Ransomware attacks have evolved over the years from a threat primarily targeting individuals with modest ransom demands, to a sophisticated form of cybercrime that now jeopardizes large companies, government agencies and critical infrastructure. It's increasingly common to hear of a major corporation, educational institution or local government falling victim to a ransomware attack, in addition to the incidents that make national headlines. These attacks have far-reaching implications, from disrupting critical public services such as hospitals, to interrupting supply chains, to taking critical gas pipelines offline. I recently had the opportunity to testify before two subcommittees of the U.S. House of Representatives Committee on Oversight and Accountability on combating ransomware attacks.
My full written testimony goes into depth on the nature of the threat and how it’s changing, as well as how defenders can meet the moment through innovation, public-private partnership and a well-prepared workforce. Here, I’m sharing a few prominent insights from the ransomware cases we see as incident responders, as well as our key recommendations for how organizations can reduce risk.
Adversaries continue to enhance their techniques and increase their sophistication. In our 2023 Ransomware and Extortion Report, we specifically illuminate three alarming trends:
Threat actors have come to realize they’re more likely to get paid if they put additional layers of pressure on their victims. We call this multi-extortion. Aside from using ransomware to lock up an organization, the attackers also steal data and threaten to leak it. Multi-extortion tactics continue to rise. For example, threat actors are currently engaged in data theft in addition to ransomware in more than 70% of cases on average, compared to only about 40% of cases as of mid-2021. Criminal groups post about this data on leak sites, where Unit 42 researchers observe about seven new victims a day, on average – that’s about one every 4 hours.
Harassment is one particularly notable multi-extortion tactic. Ransomware actors now frequently target specific individuals in an organization (often in the C-suite) with threats and unwanted communications. This harassment is now involved in 27% of ransomware cases Unit 42 investigates, compared to just 1% a few years ago.
The group Unit 42 tracks as Muddled Libra (related to Scattered Spider) looks for strategic points of leverage to scale the impact of their malicious activity. By targeting business process outsourcing (BPO) providers, they’ve proven adept at compromising these widely used third-party services to gain access to BPO customers across multiple sectors. Among other tactics, threat actors frequently use social engineering or text messages to lure employees into providing credentials that allow access to organizations.
We have found that even sophisticated enterprises actually have twice as many systems exposed on the internet as they were internally monitoring – a visibility gap that gives adversaries the upper hand.
Our Attack Surface Threat Report provides a detailed analysis of the digital infrastructure that adversaries may try to exploit. A particularly concerning finding is the ubiquity of poor configurations around a remote access method called Remote Desktop Protocol (RDP), a prime target for ransomware attacks. RDP misconfigurations make up 20% of all exposures we observe on the public-facing internet. Additionally, over 85% of organizations we observed with these exposures left them unaddressed for at least 25% of a typical month. This leaves the organizations open to ransomware attacks or unauthorized login attempts for sustained periods of time.
We recommend organizations focus on the following actions to increase their cyber resilience:
While there is no silver bullet in cybersecurity, prioritizing these recommendations will materially reduce the risk of falling victim to an attack, more effectively contain an attack if one does occur, and help increase resilience for the entire cybersecurity ecosystem.
Information sharing venues, where commercial competitors become threat intelligence partners, remain a critical part of our collective defense. Whether through participation in the Ransomware Task Force, CISA’s Joint Cyber Defense Collaborative or the Cyber Threat Alliance, we’ve seen firsthand the value of sharing technical threat intelligence about ransomware threat actors and collaborating to build stronger defenses. Palo Alto Networks is committed to working in partnership with other organizations to be good cyber citizens and trusted security partners.
Sam Rubin is vice president and global head of operations for Unit 42, the threat intelligence and incident response division of Palo Alto Networks.
Watch Sam’s full testimony in this replay of the hearing.