Study: Hackers Look to Maximize Damage With New Ransomware Strategy

Cybersecurity threats are becoming more sophisticated, targeted, and potentially catastrophic. This is particularly true of the most dominant form of cyberattack – ransomware.

Rather than a mass opportunistic, shotgun approach to distributing ransomware campaigns, today’s cyber criminals are being highly strategic in how they direct attacks, as seen in the recent coordinated ransomware attack against 23 towns in Texas. In their field of view are organizations in possession of lucrative data, such as healthcare, government, utilities, financial, and professional services sectors. Hackers are also honing in on organizations with known vulnerabilities, such as open ports and unpatched systems.

But a disturbing new strategy is rapidly changing the hackers playbook. A study from researchers at security firm Vectra reveals that, in the search for bigger payoffs from victims, cybercriminals are setting their sights on shared files stored on-premises, in data centers, and in the cloud.

Discriminating criminals see rewards in network-centric attacks

Traditionally, criminals have propagated ransomware by targeting isolated endpoints and holding local files hostage. As the Vectra study states: “The most effective weapon in carrying out a ransomware attack is the network itself...When the infected computer has access to documents in network share volumes – with their high capacity data storage – that single host can lock access to documents across several departments in a targeted organization.”

This mode of attack becomes far more devastating when it scales to cloud infrastructures. Organizations can find themselves locked out of their cloud-hosted business systems without any warning that a ransomware attack has taken place. Data loss is bad enough, but without access to key files or the ability to access cloud-based productivity apps and email, the outcome can be devastating. This scenario occurred earlier this year when a ransomware strain impacted two cloud service providers: DataResolution.net and iNSYNQ. More than 30,000 customers were unable to access their cloud-based services.

Ironically, many of these file shares and cloud providers are used to store files to maintain proper backup in the event of a cyberattack – making recovery a challenge.

“It’s an efficient, premeditated criminal threat with a rapid close and no middleman,” – ominous words from Vectra’s researchers.

Think like a cybercriminal, see what they see

As cybercriminals become increasingly adept at understanding where common vulnerabilities are and use new tactics, techniques and procedures (TTPs) to exploit them at scale, organizations must do everything they can to ensure their security postures are as robust as possible.

To better protect network file shares and systems from sophisticated ransomware attacks, security leaders must first be able to anticipate the attacks before they occur. This requires expanding their viewpoint from an internal focus on protection, detection, response, and recovery to encompass a more empathetic understanding of how an attacker sees their network – its systems, high-value targets, and vulnerabilities. An open port or two may seem inconsequential, but to a clever and persistent hacker it’s an easy loophole to exploit.

Of course, viewing the network in the same way that a hacker does isn’t easy. To reveal key areas of risk and potential holes in their security apparatus, organizations must be able to effectively visualize and quantify the performance of their cybersecurity program – in real-time. Only then can they identify the steps they need to take to strengthen their own on-premises security postures, whether that means closing open ports or patching vulnerabilities that correlate with a potential attack.

As the Vectra study shows, attention must also be paid to the security of cloud service providers. It’s critical that organizations understand the cloud shared security responsibility model (many don’t, which can lead to complacency and security events like the recent Capital One breach). In addition to the proper controls, cloud customers can leverage third-party risk management tools to immediately discover and expose cyber risk in cloud infrastructures.

The ransomware risk is more serious than ever

According to Vectra’s researchers, the number of ransomware attacks is on the decline. Yet, as recent attacks, such as those on the City of Baltimore, Texas government agencies and the plethora of high profile companies impacted by 2017’s WannaCry prove – ransomware remains a threat that can have devastating consequences on an organization’s productivity, bottom line, and reputation. As such, it’s not so much that ransomware is going away; it’s that attackers are using it in a more intelligent manner designed to provoke maximum damage.

As criminals evolve their attacks and cast a wider net to ensnare shared network files – on-premise and in the cloud – it’s imperative that organizations have their own TTPs to instantly assess the security posture of their own infrastructure and that of their supply chains. Only then can they prioritize remediation efforts and stay one step-ahead of the “next biggest threat”.