Shared files in the cloud are a top ransomware target
Vectra 2019 Spotlight report shows recent ransomware attacks cast a wider net to ensnare cloud, datacentre and enterprise infrastructures
The network is the most effective weapon for cyber criminals in a ransomware attack, according to researchers at threat detection and response firm Vectra.
This is because the network itself enables the malicious encryption of shared files on network servers, especially files stored in infrastructure-as-a-service (IaaS) cloud providers.
Attackers can easily evade network perimeter security and perform internal reconnaissance to locate and encrypt shared network files, according to the researchers.
“By encrypting files that are accessed by many business applications across the network, attackers achieve an economy of scale faster and far more damaging than encrypting files on individual devices,” they said.
According to the Vectra 2019 Spotlight report on ransomware, recent ransomware attacks cast a wider net to ensnare cloud, datacentre and enterprise infrastructures.
The report notes that the cost of downtime due to operational paralysis, the inability to recover backed-up data, and reputational damage are particularly catastrophic for organisations that store their data in the cloud.
“The fallout from ransomware attacks against cloud service providers is far more devastating when the business systems of every cloud-hosted customer are encrypted,” said Chris Morales, head of security analytics at Vectra. “Today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.”
Ransomware continues to be a popular way for cyber criminals to make money because it is fast and easy, and typically results in a bigger payout than stealing and selling credit cards or personally identifiable information.
Ransomware and other forms of cyber extortion are currently the most popular forms of cyber criminal activity in the UK, Rob Jones, director of threat leadership at the National Crime Agency (NCA), told Computer Weekly in a recent interview.
“Our research indicates that 53% of organisations say they have a ‘problematic shortage’ of cyber security skills today and the ramifications of it are very evident with fast-moving ransomware attacks,” said Jon Oltsik, senior principal analyst at the Enterprise Strategy Group.
“The industry simply doesn’t have enough trained security folks scanning systems, threat hunting or responding to incidents,” he added.
“This Vectra report offers important insights into the weaponisation, the shift from opportunistic to targeted attacks, and the industries targeted by ransomware that can help organisations be better prepared.”
The report shows that the industry sectors in Europe and the Middle East with the most incidents of ransomware network file encryption from January to June 2019 were the finance and insurance industry (35%), followed by healthcare (18%), energy (17%) and manufacturing (13%).
At the lower end of the scale were the services sector (8%), followed by technology (4%), retail (4%) and the public sector (1%).
Germany experienced almost as many instances of network encryption in ransomware as every other country in Europe and the Middle East combined, accounting for 42% of instances in the region. It was followed by Switzerland (26%), the UK (18%), Denmark (8%) and Saudi Arabia (2%).
To detect and respond to ransomware, the Vectra report recommends that organisations look for early indicators of a ransomware attack.
It notes that because modern ransomware attacks are targeted and modular, attacker dwell times can be quite lengthy before shared network files are encrypted.
“There are many steps in the attack lifecycle that organisations can proactively monitor for early signs of ransomware behaviours inside the network,” the report said.
A documented and rehearsed incident response process is as important as the ability to proactively detect attacks, it added.
“This should include knowing how to hunt for ransomware and precursor behaviours, investigate incidents, and understanding the appropriate response methods.”
According to Vectra, artificial intelligence can also be used to detect subtle indicators of ransomware behaviours and enable organisations to prevent widespread damage.