By Ryan Estes, Intrusion Analyst, WatchGuard Technologies
Ransomware is a rapidly accelerating problem for organizations around the globe, with schools, hospitals, small businesses, and local governments all in the crosshairs. Last year’s ransomware attack on the Hospital for Sick Children (SickKids) in Canada showed that any organization can be a victim of these attacks – and that a growing number of threat actors can leverage ransomware-as-a-service (RaaS) and open-source tools to launch an attack. Unfortunately, the problem is not going away. According to the most recent WatchGuard Internet Security Report, endpoint ransomware detections increased by 627% in Q4 of last year, underscoring the need for security teams to step up their efforts to protect against these threats.
Keeping vigilant is key to staying protected. Data from last year through the first half of 2023 provides useful insights for security monitoring and can help teams optimize their approaches to defending against this ongoing threat. Below, we walk through three recent ransomware trends that have emerged and share tips for maintaining network security.
The rise of pseudo-ransomware
The conflict in Ukraine has had a significant impact on global cyber activity, resulting in a sharp increase of pseudo-ransomware wipers appearing in the networks of Ukrainian organizations. Media outlets often characterize any attack that produces a ransom note as ransomware. However, many recent instances were technically wipers: the ransom note didn’t always provide an avenue for paying the extortion, or the files were encrypted in a way that didn’t allow decryption. For example, WhisperGate, PartyTicket (also known as HermeticRansom), Azov, Somnia, and RU_Ransom were all novel wipers discovered in Ukraine that masqueraded as ransomware, while CryWiper was a pseudo-ransomware instance found on Russian government networks. This trend is highly correlated with the conflict in Ukraine and, hopefully, will subside as the conflict does.
The emergence of Rust programming
An emerging practice among ransomware gangs is using the Rust programming language to develop ransomware. The first known group to use Rust is the ALPHV group (also known as BlackCat or Noberus), though other groups have followed suit. RansomExx created a new variant in Rust and rebranded it to RansomExx2. Other operations such as Agenda, Luna, Nokoyawa, and the recently taken-down Hive group have also used variations of Rust programming. While this emerging trend primarily impacts malware analysts and threat researchers, it also affects endpoints, as anti-virus engines may not detect binaries compiled from newer programming languages as effectively. The ability of Rust-based payloads to go undetected could help explain why groups like ALPHV have used it successfully.
The increasing rate of double extortion
Double extortion – when threat actors both encrypt their target’s files and exfiltrate data to extort further payment – is not new when it comes to ransomware. But instances of double extortion are occurring at an increased rate. In the past, encrypting files was enough to elicit payment. However, ransomware is typically a “cat-and-mouse” game, with ransomware operators trying different blackmail and extortion techniques to find the most successful one. For example, some groups have threatened victims with distributed denial-of-service (DDoS) attacks or with contacting the victim’s clients and customers to coerce payment. The success of these tactics sets a dangerous precedent among ransomware groups as they take blackmail to the extreme.
Bolstering security against ransomware
While ransomware continues to evolve, a few tried-and-true practices can help ensure protection. In combatting ransomware attacks, security teams should focus on strengthening network perimeters, monitoring endpoints for anomalous behavior, and employing swift incident response protocols. Employing technologies such as zero-trust networks is a crucial step in maintaining security. Ransomware is ultimately malware, albeit with different implications if it’s deployed successfully. Therefore, many of the preemptive security measures are the same as for any other malware. Some typical actions that every security team should take include:
- Keep all software up to date.
- Inventory all assets on your network, identify the vulnerabilities within them, and patch or fix them.
- Regularly back up systems and, if possible, replicate data to a different server or network.
- Implement email security measures such as scanning attachments for malware, and provide phishing training.
- Leverage an anti-virus solution on endpoints with a heuristic engine that detects ransomware behavior, such as mass encryption events.
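As an added illustration of the last point, the following Python script sketches the kind of behavioral heuristic an endpoint engine applies to spot a mass-encryption event. It is example code written for this article, not WatchGuard’s or any vendor’s detection logic; the log line format, the process names, the thresholds (a 10-second window, 20 distinct files) and the entropy cutoff are all assumptions chosen for illustration, and the file-activity log is constructed inline so the script runs offline.

```python
"""Heuristic detection of mass-encryption behaviour from file-activity logs.

Added example (not from the article or WatchGuard): the log format, field
names, process names and thresholds below are assumptions for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable heuristics (assumed values, not any vendor's defaults).
WINDOW = timedelta(seconds=10)   # sliding window per process
MAX_FILES_PER_WINDOW = 20        # distinct files touched before alerting
ENTROPY_THRESHOLD = 7.5          # bits per byte; ciphertext sits close to 8.0


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    pid: int
    image: str
    action: str   # WRITE or RENAME
    path: str     # for RENAME, the constructed "old -> new" text


def parse_event(line: str) -> FileEvent | None:
    """Parse one constructed log line: '<iso-ts> <pid> <image> <ACTION> <path>'."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) != 5:
        return None   # malformed line: skip rather than crash the detector
    ts, pid, image, action, path = parts
    try:
        return FileEvent(datetime.fromisoformat(ts), int(pid), image, action.upper(), path)
    except ValueError:
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted data, much lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Second signal: a written buffer whose entropy is near the 8-bit ceiling."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_mass_file_activity(lines) -> list[dict]:
    """Alert once per process that touches MAX_FILES_PER_WINDOW distinct files within WINDOW."""
    windows = defaultdict(deque)     # (pid, image) -> deque of (ts, path)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.action not in ("WRITE", "RENAME"):
            continue
        key = (ev.pid, ev.image)
        q = windows[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= MAX_FILES_PER_WINDOW and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": ev.pid, "image": ev.image,
                           "files": len(distinct), "at": ev.ts.isoformat()})
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log: one normal editor process and one process renaming 25 files in 5 s."""
    base = datetime(2023, 6, 1, 10, 0, 0)
    lines = []
    for i in range(3):   # benign: a few saves spread over a minute
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 1200 WINWORD.EXE WRITE C:/Users/alice/Documents/report{i}.docx")
    for i in range(25):  # suspicious: rapid rename of many files to a new extension
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        old = f"C:/Users/alice/Documents/doc{i:02d}.docx"
        lines.append(f"{ts} 4321 updater.exe RENAME {old} -> {old}.locked")
    lines.append("this line is malformed on purpose")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_file_activity(build_sample_log()):
        print("ALERT mass file activity:", alert)
    print("random-looking buffer encrypted?", looks_encrypted(bytes(range(256)) * 16))
    print("plain text encrypted?", looks_encrypted(b"quarterly report draft " * 50))
```

Running it flags only the process that renamed 20 distinct files inside the window, leaves the ordinary editor alone, and shows the entropy check separating a uniformly distributed buffer from plain text. A real engine would add context the log alone lacks (process lineage, signing status, whether the write targets a backup or shadow-copy path), but the two signals shown here, burst rate and output entropy, are the core of a "mass encryption" heuristic.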
Most importantly, since more than 90% of malware instances begin with a social engineering attack, organizations should require social engineering training for all end users so they are aware of what not to click and the best practices for what they should do if a threat attempt is successful. Regular training on how to combat threats such as phishing – possibly through gamification methods to help ensure the training is effective – will help raise and maintain awareness and deter successful attacks. A well-trained employee coupled with heuristic-based anti-virus software to detect abnormal behavior on the endpoint is a potent combination for stopping ransomware attacks. If all else fails, a swift incident response can snuff out attacks before they become too damaging. This sort of defense-in-depth approach, with multiple layers of protections and responses, is most effective.
Today’s ransomware operations have grown in complexity and often involve many threat actors. Organizations can only stop these attacks through careful and strategic planning. They should focus on the tactics, techniques, and procedures (TTPs) employed by threat actors that ultimately lead to a ransomware attack. Security teams should follow a defense-in-depth strategy that first deters malware from even touching their network, and have protections in place to neutralize it as soon as possible when it does. Adopting a layered security approach will go a long way in fending off ransomware and keeping the malicious actors out.
Ryan Estes is an intrusion analyst at WatchGuard Technologies. His research focuses on malware analysis, malware reverse engineering and ransomware threats, and he frequently covers these topics as a contributor to WatchGuard’s Secplicity blog. During his time in the cybersecurity field, he has earned 12 certifications from organizations such as (ISC)², CompTIA, Offensive Security, CWNP, and Saint Louis University (SLU). Ryan holds a bachelor’s in computer science from Southern Illinois University Edwardsville (SIUE), a master’s in cybersecurity from SLU, and is pursuing an MBA with a focus in management information systems at SIUE.