Ransomware attacks in 2021
Date published: 18 Oct 2021
Cyberattacks are on the rise and ransomware is one of the most prominent threats to an organization’s network security. It has been reported by Trend Micro that 84% of organizations in the United States have experienced some form of ransomware or phishing attack within the last 12 months.
Ransomware attacks are extremely costly to organizations because of the extortion itself and the remediation required in the aftermath. These costs continue to rise: it has been estimated that this year the global damage caused by ransomware will amount to $20 billion, a sharp increase from the $5 billion recorded in 2017.
It has been predicted that within a decade the frequency of these incidents will increase from one every 11 seconds to one every two seconds, and that the global cost could reach as high as $265 billion.
Ransomware is on the rise as more organizations pay the ransom and so there is more incentive for criminals to launch an attack. Once an organization has shown that they are willing to comply, they open themselves up to future attacks from either the same actor or other groups of cybercriminals.
Many of these attacks have targeted high-profile organizations and put essential infrastructure at risk. In the aftermath of these incidents, investigations must take place to identify what network weaknesses have been exploited and solutions must be found to prevent future occurrences.
Performing regular audits on your core network devices will allow you to understand where your organization’s security vulnerabilities lie and help to minimize an attacker’s system access in the event of a targeted ransomware attack.
Victims of costly ransomware attacks this year have included Acer, CNA Insurance, Colonial Pipeline and JBS. By understanding what took place in each of these incidents, we can gain a better understanding of which vulnerabilities could be exploited within our own networks.
Acer
Taiwanese computer manufacturer Acer fell victim to a large-scale ransomware attack earlier this year. The group claiming to be behind the attack was REvil, a notorious operation offering ransomware as a private service.
They initially demanded $50 million from Acer for the decryption key, before increasing the sum to $100 million if the deadline was not met, making this one of the largest ransomware incidents in history. Bitcoin is the currency most commonly demanded by bad actors; in this case, however, the Monero cryptocurrency was chosen.
A large amount of sensitive, confidential information was stolen from the network. This was a double-tap attack: the group released a file on its site showing a customer database with account numbers and credit limits, making the public aware of the ransom and increasing the pressure on Acer to pay. While unconfirmed, it is believed that REvil gained access by exploiting an MS Exchange vulnerability.
CNA Financial Corporation
Chicago-based insurance giant CNA was the victim of a ransomware attack in March this year. The group claiming responsibility was the Phoenix Cryptolocker ransomware gang, which is said to be linked to the Evil Corp hacking group.
Prior to the ransomware attack, the attackers accessed the network several times to copy information.
After two weeks of negotiations, CNA reportedly agreed to pay the $40 million ransom to recover its stolen data. The Cryptolocker ransomware encrypted personal data about current and former employees and contract workers on 15,000 machines on the company’s network, as well as on machines used by remote workers connected to the company VPN. Up to 75,000 customers may also have been affected.
The firm has since carried out an investigation and enhanced its network security. They have also offered those impacted by the attack two years complimentary access to a credit monitoring service.
Colonial Pipeline
The attack on the Colonial Pipeline corporate network illustrates the impact that ransomware attacks can have on essential infrastructure. The incident, which took place in May, led to gas shortages at stations between Washington DC and Florida.
DarkSide, the group behind the attack, loans its ransomware out to cybercriminal partners who carry out the attacks on its behalf. With emergency services, hospitals, airports, and truck drivers reliant on Colonial Pipeline’s supply, the company was under immense pressure and paid 75 Bitcoin ($5 million) for the decryption key the day after the network was attacked.
The attackers also used a double-tap attack, first exfiltrating sensitive data and then launching the ransomware, with the threat of releasing the data to the public if no payment was made.
To stop the attackers from reaching Colonial’s operational controls, the pipeline was temporarily shut down. This led to panic-buying as stations began to face shortages, and full service was not resumed for nearly one week.
JBS
JBS, one of the world’s largest meat production companies, was struck by a ransomware attack believed to have been executed by REvil. IT servers in North America and Australia were affected and temporarily suspended, while backup servers were believed to have remained secure.
The attackers demanded that $11 million be transferred to them in Bitcoin to recover the stolen data. JBS decided to pay the ransom to prevent company and customer data from being compromised.
The company supplies around one fifth of all beef products in the United States and was forced to temporarily shut down operations in the US, Canada, and Australia. This caused shortages of some products in supermarkets, leading to food price inflation.
How can ransomware attacks be prevented?
In the aftermath of such high-profile incidents, preventing ransomware attacks becomes a heightened concern for all organizations.
Anti-virus and anti-malware technologies can block automated ransomware attacks. However, even with these in place, it is still possible for ransomware to infect systems. Those responsible for the network’s security should consider what information becomes accessible when any part of the network is compromised. Good network segmentation is essential for preventing lateral movement within the network and limiting the damage caused by an attack.
Auditing all connected systems and devices is necessary for maintaining a strong and resilient network. Assessment tools like Titania Nipper can help prevent ransomware attacks by discovering vulnerabilities in firewalls, switches and routers and by ensuring that firewall rules are not too permissive.
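As an added illustration of the two checks just described, and not code from Titania or from Nipper, the script below audits a small, constructed rule set for (a) "permit any/any" rules and (b) permits that let the user segment reach the server segment on ports commonly used for lateral movement. The rule format, segment addresses and port list are assumptions for the example.

```python
import ipaddress

# Constructed sample rule set (not from any real device): action protocol source destination port
SAMPLE_RULES = """\
permit tcp 10.10.0.0/16 10.20.0.5/32 443
permit tcp 10.10.0.0/16 10.20.0.0/24 445
permit ip any any any
deny ip any any any
"""

# Assumed segment layout for the illustration: a user LAN and a server segment.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}
# Ports commonly abused for lateral movement (SMB, RDP, WinRM, SSH); user segments should not reach servers on these.
LATERAL_PORTS = {"445", "3389", "5985", "22"}


def parse_rules(text):
    """Turn the constructed five-field rule lines into dicts; malformed lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        action, proto, src, dst, port = parts
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "raw": line})
    return rules


def to_network(token):
    """'any' is treated as the whole IPv4 space so prefix-length checks work uniformly."""
    return ipaddress.ip_network("0.0.0.0/0") if token == "any" else ipaddress.ip_network(token)


def audit(rules):
    """Return (severity, reason, rule) findings for overly permissive or segment-crossing permits."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        src, dst = to_network(r["src"]), to_network(r["dst"])
        if src.prefixlen == 0 and dst.prefixlen == 0 and r["port"] == "any":
            findings.append(("HIGH", "permit any/any/any allows unrestricted traffic", r["raw"]))
            continue
        if src.subnet_of(SEGMENTS["users"]) and dst.subnet_of(SEGMENTS["servers"]) and r["port"] in LATERAL_PORTS:
            findings.append(("MEDIUM", f"user segment reaches server segment on lateral-movement port {r['port']}", r["raw"]))
    return findings


if __name__ == "__main__":
    for severity, reason, rule in audit(parse_rules(SAMPLE_RULES)):
        print(f"[{severity}] {reason}: {rule}")
```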
Nipper provides automated risk prioritization and significantly reduces the number of false positives to investigate. The Nipper Risk Management Framework (RMF) combines vendor configuration management best practice with pen testing checks for exploitable vulnerabilities, to identify and prioritize mitigation for critical misconfigurations.
The software also provides risk remediation advice and exact technical fixes for these misconfigurations, helping to prevent system access in the event of a targeted ransomware attack. Request a free trial to see for yourself how your organization can benefit from using an auditing tool.
The paradigm for defending our networks has changed in the last decade: from defending the perimeter by making sure no one gets in, to accepting that people are always going to get in. It is therefore crucial to ask what we can do to build cyber resilience and protect our networks even after someone has got in.
In a zero-trust environment the network checks make no assumptions about any traffic being trusted. For each transaction you need to perform, the receiving node will ask for proof of your right to be there.
This means that if an attacker were able to enter the network, your policies would make it incredibly difficult for them to move around inside.