Ransomware, as the computer attack consisting of the hijacking and encryption of information to make it inaccessible to the user is known, was one of the most active threats during 2020. The data comes from an analysis carried out by the cybersecurity company Eset. According to this report, the increase in this type of attack is linked to the expansion of teleworking.
Over the past year, gangs of cybercriminals have engaged in targeted rather than random attacks, targeting companies from various industries, as well as the healthcare sector and government agencies globally, and new strategies emerged to demand a ransom payment in exchange for the user being able to regain access to the compromised material.
The theft of information prior to the encryption of files, followed by extortion under the threat of publishing, selling or auctioning the stolen confidential data, was a methodology that was observed for the first time at the end of 2019 and that was consolidated in 2020.
The objective of this measure is to add a plan B to the strategy of only encrypting the files and demanding the payment of a ransom to return access. With this new method, already adopted by several ransomware families, criminals increase the possibility of monetizing attacks by having another instrument to pressure victims into deciding to pay, since supposedly, in this way, they will prevent the disclosure of the stolen information and regain access to the data.
But “this technique requires the attacker to invest a lot of time, since he needs to gain access to the network, move undetected until he identifies the confidential data, and extract a copy of the information to save in his own environment,” Tony Anscombe, an Eset specialist, explained in the 2021 Cybersecurity Trends report.
Attackers perform persistence work once they are inside the network with the intention of collecting information and also additional credentials to ensure access to the network in case the path that allowed initial access is closed.
Additionally, many ransomware groups spend time doing intelligence work to understand what data is valuable and to identify sensitive information that, if leaked or compromised, will in some way cause damage to the company or organization, the specialist explained, according to the released report.
Recently, a new business model known as ransomware-as-a-service (RaaS) began to resonate strongly, where some actors develop these malicious codes and offer them on the dark web to partner with affiliates who take care of the malware distribution and then split the profits.
It was this type of model that was present in the attack on Migrations, in Argentina. As was learned, the attack used Netwalker, a type of ransomware that is part of a distribution chain. In RaaS models, the developer of the malicious software makes it available to third parties so that they can buy it as a tool through different distribution models. The developer charges for that kit and multiplies the ways to infect organizations.
These ransomware families often operate for some time and then cease their activities, leading to the creation of other ransomware groups that acquire the source code and in some cases add variations. Egregor, for example, is a ransomware that emerged in September 2020 and operates under this business model. Recently the FBI issued a statement warning companies around the world about the attacks of this ransomware and its increasing activity.
Egregor began operations shortly after the Maze ransomware announced it was ceasing its activities. Threat actors told BleepingComputer that this caused many Maze affiliates to go to work with Egregor as a RaaS.
The acceleration of digital transformation caused by the pandemic forced many businesses and organizations to work from home without training people in good security practices, and in many cases without providing the necessary infrastructure to work securely.
According to a survey carried out by Eset in the midst of the pandemic, only 24% of users said that the organization they work for provided them with the necessary security tools to work remotely, and 42% of participants said that their employer was not prepared in terms of equipment and security knowledge to cope with teleworking.
Many people telecommuting equates to many devices, on different networks, in different locations, and with professionals (and even companies) that, in a hurry or due to ignorance, could not implement a plan to work remotely in a secure way, Eset highlights.
This means that the attack surface increased exponentially. According to data from a survey carried out by the cybersecurity company in December, 87.67% of the participants believed that cybercriminals have seen an opportunity in the increase in remote work to launch attacks directed at companies. In addition, when asked whether they believe that companies and government entities are prepared to deal with ransomware attacks, 67.76% believed that only a few companies are, while 50.96% consider that only a few government entities have the capabilities.
If a user falls for the trap and opens a phishing email and then clicks on a link or opens a malicious attachment, their computer will be compromised with malware that can in turn download other malicious code such as ransomware.
If the user later accesses the corporate network by connecting to the VPN service that the company or government entity provides, the attacker will have access to the network and can move around to collect information and look for other access credentials that give them administrator permissions to distribute the ransomware across the general network.
The Remote Desktop Protocol (RDP) has been one of the most used mechanisms to launch ransomware attacks, also taking advantage of the use of weak passwords. Although different ransomware groups use different attack vectors to distribute the threat, several reports agree that RDP was the most widely used intrusion vector for ransomware attacks in 2020.
In fact, in the first quarter of last year, Eset reported an increase in brute-force attack attempts against RDP globally; in Latin America, the increase for the month of November was 141%, with peaks that reached 12 thousand daily attempts against the protocol. Once the attacker manages to compromise security through RDP, he can perform different types of malicious activities within the systems.
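A defender-side check for the RDP brute-force pattern described above, as an added example that is not part of the original article or of Eset's report: it scans constructed Windows Security failed-logon records (Event ID 4625 with logon type 10, which is the Remote Desktop logon type) and flags any source address with a burst of failures inside a sliding time window. The record field names, the threshold, the window and the sample values are assumptions made for the example.

```python
"""Flag RDP brute-force bursts in constructed Windows Security log records."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(minute, user, src, logon_type=10, event_id=4625):
    # Helper to build a constructed event record (field names are assumed).
    return {"time": f"2020-11-10T02:{minute:02d}:00", "event_id": event_id,
            "logon_type": logon_type, "user": user, "src_ip": src}


# Constructed sample: one source spraying common account names over RDP,
# one user mistyping a password twice, one non-RDP (network) logon failure.
EVENTS = (
    [_ev(m, u, "203.0.113.7") for m, u in zip(
        range(0, 12, 2),
        ["administrator", "admin", "backup", "sql", "test", "root"])]
    + [_ev(3, "jdoe", "198.51.100.4"), _ev(5, "jdoe", "198.51.100.4")]
    + [_ev(7, "jdoe", "198.51.100.4", event_id=4624)]   # success, ignored
    + [_ev(30, "svc", "192.0.2.9", logon_type=3)]        # not RDP, ignored
)


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: (max_failures_in_window, sorted_users_tried)} for every
    source with at least `threshold` failed RDP logons inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        # Only failed logons (4625) of type 10 (RemoteInteractive / RDP) count.
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]),
                                        e["user"]))
    flagged = {}
    for ip, attempts in by_src.items():
        attempts.sort()
        start, best, best_users = 0, 0, set()
        for end, (t, _user) in enumerate(attempts):
            # Slide the window start forward until it spans at most `window`.
            while t - attempts[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_users = {u for _, u in attempts[start:end + 1]}
        if best >= threshold:
            flagged[ip] = (best, sorted(best_users))
    return flagged


if __name__ == "__main__":
    for ip, (n, users) in rdp_bruteforce_sources(EVENTS).items():
        print(f"{ip}: {n} failed RDP logons in window, accounts: {users}")
```

In a real deployment the records would come from the exported Security log or a SIEM, and a hit on a source spraying several account names is a stronger signal than repeated failures for a single user.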
1. Offer basic cybersecurity education to employees so that they are aware of possible deception, and so that they know how to activate a second authentication factor and other basic protective measures.
2. Use a VPN.
3. Make backups periodically. In this way, if the material is hijacked or lost, there will be a backup of that data.
4. Have an update policy to correct vulnerabilities.
5. Implement multi-factor authentication and security strategies such as the principle of least privilege and least exposure.
6. It is important that organizations evaluate the mechanisms by which the information can be accessed and the paths an attacker could take to reach this data.