Expert opinions, information and comment from the LTO Program

The success of ransomware gangs has spurred a significant trend of professionalisation among cyber criminals, where different groups develop specialised services to offer one another, according to a new report from WithSecure (formerly known as F-Secure Business).Ransomware has been around for decades, but the threat has continuously adapted to improvements in defenses through the years. One notable development is the current dominance of multi-point extortion ransomware groups, which employ several extortion strategies at once (usually both encryption to prevent access to data and stealing data to leak publicly) to pressure victims for payments.According to an analysis of over 3 000 data leaks by multi-point extortion ransomware groups, organisations in the United States were the most common victims of these attacks, followed by Canada, the United Kingdom, Germany, France and Australia. Taken together, organisations in these countries accounted for three-quarters of the leaks included in the analysis.The construction industry seemed to be the most impacted and accounted for 19% of the data leaks. Automotive companies, on the other hand, only accounted for about 6%. A number of other industries sat between the two due to ransomware groups having different victim distributions, with some families targeting one or more industry disproportionately to others.While the threat of ransomware has inflicted considerable pain on organisations in different countries and industries, its transformative impact on the cyber crime industry cannot be overstated.“In pursuit of a bigger slice of the huge revenues of the ransomware industry, ransomware groups purchase capabilities from specialist e-crime suppliers, in much the same way that legitimate businesses outsource functions to increase their profits,” explained Senior Threat Intelligence Analyst Stephen Robinson. “This ready supply of capabilities and information is being taken advantage of by more and more cyber threat actors, ranging from lone, low-skilled operators, right up to nation state APTs. Ransomware didn't create the cyber crime industry, but it has really thrown fuel on the fire.”In one notable example highlighted in the report, WithSecure investigated an incident that involved a single organisation compromised by five different threat actors, each with different objectives and representing a different type of cyber crime service: The Monti ransomware group.Qakbot malware-as-a-service.A cryptojacking group known as the 8220 Gang (also tracked as Returned Libra).An unnamed initial access broker (IAB).A subset of Lazarus Group, an advanced persistent threat associated with North Korea’s Foreign Intelligence and Reconnaissance General Bureau.According to the report, this professionalisation trend makes the expertise and resources to attack organisations accessible to lesser-skilled or poorly resourced threat actors. The report predicts it is likely the number of attackers and size of the cyber crime industry will both grow in the coming years.“We often talk about the damage ransomware attacks cause to the victims. Less attention is paid to how ransom payments provide additional resources to attackers, which has encouraged the professionalisation trend described in the report. Near-term, we’re likely to see this changing ecosystem shape the resources and type of attacks facing defenders,” said WithSecure Head of Threat Intelligence Tim West.The full report, The Professionalisation of Cyber Crime, is available at: https://www.withsecure.com/en/expertise/research-and-innovation/research/the-professionalization-of-cyber-crime.More information on ransomware is available at: https://www.withsecure.com/en/expertise/blog-posts/ransomware-profits-are-transforming-cyber-crime.

Veeam's 2023 Ransomware Trends Report shows many pay ransom but don't always recover. Organizations with the proper data protection architecture are ...

