Ransomware, the highly profitable method used by cybercriminals to encrypt data on computer networks and demand a ransom payment in return, is constantly evolving. One of the leading groups that perpetrates these attacks, Babuk, has stated that it is no longer interested in encrypting data on its victims’ networks. Instead, the group is now focusing on stealing sensitive and personal data and then demanding a ransom payment in return for not publicly releasing it.
Why the change of attack?
Firstly, data theft without encryption allows the group to extort the company even if it has robust backups of its data. In a traditional ransomware attack, the data is encrypted, but it can be restored if the company has a backup of that data. With this new method focused purely on stealing data, the backups become irrelevant. The second advantage to the ransomware groups is that it attracts less attention from the authorities. The highly disruptive ransomware attack on the US Colonial Pipeline brought the ransomware gangs a level of attention from US authorities that they were not prepared for, with the DarkSide gang shutting down in the wake of the attack. By stealing data instead, the attacks can be less disruptive to the victim organisation and therefore less likely to attract that level of attention from the authorities.
There are disadvantages to this new strategy too. There is no guarantee that the victim organisation will pay any money to stop the data being revealed. Looked at from the victim’s perspective, the organisation is able to operate as normal after the attack and therefore does not face the same pressure to restore normal business operations. There is also no guarantee that the criminals won’t go back on their word or decide that they want to extort the company repeatedly. It is also significantly more difficult to breach a company’s network and then extract a large volume of data without being noticed by alerting systems or a competent IT team.
From a criminal perspective, the ideal is a combination of the two methods. Encrypt the data but also extract it, providing two potential threats and therefore increasing the likelihood that the victim company will pay the ransom fee.
Ransomware is a highly effective method to make money for criminal organisations and is therefore likely to remain a threat for many years.
What can you do to protect your organisation from ransomware attacks?
In order to stop cybercriminals from being able to conduct either of these attacks, you need to be able to detect ransomware activity on a network and prevent it from encrypting files, and to block the common methods used to deliver ransomware to your network in the first place. Falanx Cyber can help in a number of ways, primarily through our Triarii Managed Detection and Response (MDR) service.
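To make the detection goal concrete, here is an added example (not code from the original post, from Falanx Cyber, or from the Triarii service) of two simple detectors for the two behaviours discussed above: bulk file rewriting with a new extension, which is the footprint of encryption, and an outbound data volume far above a host's normal daily baseline, which is the footprint of bulk data theft. All log events, host names, byte counts, baselines and thresholds in it are constructed for illustration.

```python
"""Added example: two detectors for ransomware-style behaviour, run over
constructed sample data. Nothing here is the original post's code."""
import os
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


# --- Constructed sample data (illustrative, not real telemetry) -------------
# Normal activity on ws-07: a few edits spread across the morning.
FILE_EVENTS = [
    (_ts("2021-07-01T09:00:00"), "ws-07", "WRITE", "C:/Users/bob/notes.txt"),
    (_ts("2021-07-01T09:15:00"), "ws-07", "WRITE", "C:/Users/bob/budget.xlsx"),
    (_ts("2021-07-01T09:40:00"), "ws-07", "RENAME", "C:/Users/bob/budget-v2.xlsx"),
]
# Burst on ws-12: 80 files on a share renamed to a new extension in 40 seconds.
_start = _ts("2021-07-01T10:12:00")
FILE_EVENTS += [
    (_start + timedelta(seconds=i // 2), "ws-12", "RENAME",
     f"C:/Shares/finance/doc{i:03d}.xlsx.locked")
    for i in range(80)
]

# Constructed outbound totals for one day (bytes) and each host's learned
# daily baseline from previous weeks.
OUTBOUND_BYTES = {
    "ws-07": 180_000_000,      # ~180 MB: ordinary
    "ws-12": 42_000_000_000,   # ~42 GB: far above this host's normal volume
}
DAILY_BASELINE = {"ws-07": 250_000_000, "ws-12": 300_000_000}


def detect_mass_rewrite(events, window=timedelta(seconds=60), threshold=50):
    """Flag hosts that write or rename more than `threshold` files inside any
    sliding `window`. Returns {host: (peak_count, dominant_extension)} so an
    analyst can see how big the burst was and which extension it produced."""
    recent = defaultdict(deque)  # host -> deque of (timestamp, extension)
    flagged = {}
    for when, host, action, path in sorted(events, key=lambda e: e[0]):
        if action not in ("WRITE", "RENAME"):
            continue
        ext = os.path.splitext(path)[1].lower()
        q = recent[host]
        q.append((when, ext))
        while q and when - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            dominant, _ = Counter(e for _, e in q).most_common(1)[0]
            if len(q) > flagged.get(host, (0, ""))[0]:
                flagged[host] = (len(q), dominant)
    return flagged


def detect_bulk_outbound(totals, baseline, multiplier=10):
    """Flag hosts whose outbound volume exceeds `multiplier` times their daily
    baseline. Returns {host: ratio}; a host with no baseline at all is
    reported with ratio None so it is reviewed rather than silently ignored."""
    flagged = {}
    for host, sent in totals.items():
        base = baseline.get(host)
        if base is None:
            flagged[host] = None
        elif sent > multiplier * base:
            flagged[host] = round(sent / base, 1)
    return flagged


if __name__ == "__main__":
    for host, (count, ext) in detect_mass_rewrite(FILE_EVENTS).items():
        print(f"[encryption?]   {host}: {count} rewrites in 60s, extension {ext!r}")
    for host, ratio in detect_bulk_outbound(OUTBOUND_BYTES, DAILY_BASELINE).items():
        print(f"[exfiltration?] {host}: {ratio}x daily baseline")
```

On the constructed data the first detector flags ws-12 with 80 rewrites and the `.locked` extension, and the second flags ws-12 at 140 times its baseline; ws-07 is quiet on both. In a real deployment the baselines would be learned per host from historical telemetry and the thresholds tuned to the environment, and the two signals are strongest when correlated, since a host that both rewrites files in bulk and sends far more data than usual matches the combined encrypt-and-steal pattern the post describes.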
Our penetration testing services will help to identify vulnerabilities that can allow ransomware to be deployed.