Stories of companies crippled by ransomware intrusions dominate headlines. Still, for someone who has never experienced a cyber attack, it’s hard to understand the extent to which it can damage an organisation.
Ransomware attackers have developed sophisticated methods to harm their targets, and their operations are often free of implementation errors. Some of the latest attacks featured a new component that allowed them to expose not only companies but also communities and public organisations to data loss.
Cybercriminals are no longer satisfied with attacking organisations; they cripple governments, hospitals, and family ventures. Lately, hackers lock down computer networks without considering who the victims are.
To better understand how a ransomware attack can affect a target, we’ll provide some fresh insights on the experience some organisations had with hackers.
Half of the existing ventures experienced a ransomware attack in the last year. Hackers managed to decrypt over 70% of the data these companies stored and use it for malignant purposes. 95% of the companies that paid the ransom recovered their data, but 1% of the victims never got it back. The organisations that got their data encrypted found it easier to restore it via backups.
The victims dealing with ransomware attacks pay not only the costs associated with losing the data but also the ransom, so their expenses double when hackers strike.
Even if hackers prefer the private sector when setting attacks, the public one isn’t safe either. 45% of the victims were organisations and institutions functioning in the public sector.
Cybercriminals are Shifting Targets
The first ransomware attacks were created as consumer threats and were slightly more aggressive than scareware attacks. But with the advent of technology, the dark web has become a crowded place to design cyber-attacks, and hackers had to expand their area of operation.
Antivirus providers also upgraded their products to cover a broader range of services, so they could quickly identify and prevent ransomware at the level hackers delivered at first. A report from 2019 observed the evolution of cyberattacks between 2018 and 2019. Its authors reported that what seemed to be a dormant threat in 2018 came back to life in a big way in 2019, and switched its target from mass internet consumers to businesses and communities.
During the analysed period, the number of organisations experiencing cyber attacks increased by 365%, and the number of consumer victims decreased. Hackers focus on businesses and public institutions and use all kinds of infection methods to exploit information. Even if technology evolved and antivirus services improved, cybercriminals still find it easy to infect organisations.
EternalBlue is one of the vulnerabilities that devices running Microsoft software have, and hackers took advantage of it to exploit data. The Server Message Block protocol, which Microsoft used to solve the issue, worked as a propagation tool for ransomware worms like NotPetya and WannaCry.
This protocol isn’t the only factor that led to a growth in cyber-attacks, but it encouraged hackers to come up with more creative methods to attack organisations. Before these worms, big companies assumed their cybersecurity was strong enough to protect them from ransomware.
Still, after analysing the extent of the damage they produced, they understood that more effective measures were needed. For criminals, these events were convincing enough to conclude that it’s worth going after organisations instead of consumers.
Hackers Count on New Attack Methods
Cybercriminals still rely on insecure Remote Desktop Protocol and spear-phishing as their main methods to attack their victims, but they also came up with new techniques. Lately, they buy access to systems already infected with other malware.
For someone who was never passionate about cybersecurity, it may sound strange that hackers go on online marketplaces to buy access to hacked servers, computers, and botnets to deploy their malware. Shouldn’t they be able to hack the systems on their own? They can do it, but it’s easier to pay for a Trojan or Ryuk ransomware.
Most Ryuk ransomware incidents rely on commodity malware. In the cybersecurity world, experts specialised in ransomware investigations, like the ones from Cytelligence, often witness the following scenario: Emotet leads to TrickBot infections that in time facilitate Ryuk compromises. There’s no logical reason behind this, but specialists assume the hackers behind Ryuk attacks pay the TrickBot initiators for access.
For a time, TrickBot does its standard automated credential theft, but when the Ryuk hackers take over control, the operations change. They are more hands-on cybercriminals who use system administration tools, public attack frameworks like PowerShell Empire, and network scans to prevent malware detection.
They spend more time investigating the environment, identifying weak points and domain controllers, and preparing the terrain for a significant hit. Some compare their techniques with the ones military tactical groups use.
But for companies and public institutions, the good news is that between the Emotet infection and the Ryuk takeover, there’s a large window of time in which the target can detect and stop the infection. Usually, it takes around a month for Ryuk hackers to gain access to TrickBot infected systems.
However, only companies equipped with advanced network and monitoring tools can detect malware movement. For small organisations that don’t invest in building capabilities to prevent cyber-attacks, these attacks are too sophisticated to detect until their effect is too extensive.
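The window described above can be tracked per host, as in the following added example (not code from the original article). It assumes alerts arrive already tagged with one of three hypothetical stage labels (`emotet`, `trickbot`, `hands_on` for admin-tool, attack-framework or network-scan activity), uses constructed sample alerts, and takes 30 days as the "around a month" estimate.

```python
from datetime import datetime, timedelta

# Chain stages in the order the article describes them (labels are assumptions).
STAGES = ["emotet", "trickbot", "hands_on"]
# Assumption: "around a month" is modelled as 30 days from the first sighting.
WINDOW = timedelta(days=30)

# Constructed sample alerts: (ISO timestamp, host, stage label).
SAMPLE_ALERTS = [
    ("2019-09-02T08:14:00", "ws-017", "emotet"),
    ("2019-09-05T11:40:00", "ws-017", "trickbot"),
    ("2019-09-21T02:03:00", "ws-017", "hands_on"),
    ("2019-09-10T09:00:00", "ws-044", "trickbot"),  # no Emotet alert was seen
    ("2019-07-01T10:00:00", "ws-090", "emotet"),
    ("2019-09-15T10:00:00", "ws-090", "trickbot"),  # long-neglected infection
    ("2019-09-20T12:00:00", "ws-101", "emotet"),
]
NOW = datetime(2019, 9, 22)  # constructed "current time" for the sample


def correlate(alerts, window=WINDOW):
    """Per host: furthest stage reached, first sighting, and response deadline."""
    hosts = {}
    for ts, host, stage in sorted(alerts):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        state = hosts.setdefault(host, {"first_seen": when, "rank": 0})
        state["rank"] = max(state["rank"], STAGES.index(stage))
    return {
        host: {"stage": STAGES[s["rank"]], "respond_by": s["first_seen"] + window}
        for host, s in hosts.items()
    }


def escalations(alerts, now):
    """Hosts ordered worst first: furthest stage, then least time left.

    A negative days_left means the estimated window has already closed.
    """
    rows = [
        (host, r["stage"], (r["respond_by"] - now).days)
        for host, r in correlate(alerts).items()
    ]
    return sorted(rows, key=lambda row: (-STAGES.index(row[1]), row[2]))


if __name__ == "__main__":
    for host, stage, days_left in escalations(SAMPLE_ALERTS, NOW):
        print(f"{host}: stage={stage} days_left={days_left}")
```

A commodity-malware alert on its own usually gets low priority; ordering hosts this way treats it as the start of a countdown instead.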
The Real Impact of Ransomware Remains Unknown
Private organisations aren’t always obliged to report cyberattacks, so the real impact of ransomware is far from being known in terms of prevalence and cost. It’s hard to say how often victims choose to pay the ransom, but considering the incidence of the events, it’s clear the targets do it often enough to encourage cybercriminals to invest in this method.
In October 2019, the FBI’s Internet Crime Complaint Centre stated that since 2018, the number of indiscriminate ransomware attacks dropped, but the effects of the incursions grew. Cybercriminals set more targeted attacks, invest in sophisticated tools, and the overall result remains damaging for victims.
When they hit public institutions like hospitals, governments, municipalities, police departments and schools, the visibility of the attacks is higher. The extent of the attacks is also more considerable because public organisations don’t have the same resources to fight cyberattacks and rely on an outdated IT infrastructure.
Ransomware seems to have evolved from an attack directed towards customers to an invasion of organisations’ data.