As I walked the show floor at the RSA conference and held meetings with vendors and clients in San Francisco last month, I heard a surprising theme that I disagreed with.The conversation often started with something like this: “Great book with cyber stories, but isn’t ransomware dying?” (Note: They were referring to the book I co-authored with Shamane Tan called Cyber Mayday and the Day After.)Or, “Ransomware is way down, isn’t it?”Or, “What’s your biggest fear, now that ransomware is going away?”And no, these colleagues and “industry experts” from an assortment of cyber vendors were not delusional, just misinformed. When I asked one colleague to send me some proof, he sent me several articles backing up his claims:Security Magazine — Ransomware attacks decreased 61% in 2022: “The 2022 State of Ransomware Report from Delinea and conducted by Censuswide surveyed 300 U.S.-based information technology (IT) decision-makers about the impact of ransomware on their organizations over the past year. The survey found that 25% of organizations were victims of ransomware attacks over the past 12 months, a 61% decline from the previous 12-month period, when 64% of organizations reported being victims.”Security Week — Ransomware Revenue Plunged in 2022 as More Victims Refuse to Pay Up: “According to data from Coveware, a company that helps organizations respond to ransomware attacks, the percentage of companies that paid up in 2022 dropped to 41%, from 50% in 2021 and 70% in 2020.”TechTarget — July [2022] another down month in ransomware attack disclosures: “SearchSecurity has tracked ransomware in 2022 via a database of public reports and disclosures, as well as an article series that covers the most notable attacks each month. According to SearchSecurity's data sets, there was approximately a 300% drop between attacks in January and June. July saw similar numbers, with just 13 confirmed disclosures last month; in addition, only three disclosures were for attacks in July.”Inside P&C — Cyber frequency fell 22% in 2022 as ransomware dropped 54%: Coalition: "Cyber claims frequency declined 22% year over year in 2022, driven mostly by a 54% drop in ransomware attacks, according to InsurTech Coalition.”BUT NOT SO FASTWhile there is debate about how much ransomware incidents dropped in 2022, the trend (if there ever was one, which I doubt) has certainly flipped in 2023. Consider these reports:Politico — Ransomware comes back with a vengeance: “Researchers at a leading cryptocurrency tracing company have bad news for Washington: Ransomware is back, and it might be worse than ever.“Through the first four months of this year, cybercriminal gangs are on pace to surpass their earnings from a record-setting 2021, according to new data collected by Chainalysis.“The bounceback in extortion revenue follows a 40 percent dip in ransom payments in 2022, which many had interpreted as a promising sign the Biden administration was making headway against keyboard crooks.”WION: Nearly two-thirds of India-based companies victims of ransomware attack: “In an alarming statistic that describes the State of Ransomware in 2023, it has been revealed that 73 percent of India-based organisations surveyed by cybersecurity company Sophos were victims of ransomware attacks.”The Hacker News — Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code: "The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems."While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News."Insurance Journal — Viewpoint: Could Increasing Ransomware Frequency Bring Back Repeat of Hard Market?: “Insurance pricing is cyclical. When loss ratios are sustainably higher, over time prices rise in response, creating a hard market. The last hard market in cyber was in 2021 when an onslaught of ransomware and high-profile cyber attacks drove a spike in demand for cyber insurance and a decreased supply of capital, which led to increased premiums.“Once prices are higher and loss performance begins to improve, the market looks appealing — driving new entrants and adding pressure on existing players trying to stay competitive. This drives prices back down and creates a soft market. Eventually, the loss ratio climbs back up, and the cycle inevitably begins anew.”NEW RANSOMWARE TRENDS TO WATCHSo if ransomware isn't going away, what are some important 2023 ransomware trends to watch?First, be aware that backup repositories are targeted in 93 percent of ransomware attacks, according to Infosecurity magazine and Veeam’s 2023 ransomware trends report: “Veeam also found that in 93% of ransomware incidents, the threat actors target the backup repositories, resulting in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) of backup repositories being completely lost."Second, the report showed that organizations are still ill-prepared to face this threat: “Most (80%) continue to pay the ransom despite multiple advisories against it. They primarily do that to get their data back, yet 21% don’t, even after paying the ransom.”Third, Infosecurity magazine also claims that the time to deploy ransomware has dropped 94 percent: “Phishing remained the No. 1 initial access vector last year, identified in two-fifths (41%) of incidents, followed by exploitation of public-facing applications (26%).”FINAL THOUGHTI found this U.K. ransomware story with a twist to be interesting: “Rogue IT worker extorted company after hijacking ransomware attack.” Here's an excerpt: “An IT worker in the UK has been convicted of unauthorized computer access and blackmail after attempting to take advantage of a ransomware attack on his employer.“Ashley Liles was found to have attempted to blackmail his employer, Oxford Biomedica, into paying a ransom in the wake of a 2018 security breach. …“Liles accessed board members’ private emails more than 300 times and altered the original ransom note to change the payment address to his own cryptocurrency wallet.”This story just highlights the importance of addressing insider threats and employee ethics and integrity — even during a ransomware emergency.

Data protection against ransomware and cyberattacks is becoming ... associated with data breaches, ransomware, and other cybersecurity incidents.

SiliconAngle reports that increasingly severe ransomware attacks have been accompanied by the growing willingness to pay attackers' demands.More than 80% of data among one in seven organizations could be compromised in ransomware attacks, with 93% of attacks aimed at backups and 75% of those hindering recovery efforts, while the rate of organizations paying ransoms rose by 4% to 80% in 2022 even though anti-ransomware payment policies were in effect among 41% of organizations, according to a report from Veeam.Researchers also found that risk management programs have been in place among 87% of organizations but only 35% noted that their programs were well-suited. Moreover, cyber insurance coverage for ransomware attacks has also been declining, with 20% of surveyed IT leaders citing ransomware exclusions from their policies, despite increasing insurance costs.Organizations have been urged to conduct regular evaluations of ransomware recoverability in their risk management plans, ensure clean backups, and leverage a staged restoration approach in the event of a ransomware attack.

Data protection vendor Rubrik reintroduced itself as cybersecurity specialists at its user conference last year, arguing the future of data backups and disaster recovery lies in merging with security. This year, the vendor will once again make ransomware and data security a focus of discussion as ransomware attacks increase against enterprise customers. Even Rubrik hasn't been immune to the fight; it suffered a data breach in March. Like other data backup vendors, Rubrik unveiled features last year designed with cyberattacks in mind, such as machine learning and AI tools as well as SaaS backup capabilities for Microsoft 365. These capabilities contribute the fight against ransomware, said Phil Goodwin, research vice president at IDC. Ransomware, a risk that traditionally falls under security's purview, remains top of mind for backup administrators. "We see a trend among IT organizations. They are not really differentiating between data security and data protection," Goodwin said. "The label data protection is being applied on a more frequent basis to anomaly and intrusion protection." How vendors respond to the dual needs of security and data protection will become a balancing act of building useful features that don't overpromise nor underdeliver. As Rubrik attempts to redefine itself as a cybersecurity vendor, other backup vendors don't want to muddy the waters. Executives at Commvault, a rival to Rubrik, are adamant their new detection and cyber deception tools are still firmly in the realm of data backup. Backup vendors will need to continue showing they can handle the challenges associated with being a security company as the backups under their control are targeted more. Western Digital, a storage vendor selling a backup SaaS, confirmed it was the victim of a ransomware attack that knocked out services for almost two weeks. "No one company can address it all," Goodwin said. "It's a journey. [Rubrik is] one of the companies that has driven aggressively to address cyber protection and cyber security from a single platform." Thin silicon line Veeam, which will host its VeeamON 2023 conference just days following Rubrik Forward, joined Rubrik last year in positioning itself with greater cybersecurity features. Druva, too, added security features into its data backup platform in 2022. All these vendors are looking to posture their products as hardened against ransomware, according to Christophe Bertrand, an analyst at TechTarget's Enterprise Strategy Group. Ransomware attacks remain a priority for IT teams and executives, dictating strategy and buying decisions, he said. Data backup is now a market where vendors can better differentiate themselves depending on what cybersecurity capabilities they offer. "We're seeing this area of cyber response meets disaster recovery," Bertrand said. "A lot of the data protection vendors work on their security but also improve and enhance their ability to detect ransomware." Backup capabilities often include immutable snapshots or air gaps, but vendors are now expanding their software to include traditional security tools. Customers expect backup software and services to include multifactor authentication to prevent unauthorized access and machine learning capabilities to detect changes in data copies that could contain ransomware payloads. These are positive additions to data backup platforms but do not replace the comprehensive set of security features enterprise IT might need, said Jerome Wendt, an analyst and CEO at Data Center Intelligence Group. Backup companies might be better off going for a partnership than building in security features themselves. "Everyone is getting a little more mature about it," Wendt said. "I'm still not convinced those who do it themselves will do it as well as those partnering with third parties." The cloud hyperscalers, which include AWS, Microsoft Azure and Google Cloud Platform, have remained distant from the data backup and data protection market, said Steve McDowell, an analyst and founding partner of NAND Research. Outside of some simple disaster recovery offerings, such as AWS Elastic Disaster Recovery, McDowell said the hyperscalers have little in their portfolios attempting to replicate the features of dedicated vendors. "It surprises me the big guys [are] not rolling out the robust feature set," McDowell said. "That's a huge opportunity for those guys to grab and control their customers lives a little more." SaaS data backup capabilities will remain popular for backup vendors, analysts agreed, because many users remain unaware of the shared responsibility model they enter into when choosing SaaS applications or platforms. In this model, the service provider is responsible for maintaining quality of service, and the customer is responsible for protecting the data it uses within that service from loss, corruption or attacks. "The adoption lags the hype pretty significantly," Goodwin said. "[SaaS] will continue to be a growing market for a number of years."Ghost in the air gap Like other IT vendors, Rubrik will also likely include a generative AI narrative at this year's Rubrik Forward. The hype and saturation of generative AI, particularly surrounding products such as OpenAI's ChatGPT, will come to the backup space as well. But analysts said enterprise buyers will remain skeptical. I'm still not convinced those who do it themselves will do it as well as those partnering with third parties. Jerome WendtCEO, analyst, Data Center Intelligence Group "It's really hard to separate the hype from the reality," McDowell said. "There's a little bit of AI fatigue right now." Rubrik, Commvault, Cohesity and other backup vendors already include machine learning in their products. Rubrik uses machine learning to find when user data has been compromised as well as find anomalies or encryptions in backups. Cohesity is partnering with Microsoft Azure and OpenAI to add generative AI capabilities into data protection, such as generating readable after-action reports following a security incident or action. AI washing will contribute to the confusion, Bertrand said. Vendors will not use consistent language in their marketing and will inflate AI functionality. "I haven't seen anybody come out with a clean AI message and positioning," Bertrand said. "It's really more of an efficiency play in the end." IT teams should still brace themselves for AI usage both for and against them, however. Goodwin expects more ransomware gangs to take advantage of the technology as well. "If you don't think the bad guys are going to use it against us, you're dreaming," he said. Tim McCarthy is a journalist from the Merrimack Valley of Massachusetts. He covers cloud and data storage news.