As ransomware gets craftier, companies must start thinking creatively

Some say ransomware is in decline. Others say it’s getting craftier.

File-encrypting malware, known as ransomware, infects vulnerable computers and scrambles their files, offering victims the return of access to their data once they pay a ransom. Ransomware remains one of the most popular types of malware and is said to be a multi-billion dollar — albeit illegal — industry.

But as companies gain awareness and shore up their cybersecurity defenses, the cat and mouse game continues between ransomware-launching threat actors and their victims, which can range from small businesses to local governments.

“Ransomware is a lucrative business model for the adversary because they get paid directly by the victim,” Steve Grobman, chief technology officer at McAfee, told TechCrunch.

In the past few months, security experts have seen a reduction in the “spray and pay” attacks against a large number of businesses and an increase of more focused efforts against larger corporate targets. Now ransomware-focused threat actors are using creative means to break into systems and deploy ransomware for the threat actor’s payday.

Just this week, foreign currency exchange Travelex was forced to suspend services at its stores after it confirmed a malware infection on December 31. A week later, the company is still largely offline. Travelex said little beyond a prepared statement, but it was reported that the company was hit by the notorious Sodinokibi (or rEvil) ransomware.

Security researcher Kevin Beaumont recently found that attackers were exploiting a vulnerability in victims’ corporate virtual private network (VPN) installations to deliver ransomware directly to the internal networks of those victims, instead of relying on more conventional methods like duping unwitting employees into opening a malicious email.

The affected corporate VPN providers released patches for the vulnerabilities early last year, but many organizations failed to patch their systems, exposing their entire networks to cyberattackers.

One of the VPN providers, Pulse Secure, confirmed that vulnerable organizations with unpatched systems were at risk of ransomware.

“Threat actors will take advantage of the vulnerability… and in this case, exploit unpatched VPN servers to propagate malware, Sodinokibi (rEvil), by distributing and activating the ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched Pulse VPN servers,” said Scott Gordon, chief marketing officer at Pulse Secure.

Last April, we saw more evidence of ransomware threat actors switching tactics. Drinks giant Arizona Beverages suffered a ransomware attack that knocked its systems offline for days. Some weeks prior, the company’s network was infected with Dridex, traditionally a banking malware designed to steal credentials to commit fraud. But attackers repurposed the malware for reconnaissance and later used it to deliver ransomware to the entire company.

Grobman said the Sodinokibi ransomware was highly active during 2019 with an increased focus on targeting specific companies. And it looks like the threat group is storming into the new year with full force, targeting seven major companies with Sodinokibi and raking in more than $10 million in ransoms this past week alone.

In some cases, smaller companies don’t have a chance. Just before Christmas, an Arkansas telemarketing agency shut down, leaving 300 employees without work, following a ransomware attack from which the company couldn’t recover. It’s a similar situation in local and state governments, which attackers see as large targets because of their ability to pay ransom demands to get back their citizens’ critical data, while lacking the IT and security resources to properly protect themselves. Just last month, New Orleans declared a state of emergency following a ransomware attack. Pensacola, Florida, Jackson County, Georgia and Louisiana’s state government were all hit by ransomware threat actors last year.

The FBI has long warned against paying ransomware threat actors.

Many ransomware threat actors are also targeting outsourced IT companies — so-called managed service providers (MSPs) — which manage IT systems on behalf of their clients, a campaign that appears to be working.

In the past few months, several outsourced IT providers were targeted with ransomware, taking down not only their own systems but their customers’ systems as well. Colorado-based Complete Technology Solutions, an IT managed service provider specializing in dental offices, was hit in December by the Sodinokibi ransomware. Weeks later, another outsourced IT provider, Synoptek, was infected by the same ransomware.

“One of the biggest challenges is that the threat surface continues to grow and expand,” said Grobman. In other words, companies need to think about all the ways that an attacker can get into their systems — even the unconventional ways. And that’s no less true with ransomware. Where businesses are securing their email inboxes, ransomware threat actors are finding inventive new ways to breach their defenses.

Grobman said comprehensive cybersecurity defenses are important — from endpoint security to ensuring the network perimeter is protected against attacks.

But some of the simpler, easier and more effective solutions still hold true.

“Things like having comprehensive offline backup and recovery plans for all critical data and system state,” said Grobman. “If critical information is held for ransom, there’s an opportunity to recover it without paying the ransom.”