Content, Content, Ransomware

Ransomware Dips During 2022: Are Cyberattacks Slowing or Just a Blip?

One in four organizations were victims of ransomware attacks over the past 12 months, a 61% decline from the previous 12-month period when 64% of organizations reported being victimized by extortionists, said Delinea, a privileged access management provider, in a new report.

Ransomware Payments Drop

In a study of some 300 U.S.-based IT professionals, the number of organizations coughing up ransom payments slid from 82% to 68%, signaling either that companies are better prepared to withstand and recover from a cyberattack, or as Delinea suggested, more were paying heed to law enforcement’s warning not to accede to hackers’ demands.

Moreover, the study found that larger companies are much more likely to be victims of ransomware, as 56% of companies with 100 or more employees said they were victims of ransomware attacks.

The survey also revealed that the consequences of ransomware attacks are now more tangible, as more respondents specified that their companies lost revenue (56%) and customers (50%) compared to the previous year. Fewer organizations (43%) reported reputational damage as a result of being victims of a ransomware attack.

"The reduction of ransomware attacks is an encouraging sign, but organizations need to make sure they keep their guard up against this constant, evolving threat," said Art Gilliland, Delinea chief executive. "Staying vigilant by maintaining a strong least privilege approach backed by stronger password protection, authentication enforcement, and access controls can help continue this downward trend."

Here are some additional study findings:

Larger companies are much more likely to be victims of ransomware, as 56% of companies with 100 or more employees said they were victims of ransomware attacks.
Budget allocations for ransomware are in decline, as only 68% of those surveyed said they are currently allocated budget to protect against ransomware versus 93% during the prior year.
The number of companies with Incident Response Plans also declined from 94% to 71%, and only half are taking proactive, proven steps to prevent ransomware attacks such as enforcing password best practices (51%) and using Multi-Factor Authentication (50%).

Healthcare a Favored Attack Target

The healthcare industry has long been among the most consistently lucrative and favored targets for hackers for its plethora of personal data and at times its subpar protections. Last October, The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) warned healthcare organizations about the Daixin Team, a cybercrime crew targeting U.S. businesses in the healthcare sector with ransomware and data extortion campaigns since June 2022.

The Daixin Teams’ tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) provides a good example of how ransomware attackers go after healthcare and other organizations:

  • Deployed ransomware to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.
  • Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.
    Gained initial access to victims through virtual private network (VPN) servers.

Securing Against a Ransomware Attack

The federal agencies also provided a list of measures organizations can take to secure against a ransomware attack:

  • Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities.
  • Require phishing-resistant MFA for as many services as possible, particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
    Turn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
  • Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.
  • Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
  • Secure PII at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security.
  • Only store personal data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
  • Protect stored data by masking the permanent account number when it is displayed and rendering it unreadable when it is stored.
  • Secure the collection, storage, and processing practices for PII per regulations such as HIPAA. Implementing HIPAA security measures can prevent the introduction of malware on the system.
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.