Today Kaspersky revealed that nearly half of security incidents handled by its Global Emergency Response Team (GERT) from January to November 2021 were connected to ransomware, an increase of nearly 9% from 2020. The trend prompted Kaspersky to name ransomware the Story of the Year, headlining its annual Kaspersky Security Bulletin series of predictions and analysis of key changes in the world of cybersecurity.
This year, ransomware took down gas pipelines and government health services. Ransomware operators refined their arsenals, focusing on fewer attacks against large-scale organizations, and an entire underground ecosystem has appeared to support ransomware gangs’ efforts.
Over the first 11 months of 2021, ransomware-related requests made up 46.7% of the IR requests processed by Kaspersky’s GERT, a jump from 37.9% for all of 2020 and 34% for 2019.
Kaspersky’s Global Emergency Response Team is called in by companies after a security breach to limit the damage and prevent an attack from spreading. This is known as incident response (IR) and is reserved for mid-sized to large organizations.
Figure: Percent of ransomware-related IR requests per year
The most common targets were those in the government and industrial sectors. Together, attacks against those two industries accounted for nearly 50% of all ransomware-related IR requests in 2021. Other popular targets included IT and financial institutions.
Meanwhile, as ransomware operators have shifted to bigger ransom demands and more high-profile targets, they’ve been facing increasing pressure from politicians and law enforcement agencies – making efficiency of attacks critical. As a result, Kaspersky experts note two important trends that will gain popularity in 2022. First, ransomware gangs are likely to construct Linux builds of ransomware to maximize their attack surface. This is something that has already been seen with groups like RansomExx and DarkSide. In addition, ransomware operators will start to focus more on “financial blackmail.” This is when operators threaten to leak critical information about companies when they are undergoing critical financial events, such as conducting a merger or acquisition, or making plans to go public. When companies are in such a vulnerable financial state, they’re more likely to pay the ransom.
“We began talking about so-called Ransomware 2.0 in 2020, and what we’ve been seeing in 2021 is this new era of ransomware coming into full force,” said Vladimir Kuskov, head of threat exploration at Kaspersky. “Ransomware operators aren’t just encrypting data; they’re stealing it from critical, large-scale targets and threatening to expose the information if the victims don’t pay. And Ransomware 2.0 is going anywhere in the coming year.”
“At the same time, now that ransomware is in the headlines, law enforcement agencies are working hard to bring prolific groups down, which is what happened with DarkSide and REvil this year,” said Fedor Sinitsyn, security expert at Kaspersky. “These gangs’ lifecycles are being compressed, and that means they’re going to have to refine their tactics in 2022 to remain profitable, especially if some governments make paying ransoms illegal, which is being discussed.”
Read more about the Kaspersky Security Bulletin’s Story of the Year: Ransomware in the Headlines on Securelist.
You can also learn more about the lifecycle of high-profile ransomware gangs here.
To protect your business from ransomware, Kaspersky experts recommend:
· Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
· Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways to your network.
· Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
· Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
· Back up data regularly. Make sure you can quickly access it in an emergency when needed.
· Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
· Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response service, which help to identify and stop an attack at its early stages, before attackers reach their final goals.
· To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
· Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB), which is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms which can prevent its removal by cybercriminals.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn