Cybersecurity trends ebb and flow according to a range of factors. Yet there has been one consistent (and persistent) threat over the past few years – ransomware, the practice of demanding payment to return stolen data.
Ryuk, REvil, NHS, Clop, Cezar, Pubg, Webroot, and Cryptolocker are just some examples of ransomware that have been prevalent – there are others, and there undoubtedly will be more to come. Whenever an organization thinks it has ransomware under control, it feels like another attack is just around the corner. The situation is getting worse. In 2020 it was estimated that there were three times as many ransomware attacks as there had been in 2019.
Even this is likely to be a conservative estimate, given that many companies are reluctant to admit they have been the victim of a ransomware attack. So what are the main forms of ransomware currently in circulation, what damage can they cause, and what kind of measures must organizations implement to prevent ransomware?
Ransomware – a growing problem
The threat posed by ransomware in all its myriad forms is such that different stakeholders are coming together to try and combat it. Originated by the Institute for Security and Technology, the Ransomware Task Force (RTF) is a collaboration between more than 60 such stakeholders, including tech firms such as Microsoft and Amazon, and law enforcement bodies, including the UK’s National Crime Agency.
The RTF aims to develop a robust plan to tackle the global ransomware threat by deterring and disrupting cybercriminals and ensuring organizations are prepared to defend themselves. This is a welcome initiative and one which we wholeheartedly support at Fortra and Clearswift.
There is great power in collaboration when facing such a universal threat, and coordinating efforts in this way will have a positive impact. Yet ransomware is so pervasive, and cybercriminals so persistent, that it is equally important for each organization to secure its own defenses, especially in the face of some of the current strains of ransomware.
Ryuk has been one of the most prominent types of ransomware since it first appeared in August 2018. The generally accepted view is that Ryuk is the brainchild of a Russian group of cybercriminals that obtained access to Hermes, an older ransomware program. Ryuk typically charges a higher ransom than other ransomware, usually between $100,000 and $500,000.
Businesses, hospitals, government institutions, and other organizations are targeted, with the cybercriminals mainly using manual hacking techniques and open-source tools to move through networks and gain access to systems before initiating the file encryption. In addition, because those organizations often hold critical assets, they are generally more likely to pay, so Ryuk cybercriminals are adept at monetizing their campaigns.
At the RSA Conference 2020, FBI agent Joel DeCapua revealed that organizations had paid $61.26 million in bitcoin to the Ryuk gang, three times the next most successful gang. Ryuk is a dangerous form of ransomware that shows no sign of letting up – a school authority in the US recently revealed that it had spent $8.1m over seven months recovering from Ryuk ransomware.
REvil is short for Ransomware Evil and was supposedly inspired by the Resident Evil series of films. A ransomware-as-a-service (RaaS) operation, REvil first appeared in April 2019 and is now among the most widespread ransomware threats.
It carries a double threat, as the cybercriminals behind it also steal business data from organizations and threaten to release that data to the wider world. As a RaaS, REvil developers rely on other criminals – known as affiliates – to distribute the ransomware for them. The more potent and successful a RaaS, the smarter and more accomplished affiliates it can attract.
REvil certainly falls into that category. In 2020, the IBM Security X-Force Incident Response team revealed that one in three ransomware infections it was called to remedy involved REvil.
The CLOP variant of ransomware is so named because it appends the .CLOP or .CIOP extension to encrypted files. When CLOP ransomware has entered an organization, affected files are encrypted. If the victim does not pay, the East European cybercriminals behind CLOP post the files to their ransomware website for all to see.
Ukrainian Police recently arrested six alleged members of the CLOP gang in a joint operation with the U.S. and South Korea. But CLOP ransomware has been around since 2019. It has become known for attackers targeting entire networks rather than individual computers, so it is likely to be a significant threat for a good while yet.
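The appended extension described above is one of the few tells a defender can check for mechanically. The following is an added example, not code from Clearswift, Fortra or the CLOP write-up, showing a simple detection heuristic: scan a file listing for names whose final extension is a known ransomware marker appended to an otherwise normal file name, and raise an alert only when the share of affected files crosses a threshold, so a single oddly named file does not trigger it while a mass-encryption event does. The extension set, the threshold and the sample listing are constructed for the example.

```python
"""Flag files carrying a ransomware marker extension (added example).

Assumptions (not from the page): only the two extensions the text names are
checked, the 20% alert threshold is arbitrary, and the listing is constructed.
"""
import os
from collections import Counter

# Marker extensions the page names for CLOP; a deployment would keep a fuller,
# regularly updated list.
RANSOMWARE_EXTENSIONS = {".clop", ".ciop"}


def split_marker(path):
    """Return (original_name, marker) when the last extension of `path` is a
    known ransomware marker appended to a non-empty original name, else None.

    "q1-report.xlsx.CLOP" -> ("q1-report.xlsx", ".CLOP")
    "ClopReadMe.txt"      -> None  (the word appears, but not as an extension)
    """
    base = os.path.basename(path)
    root, ext = os.path.splitext(base)
    if root and ext.lower() in RANSOMWARE_EXTENSIONS:
        return root, ext
    return None


def scan_listing(paths, threshold=0.2):
    """Scan a list of file paths for marker extensions.

    Returns a dict with the matching paths, the fraction of all paths that
    match, a per-directory count (useful for locating the share or host that
    was hit first), and an `alert` flag set when the fraction reaches
    `threshold`.
    """
    hits = []
    for path in paths:
        found = split_marker(path)
        if found is not None:
            hits.append((path, found[1]))
    ratio = len(hits) / len(paths) if paths else 0.0
    by_dir = Counter(os.path.dirname(path) for path, _ in hits)
    return {
        "hits": hits,
        "ratio": ratio,
        "by_dir": dict(by_dir),
        "alert": ratio >= threshold,
    }


# Constructed sample listing: four encrypted files among ten, plus a decoy name
# that contains the word but carries no marker extension.
SAMPLE_LISTING = [
    "/srv/share/finance/q1-report.xlsx.CLOP",
    "/srv/share/finance/q2-report.xlsx.CLOP",
    "/srv/share/finance/budget.docx.CIOP",
    "/srv/share/hr/contracts.pdf.Clop",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/it/inventory.csv",
    "/srv/share/it/README.txt",
    "/srv/share/finance/ClopReadMe.txt",
    "/srv/share/hr/photo.jpg",
    "/srv/share/it/backup.tar.gz",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print(f"{len(result['hits'])} marked files, ratio {result['ratio']:.2f}, "
          f"alert={result['alert']}")
    for directory, count in sorted(result["by_dir"].items()):
        print(f"  {directory}: {count}")
```

In practice the listing would come from a file-server audit log or a periodic walk of a share, and the per-directory counts are what an incident responder looks at first, since the directory with the most marked files is usually where encryption started.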
There are measures that organizations can take to protect themselves from ransomware threats. The first step to take is education. Clearswift research with UK public sector workers revealed that almost half of respondents had either not heard of ransomware or did not know what it is. More than three-quarters had been given no instruction in how to recognize ransomware.
This is likely to be similar in other sectors and other geographies, so training on what to look for in ransomware and what to do if you think you have been breached is essential.
The right cybersecurity solutions also play a massive role in preventing ransomware, and Clearswift's Adaptive Data Loss Prevention (A-DLP) is doing so for organizations worldwide. A-DLP is a significant advance from the 'stop and block' of traditional DLP and automatically removes any sensitive or malicious content as it enters or exits a network. Only content that breaks policy is removed, meaning communication continues unrestricted.
It uses advanced Deep Content Inspection (DCI) to remove code and malicious content buried deeply in attachments and downloads. In addition, because it understands document structures, it provides greater protection against ransomware entering the network. Given the volume of sporting-based attacks currently at large, this gives organizations greater peace of mind.