Threat researchers have recently observed a sizable increase in ransomware activity, and our internal threat data corroborates this. Each cybersecurity company sees only a small sample of the total attack population, so when trends and patterns emerge across that sample, it is wise to take notice.
For example, within the past month we helped remediate four separate attacks on organizations in the greater Chicago area. These companies varied in size, industry vertical, and cybersecurity maturity; their one commonality was that none had adequately invested in preparedness: managed detection and response (MDR), incident response (IR) support, training, and threat assessments. Given how prevalent ransomware attacks are at present, forward-thinking business leaders should carefully consider the risks their own organizations face.
The Ransomware-as-a-Service (RaaS) group Cl0p may be responsible for part of the recent surge. Multiple threat intelligence teams found Cl0p's ransomware to be the most prevalent strain in March 2023, dethroning former front-runner LockBit. Cl0p has ties to Russia and has been active since 2019. The group specializes in double extortion: it exfiltrates data as well as encrypting it, then threatens to publish the stolen data if the ransom isn't paid promptly. It has become infamous for attacks on high-profile targets including Hitachi and Shell. Recently, Cl0p's affiliates have been exploiting zero-day vulnerabilities in widely used software. A zero-day, by definition, has no patch when exploitation begins, so even organizations that patch diligently can be hit; what limits the damage is applying the vendor's fix the moment it ships, minimizing the exposure of the affected application in the meantime, and monitoring closely enough to catch the intrusion before data is stolen or encrypted.
We can’t say for sure which cybercriminal gang was behind the recent wave of attacks, but we do think that it’s extremely important for organizational leaders, board members, and risk managers to be aware of the current threat.
Among the ransomware attacks we helped remediate for these four clients, there were relatively few commonalities in terms of company size and sector. The victim organizations included a mid-sized food and beverage manufacturer, a small healthcare organization, a construction services firm, and a small financial organization. All were located in the greater Chicago area, but there’s no evidence that companies in other locations face fewer risks.
“The lesson here is simple,” says Matt Wilson, Director, Sales Engineering at Netrix. “No matter how large or small your company is, or what vertical it operates in, you’re at risk. Organizations that don’t invest in risk assessment, penetration testing, or understanding the blind spots in their environment are the ones that get hit. Those that don’t maintain visibility through ongoing security monitoring won’t be able to detect malicious activities quickly, and those that haven’t built and tested a disaster recovery plan will lose more time and money, and see more profound business disruptions.”
From a process perspective, we did observe some weaknesses that were present in all of the ransomware victim organizations we helped. We elaborate on these below so that stakeholders can better understand which areas to focus on first. We recommend, though, that every organization undergo an individualized ransomware risk assessment, and reassess at least monthly, so that it can evaluate its own risk profile in depth.
Every one of the recent Chicago-area ransomware victims was reliant on legacy on-premises systems at the time of the attack. Older on-premises servers are costlier to maintain than modern cloud-based systems, and keeping their operating systems and applications current takes much more time and effort. In some cases it is no longer possible at all: the hardware, or the applications that depend on it, cannot run a current, vendor-supported operating system, so known vulnerabilities stay unpatched indefinitely.
Systems that have fallen out of vendor support accumulate publicly known vulnerabilities that will never be fixed, and attackers' scanning tools find them quickly. Organizations that want or need to keep on-premises hardware should run supported operating system versions with current security patches, and isolate anything that genuinely cannot be upgraded behind strict network segmentation so that it cannot serve as a foothold. We also recommend that security monitoring be in place, with a security operations team watching over the environment and standing ready to issue an alert, and initiate incident response procedures, whenever suspicious activity is observed.
Inadequate vulnerability management processes are a major source of cybersecurity—and ransomware—risk.
“Very often, it’s an orphaned server or an unmanaged PC that’s the entry point for the attackers,” explains David Menichello, Director of Security Product Management at Netrix. “Attackers are constantly scanning, often automated, for less-protected assets that they can leverage as a starting point. Then, they’ll move laterally to higher-value systems containing sensitive and business-critical data. But the seemingly unimportant systems—ones that aren’t monitored closely—are what they often find as an entry point.”
If your security team knows about every asset you have, what they are, what they do, and who is responsible for each system, you’ve covered one of the basics—maintaining an asset inventory. However, because real-world technology environments are constantly changing, you’ll need to repeat this asset inventory exercise often, or, ideally, perform it on a continuous basis.
In addition, your team should ensure that every asset in the inventory runs software that is kept current with security patches, and should verify that status rather than assume it. This is of critical importance for preventing many of today's most damaging attacks.
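As an added illustration of the inventory and vulnerability-management point above (example code written for this article, not a Netrix tool), the script below reconciles an asset inventory export against the hosts actually seen on the network and flags the conditions the quote describes: unmanaged hosts, orphaned systems with no owner, stale or missing patch records, and operating systems past vendor support. The inventory records, the observed host list, the 30-day patch threshold and the end-of-support set are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class InventoryRecord:
    hostname: str
    owner: Optional[str]          # None: nobody is recorded as responsible
    os: str
    last_patched: Optional[date]  # None: no patch record at all


# Constructed inventory export for the example, not a real environment.
INVENTORY = [
    InventoryRecord("erp-db01", "app-team", "Windows Server 2019", date(2023, 3, 28)),
    InventoryRecord("fileshare02", "it-ops", "Windows Server 2012 R2", date(2022, 11, 2)),
    InventoryRecord("legacy-hr", None, "Windows Server 2008 R2", None),
    InventoryRecord("web01", "it-ops", "Ubuntu 22.04", date(2023, 4, 1)),
]

# Hostnames actually seen on the network, e.g. from a discovery scan or the
# DHCP lease table. Constructed for the example.
OBSERVED = {"erp-db01", "fileshare02", "legacy-hr", "web01", "desktop-lab7"}

# Assumed end-of-support set for the example; check your vendors' lifecycle pages.
END_OF_SUPPORT = {"Windows Server 2008 R2", "Windows 7"}


def reconcile(inventory, observed, today, max_patch_age_days=30):
    """Compare the inventory with what is really on the network and return
    the gaps that matter for ransomware exposure, keyed by category."""
    known = {r.hostname for r in inventory}
    findings = {
        "unmanaged": sorted(observed - known),  # on the network, not in the inventory
        "missing": sorted(known - observed),    # in the inventory, not seen (decommissioned?)
        "orphaned": [],
        "stale_patch": [],
        "unsupported_os": [],
    }
    for r in inventory:
        if r.owner is None:
            findings["orphaned"].append(r.hostname)
        if r.last_patched is None or (today - r.last_patched).days > max_patch_age_days:
            findings["stale_patch"].append(r.hostname)
        if r.os in END_OF_SUPPORT:
            findings["unsupported_os"].append(r.hostname)
    return findings


def prioritize(findings):
    """Rank reachable hosts by how many findings they appear in, worst first."""
    counts = {}
    for category, hosts in findings.items():
        if category == "missing":
            continue  # not on the network, so not an entry point today
        for h in hosts:
            counts[h] = counts.get(h, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def sample_findings():
    """Run the reconciliation on the constructed data as of 2023-04-15."""
    return reconcile(INVENTORY, OBSERVED, date(2023, 4, 15))


if __name__ == "__main__":
    f = sample_findings()
    for category, hosts in f.items():
        print(f"{category}: {hosts}")
    for host, n in prioritize(f):
        print(f"{host}: {n} finding(s)")
```

In practice the inventory and observed sets come from your CMDB export and your scanner or DHCP data, and the job runs on a schedule rather than once; a host that shows up in `unmanaged` two runs in a row is exactly the orphaned entry point the quote warns about.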
Because today’s ransomware attackers are capable and sophisticated, and tomorrow’s will be even more so—and because attackers rely on tactics like social engineering that take advantage of human weaknesses—it’s important to ensure that you can detect incidents quickly and respond effectively when they inevitably occur. Real-time security monitoring and detection and response capabilities make this possible.
Not only does security monitoring give you the ability to stop in-progress attacks, but it allows your team to collect data about the tactics that attackers are currently using against your organization. This not only gives stakeholders across the business deeper insights into the value of your security program, but also allows you to take more targeted (and thus, effective) steps to combat future threats. The better you understand the risks you face, the wiser you can be when it comes to investing in prevention and defense.
“It’s not a fair fight,” says Menichello. “Attackers need to find only one way in, one time. Companies need to defend thousands of potential entry points on an ongoing basis, and these defenses have to be bulletproof. Having security monitoring in place makes it possible to rapidly detect and quickly recover from incidents, which can save enormous amounts of time and money, and prevent damage that may be irreparable.”
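To make the monitoring discussion above concrete, here is an added example (written for this article, not Netrix detection content) of two detections that security operations teams commonly run against endpoint telemetry: deletion of volume shadow copies and other recovery tampering, which ransomware typically performs just before encrypting, and a burst of file renames to a single new extension, which is the encryption itself in progress. The log format, the hostnames, the 60-second window and the 50-rename threshold are assumptions chosen for the example; the events are constructed inline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Commands ransomware operators commonly run before encryption so the victim
# cannot roll back. Well-known patterns; extend them from your own telemetry.
RECOVERY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def parse(line):
    """Constructed log format: '<ISO timestamp> <host> <PROCESS|RENAME> <payload>'."""
    ts, host, kind, payload = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, payload


def detect(lines, window=timedelta(seconds=60), rename_threshold=50):
    """Return (timestamp, host, rule, detail) alerts for the two behaviours."""
    alerts = []
    recent = defaultdict(deque)  # (host, user) -> recent (timestamp, new extension)
    fired = set()                # (host, user) pairs already alerted on
    for line in lines:
        ts, host, kind, payload = parse(line)
        if kind == "PROCESS":
            if any(p.search(payload) for p in RECOVERY_TAMPERING):
                alerts.append((ts, host, "recovery-tampering", payload))
        elif kind == "RENAME":
            # Payload is 'user=<u> old=<path> new=<path>'; paths carry no spaces in this format.
            fields = dict(f.split("=", 1) for f in payload.split())
            key = (host, fields["user"])
            ext = fields["new"].rsplit(".", 1)[-1].lower()
            q = recent[key]
            q.append((ts, ext))
            while ts - q[0][0] > window:  # drop events outside the sliding window
                q.popleft()
            exts = {e for _, e in q}
            if len(q) >= rename_threshold and len(exts) == 1 and key not in fired:
                fired.add(key)
                alerts.append((ts, host, "mass-rename",
                               f"user={fields['user']} ext=.{ext} count={len(q)}"))
    return alerts


def constructed_sample():
    """Constructed events: one benign rename on a workstation, then shadow-copy
    deletion and 60 renames to .locked on a file server within 30 seconds."""
    t0 = datetime(2023, 4, 10, 9, 15, 0)
    lines = [
        f"{t0.isoformat()} ws-042 PROCESS user=jdoe cmd=winword.exe /n report.docx",
        f"{(t0 + timedelta(seconds=5)).isoformat()} ws-042 RENAME user=jdoe "
        f"old=C:\\Users\\jdoe\\draft.tmp new=C:\\Users\\jdoe\\draft.docx",
        f"{(t0 + timedelta(seconds=30)).isoformat()} fs-01 PROCESS user=admin "
        f"cmd=vssadmin.exe delete shadows /all /quiet",
    ]
    for i in range(60):
        t = t0 + timedelta(seconds=31 + i // 2)
        lines.append(f"{t.isoformat()} fs-01 RENAME user=admin "
                     f"old=D:\\share\\doc{i}.xlsx new=D:\\share\\doc{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for ts, host, rule, detail in detect(constructed_sample()):
        print(f"{ts.isoformat()} {host} {rule}: {detail}")
```

The recovery-tampering rule fires on a single event and should page someone immediately; the rename rule is rate-based, so tune the window and threshold against a baseline of your own file servers (a nightly archiving job can look similar) before wiring it to an automated isolation response.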
Security leaders and risk managers can no longer assume that they’ll never be a victim of ransomware, no matter how expert their managed security service partner or how mature their internal security operations program. Instead, it’s essential to ensure that every organization has the tools to rapidly recover from real-world attacks. All four of the organizations we’re highlighting had significant weaknesses in their disaster recovery plans.
Disaster recovery planning should include creating backup copies of business-critical data, of course, but it should also include regularly testing restores from those backups to verify that the business could return to an operational state within an acceptable timeframe. Backups that an attacker can reach with the same credentials used to encrypt production will be encrypted or deleted too, so at least one copy should be kept offline or otherwise immutable. What counts as an acceptable recovery time will mean different things to different organizations. Some are extremely intolerant of downtime, perhaps because of its high cost, or because, as in healthcare, patients' lives are at stake. Others may hold little confidential customer data or financial information, and may find it faster and more cost-effective to simply replace PCs that were impacted than to try to restore them to a clean state.
"Risk-based assessments are critically important," says Lindsay Haun, Vice President for Managed Support Operations at Netrix. "They help organizations understand which cybersecurity investments will generate the greatest return in terms of real-world risk mitigation. For some, engaging with a Disaster Recovery as a Service (DRaaS) provider is a smart move, because it ensures that all their bases will stay covered on an ongoing basis in a fast-changing world."
Ransomware attacks are extremely prevalent, especially right now. And any organization can be a victim. If it happens to you, you’ll need to take short-term remediation steps to get the business back up and running, but you’ll also want to be sure that you’ve addressed the root cause, so that attackers can’t exploit the same vulnerability a second time.
You’ll want to contact your cyber insurance provider to ask about what’s covered, of course. But you should also contact a managed security service provider with expertise in ransomware remediation to ensure you’re not destroying valuable forensic evidence that you may need later, or leaving the attack pathway open, so that attackers can follow it again.
Here at Netrix Global, we’re always available, standing ready to help. To learn more about how we assist companies around the globe in preventing, detecting, and recovering from cybersecurity incidents, contact a member of our team of experts today or visit our assessment page to learn more.