Ransomware on the rise in 2023
Cyber firms expect 2023 to be the most prolific year for ransomware, with both the number of attacks growing, and the ransom itself becoming more personal, reports Nicole Deslandes
The first quarter of 2023 saw the largest number of ransomware attacks ever recorded. In the UK, attacks rose by 87% in the first half of this year, and globally, attacks rose by 37%.
Cyber security firm JUMPSEC expects this year to be the most prolific year for ransomware, surpassing previous highs of 2021.
The firm counted 436 attacks worldwide in July alone, 20% higher than the previous all-time high, set in late 2021 in the wake of the Log4j (Log4Shell) vulnerability.
“Cybercriminals are taking advantage of vulnerabilities to increase ransomware’s severity and scale,” says Dan Middleton, vice president UK&I at cyber security firm Veeam.
“Along with this, cyber insurance is becoming a less viable option as many policies are now excluding ransomware from their cover, meaning businesses’ reliance on their backup infrastructure is deepening.”
As TechInformed reported in its Ransomware Special Report in 2022, ransomware is one of the fastest growing cyber threats that enterprises have to deal with. But what is driving the growth of this particular type of threat?
Charl van der Walt, head of security research at Orange Cyberdefense, says that he is seeing a shift towards smaller organisations in ransomware attacks, and more incidents happening on those in less developed countries over places such as the US, UK, and Canada.
“However, no business can afford to let its guard down as software vulnerabilities and misconfigurations continue to appear and they will be exploited,” he explains.
“I think ransomware gangs will become more aggressive in the techniques they use to encourage victims to pay their demands – including calling executives directly.”
In the same vein, JUMPSEC researcher Sean Moran says that he is seeing ransomware groups not only using sensitive company data to blackmail firms into handing over the cash, but also personal information.
“Before, it was very businesslike, but now they’ve started posting compromising pictures of the CEO of a company,” he says.
In addition, AI tooling means cybercriminals can use machine translation and large language models to target speakers of other languages and extort victims.
“Think of places like China and Japan where language may have historically presented a barrier to criminals,” says van der Walt.
Orange Cyberdefense also believes cybercriminals will start experimenting with ways to ransom operational technology (OT) systems, “which typically don’t carry data meaning traditional ‘double extortion’ approaches aren’t effective.”
“But we have demonstrated other ways by which OT environments can be held to ransom and we believe criminals will also eventually begin experimenting with such ideas,” adds van der Walt.
Just last week, a data breach affecting the UK's Ministry of Defence was traced back to an OT system.
A "rogue Windows 7 PC that was running software for one of [its] manufacturing machines" was the route into a breach that, according to reports, saw secret UK military and intelligence information leaked online.
Stealing company information worth blackmailing over is not as simple as breaking and entering; it is a much longer process.
“First, attackers can spend anywhere from a few days to several months laying the groundwork,” explains Middleton.
Behind the scenes, attackers will start with an observation stage, then infiltration (often through phishing links), which involves entering and exploring the target’s infrastructure, exfiltrating data, and destroying backup repositories, explains Middleton.
As it stands, phishing remains the top initial access vector used by ransomware groups, says van der Walt: “With common lures including seasonal hooks, sector-specific issues, and job-related decoys used to encourage victims to click on a link.”
Ransomware groups will also exploit software vulnerabilities to gain access, and "SEO poisoning" has been repopularised: manipulating search engine rankings, including the sponsored results shown in the top positions, and paid social media content so that victims land on malicious pages.
“The [final] encryption phase is key to applying pressure on victims,” says van der Walt. “Throughout the years threat actor groups have attempted to maximise their chances of being paid by hindering any possible recovery.”
For example, hackers will simultaneously encrypt workstations and servers, delete Volume Shadow Copies, and target backups and external drives.
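The recovery-hindering commands described above are among the most reliable ransomware precursors to alert on, because legitimate administrators rarely delete every shadow copy or disable Windows recovery. The following Python snippet is an added example, not code from the original article or from any of the firms quoted: it runs a small set of command-line detection rules (mapped to MITRE ATT&CK T1490, Inhibit System Recovery) over constructed process-creation events in the style of Sysmon Event ID 1, and escalates any host where more than one rule fires. The event records, host names and rule names are all made up for the example.

```python
import re

# Command-line patterns for recovery inhibition (ATT&CK T1490). These are
# illustrative rules for the example; tune them to your own telemetry.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jsmith", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-042", "user": "CORP\\jsmith", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"host": "ws-042", "user": "CORP\\jsmith", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "fs-01", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},          # benign enumeration
    {"host": "ws-017", "user": "CORP\\svc_backup", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -nop -c \"Get-WmiObject Win32_ShadowCopy | "
                     "ForEach-Object { $_.Delete() }\""},
    {"host": "ws-017", "user": "CORP\\svc_backup", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\svc_backup\\todo.txt"},  # benign
]


def match_rules(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event.get("command_line", "")
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(events):
    """Run all rules over a list of events and return one alert per rule hit."""
    alerts = []
    for event in events:
        for rule in match_rules(event):
            alerts.append({"rule": rule, "host": event["host"], "user": event["user"],
                           "parent_image": event["parent_image"],
                           "command_line": event["command_line"]})
    return alerts


def escalate(alerts):
    """Hosts where two or more distinct recovery-inhibition rules fired.

    A single vssadmin call might be an admin reclaiming disk space; several
    different techniques on one host in a short window look like pre-encryption
    staging and deserve an immediate response.
    """
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert["host"], set()).add(alert["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['command_line']}")
    print("escalate:", escalate(found))
```

In a real deployment the same rules would be applied to process-creation events from Sysmon or Windows Security Event ID 4688 (with command-line auditing enabled), and the escalation window would be time-bounded rather than over the whole input.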
"This all leads to the final stage, in which attackers make their presence known by encrypting data and demanding a ransom," says Middleton.
In the event of an attack, cybercriminals offer a decryption key, and a promise not to publish the stolen data, in exchange for money (typically in the form of a crypto transfer).
Authorities and cyber security experts do not encourage businesses to pay the ransom, with the argument that paying up will only fund more criminal activity.
However, it’s not illegal, clarifies JUMPSEC researcher Sean Moran. “You can do what you want.”
“Let’s say you have really sensitive documents about clients, you could get sued by them for having leaked those,” Moran explains.
In such a case, being sued may prove more expensive than paying the ransom.
“Ransomware attacks wreak havoc on businesses, so it’s understandable that desperate times often call for desperate measures,” says Middleton. “However, it’s important to recognise that paying a ransom means you are trusting the enemy to stand by their word, and that is never a wise move.”
In fact, according to Veeam’s data, as many as 21% of organisations who paid the ransom still couldn’t recover their data.
Instead, Middleton says: "It's always more reliable, efficient, and of course, cost-effective to build a ransomware recovery and backup strategy that enables you to recover data without being at the mercy of your attacker."
In the current economic climate, budgets are tight, and for Middleton this means it's even more crucial to "develop an iron-clad data protection strategy with proper backup and recovery plans, as the cost of paying a ransom, dealing with downtime, and compensating customers is even more foreboding".
Middleton recommends following the 3-2-1-1-0 backup rule that involves immutable backup copies.
“This means keeping at least three copies of the data, stored on two different types of media (e.g., a copy stored on an internal hard disk and a copy in the cloud).”
One of these copies must be at an offsite location, and one must be offline and not connected to the organisation’s main infrastructure.
Most importantly, the zero means “there should be zero errors in your backup, which can be achieved through regular testing and monitoring”, says Middleton.
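The rule is easy to state and easy to drift away from, so it is worth checking mechanically. The snippet below is an added example, not code from the article or from Veeam: it evaluates a backup inventory against each element of 3-2-1-1-0 and implements the "zero errors" check as a test-restore verification, hashing what each copy restores to and comparing it with the production data. The inventory format, the `BackupCopy` fields and the two sample inventories are constructed for the example; a real implementation would read the restored bytes from an actual test restore rather than from memory.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    offsite: bool               # stored at a different physical location
    offline_or_immutable: bool  # air-gapped, or WORM/object-lock immutable
    content: bytes              # bytes read back (for backups: from a test restore)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_3_2_1_1_0(copies):
    """Return a list of findings; an empty list means the inventory passes.

    copies[0] is the production copy and counts towards the "3"; the offsite,
    offline and verification checks apply to the backup copies only.
    """
    production, backups = copies[0], copies[1:]
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies of the data, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: all copies on one media type ({media.pop()}), need 2")
    if not any(c.offsite for c in backups):
        findings.append("1-offsite: no backup copy is stored offsite")
    if not any(c.offline_or_immutable for c in backups):
        findings.append("1-offline: no backup copy is offline or immutable")
    reference = digest(production.content)
    bad = [c.name for c in backups if digest(c.content) != reference]
    if bad:
        findings.append(f"0: test restore mismatch for {', '.join(bad)}")
    return findings


# Constructed sample data standing in for a real dataset and its restores.
DATA = b"customer-ledger-2023Q3\n" * 1000
CORRUPTED = DATA[:-1] + b"X"   # one flipped byte in the restored copy

GOOD_INVENTORY = [
    BackupCopy("prod-san", "disk", False, False, DATA),
    BackupCopy("nightly-nas", "disk", False, False, DATA),
    BackupCopy("cloud-objectlock", "object-storage", True, True, DATA),
]

BAD_INVENTORY = [
    BackupCopy("prod-san", "disk", False, False, DATA),
    BackupCopy("nightly-nas", "disk", False, False, DATA),
    BackupCopy("second-nas", "disk", False, False, CORRUPTED),
]


if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        findings = evaluate_3_2_1_1_0(inventory)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The second inventory fails on every count that matters during a ransomware incident: three copies exist, but they share a media type, sit on the same network as production, can all be encrypted by the same credentials, and one of them would not even restore cleanly.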
In agreement, van der Walt stresses that businesses must keep on top of software vulnerabilities and exploits.
“Our data shows that it takes organisations an average of 215 days to patch a vulnerability, with critical vulnerabilities only patched 36% faster than low-severity issues,” he says.
According to Orange Cyberdefense’s data, around 50 new vulnerabilities are discovered each day, “so businesses must prioritise the understanding and patching of their vulnerabilities, as well as simple steps such as raising staff awareness of security issues.”
“They also need to rely on the power of the community to tackle attacks. It’s crucial that the industry bands together to overcome this issue, stay one step ahead of threat groups, and safeguard themselves,” says van der Walt.
TechInformed’s Ransomware Special Report taps into the cyber security community with opinions and advice from dozens of cyber professionals on what to do in the event of a ransomware attack.