Resisting a Triple Threat: Ransomware Attacks and Prevention in 2022
Ransomware attacks have rapidly increased in frequency over the past three years, with reports of incidents increasing by 62% from 2020 to 2021.
According to IBM, the average cost of a ransomware breach in 2021 was $4.62 million, not including the cost of the ransom. It’s no wonder ransomware is one of our top attack vectors to watch out for in 2022. Ransomware attack tactics are evolving and becoming increasingly more professional, with an increase in services for hire (Ransomware-as-a-Service) and a growing threat of triple extortion ransomware. Here we will explore recent major attacks, double and triple extortion ransomware, and ransomware prevention.
A Tumultuous Political Landscape and Recent Ransomware Attacks
In May of 2021, we witnessed the ransomware attack on Colonial Pipeline, an attack that impacted gas prices for millions of consumers. The company ended up paying DarkSide, a Russia-linked cybercrime organization, $4.4 million after they had successfully shut down the pipeline for six days. The attack was the result of a single compromised VPN password.
Not long after the Colonial Pipeline attack, JBS Foods, one of the largest meat suppliers in the US, disclosed a hack that caused it to temporarily halt operations at its five largest US-based plants. The ransomware attack also disrupted the company’s Australia and UK operations. JBS paid the hackers an $11 million ransom in Bitcoin to prevent further disruption and limit the impact on grocery stores and restaurants with a supply chain already riddled with bottlenecks. The FBI announced the following day that the attack likely came from a hacker organization known as REvil or Sodinokibi, which is now a confirmed Russian Ransomware-as-a-Service organization.
In March of this year, Denso Corp., a multi-billion dollar Japanese auto parts supplier to companies such as Mercedes-Benz, Toyota, Honda, Volvo, and Ford, reported a ransomware attack. After breaching Denso Corp., the cybercrime gang Pandora leaked 1.4 terabytes of stolen data belonging to Toyota Motor Group. The leaked data included emails, purchase orders, non-disclosure agreements, technical drawings, and other classified information. ThreatPost observed that the attack came on the heels of Japan rejoining Western allies in blocking Russian banks from accessing the SWIFT international payment system and committing to giving Ukraine $100 million in emergency aid. This tactic of withholding data while also threatening to publish it is an example of increasingly common combination attacks involving multiple extortion levels.
The Rise of Double and Triple Extortion Ransomware Attacks
There is a growing trend of cybercriminals not stopping at a ransomware threat if they don’t get what they want. For example, when a company refuses to pay up, some cybercriminals threaten to publish sensitive data online. Toward the end of 2019, a large global security staffing firm, Allied Universal, suffered a double extortion ransomware attack. After they refused to pay, the attackers threatened to use sensitive information extracted from Allied Universal’s systems and stolen email and domain name certificates for a spam campaign impersonating Allied Universal. According to Check Point Research, the attackers published a sample of the stolen files, including contracts, medical records, encryption certificates, etc. This means even those companies that regularly back up their data are not safe from double extortion attacks.
As if it couldn’t get any worse, other companies have experienced triple extortion ransomware attacks. After threatening to publish a victim organization’s data, cyber criminals will also threaten and extort clients or partners of the victim organization. For example, a psychotherapy clinic in Finland was breached, and patient records were held for ransom. The attackers then proceeded to contact some of the clinic’s patients and threatened to publish their personal information online unless they paid ransoms.
Other triple extortion ransomware attacks involve more than one attack vector. For instance, hackers will steal and encrypt an organization’s data and threaten to publish it. Then if the organization still doesn’t comply, they will conduct a DDoS attack to force them into negotiation. The average ransom demand has climbed more than 500% between 2020 and 2021, which is likely due to the effectiveness of these combination tactics.
Ransomware Prevention and Mitigation
Ransomware prevention tactics are crucial to protect any business in today’s political environment. A combination of tactics is necessary to stop these multimodal attacks.
- Educate staff
According to IBM’s Cost of a Data Breach Report, phishing was the method used in nearly 40% of breaches. The importance of creating a password with a certain level of complexity may be evident to some, but many employees are still using easy-to-guess passwords. NordPass analyzed data from 15,603,438 breaches and found that 20% of passwords maintained by employees of Fortune 500 companies were the name of the company, and “password” is still a commonly used password. Educate employees on these hacks and provide them with password best practices on a regular basis. It’s also necessary to regularly provide employees with information about phishing attacks, how they occur, and how to prevent them. Send staff test emails to make them more aware of what phishing attempts look like. - Implement backup and disaster recovery plans
Go through the process of developing a thorough disaster recovery or DR plan. Learn and understand recovery point and recovery time objectives (RPOs and RTOs) across the organization, and implement a backup solution with a trusted colocation service provider that enables a return to a set recovery point after an outage or after data has been lost. The most secure backup solution is an isolated solution that segments storage locations to isolate them from the rest of the network. Download our IT Leader’s Disaster Recovery Guide to learn more about IT disaster recovery and start building your DR solution. - Buy cyber insurance
According to Sophos, many organizations rely on cyber insurance to help them recover from a ransomware attack. In a survey of 5,600 IT professionals across the globe, they found that 83% of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack. According to the survey results, cyber insurance almost always pays out. In 98% of incidents where the victim had cyber insurance that covered ransomware, the insurer paid some or all the costs incurred (with 40% overall covering the ransom payment). Cyber insurance will be a must as multimodal ransomware attacks become more common.
Countering Combination Attacks
With an uncertain political landscape and the increasing use of combination cyberattack strategies, it’s more important than ever to ensure your business is prepared for ransomware attacks. To counter combination attacks, IT and cybersecurity leaders should train with a combination of prevention and mitigation strategies. These strategies should include recognizing and preventing hacking attempts, safeguarding data, and mitigating economic loss.