Ransomware Comes a March-ing
With a background in computer science and graphic design, Sophie is a passionate writer and communicator of all things technical.
Hailing from New Zealand, she provides documentation and research, commentary, and analysis on current cybersecurity topics at Fasttrack Software.
Reports are already emerging on ransomware attacks so far this year – and based on statistics from January and February, companies are on the back foot.
The Current State of Ransomware
Black Fog’s 2021 State of Ransomware Report shines a spotlight on the trends in publicized ransomware attacks over the past two months, compared to this time last year:
- Numbers – Attacks in January increased from 14 in 2020 to 19 this year, while February saw an even steeper rise: 16 to 23.
- Target Locations – The USA has been targeted considerably more than other countries, being hit with 17 out of the total 42 publicized attacks, followed by the UK, in a similar location pattern to 2020.
- Target Size – Surprisingly, no such pattern exists for the size of targeted businesses, with the average size of organization varying greatly from approximately 13,000 employees in January 2020 to 21,000 in January 2021, and just over 35,000 employees in February 2020 to under 5,000 in February 2021.
- Cost of Payout – After seeing an exponential rise in cost over the past two years, the average ransomware payout in 4Q20 was $154,108 USD, down from a whopping $233,817 in the previous quarter.
- Cost of Recovery – However, the average cost of recovery, according to SophosLabs’ 2020 State of Ransomware Report, is considerably higher for organizations who get duped into paying up:
  - $730,000 for companies who do not pay,
  - $1.4 million for those who do.
The almost doubled cost for companies who pay up could be attributed to the complex and time-consuming process of having to use several decryption keys provided by attackers to restore data, rather than just a single, all-restoring key.
Finding Success: How Do They Do It?
The ransomware gangs that have so far contributed to the statistics above gain access, propagate and encrypt using varying techniques and tactics – however, there are several key similarities to note:
The initial foothold is often gained via unsecured Remote Desktop Protocol (RDP) – an unsurprising attack vector, given how many organizations worldwide rolled out remote-access systems in response to the COVID-19 pandemic.
Once in, common ransomware behaviors include:
- Stopping Services and Processes
- Disabling Anti-Virus Software
- Using (or abusing) the Windows Restart Manager API
- Deleting Shadow Volume Copies
- Moving Laterally Across Networks
All these tactics make detection and termination by the victim organization exceedingly difficult (an analysis of each of these tactics can be found here).
Compiling What We Know
Couple those common behaviors with the above report statistics, and we know that ransomware gangs are:
- Predominantly targeting companies in the Western World (the USA and UK)
- Showing no clear preference for the size of their target (both big and smaller companies hit)
- Costing staggering amounts of money, regardless of whether companies pay up
- Infiltrating via commonly used RDP systems
- Using advanced techniques prior to encryption to ensure success.
Based on this, it’s bad news all round for the average organization – but there are ways to ensure your company doesn’t feature as a statistic in the next monthly ransomware report.
Admin By Request: A Three-in-One Solution
Admin By Request is a Privileged Access Management (PAM) solution that encompasses three of its very own advanced tactics to keep ransomware at bay.
The average endpoint anti-malware solution has a chance of detecting malicious activity (such as file encryption – the ultimate goal of ransomware). But when it comes to advanced threats – like the ransomware contributing to this year’s statistics – a single endpoint solution just isn’t enough to guarantee safety.
This is of particular importance this year, with January and February’s ransomware variants often including functionality to disable or uninstall endpoint antivirus solutions, to avoid detection and ensure an uninterrupted encryption process (more on this here).
Admin By Request integrates OPSWAT’s MetaDefender Cloud API to utilize over 35 anti-malware engines, all of which scan files for malware – taking the detection rate up to almost 100%.
The ransomware seen so far in 2021 attempts lateral movement fueled by privilege escalation, looking to expand its reach from the initial infection device to the wider network, and gain higher privileges so certain key steps in the infection process can take place (more on this here).
An integral feature of Admin By Request is the Auditlog, which records privileged user activity that occurs during an elevated session, along with associated details. This essentially means no undue privilege escalation can occur without being noticed and investigated by company admins, who have access to the Auditlog via the Admin By Request web or mobile user portal.
Privileged Access Management
At its core, Admin By Request is a solution to manage your privileged users: the ‘danger’ users when it comes to ransomware – because the higher the privileges a user has on their device, the more access and control they have over the wider network, other users, systems and settings.
To ensure the safety of your network, Admin By Request implements POLP – the Principle of Least Privilege – revoking admin rights and demoting all users (other than those deliberately excluded) to the status of regular user. However, users still have the ability to perform tasks (such as software installs) and run applications as administrator when they absolutely need to by means of self-initiated elevation – a technique known as Just-in-time Elevation (JIT).
When elevation occurs, the computer environment stays completely safe because Admin By Request elevates the application; not the user. At no point does the user gain administrator access to their device.
In such a tightly controlled environment, ransomware is unable to perform key tasks in the infection process, such as stopping services and processes, abusing built-in Windows tools and protocols, clearing event logs, and deleting shadow volume copies (more on these behaviors here).
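The pre-encryption behaviors listed under “Once in, common ransomware behaviors include” and recalled in the paragraph above (service and process stopping, anti-virus tampering, event-log clearing, shadow volume copy deletion) are also the behaviors a defender can hunt for in endpoint telemetry. The following script is an added example written for this article; it is not code from the original post or from Admin By Request. It assumes process-creation events have been exported as pipe-separated lines of timestamp, host, user, integrity level and command line (the field layout is an assumption), and the log lines it runs on are constructed for the example. Restart Manager API abuse is not visible in a command line and would need API-level monitoring, so it is deliberately not covered.

```python
"""Hunt process-creation logs for the pre-encryption ransomware behaviors
named in the article, and escalate hosts where several of them cluster.

Added example, not part of the original article and not Admin By Request's
code. Log format (an assumption): timestamp|host|user|integrity|command line,
resembling Sysmon Event ID 1 records flattened for export.
"""
import re
from collections import defaultdict

# (rule name, MITRE ATT&CK technique id, pattern over the command line)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("service_or_process_stop", "T1489",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/im)\b", re.I)),
    ("av_tampering", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

# Constructed sample records: one workstation shows the clustered behaviors
# the article describes, the other two show benign or isolated activity.
SAMPLE_LOGS = [
    "2021-03-04T09:12:01Z|WS-0142|CORP\\jdoe|Medium|C:\\Program Files\\App\\app.exe --update",
    "2021-03-04T09:13:44Z|WS-0142|CORP\\jdoe|High|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2021-03-04T09:13:45Z|WS-0142|CORP\\jdoe|High|wevtutil.exe cl Security",
    "2021-03-04T09:13:46Z|WS-0142|CORP\\jdoe|High|net stop MSSQLSERVER /y",
    "2021-03-04T09:14:10Z|WS-0207|CORP\\asmith|Medium|powershell.exe -c Get-Service WinDefend",
    "2021-03-04T09:20:00Z|SRV-DB01|CORP\\svc_backup|High|net stop Spooler",
]


def parse_line(line):
    """Split one exported record into its five fields (assumed layout)."""
    ts, host, user, integrity, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "integrity": integrity, "cmd": cmd}


def classify(cmd):
    """Return every (rule name, technique id) whose pattern matches the command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmd)]


def analyze(lines, cluster_threshold=2):
    """Tag matching events and escalate hosts with >= cluster_threshold distinct behaviors.

    A single service stop is routine admin work; several different
    pre-encryption behaviors on one host within the log window is not.
    """
    hits = []
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        for name, tid in classify(ev["cmd"]):
            hits.append({**ev, "rule": name, "technique": tid})
            per_host[ev["host"]].add(name)
    escalated = {h for h, names in per_host.items() if len(names) >= cluster_threshold}
    return hits, escalated


if __name__ == "__main__":
    hits, escalated = analyze(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} [{h['integrity']}] {h['rule']} ({h['technique']}): {h['cmd']}")
    print("Escalate hosts:", sorted(escalated) or "none")
```

The integrity level is carried through on every hit because it ties the detection back to the article’s point: each of these steps needs an elevated process, so a High-integrity process from an ordinary user account running them is exactly the event an elevation audit trail should have a matching, approved entry for.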
Are You the Next Target?
With a little luck, and a comprehensive Privileged Access Management solution such as Admin By Request, you don’t have to be.
Small or large, your organization needs comprehensive protection from the ever-advancing ransomware variants that have found success so far this year.
The stats for this month’s attacks will be appearing in about two weeks’ time – don’t be a victim of March in the next State of Ransomware Report.