What is Ransomware and How Can You Protect Your Enterprise?
Lightyear is excited to share the first post in our Intern Blog Series. Neha Ashwin interned with Lightyear in Summer 2021 in our marketing department.
As the world becomes more digitally oriented, the dangers that come with it grow as well.
Ransomware is a type of malware (malicious software) designed to encrypt files or data, locking the user out of their network until a ransom is paid for the decryption key.
There are various types of ransomware, and new variants are on the rise - growing 45% in 2019 alone. Ransomware ranges from locking basic computer functionality to encrypting entire databases, publicly exposing intellectual property or customer data, and/or threatening data deletion. All flavors of ransomware use deceptive tactics and social engineering to take advantage of vulnerabilities in systems and enterprises.
Attacks on enterprises through third parties in the technology or software supply chain increased fourfold from 2020 to 2021. This reinforces the security doctrine that you are only as strong as your weakest link. In a recent study, nearly 60 percent of companies reported a breach originating from a third-party vendor.
Recent Stats on Ransomware
Ransomware attacks have been increasing at alarming rates all over the world - growing 350% from 2018 to 2021 - and they are causing political and economic disruptions in their wake. In fact, the amount of ransom paid by victims grew 311% in 2020.
Ransomware has not just grown in popularity; it is now a fully fledged industry. There’s even something for the DIY fans out there, with ransomware kits being sold on the dark web for as little as $175. Whether attackers are looking to deploy trojans or other malware, or to build stolen databases of highly valuable personally identifiable information (PII), out-of-the-box software is cheap and readily available.
The statistics don’t lie - ransomware is on the rise, and it’s important to stay up to date on the latest trends and news so your enterprise can stay protected. Not only are today’s understaffed security teams struggling to keep up with the broadening attack surface at their respective enterprises, but even more daunting is managing the ever-growing third-party supply chain and partner ecosystem.
Top Ransomware Attacks of 2021
Although smaller companies are more vulnerable to ransomware attacks given their less sophisticated networks, it is not uncommon for larger companies to be targeted.
Unlike small companies, larger enterprises have more advanced security measures in their software. However, hackers are sophisticated and actively identify security vulnerabilities in an enterprise’s software before the enterprise becomes aware of them (or has the chance to patch them). This is known as a zero-day attack.
Here are a few examples of the largest ransomware attacks of 2021.
Just a month after the notorious Colonial Pipeline attack, JBS USA Meat Supplier suffered a ransomware cyber attack. JBS is one of the top meat suppliers in the U.S., producing 25% of meat products in the U.S., and the world’s largest meat processing company.
On May 30, 2021, JBS’ network was compromised by the attack, which paused production at facilities across the U.S., Canada, and Australia. Given the critical role JBS plays in the food supply chain, the attack prompted a response from the U.S. Department of Agriculture (USDA) and the White House. Regarding the attack, the USDA was quoted as saying: “USDA will continue to encourage food and agriculture companies with operations in the United States to take necessary steps to protect their IT and supply chain infrastructure so that it is more durable, distributed and better able to withstand modern challenges, including cybersecurity threats and disruptions.”
By June 2, 2021, all of JBS’ facilities were back up and functioning, but only after JBS made the costly decision to pay the ransom demand of $11 million in bitcoin. Andre Nogueira, the CEO of JBS, was quoted as saying: “This was a very difficult decision to make for our company and for me personally. However, we felt this decision had to be made to prevent any potential risk for our customers.” Politicians and cyber experts were critical of the company’s decision to pay the ransom, saying it could incentivize future attacks.
It took the FBI just a few days to attribute the attack to REvil. While REvil never explicitly took credit for the attack, a representative from REvil was quoted in October saying “the agriculture sector would now be a main target for the syndicate.”
Just a month later, on July 2, 2021, Florida-based IT service company Kaseya was hit with a ransomware attack. Kaseya sells software used to manage IT networks and devices.
The hackers used a zero-day attack: they took advantage of an existing, unpatched vulnerability in Kaseya VSA (Virtual System/Server Administrator), the system Kaseya uses to oversee the networks of its customers. That means when Kaseya was hacked, so were its hundreds of customers.
The attackers locked hundreds of enterprises out of their IT systems and offered them a special key in exchange for ransom. The cybercriminals demanded $50,000 from smaller companies and $5 million from large businesses.
The hacking group REvil/Sodinokibi was held responsible for this attack after they claimed responsibility on their Dark Web site, the “Happy Blog”. REvil is believed to have ties to Russia, and after the attack President Biden pressed Russian President Vladimir Putin to act against the hacking group. Just a day later, REvil vanished from the Dark Web entirely (don’t worry, they came back).
Another interesting fact regarding this attack is that, in the days following it, the FBI obtained the ransomware keys from REvil’s servers. However, the FBI did not release the keys to the victims for another three weeks. Apparently, the FBI was planning a counter-attack on REvil and didn’t want to tip them off by sharing the keys.
Update: On April 11, 2022, Kaseya announced it is acquiring DRaaS leader Datto.
Who is REvil?
REvil, a portmanteau of “ransomware” and “evil,” is a Russia-based hacking group that sells tools and technology to third-party hackers.
Members have created an online system that assists ransomware attacks in exchange for 20% of payments. REvil is a financially motivated group. These types of groups are considered more dangerous because they are willing to go to further lengths to get ransom money, even risking lives.
What's being done to combat ransomware?
Over the last year, the Biden Administration implemented a ransomware task force and a platform to educate and assist with cybersecurity-related issues. There is also a plan of action called “Rewards for Justice”, a State Department effort to offer up to $10 million for information that leads to the identification of illegal cyber activity.
More recently, the fight against ransomware has gone global. This month, over 30 countries pledged to “mitigate the risk of ransomware and harden the financial system from exploitation.”
To pay or not to pay the ransom?
The answer to this question is loaded and has significantly changed over time. Unfortunately, at the end of the day, it becomes a question of ROI and opportunity cost.
Look back at one of the most prolific ransomware attacks of the century, the Sony attack of 2014: some analysts estimate the cost to Sony at somewhere between $35 and $100 million. The 2014 Sony attack is unusual, though. More often than not, attackers seek out and negotiate a speedy payment that will hurt the organization far less than having its networks go offline or its data exposed. Once paid, some attackers will even offer support to fight future ransomware attacks… go figure!
Just remember, if you decide to pay the ransom, there are no guarantees you will recover the stolen or encrypted data. The average payout is $170,404 and the average recovery cost is up to $1.85 million, up more than 100% from 2020.
What can you do to protect yourself?
The increasing threat of ransomware makes top-notch security practices and a Disaster Recovery plan, or Disaster Recovery as a Service, an even more important practice to have in place.
Within an organization, where many people have access to the company’s software, cybersecurity training should be available to the entire workforce so that personnel are educated about cybersecurity threats and how to respond to them.