When Ransomware Strikes at Night, How Can Your Organisation Stay Safe?
Table Of Contents:
Ransomware is the cybersecurity story of the past decade. But over that time, adversary tactics, techniques, and procedures (TTPs) have continued to shift according to the continuously evolving arms race between attackers and network defenders. With historically low numbers of victim companies electing to pay their extortionists, ransomware affiliates are focusing on speed, timing, and camouflage.
The question is: with most attacks now coming at weekends and in the early hours of the morning, do network defenders still have the right tools and processes in place to mitigate the threat? Financial services organisations, in particular will need an urgent answer to such questions ahead of compliance with the EU’s Digital Operational Resilience Act (DORA).
From Strength to Strength
By one measure, ransomware continues to thrive. This year is set to be the highest-grossing ever, according to analysis of crypto payments to addresses linked to criminality. According to an August report from blockchain investigator Chainalysis, ransomware “inflows” year-to-date (YTD) stand at $460m, up around 2% from the same time last year ($449m). The firm claims this increase is largely due to “big-game hunting” – the tactic of going after fewer large corporate victims that may be more capable and willing to pay larger ransoms. The theory is borne out in one payment of $75m by an unnamed company, to the Dark Angels ransomware group earlier this year – the largest ever recorded.
Overall, the median ransom payment to the most common ransomware strains has also surged—from just under $200,000 in early 2023 to $1.5m in mid-June 2024. Chainalysis claims this suggests “that these strains are prioritising targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance. ”
The apparent strength of the ransomware ecosystem is more impressive given the law enforcement wins of earlier this year, which seemed to disrupt two major groups: LockBit and ALPHV/BlackCat. Chainalysis claims these efforts have fragmented the cybercrime underground somewhat, with affiliates moving to “less effective strains” or launching their own. This chimes with a Q2 2024 analysis by ransomware specialist Coveware, which claims to have observed an increase in the number of “lone wolf” groups not affiliated with any major ransomware “brand”. Many have taken this decision “due to the increasing threat of exposure, interruption, and profit loss associated with ‘toxic’ ransomware brands,” it says.
However, the bottom line is that these threat actors are still active. And with payment rates declining from a high of around 85% of victims in 2019 to roughly a third of that today, they are always looking for ways to make their efforts more effective.
Timing Is Everything
A new report from Malwarebytes’ ThreatDown group reveals exactly how they hope to do so. It claims that, over the past year, more ransomware groups have attacked victims on weekends and in the early hours of the morning. The threat team dealt with most attacks between 1 and 5 a.m. local time.
The reason is obvious: the threat actors hope to catch an organisation when its IT team is fast asleep or recharging its batteries at the weekend.
Further, the report claims that attacks are getting faster. Back in 2022, a Splunk study tested 10 top ransomware variants and found the median speed for encrypting 100,000 files was just 43 minutes, with LockBit the quickest of all at just four minutes. But what Malwarebytes is seeing is an acceleration of the entire attack chain – from initial access to lateral movement, data exfiltration and finally, encryption. That gives bleary-eyed network defenders even less time to respond and contain a threat before it’s too late.
The report also claims that more malicious actors use Living Off the Land (LOTL) techniques, which use legitimate tools and processes to stay hidden inside networks while achieving these ends. “Recent customer incidents from top gangs such as LockBit, Akira and Medusa reveal that most of the modern ransomware attack chain is now composed of LOTL techniques,” it says.
How to Mitigate Ransomware Risk in 2024
Big-game hunting attacks may garner most of the headlines, but the truth is that most ransomware victims are technically SMBs. Coveware claims that the median size in Q2 2024 was just 200 employees. So how can these organisations hope to defend against stealthy attacks at night and on weekends?
“The only solution is to ensure that those assets are monitored with the same diligence at 1am as they are at 1pm,” Malwarebytes senior threat intelligence researcher Mark Stockley tells ISMS.online.
“That can be achieved by staffing an in-house Security Operations Centre (SOC) that operates 24/7. But for most organisations, it’s more practical and cost-effective to use a third-party service, like Managed Detection and Response (MDR), or to have a Managed Service Provider (MSP) do it.”
As the DORA era looms, such measures will be increasingly necessary for financial services organisations and their suppliers. Continuous monitoring, 24/7 incident response readiness, robust business continuity planning, and regular testing will all be required to satisfy regulators that resilience is at an appropriate level.
Stockley believes best practice standards and frameworks like ISO 27001 can help to get organisations to this point.
“Like any standard or framework, ISO 27001 is a means to an end. Organisations can arrive at the level of information security they need without it, but standards and frameworks can act as useful maps to help them get there and stay there,” he adds. “The right choice of framework depends on the organisation’s level of security maturity. Ultimately, cyber-criminals don’t care what certifications you have; they only care if they get stopped.”