Ransomware is on the rise: Ways to lower your risk

Ransomware is an ever-evolving form of malware with especially damaging consequences for organizations across all sectors.

With experts linking current events to a potential increase in cyber risks, now is a crucial time to stay vigilant and put the right protective measures in place.

The growing threat of ransomware

Ransomware-related data breaches soared in 2021, and cybersecurity authorities recently highlighted the rising global threat of these attacks. According to a Cybersecurity & Infrastructure Security Agency (CISA) joint advisory between cybersecurity authorities in the United States, Australia, and the United Kingdom, 14 of the 16 US critical infrastructure sectors were involved in ransomware incidents within the last year, and ransomware is recognized as the leading cyber threat facing the UK.

The alert also states that while phishing emails, stolen Remote Desktop Protocols (RDP) credentials, and exploitation of software vulnerabilities remain the leading infection vectors for ransomware attacks, threat actors are moving toward increasingly sophisticated tactics. These include leveraging cybercriminal services-for-hire, sharing victim information with other ransomware groups to enable follow-up attacks, and increasing the use of triple extortion.

Furthermore, ransomware groups are strengthening their impact by targeting cloud infrastructures, managed service providers (MSPs), industrial processes, and the software supply chain. There was additionally an uptick of attacks against US entities on holidays and weekends throughout 2021, which cybersecurity authorities attribute to the lower amount of network defenders and support personnel on-site.

Geopolitical tensions heighten cybersecurity concerns

In light of the ongoing conflict between Russia and Ukraine, federal and local officials are advising Americans to stay prepared for a potential spike in cyber intrusions. Although there are no specific threats to the US at this time, CISA is warning that cyber attacks on the Ukrainian government and critical infrastructure organizations “may affect organizations beyond the region to include the US homeland.”

Two particularly destructive malware variants that have been used to target organizations in Ukraine are HermeticWiper and WhisperGate. As both are designed to destroy computer systems and render them inoperable, HHS’ Health Sector Cybersecurity Coordination Center (HC3) is urging healthcare organizations to stay on especially high alert of these strains.

The American Hospital Association (AHA) also recently outlined additional concerns for the healthcare sector. The advisory warns that along with the risk of direct attacks by Russian-sponsored cyber actors and potential disruptions in mission-critical services, “hospitals and health systems may become incidental victims of destructive ransomware that inadvertently penetrates US healthcare entities.”

Emerging ransomware groups

To help organizations take precautions against the latest ransomware risks, authorities are regularly releasing and updating alerts on emerging groups with technical details and known indicators of compromise (IOCs).

A recent flash alert from the FBI offers guidance on RagnarLocker ransomware, which was initially discovered in April 2020. The group has since compromised at least 52 entities across 10 critical infrastructure sectors including manufacturing, energy, financial services, government, and information technology.

CISA, the FBI, and the United States Secret Service (USSS) also just re-released their September 2021 alert on Conti ransomware group, which was responsible for at least 16 cyberattacks against US healthcare entities last year. The new advisory states that the threat actors remain active and attacks against US and international organizations have now surpassed 1,000.

How to protect your organization

CISA continues to encourage all organizations to visit StopRansomware.com, a centralized webpage with key tips and resources for preventing attacks. Some of these best practices include:

• Maintain offline, encrypted backups of data.
• Implement a cybersecurity user awareness and training program that includes guidance on how to identify a malicious email.
• Create and implement a basic cyber incident response and communications plan, which incorporates procedures for a ransomware incident.
• Conduct regular scanning to identify and address vulnerabilities, particularly those on internet-facing devices.
• Confirm that devices are properly configured and security features are enabled, disabling ports and protocols that are not being used for a business purpose.
• Implement best practices for use of RDP and other remote desktop services.
• Ensure that antivirus and anti-malware software is up to date.
• Employ multi-factor authentication (MFA) for as many services as possible.
• Apply the principle of least privilege to all systems.

With email serving as one of the leading entry points for ransomware, cybersecurity training is a particularly crucial piece of preventing ransomware attacks. However, as threat actors continue to evolve their tactics, sending HIPAA compliant email alone isn't always enough to safeguard sensitive data. That’s why healthcare providers should go one step further by making strengthening inbound email security measures a top priority. This will prevent ransomware attempts from reaching the inbox right off the bat.

Hoala Greevy has over 20 years of experience in the email industry, dating back to his first job out of college at Critical Path in San Francisco in 1999. Prior to founding Paubox, Hoala started Hawaii’s first SaaS company (Pau Spam) in 2002. Hoala holds two patents related to email security. An avid kayak fisherman, Hoala has caught three blue marlin from his ocean kayak Scupper Pro. He also holds the IGFA world record for the finescale triggerfish.