Ransomware as a concept isn’t exactly bleeding edge. For years, cybercriminals have been using ransomware along with a variety of different attack vectors to compromise companies both big and small around the globe.
What is new is the recent jump in the volume and frequency of ransomware attacks. According to Verizon’s 2021 Data Breach Investigations Report, ransomware appeared in 10% of the breaches analyzed, more than double the share from the previous year. Part of that increase is a change in tactics: rather than only encrypting data, many ransomware operations now steal it as well, which turns what used to be an availability incident into a data breach. From the attacks on Colonial Pipeline and JBS Foods to, most recently, the many organizations worldwide hit through Kaseya (all in the first half of 2021), ransomware has become the weapon of choice for many cybercriminal organizations.
The driving force behind these attacks is ultimately money. In 2020, Proofpoint researchers found that almost 70% of companies that paid the ransom were able to unlock their data and systems. That track record makes payment a tempting option for an organization that might otherwise face total collapse, and every payment further incentivizes other threat groups. According to Harvard Business Review, the amount compromised companies paid in ransom grew 300% in 2020 alone, due in part to the surge in remote work and the weaker security of home environments. Vulnerable home networks gave cybercriminals any number of paths to reach corporate networks, drop ransomware, and bring their online infrastructure down.
Cybercriminals are getting greedier, and the cost of dealing with the fallout is rising just as fast. A global survey conducted by Sophos found that the average cost of remediating a ransomware attack more than doubled in a year: remediation costs, including downtime, operational costs, and lost revenue, rose from a global average of $761,106 in 2020 to $1.85 million in 2021.
REvil – also known as ‘Ransomware Evil’ or ‘Sodinokibi’ – is a group that operates ransomware as a service. On Friday, July 2nd, 2021, REvil’s ransomware infected at least hundreds, if not thousands, of businesses worldwide, among them a railway, a pharmacy chain, and hundreds of grocery storefronts.
So … what happened now?
To spread ransomware to their targets, REvil went straight for the supply chain. After all, why do all the heavy lifting yourself when a trusted source can do it for you? REvil exploited a previously unknown zero-day vulnerability (CVE-2021-30116) in Kaseya VSA (Virtual System Administrator), a product used to manage business networks and devices and marketed to small and medium-sized businesses and the managed service providers that support them. By abusing VSA’s trusted software-distribution mechanism, REvil seeded and pushed its ransomware down to VSA-managed endpoints, reaching an estimated 1,500 downstream companies. Attackers also took advantage of the confusion by sending out phishing emails posing as Microsoft update notifications to spread the attack further. As of this writing, Kaseya has delayed the patch that closes the exposure.
REvil and its affiliates averaged $2.25 million in payouts per breach over the first six months of 2021 – pennies compared to the $70 million they are demanding for the Kaseya attack’s decryption key.
Supply chain attacks are a high-visibility vector, but ransomware gangs’ usual methods of choice are far more mundane: phishing, and credential stuffing or brute forcing of internet-exposed Remote Desktop servers. Newer entry points have included exploitation of the Microsoft Exchange ProxyLogon vulnerabilities and of ZeroLogon, a Windows Netlogon flaw (not an Exchange bug) that lets an unauthenticated attacker take over a domain controller.
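Credential stuffing against exposed RDP is cheap for the attacker and noisy in the logs, which makes it a good candidate for detection. The script below is an added example written for this article, not code from the original post or from any vendor: it parses a constructed, pipe-delimited export of Windows Security events (4625 failed logon, 4624 successful logon, with logon type and source IP), finds bursts of RDP failures from a single source within a sliding window, and separates credential stuffing (many distinct accounts, few tries each) from classic brute force (one account, many tries). The export format, the thresholds, and every IP and user name are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that indicate a Remote Desktop session: 10 = RemoteInteractive,
# 3 = Network (what RDP with Network Level Authentication records on failure).
RDP_LOGON_TYPES = {3, 10}

# Constructed sample export (not real logs), one event per line:
# timestamp | EventID (4625 failed / 4624 success) | LogonType | TargetUserName | IpAddress
SAMPLE_LOG = """\
2021-07-02T09:00:00|4625|10|jsmith|10.0.0.5
2021-07-02T09:00:20|4625|10|jsmith|10.0.0.5
2021-07-02T09:00:40|4624|10|jsmith|10.0.0.5
2021-07-02T14:00:05|4625|3|jsmith|203.0.113.7
2021-07-02T14:00:35|4625|3|mbrown|203.0.113.7
2021-07-02T14:01:05|4625|3|rlee|203.0.113.7
2021-07-02T14:01:35|4625|3|kpatel|203.0.113.7
2021-07-02T14:02:05|4625|3|admin|203.0.113.7
2021-07-02T14:02:35|4625|3|tnguyen|203.0.113.7
2021-07-02T14:03:05|4625|3|dgarcia|203.0.113.7
2021-07-02T14:03:35|4625|3|ahmad.k|203.0.113.7
2021-07-02T14:06:00|4624|10|mbrown|203.0.113.7
2021-07-02T14:10:00|4625|3|administrator|198.51.100.23
2021-07-02T14:10:20|4625|3|administrator|198.51.100.23
2021-07-02T14:10:40|4625|3|administrator|198.51.100.23
2021-07-02T14:11:00|4625|3|administrator|198.51.100.23
2021-07-02T14:11:20|4625|3|administrator|198.51.100.23
2021-07-02T14:11:40|4625|3|administrator|198.51.100.23
2021-07-02T14:12:00|4625|3|administrator|198.51.100.23
2021-07-02T14:12:20|4625|3|administrator|198.51.100.23
2021-07-02T14:12:40|4625|3|administrator|198.51.100.23
"""


def parse_event(line):
    """Turn one exported line into a dict; user names are lower-cased so
    'Administrator' and 'administrator' count as the same target."""
    ts, event_id, logon_type, user, ip = line.strip().split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user.lower(),
        "src_ip": ip,
    }


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_rdp_credential_attacks(events, window=timedelta(minutes=10),
                                  fail_threshold=8, user_threshold=5):
    """Return {src_ip: finding} for every source whose RDP failures within any
    `window` reach `fail_threshold`. A burst spread over `user_threshold` or
    more distinct accounts is labelled credential stuffing; otherwise brute
    force. success_after_burst flags a 4624 from the same IP after the burst
    began, i.e. a likely compromised account that needs immediate follow-up."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in RDP_LOGON_TYPES:
            by_ip[ev["src_ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        # Sliding window over the sorted failures: keep the densest burst.
        best_count, best_users, best_start = 0, set(), None
        start = 0
        for end, ev in enumerate(failures):
            while ev["time"] - failures[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {f["user"] for f in failures[start:end + 1]}
                best_start = failures[start]["time"]
        if best_count < fail_threshold:
            continue  # a user mistyping a password twice is not an attack
        pattern = "credential_stuffing" if len(best_users) >= user_threshold else "brute_force"
        success_after = any(e["event_id"] == 4624 and e["time"] >= best_start for e in evs)
        findings[ip] = {
            "failures": best_count,
            "distinct_users": len(best_users),
            "pattern": pattern,
            "success_after_burst": success_after,
            "window_start": best_start,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_credential_attacks(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed sample, 203.0.113.7 is reported as credential stuffing (8 failures across 8 accounts, followed by a successful logon as mbrown, which is the case to escalate first), 198.51.100.23 as brute force against administrator, and the two failed attempts from 10.0.0.5 are ignored. The thresholds are starting points; tune them against a week of your own 4625 volume before alerting on them.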
Preparedness and Testing
These numbers should be eye-opening to security professionals and business owners alike. Ransomware is not going away any time soon and will likely get worse for the foreseeable future. Companies everywhere should harden themselves against it by following industry-standard security practices: company-wide patch management, regular phishing training, routine internal and external penetration tests, and red team engagements are all invaluable in defending against a rapidly growing threat. Testing tailored to identify and assess the controls that specifically limit ransomware is also an important next step in containing the fallout of such an attack. The War Room has a more detailed article on ransomware defense located here.
AJ Hammond (AJ.Hammond@rsmus.com)
Nick Woodman (Nick.Woodman@rsmus.com)