have limited technical skills, and find cyber insurance expensive – all of which makes them easy targets. We can expect smaller scale attacks, for lower amounts of money, but which target a much broader base”.
2. Double and triple extortion
Traditionally, a ransomware attack meant that a threat actor who managed to infiltrate a network would encrypt the organisation’s data, rendering it unusable. The victim would receive the decryption key only after paying a ransom. However, as organisations started to maintain back-ups of their important data, many ransomware attacks lost their leverage. As a result, attackers became more creative.
Before encrypting a network, threat actors now exfiltrate a copy of the data so they can use it in negotiations: if the victim refuses to pay, the sensitive data stolen from the network is made public or sold on the black market. This combination of data encryption and the threat of exposure is known as ‘double extortion’, and it’s on the rise.
In a ‘triple extortion’ attack, malicious actors seek money not only from the organisation that was first targeted, but also from anyone who might be affected by the disclosure of that organisation’s data (clients, partners, affiliates, patients, associates, suppliers, etc.). The ACSC notes that in 2021-22, ransomware actors continued to incorporate additional extortion tactics into their operations to more effectively extract payment from victims. Examples of this ‘multifaceted extortion’ include convincing third-party stakeholders to pressure victims into negotiating, and sustained Distributed Denial of Service (DDoS) attacks against the victim’s network during ransom negotiations. Some experts also predict that more attackers will skip encryption altogether and go straight to extortion.
3. Ransomware-as-a-Service
Cyber criminals are packaging ransomware and other malware tools into service offerings so that even novices can launch devastating cyberattacks, according to Sophos’ 2023 Threat Report.
The report explained that the industrialisation of ransomware has allowed ransomware ‘affiliates’ to evolve into professional operations specialising in exploitation. Elite gangs are finding increased profits and reduced personal exposure by developing the malware and then leasing its use to third-party affiliates for a fee or percentage of returns. Their success has been so great that more, lesser-skilled gangs are following the same path.
4. Data is the prize
According to PwC Australia, and evidenced in Australia’s recent high-profile attacks, data is now the real prize. “Why go to the hassle of encrypting systems if you can grab the data and run, then extort the victim?” PwC wrote in Forbes. “When a cybercriminal has the names, addresses, passport numbers and health details of millions of customers, the existential threat posed to an organisation is much greater than the inconvenience and revenue loss caused by locked up systems.” Trend Micro forecasts that hackers will also look to profit from data monetisation, as stolen data is not just valuable to its rightful owner: “One compromised machine can provide adversaries with a wealth of company secrets and sensitive documents for sale to the highest bidder.”
5. Changing tactics
As organisations get better at defending against ransomware, the attackers will simply change their tactics. For example, cyber security experts suggest that more attacks will target back-up services that are less frequently monitored, can provide ongoing access to data, and may be less secure.
Exploiting critical vulnerabilities in widely deployed software, such as Microsoft Exchange and firewall appliances, is also expected, as is the abuse of legitimate remote management tools such as Atera, Splashtop and Syncro, which let an intruder blend in with normal IT administration.
Others predict cybercriminals will target endpoints in the cloud or uncommon platforms such as programmable logic controllers (PLCs). Some expect a major shift towards data deletion, and towards attacks that corrupt data rather than encrypting it, because the victim cannot recover from either by finding a decryptor. Scaling up through automation is also tipped to gain popularity among the unscrupulous, and some expect to see gangs exploiting zero-day vulnerabilities.
More professionalised attackers are anticipated to pioneer new attack techniques, potentially mixing physical and cyber intrusions, such as using drones to get within range of a target’s wireless networks, according to researchers at Kaspersky.
How to protect your business
The ACSC provides these tips for protecting against ransomware attacks:
- Regularly update your devices
- Set up and perform regular back-ups
- Implement access control
- Use anti-virus software
- Turn on ransomware protection
- Disable macros
- Turn on multi-factor authentication
- Use unique passphrases
- Secure your servers
- Minimise external-facing footprint
- Migrate to cloud services
- Check messages you receive
- Avoid links that ask you to log in or reset your password
- Be careful opening files and downloading programs
- Complete the ransomware prevention checklist
- Prepare your Ransomware Back-up and Response Register
- Remain vigilant and informed.
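Several of the tips above (regular back-ups, the back-up and response register, and preparing for attackers who target back-up services or corrupt data rather than encrypt it) come down to one practical question: can you prove a back-up is intact before you rely on it? The following is an added example, not ACSC guidance or any vendor’s product. It records a SHA-256 manifest of a back-up tree at write time, which in real use would be stored somewhere the back-up host cannot overwrite (offline media or a write-once object store), and later compares the tree against that manifest. The directory layout, file contents and simulated attacker actions are constructed for the example.

```python
"""Back-up integrity manifest: detect encrypted, corrupted or deleted files.

Added example, not from the ACSC guidance or any backup product. It assumes
the back-up is a plain directory tree and that the manifest is stored where
the back-up host cannot overwrite it (offline media, write-once object store).
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB blocks so large back-ups are never loaded whole into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the back-up on disk with the manifest recorded when it was written.

    modified   - content changed (encrypted or corrupted in place)
    missing    - file gone or renamed (e.g. given a ransomware extension)
    unexpected - file absent from the manifest (renamed copies, ransom notes)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k, v in manifest.items() if k in current and current[k] != v),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_restorable(report: dict[str, list[str]]) -> bool:
    """Only a back-up with nothing changed or missing is safe to restore from."""
    return not report["modified"] and not report["missing"]


def demo() -> dict[str, object]:
    """Constructed scenario: write a back-up, record its manifest, then simulate an
    attacker who corrupts one file, renames another and drops a ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a.txt").write_bytes(b"customer ledger 2023\n")
        (root / "sub" / "b.txt").write_bytes(b"payroll export\n")
        (root / "c.txt").write_bytes(b"config backup\n")

        # Serialise the manifest; in real use this blob leaves the back-up host.
        stored = json.dumps(build_manifest(root))
        clean = verify_backup(root, json.loads(stored))

        # Simulated ransomware activity against the back-up share (constructed).
        ledger = root / "a.txt"
        ledger.write_bytes(bytes(b ^ 0x5A for b in ledger.read_bytes()))  # "encrypt" in place
        (root / "sub" / "b.txt").rename(root / "sub" / "b.txt.locked")  # rename with new extension
        (root / "RANSOM_NOTE.txt").write_bytes(b"your files are encrypted\n")
        tampered = verify_backup(root, json.loads(stored))

        return {
            "clean_restorable": is_restorable(clean),
            "tampered_restorable": is_restorable(tampered),
            "report": tampered,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as good as the manifest’s isolation: if it sits on the same share as the back-up, an attacker who can encrypt the data can simply rebuild the manifest. Running the verification on a schedule, rather than only when a restore is needed, is what turns "we have back-ups" into an item the response register can actually rely on.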
Businesses should also look at cyber insurance. While it is not a substitute for good cyber security, it does offer a business financial protection and assistance in the event they do suffer a cyberattack.
Ransomware tactics will continue to evolve and pose risks all organisations will need to grapple with. The best defence for organisations is to be prepared, not just for an attack but also for the aftereffects. Talk to your EBM Account Manager about risk mitigation and the right cyber policy for your business.