Ransomware operators see a better opportunity to generate more “revenue” from their victims, and the idea of ransomware also exfiltrating data to be used to extort the payment is gaining steam.
Ransomware started as little more than a nuisance, impacting just a few endpoints. Then the idea of spreading throughout a network to infect as many machines as possible became mainstream. By this time, backup vendors had caught on and provided much-needed guidance on how to simply recover from the attack and ignore ransom demands.
So, the bad guys had to come up with a new angle – one that would ensure they get their ransom. And thus, exfiltration and extortion were added to ransomware. The fact that organizations would have their data publicly posted – not to mention the confirmation of a data breach and all the remediation costs that go along with it – was enough for ransomware operators to see increases in ransom payments.
Now, just like any software vendor today who sees the value in partnering with other organizations to improve their own offering, we’re seeing many ransomware operators jumping on the same bandwagon and even using another ransomware operator’s publishing platform to speed up their time-to-market with this “upgrade” in their ransomware.
Thus far, the list of ransomware operators is pretty lengthy and includes: AKO, CLoP, CryLock, DoppelPaymer, Nemty, Nephilim, Netwalker, ProLock, Pysa, Ragnar, REvil/Sodinokibi, Sekhmet, Snake, Snatch, and – of course – Maze. Without even knowing the specifics behind each of these ransomware variants, it should at least have you doing your best rendition of the infamous blinking guy.
The tide has turned: ransomware should no longer be considered a disruptive attack that uses a lack of productivity as the incentive to pay. It’s imperative that it be considered a data breach – regardless of whether there is an indication of data theft or not. Organizations can no longer take the chance and need to proactively take steps to stop these attacks from occurring.
Most ransomware still enters the organization via a phishing attack. This makes the user the perfect asset either for the attacker or for the organization. What determines whose side they’re on is whether the user falls for the phishing scam or is already vigilant and sees right through it. Users who have gone through Security Awareness Training are educated on such attacks, the social engineering methods used to fool them, and what steps to take should they suspect they are the target of a phishing-based attack.
Stopping ransomware is mission critical today. Ensuring your users play a role is the key.