3 Recent Ransomware Trends

Ransomware groups have been evolving their tactics over the past few years. Three trends stand out:

1. Gangs are becoming more organised

Ransomware groups are becoming far more organised – a trend started by LockBit – with gangs even conducting job interviews and calling for research papers on the dark web.

Basically, they’ve become proper organisations, albeit in an illegal line of business.

2. Attackers are favouring data exfiltration over encryption

Ransomware gangs seem to be shifting towards data exfiltration – on its own, or combined with encryption in so-called double-extortion attacks – rather than encryption alone. Exfiltration is particularly troubling for organisations, because the traditional counter to ransomware, restoring from backups, does nothing to stop the attackers publishing or selling the stolen data.

Our research supports this trend, as we’ve found that over October and November of this year, 18% of publicly disclosed incidents – 108 incidents in total – were ransomware attacks. 90 of those incidents, or 83%, involved data exfiltration, accounting for 69,794,090 records known to be breached.

3. Attackers spend more time in victims’ systems to look for the most sensitive data

Linked to the second trend, attackers now spend longer in their victims’ systems, taking the time to look for the really sensitive data to exfiltrate. This gives the attackers more leverage, allowing them to ask for higher ransoms and increase the pressure on organisations to pay them.

Should you pay the ransom?

Public bodies and governments advise against paying ransoms. In fact, some countries even make paying them illegal.

But we understand that when threatened with having your data released on the dark web, you may feel tempted to pay the ransom anyway, despite the risk of the criminals not keeping their side of the bargain.

So, what do our experts say about this?

Cliff Martin, head of cyber incident response

When faced with a ransomware attack, we always recommend that you don’t pay. But as someone who works in incident response, that’s really easy for me to say.

I recognise that there are, unfortunately, circumstances where an organisation doesn’t have a choice. That could be down to, for example, the sensitivity of the encrypted and/or exfiltrated information, not having a backup, or a range of other reasons.

But you need to balance such considerations against whether you can really trust the criminals who had the scruples to attack you to begin with. So, I would generally advise against paying the ransom.

Vanessa Horton, cyber incident responder

Ethically speaking, you clearly shouldn’t pay, as this funds further criminal activity. Besides, they’re criminals. What’s to stop them selling the data, whether immediately or further down the line, even if you do pay?

However, paying could prevent sensitive data from being sold on the dark web, thereby reducing the impact of the breach. I do want to stress the could here though – again, there’s no guarantee the attacker will keep their side of the bargain.

So, I think the organisation needs to weigh up the risks to make the right decision for their specific situation. I don’t think the answer is a clear-cut ‘don’t pay’, but not paying will likely be the best action to take in most cases.

How to prevent ransomware attacks

The best thing that organisations can do is to implement measures that prevent ransomware attacks from succeeding to begin with.

Preventive measures such as strong, unique passwords, MFA (multifactor authentication), regular patching and anti-malware software are crucial. Happily, they are also inexpensive.

Another highly effective way of reducing the threat of ransomware is by rolling out staff training and taking other measures to improve staff awareness and vigilance.

It’s important to be aware, however, that such measures can’t prevent all attacks.

For example, think about the recent MOVEit breach. This exploited a zero-day vulnerability – a SQL injection flaw in Progress Software’s MOVEit Transfer that attackers were exploiting before the vendor had released a patch – so even organisations that patched promptly had no fix to apply, making it almost impossible to prevent the exploitation itself. That is why prevention has to be paired with detection and a rehearsed response.

Ransomware Staff Awareness E-learning Course

This 30-minute course, ideal for initial and repeat engagements, covers:

  • The threats posed by a ransomware attack;
  • The main forms a ransomware attack can take and how they work; and
  • Actions that individuals and organisations can take to help protect against ransomware.

What to do if you suffer a ransomware attack

Should you become the victim of a ransomware attack despite your best efforts, a fast response is crucial.

One of the most important things to do is conduct an initial forensic investigation. That means figuring out:

  • What happened?
  • What was the root cause?
  • What data has been breached, exactly?
  • When did the initial attack happen?

You should also investigate whether the attackers left a back door in your systems – for example, a newly created account, a scheduled task or service, or a remote-access tool. This is a common tactic, as it lets them easily regain access later, including after you have restored from backups.
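The questions above map naturally onto a first triage pass over exported logs. The following is an added example, not code from the original article or from any incident response team it mentions: it builds a timeline from a handful of constructed log lines, picks out the earliest suspicious event (the likely initial access), flags persistence mechanisms that could serve as a back door, totals suspected exfiltration and measures the dwell time up to encryption. The log format, the internal address range, the ransomware file extensions and the exfiltration threshold are all assumptions made for illustration.

```python
"""Initial ransomware triage over exported log lines (added example).

Log format, indicator thresholds, LAN range and ransomware file extensions
are assumptions for illustration; the log lines are constructed, not taken
from any real incident.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumptions: the organisation's internal range, the extension the encrypting
# payload appends, and the outbound volume that counts as suspected exfiltration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RANSOM_EXTENSIONS = {".locked", ".encrypted"}
EXFIL_THRESHOLD_BYTES = 1_000_000_000  # flag outbound transfers over 1 GB

# Constructed sample lines: "<UTC timestamp> <host> <source> <kind> key=value ...".
# 203.0.113.45 is a documentation address standing in for an attacker's server.
SAMPLE_LOGS = """\
2024-03-02T08:14:02Z fs01 auth login user=jsmith src=10.0.4.21 result=ok
2024-03-02T22:47:15Z vpn01 auth login user=svc_backup src=203.0.113.45 result=ok
2024-03-02T22:51:40Z fs01 audit account_created user=support_tmp by=svc_backup
2024-03-02T22:53:02Z fs01 audit group_add user=support_tmp group=Administrators
2024-03-03T01:10:11Z fs01 audit scheduled_task_created name=UpdateCheck by=support_tmp
2024-03-03T01:12:30Z fs01 net outbound dst=203.0.113.45 bytes=18400000000
2024-03-03T03:30:00Z fs01 file rename count=48213 ext=.locked
2024-03-03T09:02:10Z fs01 auth login user=jsmith src=10.0.4.21 result=fail
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<kind>\S+)(?P<rest>.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    kind: str
    fields: dict


def parse_line(line):
    """Parse one log line into an Event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return Event(ts, m["host"], m["source"], m["kind"], fields)


def is_internal(ip):
    """True if the address falls inside the assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Map an event to an attack stage, or None if it looks benign."""
    f = ev.fields
    if ev.kind == "login" and f.get("result") == "ok" and not is_internal(f["src"]):
        return "initial_access"  # successful login from outside the LAN
    if ev.kind in ("account_created", "scheduled_task_created"):
        return "persistence"  # candidate back door
    if ev.kind == "group_add" and f.get("group") == "Administrators":
        return "persistence"  # privilege granted to the new account
    if (ev.kind == "outbound" and not is_internal(f["dst"])
            and int(f.get("bytes", 0)) > EXFIL_THRESHOLD_BYTES):
        return "exfiltration"
    if ev.kind == "rename" and f.get("ext") in RANSOM_EXTENSIONS:
        return "encryption"
    return None


def triage(log_text):
    """Answer the first-response questions: when, how, what was left behind, what was taken."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    events.sort(key=lambda e: e.ts)  # exported logs are not always in order
    tagged = [(e, classify(e)) for e in events]
    first = {}
    for e, tag in tagged:
        if tag is not None and tag not in first:
            first[tag] = e  # earliest event of each stage
    initial, encryption = first.get("initial_access"), first.get("encryption")
    return {
        "initial_access": initial,
        "persistence": [e for e, tag in tagged if tag == "persistence"],
        "exfil_bytes": sum(int(e.fields["bytes"]) for e, tag in tagged if tag == "exfiltration"),
        "encryption": encryption,
        "dwell": (encryption.ts - initial.ts) if initial and encryption else None,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOGS)
    print("initial access:", r["initial_access"].ts, r["initial_access"].fields)
    for e in r["persistence"]:
        print("persistence   :", e.ts, e.kind, e.fields)
    print("exfiltrated   :", f"{r['exfil_bytes'] / 1e9:.1f} GB")
    print("dwell time    :", r["dwell"])
```

On the constructed data the earliest flagged event is the `svc_backup` login from outside the network, the three persistence hits (a new account, its promotion to Administrators and a scheduled task) are exactly the back doors to remove before restoring, and the 18.4 GB outbound transfer to the same external address, hours before any file was renamed, is the evidence that this was an exfiltration case rather than an encryption-only one. Real investigations replace the indicator rules with whatever your EDR, firewall and directory logs actually record, but the questions the script answers are the same.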

The importance of forensics

By asking questions like the above and conducting this type of early investigation, you gather the information you need to meet your legal and regulatory obligations. Under the GDPR (General Data Protection Regulation), for example, a notifiable personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and the notification has to describe the nature of the breach, including the categories and approximate numbers of data subjects and records affected – which you cannot do without knowing what happened and what data was taken.

Furthermore, with laws like NIS 2 (the revised Network and Information Systems Directive) and DORA (Digital Operational Resilience Act) coming into force – both of which carry their own incident reporting requirements – such obligations clearly aren’t going away, particularly in the EU.

Gathering the information you need to stop the same thing happening again is another vital outcome of a forensic investigation. You may not have been able to prevent this attack, but you want to learn from it – the root cause, the back doors left behind and the gaps that let the attackers move unnoticed – so you can prevent future ones.

Speak to a cyber security expert

Not sure where to start on your cyber security journey? Need more information on preventing ransomware attacks? Want to learn more about incident response and forensics?

If you have questions like these – or any other cyber security questions – please get in touch. We’re always happy to help!
