In the field, we are seeing a great deal of extortion used as a fallback when organizations hit by ransomware do not pay the ransom. Once the attackers have the proper access internally, they are often able to pipe out some of the data before encrypting, which gives them leverage should the organization choose not to pay.
The public sector has seen a great deal of ransomware activity, as its environments are often more vulnerable. In addition, its constituents, students, etc. are not able to do without the services these public organizations provide.
This creates what is effectively a perfect storm, one in which the bad actors and ransomware gangs are able to enrich themselves repeatedly.
#ransomware gangs are going after top execs to pressure companies into paying https://t.co/rAyNmp9F6I
— Mark Lynd CISSP ISSMP ISSMP (@mclynd) January 9, 2021
In this ZDNet article, Catalin Cimpanu further explains some of the malicious activities and tactics that these bad actors are using.
A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain “juicy” information that they can later use to pressure and extort a company’s top brass into approving large ransom payouts.
ZDNet first learned of this new tactic earlier this week during a phone call with a company that paid a multi-million dollar ransom to the Clop ransomware gang.
Similar calls with other Clop victims and email interviews with cybersecurity firms later confirmed that this wasn’t just a one-time fluke, but instead a technique that the Clop gang had fine-tuned across the past few months.
MAKING THE EXTORTION PERSONAL
The technique is an evolution of what we’ve been seeing from ransomware gangs lately.
For the past two years, ransomware gangs have evolved from targeting home consumers in random attacks to going after large corporations in very targeted intrusions.
These groups breach corporate networks, steal sensitive files they can get their hands on, encrypt files, and then leave ransom notes on the trashed computers.
Read much more of this interesting article on ZDNet
If you are hit with ransomware, first stay calm and start incident response. If you do not have an incident response plan, then you should notify your leadership, the proper local authorities and others as instructed. Good incident response has several key steps like these from SANS, although you will see other valid variations of this list:
The SANS Incident Response Process consists of six steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Having a calm, structured approach will definitely be an asset given the drama that more often than not ensues during and after a ransomware attack.
Because of the prevalence of ransomware, I am literally pleading with all to ensure they have tested incident response in place. Based on what we are seeing in the field, 2021 is looking to be a banner year for bad actors utilizing ransomware. Don’t be one of their victims!