With hundreds of millions of people stuck at home you may have thought that other than video streaming, gaming and delivery companies, there were no other growth markets.
Sadly, hacking is one of the areas growing very rapidly – even through the pandemic.
In fact, the pandemic has made it even easier for hackers, who can attack home computers as well as the remote-access ports companies have opened so that workers can get in.
According to Coveware, the average cost of a ransomware payment has hit $111,605, a 33% increase from Q4 of 2019 to Q1 of 2020. Few industries are growing this quickly.
It’s not just the cost that has made things worse. Hackers are getting more malicious. There was a time when hackers either received the ransom or moved on. If an organization was breached, they could always wipe their systems and reinstall from backups. This of course assumed backups existed. They didn’t have to pay.
In January of this year, we broke the news that ransomware has become extortionware meaning hackers are threatening to post the victim’s data online if they do not get paid. This can have drastic consequences as it could cause customer loss, loss of competitive position, increased fines, costs associated with customer credit monitoring services, increased legal costs, increased cyber insurance costs, etc.
In March, U.S. pharma giant ExecuPharm confirmed that it was hit by a ransomware attack. The ransomware group behind the attack published the data they stole from ExecuPharm’s servers to a dark web site associated with the CLOP ransomware group.
Hackers are getting far more aggressive. They can now infect Android devices with ransomware, for example.
In addition, there are ten ransomware strains being used in advanced attacks according to Microsoft:
- RobbinHood: "They typically start with an RDP brute-force attack against an exposed asset," Microsoft says. "They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed." (See: Baltimore Ransomware Carnage Compounded by Local Storage.)
- Vatet loader: This custom loader is designed to work with the legitimate Cobalt Strike penetration testing framework, which is similar to Metasploit, and is being used by a gang that often brute-forces RDP endpoints or exploits CVE-2019-19781, a severe vulnerability in Citrix Application Delivery Controller and Gateway products that came to light last December and which Citrix patched in January (see: UK and US Security Agencies Sound COVID-19 Threat Alert). "The group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers and other critical verticals," Microsoft says. "They are one of the most prolific ransomware operators during this time and have caused dozens of cases."
- NetWalker: Attackers wielding this ransomware (also known as Mailto) have been hitting hospitals and healthcare providers using emails with COVID-19 themes that have malicious Visual Basic scripts (.vbs) attached (see: COVID-19 Complication: Ransomware Keeps Hitting Healthcare). "The campaign operators also compromised networks using misconfigured IIS-based applications" to deploy the Mimikatz credential-stealing tool, use the PsExec command-line tool, and deploy NetWalker, Microsoft says.
- PonyFinal: While this ransomware might be Java-based, Microsoft says it's nevertheless being used to crypto-lock victims. "Campaign operators compromised internet-facing web systems and obtained privileged credentials," it says, followed by their establishing persistence and using Microsoft PowerShell to create a reverse shell for remote access. "They also used legitimate tools, such as Splashtop, to maintain remote desktop connections."
- Maze: The gang behind Maze gained notoriety in late 2019 for leaking stolen data in an attempt to force victims to pay. Many other gangs are now emulating this tactic (see: More Ransomware Gangs Join Data-Leaking Cult). The Maze gang also regularly targets managed service providers, so that by infecting one organization, they can potentially infect many more. Experts say Maze ransomware gets regularly spread via email as well as targeted attacks that begin via RDP, followed by attackers using Cobalt Strike, PsExec, PowerShell-based remote shells, Windows Remote Management and changes to Group Policy in Active Directory.
- Sodinokibi: The operators of this ransomware-as-a-service offering, also known as REvil, share ransom proceeds with the affiliates who actually infect endpoints. Some affiliates, including Maze, also specialize in hacking MSPs. Sodinokibi affiliates' "techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec," Microsoft says (see: Ryuk and Sodinokibi Surge as Ransom Payments Double).
Microsoft also says it saw the following four ransomware families being used in advanced attacks in the first two weeks of April.
- Paradise: Formerly distributed by email, Microsoft says this crypto-locking malware is now being used in more advanced attacks.
- RagnarLocker: This is installed onto victims' networks by a gang that relies on stealing credentials, deploying RDP and installing Cobalt Strike (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
- MedusaLocker: This ransomware may be getting deployed by TrickBot infections, Microsoft says.
- LockBit: This ransomware is being used by attackers who also rely on CrackMapExec, a publicly available penetration testing tool, to move laterally across compromised networks.
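Several of the groups above follow the same sequence Microsoft describes for RobbinHood: brute-force an exposed RDP service, log in with the guessed credentials, then create new local or Active Directory accounts for later access. The script below is an added example (not from the original post or from Microsoft's report) showing how a defender can flag that sequence in Windows Security events; the log lines are constructed samples in a simplified `timestamp|EventID|LogonType|SourceIP|Account` layout, and the thresholds are illustrative assumptions.

```python
"""Flag the RDP brute-force -> successful logon -> new account pattern.
Constructed sample events (not real logs). Windows Security EventIDs used:
4625 failed logon, 4624 successful logon, 4720 user account created,
4732 member added to local group. LogonType 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|EventID|LogonType|SourceIP|Account
SAMPLE_LOG = """\
2020-04-01T02:00:01|4625|10|203.0.113.7|administrator
2020-04-01T02:00:03|4625|10|203.0.113.7|admin
2020-04-01T02:00:05|4625|10|203.0.113.7|backup
2020-04-01T02:00:07|4625|10|203.0.113.7|svc_sql
2020-04-01T02:00:09|4625|10|203.0.113.7|helpdesk
2020-04-01T02:00:11|4624|10|203.0.113.7|helpdesk
2020-04-01T02:09:40|4720|-|-|support2
2020-04-01T02:09:41|4732|-|-|support2
2020-04-01T09:15:00|4625|10|198.51.100.5|jsmith
2020-04-01T09:15:20|4624|10|198.51.100.5|jsmith
"""

FAIL_THRESHOLD = 5                        # failed RDP logons from one IP ...
FAIL_WINDOW = timedelta(minutes=5)        # ... within this window (assumed)
FOLLOWUP_WINDOW = timedelta(minutes=30)   # new account after foothold (assumed)

def parse(log_text):
    """Turn the pipe-separated sample lines into typed event tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, eid, ltype, ip, acct = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), ltype, ip, acct))
    return events

def detect(events):
    """Return alerts as (source_ip, brute-forced account, newly created account)."""
    alerts = []
    failures = defaultdict(list)   # ip -> recent failed RDP logon timestamps
    footholds = []                 # (time, ip, account) of logins after a burst
    for ts, eid, ltype, ip, acct in events:
        if eid == 4625 and ltype == "10":
            failures[ip] = [t for t in failures[ip] if ts - t <= FAIL_WINDOW] + [ts]
        elif eid == 4624 and ltype == "10" and len(failures[ip]) >= FAIL_THRESHOLD:
            footholds.append((ts, ip, acct))   # success right after a burst
        elif eid == 4720:   # account created shortly after a suspicious RDP login
            for ft, fip, facct in footholds:
                if timedelta(0) <= ts - ft <= FOLLOWUP_WINDOW:
                    alerts.append((fip, facct, acct))
    return alerts

if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print("ALERT: brute-forced RDP from %s as %s, then account %s created" % a)
```

The single normal login from 198.51.100.5 (one failure, then success) does not trip the rule, while the burst from 203.0.113.7 followed by the new `support2` account does.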
All companies are at greater risk. Public companies have mentioned ransomware in their SEC filings in record numbers. Over 1,000 have done so in the last 12 months and over 700 this year alone! They are listing ransomware in SEC reports as a credible and potential future risk for their operations. Costs for an insured company hit with ransomware have reached $210,000.
That is the "average" decryption fee and the "average" recovery costs, and those numbers also include smaller companies who don't have to file reports with the SEC.
The challenge Apex Technology Services sees in the market is smaller companies still shop for IT and cybersecurity like they might buy paper cups. They think all services are the same and they don’t realize that cybersecurity still hinges on people and people are fallible. Working with a company with a great reputation, references and qualified management, processes and techs is crucial. This goes for the MSP or MSSP you work with.
We have been receiving a good number of requests for network risk assessments lately which gives us hope that more companies are realizing the threat is real. We have witnessed companies who do not take the threat seriously put out of business because their customers fled after they learned of a hack. This can happen to many businesses and the risks today are greater than ever as there are more people working from home than ever.
We had a very informative webinar titled: COVID-19: Teleworking & Cybersecurity Best Practices with Datto – a great partner of ours that provides quality business continuity and disaster recovery solutions. It is free to view – we suggest you watch and share with your team and others, as it can be very helpful in keeping your company secure.
It is never too early to take cybersecurity seriously. Contact us – we want to help keep you more secure.