Ransomware is something that is not going to go away any time soon. It proliferated greatly during the height of the COVID-19 pandemic, and 2021, IMHO, was the worst year ever for it. But things slowed down in 2022, and so far, knock on wood, I have not seen any kind of major Ransomware attack happening this year.
But the trends among the Cyberattacker groups that are launching these Ransomware attacks are getting very alarming. For instance, many are now resorting to extortion attacks, and many hacking groups on the Dark Web are now offering what is known as “Ransomware as a Service”, or “RaaS”. This is where a Cyberattacker hires a group to purposely launch an attack on their behalf.
In fact, the GuidePoint Research and Intelligence Team
(GRIT) just released a report which showed that at least one new Ransomware
group is coming out each month. This
report examined a total of 2,507 victims, from 40 different market segments, and
attacks that were carried out by at least 54 active Ransomware gangs. Their report can be downloaded at this link:
https://www.guidepointsecurity.com/resources/grit-annual-ransomware-report-2022/
The illustration below depicts some of their major findings:
(SOURCE: https://www.darkreading.com/attacks-breaches/7-insights-from-a-ransomware-negotiator)
One of the lead researchers for this report is also a Ransomware negotiator, whose job is to try to get the ransom payment lowered, or to somehow negotiate getting the decryption keys back.
From this perspective, here are some of the newer characteristics that have emerged among the Ransomware groups within just the past year:
1) A definite classification scheme:
Believe it or not, Ransomware groups fall into certain categories, which are as follows:
*The Full Timers: These are the hacking groups that have been in existence for at least 9-10 months, and have impacted at least 10 or more victims. A good example of this is the Lockbit group, which has accounted for at least 33% of Ransomware attacks on a global basis. These kinds of groups have the money to build a good infrastructure, and what matters most to them is evading detection by law enforcement.
*The Rebrand Groups: These are the hacking groups which have been in business for less than 9 months or so, but are still just as active as the Full Timers. The only difference here is that they infiltrate more victims, but stay in for a much shorter period of time. Their pace is rapid fire: they hit one victim, then move on to the next.
*The Splinter Groups: These are the Cyberattackers that have broken off from one of the groups mentioned above. Either they have decided to go solo, or they have joined another group with more “exciting opportunities”. These kinds of Cyberattackers are less known, and are very erratic in their behaviors. In other words, they are still trying to discover their own brand and identity.
*The Ephemeral Groups: These are the groups that have been around for less than two months, and launch a Ransomware attack every now and then, with no defined frequency to it.
2) A lot of rebranding:
In order to evade law enforcement, like the FBI, most Cyberattackers are constantly moving from one Ransomware group to another. But this of course makes it much harder for the IT Security team to keep track of them, so the report claims that sharing intelligence with other entities (whether private or public) becomes very critical.
3) It is getting far more difficult to negotiate:
When Ransomware attacks were just starting to happen, negotiating the payment was fairly straightforward, as the negotiator was dealing with just one group. But with the advent of RaaS groups, negotiating has become very difficult, as there are now many more threat actors involved.
4) The demands for payment are higher:
In the early days of Ransomware attacks, the payments demanded were rather low, comparatively speaking, in the range of a few thousand dollars to perhaps a value in the five figures. But given the sophistication of the Ransomware groups of today, the demands for large payments are now literally getting astronomical. For example, seeing something as high as $15 million is now not unheard of. But many Ransomware negotiators are pretty successful at bringing this amount down, to say something in the six figures.
5) Extortion is on the rise:
Locking up your device and encrypting your files is one thing, but now Ransomware groups are kicking up their degree of punishment by extorting their victims as well, as mentioned before. For instance, they can now exfiltrate your PII datasets and sell them on the Dark Web for a nice profit, or even threaten to make them available to the public, thus causing brand and reputation damage which is very difficult to recover from. Why do they do this? Well, they figure that if they are not going to get any money from the actual attack, perhaps threatening the victim on a much higher and more personal level will result in getting some sort of payment.
My Thoughts On This:
In the end, Ransomware is here to stay. Now, the frequency with which it happens and to what degree it is going to get worse is anybody’s guess. Nobody can predict the future. But there is one thing that is for sure: your best line of defense against a Ransomware attack is to have an effective backup strategy.
How that is done will depend a lot on your organization’s security requirements. But the rule of thumb here is to keep backups both On Prem and at an offsite center. The latter can be as simple as storing your PII datasets in the Cloud, such as on AWS or Microsoft Azure.
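A backup only counts as a line of defense if you can tell, before you need it, that the copy is still intact. The script below is an added example, not code from the post or from the GRIT report: it records a SHA-256 manifest of the primary data when the backup is taken, then checks an On Prem copy and an offsite copy against that manifest. The directory names, file contents and the "encrypted" On Prem copy are all constructed inside a temporary directory so it runs offline; the manifest must itself be stored somewhere the attacker cannot reach (write-once or offsite), which is assumed here rather than implemented.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup copy against the manifest taken when the backup was made.

    Ransomware typically rewrites file contents (modified), renames files with a
    new extension (missing + unexpected) and drops a ransom note (unexpected), so
    all three classes are reported rather than a single pass/fail.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: primary data, an On Prem copy and an offsite copy.

    The On Prem copy is then damaged the way a ransomware run would damage it;
    the offsite copy is untouched. Returns the verification result for both.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        primary = base / "primary"
        (primary / "notes").mkdir(parents=True)
        (primary / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")  # constructed PII sample
        (primary / "notes" / "readme.txt").write_text("quarterly report draft\n")

        # Manifest recorded at backup time; assumed to be kept out of the attacker's reach.
        manifest = build_manifest(primary)

        onprem = base / "onprem"
        offsite = base / "offsite"
        shutil.copytree(primary, onprem)
        shutil.copytree(primary, offsite)

        # Simulated damage to the On Prem copy only: one file overwritten,
        # one renamed with a new extension, and a note dropped in the root.
        (onprem / "customers.csv").write_bytes(b"\x00\x11\x22 not the original contents")
        (onprem / "notes" / "readme.txt").rename(onprem / "notes" / "readme.txt.locked")
        (onprem / "README_RESTORE.txt").write_text("constructed ransom note\n")

        return {
            "onprem": verify_backup(onprem, manifest),
            "offsite": verify_backup(offsite, manifest),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        status = "OK" if result["ok"] else "DAMAGED"
        print(f"{name}: {status} missing={result['missing']} "
              f"modified={result['modified']} unexpected={result['unexpected']}")
```

Run it as-is and the offsite copy verifies clean while the On Prem copy reports one modified file, one missing file and two unexpected files. In practice the same check would be scheduled against each backup location, with the manifest kept on the offsite side, so that an encrypted On Prem copy is noticed before anyone tries to restore from it.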
The report I have highlighted here even mentions that although Cyberattackers really have no ethics amongst themselves, they do want to protect their reputation on the Dark Web. This simply means that if you do make a ransom payment, you now have a greater chance of getting the decryption keys with which to unlock your device and files. I am not sure if I agree with this or not, but then again, I am not a Ransomware negotiator.
This brings up another question: should you make the ransom payment in the end? My answer to that is no. This will only fuel the Cyberattacker to launch more attacks, and also, many insurance carriers will not make a payout if you file a claim in these circumstances. Also, with new legislation coming out, it is now even considered a crime to make a ransom payment, depending of course on the circumstances.