What Ransomware Taught us in 2021

As the world adjusted to remote and hybrid work model in 2021, ransomware wreaked havoc globally. From high profile targets to SMBs, ransomware attacks affected all industries and organizations of every scale.

In addition to the financial costs, ransomware disrupted healthcare, legislation, services, education, retail, and more. In this blog, we summarize the lessons learned from ransomware attacks in 2021, so that you can better prepare for them in the future.

Ransomware attacks are growing in number, scale, and complexity

37% of organizations worldwide said they were victims to some sort of a ransomware attack in 2021, according to IDC’s “2021 Ransomware Study”. The number of ransomware attacks increased in each quarter of 2021, exceeding the total number of ransomware attacks in 2020 by October 2021. Not only did the number of ransomware attacks increased but also the scale and complexity.

The Financial Crimes Enforcement Network (FinCEN) identified $590 million ransomware-related activity in the first 6 months of 2021 – a 42% increase from the $416 million in 2020.

In 2021, we noticed more high-profile victims than ever before, such as:

• In March 2021, the Taiwanese PC manufacturer Acer was attacked by REvil ransomware group leading to the highest ransom demand ever: $50 million.
• In May 2021, Eastern US experienced a disruption in the flow of oil due to the ransomware attack on Colonial Pipeline.
• In June 2021, the US-based meat processing vendor JBS ended up paying $11 million to REvil ransomware group after the cyber-attack reduced the company’s ability to package meat products.
• In July 2021, the vulnerability in the remote management software of Kaseya was exploited to target their customers worldwide in a supply chain attack. The attack targeted government departments, legislative infrastructure, and corporate businesses globally.

The method of delivery for ransomware also grew more diverse and sophisticated in 2021. Common methods of delivery seen in 2021 included:

• Phishing email campaigns: Socially engineered legitimate-looking emails that attempt to trick the recipient into clicking a malicious URL or downloading a Word, Excel, .PDF, or zip file attachment which delivers the payload and executes malicious code in the background.
• Exploiting vulnerabilities: Exploit vulnerabilities to infiltrate the network, deliver malicious code and encrypt servers, notebooks, and all connected devices. Examples include QLocker, Log4j (Log4shell), Microsoft Powershell, etc.
• Drive-by downloads: Drive-by downloads exploit security flaws in applications, operating systems, or web browsers due to unsuccessful or lack of updates to deliver malicious code. Unlike other ransomware delivery methods, drive-by downloads do not require the targets to actively enable the attack.

Key Ransomware Trends in 2021: Supply Chain Attacks, Double-Extortion Attacks, and Ransomware as a Service

The following ransomware trends were more common in 2021:

Supply Chain Attacks: As opposed to carefully targeting and attacking a single company, ransomware groups target managed service providers (MSPs) who provide hardware/software to government and corporate organizations. Example of supply chain attacks include Kaseya and Accelion attacks.

Double-Extortion Attacks: Conventionally, ransomware encrypts critical files and demands ransom in exchange for a decryption key. Double-extortion attacks take this a step further. In addition to encrypting files, the hackers also steal sensitive information such as Personally Identifiable Information (PII), Personal Health Information (PHI), financial information, etc. and threaten to publish them unless the ransom is paid.

Ransomware as a Service (RaaS): In order to expand their operations, ransomware groups make their malware code and infrastructure available to malicious actors as a “pay-to-use” service. RaaS facilitates non-technical cyber-criminals to launch sophisticated ransomware attacks in turn adding to the number of cyber-incidents worldwide.

Ransomware targets in 2021 by industry

The common misconception is that ransomware attacks focus on large enterprises or specific industries. The truth is that ransomware attacks pick no favorites. While some industries are more affected than others, none are safe.

The most targeted sectors in 2021 were:

• Government
• Education
• Healthcare
• Services
• Technology
• Manufacturing
• Retail
• Finance

Backups alone are not enough – Air-gapping and Immutability are necessary

Not long ago, it used to be that backups were enough to recover data from a malicious data encryption. Ransomware has grown more sophisticated since then. Today, ransomware not only targets production but also backup servers in addition to shared storage devices and network-connected environment(s). Any workload that is “live” and accessible is targeted by ransomware and encrypted.

As a result, data protection measures such as air-gapped backups and immutable storage have become necessary. To ensure effective ransomware protection, it’s important to set up a backup and disaster recovery (DR) system that follows backup strategies such as the 3-2-1, 3-2-1-1-0, or 4-3-2.

Learn more about why air-gapping and immutability are necessary.

Ransomware recovery planning is necessary

As ransomware has become a matter of “when” rather than “if”, a ransomware recovery plan is as important as a business plan. With a documented and tested ransomware recovery plan, organizations, big and small, can make sure that their critical operations can recover quickly and critical information, such as PII, PHI, etc. is safe from ransomware.

This is exactly what we saw in 2021, organizations that had a ransomware recovery plan were able to respond quicker and recover faster as compared to organizations that didn’t.

Ransomware predictions 2022

Here is what to expect from ransomware in 2022:

• Ransomware-Related Legislation Worldwide: According to Gartner, in 2021, 1% of governments worldwide had some ransomware-related rules. This number is expected to grow to 30% by 2025.
• More High-Profile Attacks: Kela’s analysis of the dark web suggests that hackers will focus more on organizations with over $100 million in revenue, using RDP, VPN, and tools from vendors such as Cisco, VMware, Palo Alto Networks, Citrix, and Fortinet.
• Multiple Attacks on Victims: As noted by Crowdstrike, after successfully attacking an organization’s network, ransomware groups sell information to each other, allowing others to exploit known vulnerabilities and installed malware. This behavior was seen in 2021 and is likely to increase in the coming year.

How to protect mission-critical data from ransomware attacks

As ransomware is constantly changing, there is no cure-all for it. The best way to protect mission-critical assets from ransomware is to adopt a multi-layered approach.

• Train your employees: Human error is often the cause of a data breach and a successful ransomware attack. As a great number of ransomware groups continue to use phishing emails as a method of delivery, the ability to identify them and act accordingly can reduce the chances of a ransomware attack.
• Use multi-factor authentication (MFA): Protect admin access to your critical servers, repositories, and virtual environments from unauthorized access and brute force attacks using two-factor authentication or preferably multi-factor authentication.
• Firewalls and anti-ransomware: By using network firewalls and anti-ransomware, you can prevent ransomware from gaining access and automatically detect and remove dormant malware threads. While these measures alone are not enough, they are an integral component of a reliable multi-layered ransomware protection strategy.
• Update/patch your systems regularly: Often times hackers exploit unpatched vulnerabilities in operating systems and applications to gain access to and plant malware bots in your network. By making sure that your systems are updated and patched regularly, you can avoid these attacks.
• Set up a reliable backup strategy: Make sure that your backup and disaster recovery (DR) system follow a reliable backup strategy such as 3-2-1, 3-2-1-1-0, or 4-3-2.
• Air-gapping and immutability: Backups alone are no longer enough. It’s important to use air-gapping and immutability in addition to backups to ensure effective ransomware protection.

Conclusion

Ransomware attacks continue to grow in number, scale, and complexity. To make sure your critical data is protected, plan and prepare beforehand with backup and DR that uses air-gapping and immutability.

Don’t risk your business, prepare for ransomware before it attacks. Contact our experts today to discuss your projects.