
Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers


While ransomware attacks against highly targeted industries grab the headlines, it’s the assaults on smaller businesses typically lacking resources to defend themselves and recover that may have the greater impact, a new study by Barracuda found.

In a one-year research effort, Barracuda’s researchers analyzed 106 highly publicized ransomware attacks between August 2021 and July 2022. They found an increase in attacks across all of the most highly targeted industries, with those on critical infrastructure quadrupling. In addition, the company’s security operations center (SOC)-as-a-service team examined the volume of ransomware the SOC detected.

1.2 Million Attacks Per Month Detected

Here are 10 key results as detailed in the company's Threat Spotlight report:

  • The volume of ransomware threats the SOC detected spiked between January and June of 2022 to more than 1.2 million per month. By comparison, the number of actual ransomware incidents spiked in January and then started to slow down in May.
  • In 2021, the double extortion trend emerged, where attackers steal sensitive data from their victims and demand payment in exchange for a promise to not publish or sell the data to other criminals.
  • In 2021, hackers began demanding a late fee or penalty if ransom payments were not made promptly.
  • The dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%).
  • The number of ransomware attacks increased year-over-year across each of these five industry verticals.
  • In the past 12 months, ransomware attacks on educational institutions more than doubled. Attacks on the healthcare and financial verticals tripled, and infrastructure-related attacks quadrupled.
  • Aside from ransomware hijackers’ favored targets, service providers were hit the most (14%) for their access to client systems.
  • Law enforcement agencies are recovering more ransomware payments, as new levels of cooperation between the United States and the European Union are brought to bear against ransomware attacks.
  • There have been a large number of successful attacks against VPN systems without stronger authentication schemes. The rapid shift to remote work due to the COVID-19 pandemic exposed this as an area of weakness for many organizations.
  • Fewer victims are paying the ransom, and more businesses are standing firm thanks to better defenses, especially in attacks on critical infrastructure.

Phishing, Brute Force and PowerShell Attacks Documented

Barracuda also detailed three “real-life” ransomware attacks in which the hackers used three different tactics to gain entry. In one instance, the attackers used a phishing email sent in August 2021 to compromise one of the victim’s accounts.

In a second event, the attackers executed a brute force attack on a VPN login page and then used remote desktop protocol (RDP) to get into the compromised systems.
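The VPN brute-force entry path described above, as an added detection example that is not from the Barracuda report or this article: it runs a sliding-window failed-login count over constructed VPN authentication log lines (the log format, user names and IP addresses are assumptions) and flags a source whose burst of failures is followed by a successful login, the pattern that preceded the RDP access in this case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not from the Barracuda report);
# the "<ISO timestamp> <user> <source IP> <SUCCESS|FAIL>" format is hypothetical.
SAMPLE_LOG = """\
2021-09-03T02:10:01 jsmith 203.0.113.7 FAIL
2021-09-03T02:10:04 jsmith 203.0.113.7 FAIL
2021-09-03T02:10:07 jsmith 203.0.113.7 FAIL
2021-09-03T02:10:11 jsmith 203.0.113.7 FAIL
2021-09-03T02:10:19 jsmith 203.0.113.7 SUCCESS
2021-09-03T08:01:10 amiller 198.51.100.4 FAIL
2021-09-03T08:01:40 amiller 198.51.100.4 SUCCESS
2021-09-03T09:00:00 root 192.0.2.9 FAIL
2021-09-03T09:15:00 root 192.0.2.9 FAIL
2021-09-03T09:30:00 root 192.0.2.9 FAIL
2021-09-03T09:45:00 root 192.0.2.9 FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

def parse_log(text):
    """Parse lines into (timestamp, user, source_ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def find_brute_force(events, threshold=4, window=timedelta(minutes=10)):
    """Flag IPs with >= threshold failures in any sliding window; note a SUCCESS after the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order per source
        fails = [e[0] for e in evs if e[3] == "FAIL"]
        burst_end, start = None, 0
        for end in range(len(fails)):  # slide the window over failure timestamps
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]
        if burst_end is not None:
            success_after = any(e[3] == "SUCCESS" and e[0] > burst_end for e in evs)
            findings[ip] = {"failures": len(fails), "success_after": success_after}
    return findings
```

The slow source 192.0.2.9 is only flagged when the window is widened, which is why the window and threshold should be tuned to the VPN's normal failure rate rather than left at these constructed values.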

In a third case, the hackers got in with stolen credentials and then used malicious PowerShell scripts and installed system-level dynamic link libraries (DLLs) to steal more credentials and harvest passwords.

In each case, the victims turned to managed service providers or managed security service providers for assistance with analysis, forensics and recovery.

Barracuda's Security Recommendations

Here are five steps businesses can take now to protect against this type of attack as Barracuda recommends:

  1. Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email.
  2. Implement robust network segmentation to reduce the spread of ransomware if it does get into your system.
  3. Investigate any unauthorized software, particularly remote desktop or remote monitoring, which could be signs of compromise.
  4. Secure web applications from malicious hackers and bad bots by enabling web application and API protection services, including distributed denial of service (DDoS) protection.
  5. Keep backups offline or in the cloud, and use backup credentials that are different from normal credentials.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.