Ransomware, a type of malware that attackers use to encrypt data and extort money from victims, continues to make headlines. According to some estimates, the number of attempted attacks increased by over 700% compared with 2019, and the trend shows no sign of slowing down. It is not only the number of attacks that has grown; the severity and sophistication of the techniques used have grown with it.
The average ransom demand rose significantly over the last year, and attacks shifted toward more complex, targeted operations against larger organizations. So what is behind this growing threat, and what can be done about it?
The Evolution Of Ransomware Gangs
As ransomware gangs saw some success in recent years, the problem has compounded. With more funding available, these gangs have expanded their operations and become more organized and specialized. The groups that write the ransomware concentrate on improving their code so that it spreads through a network without being caught by antivirus software.
They then "license out" that software to smaller crews, known as affiliates, who find targets and break in, and the two sides split each ransom. This approach, dubbed "ransomware-as-a-service," has helped one operation, known as "Sodinokibi," rise to the top among ransomware criminals.
The Secret To Sodinokibi’s Success
Most experts believe that the Sodinokibi group, also known as REvil, is the most prolific ransomware gang. Some research suggests their software was responsible for 26.7% of total ransomware attacks in 2020.
One of the reasons for their success is their long experience in this business. Experts believe Sodinokibi is an offshoot of the group responsible for the GandCrab ransomware variant, which was retired in 2019 after its operators claimed earnings of $2 billion, or $2,500,000 a week.
According to research by BeforeCrypt, a cybersecurity firm specializing in ransomware removal, Sodinokibi offers a bonus to affiliates who bring in at least $1 million in profit per week. It’s unknown exactly how many teams are working with Sodinokibi, but even by the most conservative estimates, their profits in 2020 were not less than $80 million.
The actual number is likely to be much higher because many companies do not publicly disclose ransomware payments. Sodinokibi claims to have a shortage of manpower and is actively recruiting, which suggests the problem may worsen as time goes on. The group requests resumes from potential partners and even organizes competitions to attract top talent.
The gang is believed to be located in Russia, where it can operate with relative freedom. The Russian government is known to turn a blind eye to hackers as long as they do not target victims inside Russia or countries allied with Russia.
How Can I Protect Myself?
There is no way to achieve 100% immunity to ransomware attacks, but a few security measures can greatly reduce the risk.
Conduct Regular Pentesting
One of the reasons Sodinokibi is so effective is that its software is designed to evade detection, and this is what makes the affiliate model work: the operators supply a payload that antivirus misses, and the affiliates supply the intrusion. Once the payload is running, detection is already a losing game, so the best protection is to keep attackers from getting into your network in the first place.
The research conducted by BeforeCrypt indicates that Sodinokibi is actively searching for hackers proficient in tools such as Metasploit and Cobalt Strike. Conducting regular penetration testing with the same kind of tooling is a good way to find the exposed services, weak credentials and unpatched systems these attackers would use, and to fix them before an affiliate does.
If attackers do get in, however, backups are your fallback. Ransomware encrypts files and denies you access, but if you have a recent, clean backup, you can close the hole the attackers used, rebuild the affected systems and restore the data. Unfortunately, attackers know this and go to great lengths to find and encrypt or delete any backups they can reach before demanding a ransom. A restore is also only safe once the attackers' foothold has been removed; otherwise the restored systems are simply encrypted again.
The "3-2-1" backup strategy is one strong method for improving backup resilience. 3-2-1 means that you keep at least three copies of your data, on two different kinds of storage (for example, a local disk and a network share), with one copy kept offsite, away from your main network. That offsite copy should be offline or otherwise immutable, because an attacker who has taken over your domain can reach anything your backup server can write to.
It may also be worth encrypting backups. Sodinokibi is known for extorting victims by threatening to release sensitive data. If attackers gain access to your backups they may still be able to shut you down by encrypting or destroying them, but if the backup data is itself encrypted with keys they cannot reach, they cannot read it, which removes the leverage for a second ransom to keep stolen data private.
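One practical consequence of the above is that a backup copy should be verified before it is trusted, both on a schedule and before any restore: ransomware that reaches a backup leaves two signatures, files whose contents changed to high-entropy ciphertext and new files (renamed copies, ransom notes) that were never part of the backup set. The following is an added example, not code from the original article or from any vendor it mentions. It records a manifest of SHA-256 digests when the backup is taken and later compares the copy against it; the manifest must be stored with the offline copy, not on the backup server itself, or an attacker can simply regenerate it. The directory layout, file names and the simulated attack are constructed so that the script runs offline.

```python
"""Verify a backup copy against a manifest captured when the backup was taken."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its size and digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the copy under root with the manifest.

    Reports files that are missing, unexpected (extra), or modified. A modified
    file whose contents are now high-entropy is also listed under
    'likely_encrypted', the signature of ransomware having reached the copy.
    """
    current = build_manifest(root)
    result = {"missing": [], "extra": [], "modified": [], "likely_encrypted": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            result["modified"].append(rel)
            head = (root / rel).read_bytes()[:65536]
            if shannon_entropy(head) > 7.5:
                result["likely_encrypted"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    result["ok"] = not (result["missing"] or result["modified"] or result["extra"])
    return result


def demo() -> tuple:
    """Constructed scenario (hypothetical files): verify a clean copy, then the same copy after ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2021-01-04,1200.00\n" * 50)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 40)
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 2048)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated ransomware: overwrite one file with ciphertext, rename and
        # overwrite another with a new extension, and drop a ransom note.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "notes.txt.locked").write_bytes(os.urandom(4096))
        (root / "README_TO_RESTORE.txt").write_text("your files are encrypted\n")
        attacked = verify_backup(root, manifest)
        return clean, attacked


if __name__ == "__main__":
    before, after = demo()
    print("clean copy ok:", before["ok"])
    print("after attack:", {k: v for k, v in after.items() if k != "ok"})
```

Run the verification from a host that does not share credentials with the backup server, and treat any non-empty `missing`, `modified` or `extra` list as a reason not to restore from that copy until the difference is explained. The entropy check is a heuristic: already-compressed or encrypted files (archives, media, encrypted containers) are high-entropy by nature, so a digest mismatch, not the entropy score, is the authoritative signal.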
Apply The Principle Of Least Privilege
Attackers tailor their ransom demands to each target. They usually demand more money from larger companies, and the more data they are able to compromise, the more they will demand. You can reduce the amount of data they can reach by following the "principle of least privilege." This means ensuring that every user and service account in the network has only the minimum privileges needed to do its work. Ransomware runs with the permissions of the account it compromised, so an account that can write to only a handful of shares can encrypt only a handful of shares.
Maintain Phishing Awareness
More and more high-profile attacks begin with phishing, so it is also important to ensure that all employees follow best practices against it. This means taking extra care with attachments and links, even when they appear to come from co-workers.
Ransomware operators have been known to take over one employee's mailbox and then send mail as that person to trick colleagues into opening malicious links or attachments; because the message genuinely comes from the compromised account, sender checks alone will not catch it. A short monthly or quarterly briefing on attackers' latest techniques can help keep employees from being duped.
Monitor Network Activity
If you can afford it, having dedicated IT security staff or a contracted service monitor your network and file-server activity is a good move. Ransomware is noisy when it runs: a single account suddenly rewriting or renaming hundreds of files in a minute, or appending the same new extension to file after file, stands out sharply from normal work, and catching that burst early can limit the damage to a fraction of the estate.
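To make the previous paragraph concrete, here is an added example of the kind of detection logic a monitoring team would run over file-server audit logs; it is not code from the original article or from any product it mentions. The `key=value` log format and the sample lines are constructed, so the parser would need to be mapped onto your file server's real audit format (Windows object-access events, Samba `full_audit`, NAS audit exports). It applies two rules per account: a sliding window that counts distinct files modified, and a count of renames that change a file's extension to the same new suffix.

```python
"""Detect ransomware-style mass file modification in file-server audit logs."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ts=<ISO8601> user=<account> op=<read|write|rename|delete>
#                          path=<file> [new=<renamed-to>]
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?"
)
MODIFY_OPS = {"write", "rename", "delete"}


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match (skipped, not fatal)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window=timedelta(seconds=60), file_threshold=20, ext_threshold=5):
    """Return one alert per (account, rule), fired the first time the rule trips.

    Rule 'mass_modification': at least file_threshold distinct files written,
        renamed or deleted by one account inside any sliding window.
    Rule 'extension_change': at least ext_threshold renames by one account that
        change files to the same new extension (the suffix ransomware appends).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)       # user -> (ts, path) modifications in the window
    in_window = defaultdict(Counter)  # user -> path -> occurrences inside the window
    new_exts = defaultdict(Counter)   # user -> new extension -> rename count
    fired, alerts = set(), []
    for e in events:
        if e["op"] not in MODIFY_OPS:
            continue
        user, q, c = e["user"], recent[e["user"]], in_window[e["user"]]
        q.append((e["ts"], e["path"]))
        c[e["path"]] += 1
        while q and e["ts"] - q[0][0] > window:   # expire events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= file_threshold and (user, "mass_modification") not in fired:
            fired.add((user, "mass_modification"))
            alerts.append({"user": user, "rule": "mass_modification", "ts": e["ts"], "files": len(c)})
        if e["op"] == "rename" and e["new"] and extension(e["new"]) != extension(e["path"]):
            ext = extension(e["new"])
            new_exts[user][ext] += 1
            if new_exts[user][ext] >= ext_threshold and (user, "extension_change") not in fired:
                fired.add((user, "extension_change"))
                alerts.append({"user": user, "rule": "extension_change", "ts": e["ts"], "extension": ext})
    return alerts


def sample_log():
    """Constructed audit lines: light editing by 'alice', a 40-second burst by 'bob'."""
    base = datetime(2021, 3, 2, 9, 0, 0)
    fmt = "ts={ts:%Y-%m-%dT%H:%M:%SZ} user={user} op={op} path={path}"
    lines = [fmt.format(ts=base + timedelta(minutes=12 * i), user="alice", op="write",
                        path=f"/share/marketing/deck{i}.pptx") for i in range(5)]
    lines.append(fmt.format(ts=base, user="bob", op="read", path="/share/finance/q1.xlsx"))
    for i in range(30):  # bob's session rewrites and renames 30 files in under 40 seconds
        ts = base + timedelta(minutes=30, seconds=i * 4 // 3)
        path = f"/share/finance/report{i:02d}.xlsx"
        lines.append(fmt.format(ts=ts, user="bob", op="write", path=path))
        lines.append(fmt.format(ts=ts, user="bob", op="rename", path=path) + f" new={path}.locked")
    lines.append("this line is corrupt and must not crash the detector")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The extension-change rule is the higher-fidelity of the two: legitimate bulk jobs (backup agents, build servers, migration scripts) routinely trip a raw file-count threshold, so those service accounts need an allowlist or a higher `file_threshold`, whereas users renaming dozens of files to one new extension in a minute almost never happens by accident. Either alert should trigger an immediate action, such as disabling the account or isolating the host, rather than a ticket.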
It’s Probably Going To Get Worse Before It Gets Better
All this may sound like a pain, but an ounce of prevention really is worth a pound of cure. The cost of a few security measures is minor compared with the cost of having your entire operation shut down for days, not to mention the damage a data breach can do to your organization’s reputation. With attacks still on the rise, more cybersecurity vigilance will have to become the “new normal.”